Handling Foreign Data in a Post-Safe Harbor World

    Jan 26, 2016

    In a recent webcast, “No Safe Harbor: Five Strategies for Cross-Border eDiscovery,” four e-discovery experts from Recommind offered five strategies for how firms can prevent violating EU privacy laws in the new Safe Harbor-less environment:

    1. Limit collection. The more data collected, the greater the chance that personally identifiable information (PII) will be collected as well. Limiting collection can prevent PII from being collected and transferred. Ways to do this include leveraging mobile early case assessment and collections technology, indexing files on-location in the country for a text-based search of the data, and filtering aggressively via metadata.

    2. Process and host locally. If you can’t transfer data out of a country, then process and host it within that country’s borders if possible. E-discovery experts should take advantage of multinational data centers to meet standards. “When you’re dealing with a multinational company that has data abroad, it should always be a first step to see what you can collect in the least restrictive jurisdiction,” said Michael Donovan, senior director of client services.

    3. Segment data. Once the data is processed, it’s important to segment it and extract information that could be considered private. This is not the same thing as doing a standard review, but rather relies on identifying information that could pose problems for eventual reviewers if it is moved. Recommind said its own in-house reviewers typically use a three-step process for segmenting the data. First, a company expert will take the database and apply analytics, specifically using software to auto-segment the data. Then, that segmented data will undergo a first pass by an EU team to confirm proper segmentation and that private data is not being moved. Finally, the confirmed safe data is shared across the border with a U.S. team to conduct review.

    4. Restrict access. Sometimes, U.S. access to potentially private data is absolutely essential. In those cases, companies must keep data access truly remote. Fortunately, this can be done with current technology that allows a firm to control a computer or program remotely. This ensures that even though someone from the United States is looking at the data, it is hosted on a local machine and not transferred outside of EU bounds. “You’re going to want a very defensible audit trail of who sees what,” Donovan said. He suggested using IP restrictions to control who views potentially private information: “Using all of this in a layered approach, you can very tightly control who has access to the database.”

    5. Redact globally. Redaction software can help ensure that a team does not miss any possible personal information. Some software can redact PII, PCI, entities, and other personal information automatically, using search and “regular expressions” to block out data. This way, information such as driver’s license numbers, zip codes, phone numbers, and other information that cannot be moved can be redacted onsite. “Global redactions is the great emerging technology out there,” Donovan said. E-discovery professionals can take a responsive document, look for patterns of PII, and then use those patterns to block out private information among all documents.
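The pattern-based redaction described above, as an added example that is not part of the original article and not Recommind’s software: the PII patterns, sample documents, and placeholder format are constructed for illustration. It shows the two steps the strategy implies: find PII spans in a document, then apply the same pattern set across a whole corpus, while keeping an audit record of what was removed without logging the removed value itself.

```python
import re

# Constructed, illustrative patterns for a few common US PII formats. A real
# matter needs jurisdiction-specific patterns (EU national IDs, IBANs, etc.).
# Order is priority: longer formats (SSN, phone) claim their text before the
# shorter ZIP pattern can match a fragment of them.
PII_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"(?<!\w)(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("ZIP", re.compile(r"\b\d{5}(?:-\d{4})?\b")),
]


def find_pii(text, patterns=PII_PATTERNS):
    """Return sorted, non-overlapping (start, end, label) spans.

    Patterns are tried in list order; a later pattern cannot claim text that
    an earlier one already matched, which prevents double-redaction.
    """
    taken = []
    spans = []
    for label, pattern in patterns:
        for m in pattern.finditer(text):
            if any(m.start() < e and s < m.end() for s, e in taken):
                continue  # overlaps a span claimed by a higher-priority pattern
            taken.append((m.start(), m.end()))
            spans.append((m.start(), m.end(), label))
    spans.sort()
    return spans


def redact(text, patterns=PII_PATTERNS):
    """Replace each PII span with a typed placeholder.

    Returns the redacted text and an audit list recording type and offsets
    only, never the matched value, so the audit trail cannot leak the PII.
    """
    out, audit, cursor = [], [], 0
    for start, end, label in find_pii(text, patterns):
        out.append(text[cursor:start])
        out.append(f"[REDACTED-{label}]")
        audit.append({"type": label, "start": start, "end": end})
        cursor = end
    out.append(text[cursor:])
    return "".join(out), audit


def redact_corpus(docs, patterns=PII_PATTERNS):
    """Global redaction: apply one pattern set to every document.

    Returns the redacted documents and a per-type count across the corpus,
    which is the summary a reviewer would check before anything is moved.
    """
    redacted, counts = {}, {}
    for doc_id, text in docs.items():
        clean, audit = redact(text, patterns)
        redacted[doc_id] = clean
        for entry in audit:
            counts[entry["type"]] = counts.get(entry["type"], 0) + 1
    return redacted, counts


# Constructed sample documents (fictional values).
SAMPLE_DOCS = {
    "doc-001": "Contact J. Doe at (555) 123-4567 or jdoe@example.com, SSN 123-45-6789.",
    "doc-002": "Ship to 12 Main St, Springfield 62704-1234. Invoice total 10000.",
}

if __name__ == "__main__":
    cleaned, totals = redact_corpus(SAMPLE_DOCS)
    for doc_id, text in cleaned.items():
        print(doc_id, text)
    print(totals)
```

Note what happens in doc-002: the five-digit invoice total is redacted as a ZIP code. Regular-expression redaction errs toward over-redaction, which is the safe direction for data leaving the EU, but it is also why the strategies above keep a local first-pass review in the loop rather than trusting patterns alone.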

    Applying these five strategies can be difficult, and they may require a shift in how U.S. companies view PII. But that could be a good thing, the panel agreed. “There is the mindset in the U.S. based on regulation and practice that we look at PII as an asset of a company,” said Paul Ambrosio, associate general counsel. “Perhaps that mindset should be put to the side a bit when focusing on the transfer of data from an EU perspective.”


    © 2017, ARMA International