Lighthouse Blog

Read the latest insights from industry experts on the rapidly evolving legal and technology landscapes with topics including strategic and technology-driven approaches to eDiscovery, innovation in artificial intelligence and analytics, modern data challenges, and more.

Blog

Worldwide Data Privacy Update

It was a tumultuous summer in the world of data privacy, so I wanted to keep legal and compliance teams updated on changes that may affect your business in the coming months. Below is a recap of important data privacy changes across multiple jurisdictions, as well as where to go to dive into these updates a little deeper. Keep in mind that some of these changes may mean heightened responsibilities for companies related to breach requirements and/or data subject rights.

U.S.

On September 17th, four U.S. Republican senators introduced the “Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act” (SAFE DATA). The Act is intended to provide Americans “with more choice and control over their data and direct businesses to be more transparent and accountable for their data practices.” The Act contains data privacy elements that are reminiscent of the GDPR and California Consumer Privacy Act (CCPA) of 2018, including requiring tech companies to provide users with notice of privacy policies, giving consumers the ability to opt in and out of the collection of personal information, and requiring businesses to allow consumers the ability to access, correct, or delete their personal data. See the press release issued by the U.S. Senate Committee on Commerce, Science and Transportation here: https://www.commerce.senate.gov/2020/9/wicker-thune-fischer-blackburn-introduce-consumer-data-privacy-legislation

California’s Proposition 24 (the “California Privacy Rights Act of 2020”) will be on the state ballot this November. In some ways, the Act expands upon the CCPA by creating a California Privacy Protection Agency and tripling fines for collecting and selling children’s private information. Proponents say it will enhance data privacy rights for California citizens and give them more control over their own data. Opponents are concerned that it will result in a “pay for privacy” scheme, where large corporations can downgrade services unless consumers pay a fee to protect their own personal data. See: https://www.sos.ca.gov/elections/ballot-measures/qualified-ballot-measures for access to the proposed Act.

In mid-August, the Virginia Legislative Commission initiated study commissions to begin evaluating elements of the proposed Virginia Privacy Act, which would impose similar data privacy responsibilities on companies operating within Virginia as the GDPR does for those in Europe and the CCPA does for those in California. To access the proposed Act, see: https://lis.virginia.gov/cgi-bin/legp604.exe?201+sum+HB473.

Europe

On September 8, Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) concluded that the Swiss-US Privacy Shield does not provide an adequate level of protection for data transfers from Switzerland to the US. The statement came via a position paper issued after the Commissioner’s annual assessment of the Swiss-US Privacy Shield regime, and was based on the Court of Justice of the European Union (CJEU) invalidation of the EU-US Privacy Shield. You can find more about the FDPIC position paper here: https://www.edoeb.admin.ch/edoeb/de/home/kurzmeldungen/nsb_mm.msg-id-80318.html

Similarly, Ireland’s data protection commissioner issued a preliminary order to Facebook to stop sending data transfers from EU users to the U.S., based on the CJEU’s language in the Schrems II decision which invalidated the EU-US Privacy Shield. In response, Facebook has threatened to halt Facebook and Instagram services in the EU. Check out the Wall Street Journal’s reporting on the preliminary order issued by the Ireland Data Protection Commission here: https://www.wsj.com/articles/ireland-to-order-facebook-to-stop-sending-user-data-to-u-s-11599671980. For Facebook’s response filing in Ireland, see: https://www.dropbox.com/s/yngcdv99irbm5sr/Facebook%20DPC%20filing%20Sept%202020-rotated.pdf?dl=0

Relatedly, in the wake of the Schrems II judgment, the European Data Protection Board has also created a task force to look into 101 complaints filed with several data controllers in EEA member states related to Google/Facebook transfers of personal data into the United States. See the EDPB’s statement here: https://edpb.europa.eu/news/news/2020/european-data-protection-board-thirty-seventh-plenary-session-guidelines-controller_en

Brazil

In September, the new Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais or LGPD) became retroactively effective after the end of a 15-business-day period imposed by the Brazilian Constitution. This was a surprising turn of events after the Brazilian Senate rejected a temporary provisional measure on August 26th that would have delayed the effective date to the summer of 2021. Companies should be aware that the law is similar to the GDPR in that it is extraterritorial and bestows enhanced privacy rights on individuals (including right to access and right to know). Be aware, too, that although administrative enforcement will not begin until August of 2021, Brazilian citizens now have a private right of action against organizations that violate data subjects’ privacy rights under the new law. For more information, check out the LGPD site (which can be translated via Google Chrome) with helpful guides and tips, as well as links to the original law: https://www.lgpdbrasil.com.br/. The National Law Review also has a good overview of the sequence of events that led up to this change here: https://www.natlawreview.com/article/brazil-s-data-protection-law-will-be-effective-after-all-enforcement-provisions.

