Tag:GDPR

1
e-DAT Practice Group Partner to Attend Upcoming ABA Program and Master’s Conference in Europe on E-Discovery and Data Privacy
2
Bumps in the Road for a US Adequacy Decision Under GDPR
3
Will 2023 Be the Year When the United States Receives an Adequacy Decision under GDPR from the European Union?
4
AnywhereCommerce, Inc. v. Ingenico, Inc. (D. Mass. 2021)

e-DAT Practice Group Partner to Attend Upcoming ABA Program and Master’s Conference in Europe on E-Discovery and Data Privacy

Daniel Miller, a partner of the K&L Gates e-Discovery Analysis & Technology (“e-DAT”) Group and the firm’s Pittsburgh office, will attend this week’s ABA Cross-Border Institute in Paris. Daniel will also participate on a panel discussion at next week’s Master’s Conference in London.

Read More

Bumps in the Road for a US Adequacy Decision Under GDPR

As discussed in a prior post on this blog, electronic discovery that requires the processing and use of records and information that includes the personal data of individuals residing in the and the European Economic Area (“EEA”) must often incorporate measures to allow for compliance with the European Union’s General Data Protection Regulation (“GDPR”), which contains a number of requirements and limitations regarding the processing of such personal data and its transfer to countries outside the EEA.

Read More

Will 2023 Be the Year When the United States Receives an Adequacy Decision under GDPR from the European Union?

Electronic discovery for legal matters within the United States often involves preserving, collecting, processing, reviewing, and producing data that concern individuals living outside the United States. In some of these situations, the data privacy laws of jurisdictions outside the United States can complicate electronic discovery to be performed in the United States. Perhaps the most well-known data privacy law is the European Union’s General Data Protection Regulation (“GDPR”), which outlines requirements related to the processing of the personal data of individuals residing in the and the European Economic Area (“EEA”) and addresses the transfer of data outside the EEA.

Article 45 of GDPR forbids the transfer of the personal data of EEA residents (described as “data subjects”) to any country outside of the EEA unless (i) the EU determines that the country’s legal privacy frameworks and practices ensure an adequate level of protection for data subjects’ personal data (termed an “adequacy decision”), or (ii) one or more safeguards deemed appropriate by the EU are imposed on the cross-border data transfer. Accordingly, transfers of personal data of EEA residents to a country outside the EEA that lacks an adequacy decision must rely on such safeguards (or, alternatively, a derogation defined by Article 49 of GDPR). These safeguards can include use of data processing agreements that contain standard contractual clauses, binding corporate rules that address data privacy and protection concerns, and/or binding and enforceable commitments by the data controller or processor located in the country to which the data are being transferred.

Some legal matters requiring cross-border data transfer to the United States may not clearly fit within one of Article 49’s derogations, which may prompt the need to employ such a safeguard to accommodate the data transfer because the United States does not currently have an adequacy decision from the EU. However, such an adequacy decision may soon exist. On December 13, 2022, the European Commission published a draft adequacy decision for the United States, based largely on a new United States executive order that commits to changes to its foreign intelligence agencies’ access to personal data and the creation of a new system through which EU data subjects can seek redress for the infringement of their data privacy rights in the United States. This draft adequacy decision will now receive review and feedback from the European Data Protection Board, the Council of the European Union, and the European Parliament before its possible implementation.

With a GDPR adequacy decision possible for the United States by the summer of 2023, legal practitioners in the United States can consider how data transfer and review workflows in some circumstances could be streamlined in the wake of such an adequacy decision. The European Commission’s draft adequacy decision is available at https://commission.europa.eu/document/download/e5a39b3c-6e7c-4c89-9dc7-016d719e3d12_en?filename=Draft%20adequacy%20decision%20on%20EU-US%20Data%20Privacy%20Framework_0.pdf.

AnywhereCommerce, Inc. v. Ingenico, Inc. (D. Mass. 2021)

Key Insight: The court granted reconsideration of plaintiffs’ motion to compel discovery of documents in the possession of a corporate defendant in France. In a prior order, the court found that the GDPR did not preclude the court from ordering defendants to produce evidence, but based the order on plaintiffs’ representation that much of the requested information was located in the U.S. and therefore in the possession of domestic defendants. Thus, the court bifurcated its analysis to exclude any documents in the possession of French defendants. On reconsideration, plaintiffs claimed the important and relevant documents were located in France. Applying the factors from Restatement (Third) of Foreign Relations Law § 442(1)(c), the court found they weighed in favor of disclosure, together with the entry of a protective order that would protect France’s interests under the GDPR.

Nature of Case: Breach of contract

Electronic Data Involved: ESI generally

Case Summary

Copyright © 2022, K&L Gates LLP. All Rights Reserved.