top of page

Don’t Let EU Privacy Rules Trip You Up in EDiscovery

Cross-border eDiscovery today is a complex process filled with landmines, specifically when grappling with international data privacy laws in the EU.

From 2000 to 2015, the US-EU Safe Harbor Agreement made it easier for EU companies to transfer personal data to companies in the US, as long as the US companies adhered to certain data privacy principles. Since its invalidation last October, organizations have been scrambling to ensure their personal data transfers are compliant and prepare for its replacement: the Privacy Shield. Many consider the Privacy Shield to be a different name for the same thing, but in reality, the new requirements call for stronger monitoring and enforcement by the US Department of Commerce and the Federal Trade Commission, both of which will assist European data protection authorities in addressing complaints by EU citizens – meaning even more regulatory burdens on US businesses.

With the Privacy Shield agreement still pending approval from member countries, US organizations remain in a murky transitional period, spending time, money, and resources in order to avoid legal issues. In December of last year, the EU issued new directives backed by heavy monetary fines, which have left thousands of US internet companies — like Facebook, Google, and Amazon —  in turmoil about how they collect, store, and use EU customer data. The provisions include: separate storage of EU citizens’ data, mandatory disclosure of data breaches, parental permission for children under 16 to join social networks, and the right of EU citizens to delete accounts and be completely “forgotten” by data collectors. Failure to comply with such regulations will not only lead to lawsuits, but a maximum monetary fine of 4 percent of a company’s global revenue. Based on Facebook’s projected revenue for 2016, that would be a $100 million penalty if Facebook slipped up when collecting or storing EU citizens’ data!

While we wait to see how the Privacy Shield will affect global eDiscovery, many organizations are left wondering what they can do to stay compliant. Bloomberg Law offers 4 main guidelines for information governance when working with cross-border eDiscovery:

  1. Know your data: Knowing what kind of data you have and where it is will allow you to expedite searches for pertinent information and will also demonstrate a need to invest in processing tools that can handle data stored in unusual formats.

  2. Make inroads with the local data protection authority: Research the rules specific to each geographic location and determine ways to establish broad compliance across various business units.

  3. Choose state-of-the-art review tools: The better the review tool, the more efficient and defensible the results will be. Risk-conscious organizations are investing in legal technology that will help them remain compliant with data privacy laws and reduce the chance of inadvertently leaking sensitive information, particularly in international litigation. Blackout, for example, is an automated redaction application for Relativity that automatically redacts sensitive words, phrases, and patterns (SSNs, credit card numbers, etc.) from case documents, preventing accidental disclosure while significantly reducing costs.

  4. Think globally, but act locally: It’s generally much safer to avoid taking data off-site for eDiscovery, potentially triggering data privacy laws. Find an eDiscovery vendor that offers on-site support, as well as regulatory experience, language fluency, and industry expertise.

All in all, organizations are currently facing an extremely complex and messy cross-border eDiscovery process. As we bid goodbye to the Safe Harbor Agreement and anticipate the Privacy Shield taking effect, it is more crucial than ever to look to strategies and tools to ensure compliance with global data protection laws without breaking the bank.

To learn more about how automated redaction can help you stay compliant, contact



bottom of page