Egypt

In June, Egypt passed the Egyptian Data Protection Law (DPL), which is the first law of its kind in that country and aims to protect the personal data of Egyptian citizens and EU citizens in Egypt. The law prohibits businesses from collecting, processing, or disclosing personal information without permission from the data subject. It also prohibits the transfer of personal data to a foreign country without a license from Egypt. See the International Association of Privacy Professionals’ reporting on the law here: https://iapp.org/news/a/egypt-passes-first-data-protection-law/

To discuss this topic further, please feel free to reach out to me at SMoran@lighthouseglobal.com.

Author: Sarah Moran
Data Privacy
Blog

Trends Analysis: New Sources of Evidentiary Data in Employment Disputes

Below is a copy of a featured article written by Denisa Luchian for The Lawyer.com that features Lighthouse's John Shaw.

A highlight of the challenges arising from the increased use of collaboration and messaging tools by employees in remote-work environments.

Our “top trends” series was born out of a desire to help in-house lawyers with their horizon scanning and with assessing the potential risks heading their way. Each post focuses on a specific area, providing companies and their lawyers with quick summaries of some of the challenges heading their way.

Our latest piece in the series looks at the top 3 trends in-house lawyers should take notice of in the area of employment disputes, and was carefully curated by one of our experts – Lighthouse director of business development John Shaw.

The Covid-19 pandemic has affected every sector of law and litigation, and employment law is certainly no exception. From navigating an ever-changing web of COVID-19 compensation regulations, to ensuring workplaces are compliant with shifting government health guidelines – the last six months have been chaotic for most employers. But as we all begin to regain our footing in this “new normal”, there is another COVID-19-related challenge that employers should be wary of: the increased use of collaboration and messaging tools by employees in remote-work environments.

This past spring, cloud-based collaboration tools like Slack and Microsoft’s Teams reported record levels of utilisation as companies around the world were forced to jettison physical offices to keep employees safe and comply with government advice. Collaboration tools can be critical assets to keep businesses running in a remote work environment but employers should be aware of the risks and challenges the data generated from these sources can pose from an employment and compliance perspective.

Intermingling of personal and work-related data over chat

As most everyone has noticed by now, working remotely during a pandemic can blur the line between “work life” and “home life.” Employees may be replying to work chat messages on their phone while simultaneously supervising their child’s remote classroom, or participating in a video conference while their dog chases the postman in the background. Collaboration and chat messaging tools can blur this line even further. Use of chat messaging tools is at an all-time high as employees who lost the ability to catch up with co-workers at the office coffee station transition these types of casual conversation to work-based messaging tools. These tools also make it easy for employees to casually share non-work related pictures, gifs, and memes with co-workers directly from their mobile phone.

The blurring line between home and work, as well as the increased use of work chat messaging can also lead to the adoption of more casual written language among employees. Most chat and collaboration tools have emojis built into their functionality, which only furthers this tendency. Without the benefit of facial expressions and social cues, interpretation of this more casual written communication style can vary greatly depending on age, context, or culture.

All of this means that personal, non-work related conversations with a higher potential for misinterpretation or dispute are now being generated over employer-sanctioned tools and possibly retained by the company for years, becoming a part of the company’s digital footprint.

Evidence gathering challenges

Employers should expect that much of the data and evidence needed in future employment disputes and investigations may originate from these new types of data sources. Searching for and collecting data from cloud-based collaboration tools can be a more complicated process than traditional searching of an employee’s email or laptop. Moreover, the actual evidence employers will be searching for may look different when coming from these data sources and require additional steps to make it reviewable. Rather than using search terms to examine an employee’s email for evidence of bad intent, employers may now be examining the employee’s emoji use or reactions to chat comments on Teams or Slack.

Evidence for wage and hour disputes may also look a bit different in a completely remote environment. When employees report to a physical office, employers can traditionally look to data from building security or log-in/out times from office-based systems to verify the hours an employee worked. In a remote environment, gathering this type of evidence may be a bit more complex and involve collecting audit logs and data from a variety of different platforms and systems, including collaboration and chat tools. A company’s IT team or eDiscovery vendor will need to understand the underlying architecture of these tools and ensure they have the capacity to search, collect, and understand the data generated from them.

