(1) Overall Context Corporate Legal and Compliance Matters




We understand that the EU Commission has recognized the need for a clarification and harmonization of the data privacy regulations throughout the European Union. Before providing its recommendation to the European Parliament, the Commission is open for public comments on its plan for strengthening these regulations.

This document has been created by H7b1 Eurl, the French branch of the H7b1 Group, a Swiss group of companies providing technology assistance to law firms and corporations in Europe for collecting and managing their data in the frame of legal matters.

Corporations from the private sector operating in Europe are faced with the reality of increasing investigations and document requests in relation to international legal matters. It is our observation that the data privacy regulations of some European jurisdictions can conflict with the international standards of investigation and compliance, which corporations often decide to follow.

Legal and compliance costs are constantly rising for corporations, partly due to the vast amount of electronic data that is now generated by day-to-day operations and the subsequent burden of handling that data in accordance with the applicable requirements. Corporations are also facing important new legal and compliance risks due to the increase in global compliance standards inside and outside of Europe.

Thus we urge the EU Commission to consider not only a strong harmonization of the data privacy legal framework throughout EU jurisdictions, but also a stronger coherence of this framework with other global compliance regulations, such as competition, anti-bribery and export control laws and related regulations.

A data privacy framework that would strengthen its interface with other fundamental regulations would demonstrate another level of global European leadership by helping corporations to protect the personal data of EU citizens efficiently, as well as to uphold their corporate compliance duties.

This document is a response to the proposals set forth by the EU Commission. It only constitutes an opinion of H7b1 for the purpose of contributing to the debate on data privacy within the context of legal and compliance matters.

(2) About the Author A Specialized Data Processor

H7b1 is a legal technology service provider assisting corporations and law firms to preserve, collect and transform corporate data into legal technology database systems, as well as to produce data to other parties in the frame of legal matters. We are neither a data privacy nor a legal service provider.

H7b1 has imported a technology practice referred to as "litigation support technology" from the United States and has created a service organization able to use this technology both for European legal matters and for foreign discovery requests in Europe. As such, for the past 7 years, H7b1 has been the pioneer of the litigation support technology practice in continental Europe.

From the data privacy standpoint, we mostly operate for our clients as data processors. For many years we have supported our corporate and legal clients in their efforts to secure evidence and manage it for legal matters such as international arbitrations, corporate investigations, DOJ investigations, and international litigation.

(3) Preliminary Note on Terminology

There is an a priori conflict in the use of the term "data processing" between the forensic/litigation support industry and the EU data privacy framework, which we would like to bring to the attention of the Commission.

From the standpoint of the Directive, processing of personal data consists of any handling of personal data. Actions such as securing data in case of an investigation, copying and providing it to a legal or compliance department, putting it into a database, producing it to other authorities or jurisdictions and reviewing it constitute personal data processing.

This use of the term is in conflict with the legal industry, where "data processing" is generally used only for the operation of creating a database from documents, to the exclusion of securing data, which is typically known in our industry as "data preservation".

In other words, preserving corporate data in the frame of an investigation is processing from the EU data privacy standpoint but not from the litigation/forensics standpoint. This difference in terminology sometimes leads to confusion and uncertainty when discussing data privacy regulations in the frame of compliance and legal matters.

(4) Data Processing Subcontracting by Law firms

We would ask for further harmonization of laws throughout the European Union that would guarantee corporations (as data controllers) the right to grant their law firms (as data processors) the authorization to subcontract one level to specialized data processors, such as forensic accountants or legal technology providers.

The work of attorneys and their auxiliaries, to which legal technology providers and forensic accountants can belong, is often covered by attorney professional secrecy, which is different from legal privilege. Thus, securing the ability of attorneys to subcontract work on data in all EU jurisdictions to their outsourced auxiliaries will ensure that all data processors (such as forensic accountants, technology providers, and attorneys) are covered by professional secrecy when possible.

This would help to avoid situations where a law firm could not, as a data processor, subcontract to forensic accountants and legal technology providers. In such situations these specialized providers would instead be contracted directly by corporations, and those data processors would then not be covered by attorney professional secrecy.

(5) "Custodian Consent": Clarification and Alternative Terminology

We believe that it would be useful, within the frame of legal and compliance matters, for data controllers to be able to securely rely on the concept of "custodian consent", provided that:

(i) The term "custodian" benefits from a sufficiently accurate definition so that it is clear from which person the consent should be obtained for a given data set. Based on our practice, we believe that using the term "custodian consent" can lead to a terminology issue in our professional domain, and that the term "primary data subject", instead of "custodian" in the expression "custodian consent", would be more appropriate.

(ii) The person from whom the data will be obtained should then have an opportunity to require tailored processing, avoiding situations where the non-consensual "no" is the only alternative to a "yes". A key example of tailored processing would be a two-phased approach, where the data can first be technically processed (before any analysis and viewing) but accessed by investigators only after proper de-identification of sensitive data, in accordance with the conditional consent.

(6) Tunnel Processing

Once a corporate investigation has begun, a frequent first step, in terms of international standards, is to protect a small portion of the corporate data from alteration, whether through the normal course of business, technical accident or intentional alteration. In our legal technology profession, this step is often referred to as "data preservation". It mainly consists of securing backup tapes, performing forensic copies of PC disks and performing forensic copies of portions of network data.

The issue is that by asking the relevant persons for their consent to preserve their data, the investigators may not be able to obtain the data in the state it was in prior to the persons' knowledge of the investigation. Some persons could then alter data prior to the effective start of the exercise. This very simple possibility may diminish the value of the investigation and may impede the possibility of concluding it quickly and efficiently.

Therefore, we propose a fundamentally new type of data processing, exclusively in the frame of compliance and legal matters, which we would call "tunnel processing".

The idea behind tunnel processing is that a corporation, suspecting internal fraud or another certified compliance issue, could preserve and minimally access a portion of corporate data without any consent. However, this would only be possible for the very narrow purpose of the investigation and for a very limited period of time, with a certificate then provided that the preserved data has been either deleted (for example forensic images of laptops) or returned to the normal record management cycle (for example backup tapes) if the object of the investigation does not transform into a legal matter.

This method of tunnel processing would help ensure the integrity of internal corporate investigations, for example when no major interest can be asserted.

(7) Final Note

Harmonization: Global corporations have an interest in the harmonization of the data protection laws in the European zone, in particular within the narrow domain of compliance and judicial matters.

Coherence: An effective connector of data privacy regulations with other important regulations, such as competition, anti-bribery or export control laws, would not only add to the fundamental rights of the citizens but also to the ability of corporations in Europe to strengthen their competitiveness.

Rafik E. Abboud, H7b1 Chief Executive Officer, Author
Candice Cuvelier, H7b1 Information Operations Manager, Reviewer
15 January 2011