The last few weeks have been an interesting time for practitioners of ediscovery in the UK. The result of the referendum to leave the European Union (EU) has resulted in a fair degree of turbulence in the markets and within the main political parties. As one would expect, there has been much commentary on the possible ramifications of what is being called “Brexit” and what impact this will have for those in ediscovery who are closely linked to financial and legal industries across Europe. Some of the commentary has been enlightening, but much of it has been focused on the negative aspects associated with venturing into uncharted waters. Instead of focusing on the negative, I want to discuss how this ruling will affect the industry and what it means for the future.
What’s the path for leaving the EU?
This feeling of negativity and unease is understandable as there is no real precedent for a country leaving the EU. Much of the current debate has been focused on interpreting the current rules and attempting to predict how and when the new Conservative government will extricate the UK from the EU. Article 50 of the Lisbon Treaty dictates that, “Any Member State may decide to withdraw from the Union in accordance with its own constitutional requirements.” The timeframe for leaving the UK is two years from when Article 50 is formally invoked, however, some commentators have already suggested that it could be as late as 2022 until the UK formally leaves the EU, not including the possibility of numerous legal challenges which could further delay the process.
Until a plan is in place there is inevitably going to be a degree of positioning (and posturing) from both the UK government and the remaining EU members, who will naturally seek to get the best deal possible for their countries. This political uncertainty will have an impact on many corporations’ attitudes toward risk, and so it is important to keep these points in mind when thinking about this issue:
- Look to firms who have a history of being innovative and quick to react to the changing markets. These firms are more likely to have a positive attitude and help you mitigate risk.
- Being able to budget, scope, and deliver ediscovery services when having access only to very little information is normal in our ever changing and evolving marketplace.
Managing Data Protection
It is important to keep an objective eye on the shifting landscape and remain proactive when it comes to helping shape our industry going forward. One of the immediate issues that will need to be addressed is what implications Brexit has on data protection. The responsibility to safeguard and make available any data held on an individual has been a key challenge for corporations and law firms, and an area where the law is reasonably clear. However, the practical application is usually less clear. In litigious or regulatory matters, when tasked with assessing and collecting data from a company or individual, the preferred approach is to have the data brought to a central location to be analysed in a single repository. This consolidation of the data sources not only saves time and costs, but also leads to efficiencies when reviewing data which is duplicative. However, this is not often possible as there are many hurdles to overcome when trying to negotiate the various EU data in-country laws and powers of the data controllers. That said, ediscovery is a pragmatic discipline, so if centralizing is not possible then we will defer to counsel and implement a backup plan such as building a mobile processing and review platform to allow the data to be analysed in-country. Whilst this might seem like a reactive and inefficient solution, it gives a degree of flexibility and timeliness to the requirement.
Safe Harbor and Privacy Shield
Whilst there was significant discussion concerning the collapse of Safe Harbor in 2015, given the strict privacy concerns relating to an individual’s data, the default position has been to refrain from sending data from the EU to the US. Most US law firms have a London/European office and are more than capable of either carrying out in-country review themselves or instructing one of the document review suppliers in the EU. Again, an inelegant solution, but more pragmatic and repeatable than trying to navigate complex individual country rules on data protection!
Despite the recent adoption of the Privacy Shield data transfer agreement between the EU and the US (which looks to replace the previous perceived protection of Safe Harbor with more rigorous controls), we expect little to change in that we will continue to process and host data within the EU, and will only transfer data to the US on litigious or regulatory matters with the explicit consent from the client, the custodians, and after seeking legal counsel. Post Brexit, this position may change, a likely trade agreement between the UK and US may well involve a more practical approach to data protection which could see a separate agreement put in place to safeguard data transfers between these two countries.
General Data Protection Regulation
In the interim there are plans to redress the current data transfer and management situation via the General Data Protection Regulation. This piece of EU regulation aims to bring together the various rules on EU data protection ostensibly to give EU citizens better control of the data organisations hold on them. The primary aim is to eliminate the current confusing country-specific variance from the overall EU regulation. UK firms would have been expected to have implemented the GDPR by May 2018, and whilst this was a potentially onerous and costly change for UK firms, it was generally seen as being a positive move. Brexit aside, the GDPR will likely (for a short time at least), become law in the UK. However, there is a distinct possibility that the UK will seek to devise its own data protection rules which will not only comply and complement the GDPR, but also reflect the desire to deal with countries outside of the EU. It will be imperative that the UK maintains robust controls over how an individual’s data is managed, irrespective of where the data originated. Given that UK legal and financial institutions are generally accepted to be robust and transparent, there are some who foresee a future where the UK could become a clearing house (much like it already is for clearing the EU currency) except for managing data from various countries.
Trying to deal with current cases and plan for the future at a time of economic and political uncertainty is always a challenge. Clients should look for a provider that will not only provide solutions to current problems, but also provide a more consultative service to help share the burden of change in the sector. Whenever there has been a great leap forward in technological innovation and regulatory change, there has usually been the spectre of chaos lingering in the background ready to prey on the unprepared or uninformed.
Whilst the ediscovery industry has continued to change and evolve since inception, we have to be vigilant, transparent, embracing of new technology, professionally sceptical, and, most of all, we need to be able to react to adversity with a positive outlook and thereby hopefully avoid making an already complex situation worse.