(1) Overall Context Corporate Legal and Compliance Matters

Transcription

1 1 (1) Overall Context Corporate Legal and Compliance Matters We understand that the EU Commission has recognized the need for a clarification and harmonization of the data privacy regulations throughout the European Union. Before providing its recommendation to the European Parliament, the Commission is open for public comments on its plan for strengthening these regulations. This document has been created by H7b1 Eurl, the French branch of the H7b1 Group, a Swiss group of companies providing technology assistance to law firms and corporations in Europe for collecting and managing their data in the frame of legal matters. Corporations from the private sector operating in Europe are faced with the reality of increasing investigations and document requests in relation to international legal matters. It is our observation that the data privacy regulations of some European jurisdictions can conflict with the international standards of investigation and compliance, which corporations often decide to follow. Legal and compliance costs are constantly rising for corporations, partly due to the vast amount of electronic data that is now generated by day to day operations and the subsequent burden of handling that data in accordance with the applicable requirements. Corporations are also facing important new legal and compliance risks due to the increase in global compliance standards inside and outside of Europe. Thus we urge the EU Commission to consider not only a strong harmonization of the data privacy legal framework throughout EU jurisdictions, but also a stronger coherence of this framework with other global compliance regulations, such as competition, antibribery and export control laws and related regulations. A data privacy framework that would strengthen its interface with other fundamental regulations would demonstrate another level of global European leadership by helping corporations in efficiently protecting the personal data of EU citizens, as well as to uphold their corporate compliance duties. This document is a response to the proposals set forth by the EU Commission. It only constitutes an opinion of H7b1 for the purpose of contributing to the debate on data privacy within the context of legal and compliance matters.

2 2 (2) About the Author A Specialized Data Processor (3) Preliminary Note on Terminology H7b1 is a legal technology service provider assisting corporations and law firms to preserve, collect and transform corporate data into legal technology database systems, as well as to produce data to other parties in the frame of legal matters. We are neither a data privacy nor a legal service provider. H7b1 has imported a technology practice referred to as litigation support technology from the United States and has created a service organization able to use this technology both for European legal matters and for foreign discovery requests in Europe. As such, for the past 7 years, H7b1 has been the pioneer of the litigation support technology practice on continental Europe. From the data privacy standpoint, we mostly operate for our clients as data processors. For many years we have supported our corporate and legal clients in their efforts to secure evidence and manage it for legal matters such as international arbitrations, corporate investigations, DOJ investigations, and international litigation. There is an a priori conflict with the use of the term data processing between the forensic/litigation support industry and the EU data privacy framework, which we would like to bring to the attention of the Commission. From the standpoint of the Directive, processing of personal data consists of any handling of personal data. Actions such as securing data in case of an investigation, copying and providing it to a legal or compliance department, putting it into a database, producing it to other authorities or jurisdictions and reviewing it constitute personal data processing. This use of the term is in conflict with the legal industry where data processing is generally used only for the operation of creating a database from documents to the exclusion of securing data, which is typically known in our industry as data preservation. In other words, preserving corporate data in the frame of an investigation is processing from the EU data privacy standpoint but not from the litigation/forensics standpoint. This difference in terminology sometimes leads to confusion and uncertainty when discussing data privacy regulations in the frame of compliance and legal matters.

3 3 (4) Data Processing Subcontracting by Law firms We would ask for further harmonization of laws throughout the European Union that would guarantee corporations (as data controllers) the right to grant their law firms (as data processors) the authorization to subcontract one level to specialized data processors, such as forensic accountants or legal technology providers. The work of attorneys and their auxiliaries, to which legal technology providers and forensic accountants can belong, is often covered by attorney professional secrecy, which is different from legal privilege. Thus, securing the ability of the attorneys to subcontract work on data in all EU jurisdictions to their outsourced auxiliaries will ensure that all data processors (such as forensic accountants, technology providers, and attorneys) are covered by professional secrecy when possible. This would help to avoid issues, where a law firm could not, as a data processor, subcontract to forensic accountants and legal technology providers. Instead these specialized providers would be contracted directly by corporations and those data processors would then not be covered by attorney professional secrecy. (5) Custodian Consent : Clarification and Alternative Terminology We believe that it would be useful, within the frame of legal and compliance matters, that the data controllers are able to securely rely on the concept of custodian consent granted that: (i) The term custodian benefits from a sufficiently accurate definition so that it is clear from which person the consent should be obtained for a given data set. Based on our practice, we believe that using the term custodian consent can lead to a terminology issue in our professional domain, and that the term primary data subject, instead of custodian in the expression custodian consent would be more appropriate. (ii) The person from which the data will be obtained should then have an opportunity to require tailored processing, avoiding situations where the non consensual no is the only alternative to a yes. A key example of tailored processing would be a two phased approach, where the data can first be technically processed (before any analysis and viewing) but accessed by investigators only after proper de identification of sensitive data, in accordance with the conditional consent.

4 4 (6) Tunnel Processing Once a corporate investigation has begun a frequent first step, in terms of international standards, is to protect a small portion of the corporate data from alteration, either through the normal course of business, technical accident or from intentional alteration. In our legal technology profession, this step is often referred to as data preservation. It mainly consists of securing backup tapes, performing forensic copies of PC disks and performing forensic copies of portions of network data. The issue is that by asking the relevant persons for their consent to preserve their data, the investigators may not be able to obtain the data in a state they would have prior to the persons knowledge of the investigation. Some persons could then alter data prior to the effective start of the exercise. This very simple possibility may diminish the value of the investigation and may impede the possibility to conclude it quickly and efficiently. Therefore, we propose a fundamentally new type of data processing, exclusively in the frame of compliance and legal matters, which we would call tunnel processing. The idea behind tunnel processing is that a corporation, suspecting internal fraud or another certified compliance issues, could preserve and minimally access a portion of corporate data without any consent. However, this would only be possible for the very narrow purpose of the investigation and for a very limited portion of time, providing then a certificate that the preserved data has been either deleted (for example forensic images of laptops) or returned to normal record management cycle (for example backup tapes) if the object of the investigation does not transform into a legal matter. This method of tunnel processing would help ensure the integrity of internal corporate investigations, for example when no major interest can be asserted.

5 5 (7) Final Note Harmonization: Global corporations have an interest in the harmonization of the data protection laws in the European zone, in the particular within the narrow domain of compliance and judicial matters. Coherence: An effective connector of data privacy regulations with other important regulations, such as competition, anti bribery or export control laws, would not only add to the fundamental rights of the citizens but also to the ability of corporations in Europe to strengthen their competitiveness. Rafik E. Abboud H7b1 Chief Executive Officer Author Candice Cuvelier H7b1 Information Operations Manager Reviewer 15 January 2011