Many of us would be forgiven if we admitted to being thoroughly fed up, even bored, by all the writings, webinars, podcasts and seminars on GDPR in particular, so I promise that this is not just another one. There are experts across the world far more versed in the nuts and bolts of GDPR than I am and as I say reams and reams have already been written. What I am interested in is a more general view of the topics in the title and specifically how they affect or could affect discovery and eDiscovery in SA.
Let us look at Data Protection initially, and in particular how we are affected in SA as far as discovery is concerned given the arrival of GDPR and the advent of Brexit and POPIA. It is easy for us in SA to dismiss GDPR and Brexit as having nothing to do with us but the reality is that they could have some relevance to cases in which SA law firms are involved. Any SA corporations or institutions that need to comply with GDPR will (hopefully!) have dealt with that by now and I do not intend to go into it. My starting point is the position of lawyers when taking instructions from their clients at the outset of a litigation, arbitration, competition matter or investigation. Obviously they enquire about the sources of data and documents and should also be asking if potential custodians use portable devices for business communications, but now they need to make further enquiries about their clients’ business. They will need to know if the client works with suppliers, customers or partners based in the EU or if any of its employees are EU citizens. If the client is a global corporation with a site in SA, then it will be essential to know if any data which resides on the company’s servers or infrastructure contains information about persons residing in the EU. For example, if the client has premises in Paris as well as Johannesburg then it may be that having access to HR records which include ALL personnel and not just SA staff is a potential breach if any of that information “loses” its privacy. As I said, I do not want to write a whole piece on GDPR as it is very well covered, for example in this article which I saw on Infology’s website and written by a very well known technology and eDiscovery expert in the USA, Tom O’Connor.
Before dealing with the SA eDiscovery aspect, a brief look at the situation vis-à-vis Brexit and GDPR. I made my views clear on Brexit some time ago so no need to re-visit that, but clearly Britain needed to do something very quickly in the light of the Brexit decision or otherwise it would not have embraced or been included in GDPR. This would have left us in the strange position, almost back to where we were years ago, whereby one European country would have different DP laws than another. Anyway, the Brits solved it by passing a new DP Act this year, The Data Protection Act 2018, which is the UK’s implementation of GDPR and therefore the UK is now in the same position as other countries in Europe as far as DP is concerned. This means that we can treat the UK in the same way and I read an article of interest by a UK shipping litigation law firm BDM, on this subject.
Of course, here in SA we have our own DP legislation, POPIA, allegedly ready for implementation this year. We need it, as the only laws preventing the drain of data from this country at the moment are GDPR and the UK’s DP Act 2018 which seems a little strange. It is expected that POPIA will also interpret its regulation around the principles of GDPR so we will be reading from the same page.
In my eDiscovery work in the UK I came across Data Protection many, many times, more often than not when US service providers and lawyers instructed me to collect and process data and documents relating to one of their global cases and the client had premises somewhere in the UK or other parts of Europe. It never ceased to amaze me how lightly the US took Data Protection and, to an extent, still does. You will see from the first article mentioned above that there is no right of privacy within the US Constitution or the Bill of Rights, unlike Europe where privacy is a fundamental right. This caused many difficulties when dealing with eDiscovery as the US clients wanted all data collected and shipped back to the US for processing and hosting or had us deal with it in the UK. The latter was better practice from a DP aspect as we were registered under DP laws as data processors and therefore were entitled and able to process data which may contain private information. The problems arose when the data was to be shipped back to the USA. Despite warnings from us about potential breaches, our US clients often ignored them and simply demanded the data. There were in place the ill-fated Safe Harbour principles, eventually brought down by Max Schrems in the landmark case in 2015, and it is very interesting to note that since the implementation of GDPR last month he has already filed suits against Google and Facebook for breaches, claiming damages of close to 4m euros each. If proved, they would also attract huge fines. You see, the problem is that whatever is done by lawyers and/or service providers, it is the corporate client who faces the heavy financial sanctions, which are based upon a percentage of turnover. Safe Harbour was replaced by the “Privacy Shield”, which was nothing other than Safe Harbour under a different name and still self-regulated!
The mistake made by many instances from the US was that they thought, armed with a Court Order from the US and a Safe Harbour or Privacy Shield certificate, they could remove any data they liked from within Europe. Nice idea but one which was often met by a Data Controller within the company in Europe telling them to take a course of action involving sex and travel!
Here in SA I have deep concerns about DP and Privacy for all of the reasons mentioned above, and POPIA even extends its reach beyond the rights of individuals to include entities. It isn’t and shouldn’t be a problem, if SA lawyers and service providers understand DP and Privacy and deal with it properly. Just think of all the cases and investigations in SA involving financial institutions in which, obviously, there is a great deal of information about individuals and removing or processing that information without consent would be the clearest breach. How is your SA client going to react when he is faced with a fine of millions of Rand because lawyers and service providers failed to advise and deal with DP correctly? Fortunately, there are ways of utilising some of the features of eDiscovery technology to materially assist in this but of course that is of little use unless eDiscovery technology is actually being used! Furthermore, it is of even less use if the service provider does not understand this and fails to advise and then act upon it. The big point about Data Protection as far as SA is concerned is that it provides an opportunity for eDiscovery providers and lawyers to insist that data remains in SA and is therefore processed and hosted here. Are we taking this opportunity in SA???
So, now we talk about the Cloud and how that affects eDiscovery, especially in relation to Data Protection. Undoubtedly the whole concept of cloud-based solutions has taken root and is expanding globally and I wholeheartedly applaud that concept. However, again, I have concerns as far as Data Protection is concerned and therefore, again, how eDiscovery is affected. Cloud installations offer excellent security and avoid the huge cost of infrastructure, making it a valuable concept for law firms, service providers and corporations alike. The question remains, however: where is the data hosted? I know of many excellent eDiscovery solutions which are cloud-based but the cloud installation is in the US and this will NOT be acceptable in the light of GDPR or, I suggest, POPIA. It is likely that if the cloud installation is European-based then, for example, POPIA will find that acceptable as it can be established that the data would be hosted in a privacy environment that is at least as well, if not better, regulated than SA through POPIA. It is still essential, in my view, to alert the end client to this so that they can make the decision about where their data will be hosted. So many cases here in SA involve parastatals. How do you think they would react to knowledge that their data is being hosted outside SA, whether it is in an area with good DP and privacy or not? I have been involved in numerous cases over the years whereby the end clients insisted on their data remaining in the country of origin or in some cases even in their own premises.
I hope that, by now, you can see my real concerns in SA over DP and Privacy and cloud based hosting and I am finding, more and more, that I am asked to comment and advise on these issues. Maybe that is because I prompt it, but it needs to be prompted by law firms and service providers alike. eDiscovery technology can help enormously once these issues have been canvassed properly with the end clients. I have said, many times, that the combination of DP and Privacy laws and eDiscovery being incorporated into our Uniform Rules will be a huge game changer for SA. Regular readers will know that I have worked tirelessly on having the Rules changed for 3 years now and we have been waiting for almost 18 months for an update from the Rules Board to no avail. I have had an article on eDiscovery in SA accepted by De Rebus and await its publication. My hope is that this will have the widest possible readership and will encourage more people and institutions to lobby for this crucial change.
As ever, do not hesitate to contact me for advice or assistance on this or other eDiscovery matters.