Managing International Legal Holds in the Era of Data Protection: Eight Practice Points
- Information governance
- 4 min read
Implementing legal holds quickly and effectively is key to maintaining defensibility during litigation and investigations. When a matter involves U.S. law, parties have a duty to preserve relevant information once litigation is reasonably anticipated. To maintain compliance, altering retention policies and sending legal hold notices to all potential custodians are crucial steps for avoiding future spoliation sanctions. To help parties understand their preservation duties, in 2010 and 2019 the Sedona Conference published commentaries providing guidance on legal holds covering triggers and process.
In the updated 2019 version, a new guideline directed organizations to be mindful of local data protection laws and regulations when initiating a legal hold and planning legal hold policy outside of U.S. borders. This prompted Sedona to create an international-focused commentary to help legal teams understand and navigate the complexities cross-border matters can bring, which is amplified by the current privacy landscape. Public comment closed at the end of this October on “The Sedona Conference Commentary on Managing International Legal Holds,” so it is important to monitor when the final version is published. It is unlikely that any changes would be significant, so now is the time for legal teams to start considering the practice points noted in the commentary.
Data Privacy Challenges
Implementing legal hold plans can decrease the risk associated with inadvertent spoliation and increase the chances of successful outcomes. A well-developed plan allows legal teams to better manage matter costs while decreasing the chances of lost data, time, or strategy advantages. With the rise in data and international transactions, more cases and investigations are involving parties and data located outside of U.S. borders. International legal holds, which arise when preservation obligations cross international borders, can present unique obstacles leading to matter delays and increased expenditures. The biggest challenge is when preservation conflicts with restrictive international data protection laws.
For example, the General Data Protection Regulation (GDPR) contains binding principles applying to data preservation. The law directs data controllers to conduct processing activities involving personal information with lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability. GDPR articles five and six contain more detail on these obligations. If counsel does not consider such requirements during a case or investigation involving both the U.S. and an EU member state, then penalties may result for unlawful processing activities. Several other nations have also followed suit and implemented similar protections and requirements in their data privacy regulations.
The commentary mainly focuses on how U.S. preservation duties interact with GDPR requirements. Since the majority of updated international data protection laws are based on the GDPR to some degree, the framework is meant to apply in situations involving other nations as well. The commentary suggests that practitioners should review and consider the following eight practice points for managing international legal holds.
- Determine Whether the Preservation of Personal Data Is Necessary, and Then Determine Whether a Data Protection Law Applies: In many instances, preservable information will contain personal identifiers. If the data controller is subject to the GDPR or other international regulation, then the team needs to perform a deeper analysis to remain compliant.
- Apply the Data Protection Law’s Guiding Principles for Processing Personal Information to Every Preservation Step or Process: Failure to take any binding data protection principles into account can result in penalties and cause delays. Counsel should implement extra protection measures mandated by international law to avoid negative outcomes. Also, do not forget to consider obligations relating to transfers of personal data across borders.
- Document the Lawful Basis for Preservation and Preservation Steps Taken Thereafter: This is a requirement under the GDPR that will help maintain defensibility. Documentation should start as soon as a legal hold is triggered.
- Take Steps to Minimize the Scope of Preserved Information: Data minimization is meant to promote consumer privacy interests by limiting processing and use to only what is absolutely necessary. This is manifesting as a focus in many new laws, so it is crucial to advance this principle when determining which data is subject to a legal hold. A best practice is diving deeper into the information a custodian has and limiting the legal hold language to relevant documents.
- Consider Involving Data Protection Officers, Supervisory Authorities, or Work Councils: Keep in mind that this will be dependent on the specific circumstances and issues pertaining to a matter.
- Communicate Clearly with Data Subjects, Advising What Materials the Organization is Preserving, and What Steps Will be Taken as to Personal Information: Communication and transparency are key to maintain compliance with both legal hold and data protection requirements. The GDPR mandates preservation notice to data subjects.
- Make Sure Legal Hold Notices are Translated in Accordance with Local Law: When local law requires translation for business communications, it is best to interpret legal holds under this umbrella. Translation also aligns with the goal of being transparent during preservation and data processing activities.
- Reevaluate and Release Legal Holds and Dispose of Information When No Longer Needed: If the scope changes, counsel should release information no longer needed. This promotes the principles of data minimization, purpose limitation, and storage limitation. It will also help teams focus on the most important information and better control costs.
Teams encountering international legal holds should consider integrating the above practice points in their legal hold programs. This is a good opportunity to partner with a consultant possessing deep experience in shaping, implementing, and managing data to ensure legal hold readiness. This will require the right strategies, expertise, and software. A partner that also has detailed knowledge and practice with data protection regulations such as the GDPR will be key to maintaining compliance, bringing clarity to the process, and offering confidence of reliable advanced planning.
If you enjoyed this blog, consider reading New Sedona Commentary Tells Us Protecting Privilege Can be Easy with Rule 502(d) Orders.