Employer best practices

Employers should consider implementing an employee policy around the use of collaboration tools and chat functionality, as well as a comprehensive data retention schedule that accounts for the data generated from these tools. Keep these plans updated and adjust as needed. Ensure IT teams or vendors know where data generated by employees from these new data sources is stored, and that they have the ability to access, search, and collect that data in the event of an employment dispute.
Chat and Collaboration Data
Microsoft 365
Blog

Cloud Based Collaboration Tools are not Just Desirable, but Necessary for Keeping Workforces Productive

Below is a copy of a featured article written by Denisa Luchian for The Lawyer.com, where she interviews Lighthouse's Matt Bicknell.

Lighthouse business development director EMEA Matt Bicknell talks to The Lawyer about how in today’s remote environment, cloud based collaboration tools are not just desirable but a necessity – but also the challenges they pose for eDiscovery processes.

What is the driving force behind the massive migration to cloud-based environments over the last few years?

There are a few factors at play here. Prior to the Covid-19 pandemic, companies were already moving their data to the Cloud (both public and private) in droves, in order to take advantage of unlimited data capacities and drastically lower IT overhead. The move to the Cloud is also being driven by a younger workforce that feels at home working with cloud-based chat and collaboration tools, like M365 or G-Suite. However, the worldwide shift to remote work due to the pandemic really broke the dam when it comes to cloud migration. We’ve seen a seismic shift to cloud-based tools and environments since March of 2020. In a completely remote environment, cloud-based collaboration tools are not just desirable, they are necessary to keep workforces productive. Migrating to the Cloud can greatly reduce the need for workers to be physically present in an office building.

What are some of the challenges that cloud migration can pose to the eDiscovery process?

Unlimited storage capacity at low cost can be a great thing for an organisation’s bottom line, but can definitely cause issues when it comes time to find and collect data that is needed for a litigation or investigation. Search functions built for cloud-based tools are often built for business use, rather than for the functionality that legal and compliance teams require in order to find relevant information. In addition, collecting and producing from collaboration tools like Teams or Slack can be much more complicated than a traditional email collection. Relevant communications that previously would have happened over email now happen over chat, through emoticon reactions, or through collaboratively editing a document. All of this relevant data may be stored in several different places, in a variety of formats within the Cloud. Even attachments are handled differently in cloud-based applications – instead of sending a static document as an attachment via email, Teams defaults to sending a link to the document in Teams. This means that the document could look significantly different at the time of collection than it did when the link was sent. Collecting from those types of sources, producing them in a format that makes sense to a reviewer/opposing counsel, and accounting for all the dynamic variables can be a difficult hurdle to overcome if the organisation hasn’t planned for it.

How can companies prepare for eDiscovery challenges in a cloud environment?

First, make sure compliance, legal and IT all have a seat at the table and have input into decisions that may affect their workflows and processes. Understand where your data resides and have effective retention, data governance, and compliance policies in place. Your policies should spell out which cloud-based applications employees may use and also have rules in place regarding how they can be used and where work product should be stored. Understand your legal hold policy and what type of data it encompasses. Make sure you have the right talent (either within your organisation or through a vendor) who understands the underlying architecture behind Teams, G-Suite, or any other cloud-based tool your organisation uses and also knows how to collect relevant information when needed. Ensure that your IT team or vendor has a system in place to monitor application and system updates. Cloud-based updates can roll out on a weekly basis; those changes may significantly impact the efficacy of your data retention and collection policies and workflows.

As cloud technology continues to evolve, what does the future hold for eDiscovery?

Because of the near endless storage capacity of the Cloud, the amount of data companies generate will just continue to exponentially expand. As a result, the technology behind AI and analytics will continue to improve, and those tools will eventually be less of an option to use in certain matters and more of a necessity to use for most matters. I also think as more companies feel comfortable moving their data to the Cloud, we will start to see more and more of these companies bring their eDiscovery programs in house. Vendors are already beginning to offer subscription-based, self-service, spectra eDiscovery programs which hand over the eDiscovery reins to the organisation, while the vendor stores and manages the data in the Cloud (both public and private). This type of service allows companies to eliminate the middleman, control their own eDiscovery costs, and easily scale up or down to meet their own needs, while leaving the burden of data storage security and maintenance with the vendor. Finally, look for vendors to start offering subscription-based services to help organisations manage the near-constant stream of application and system updates for cloud-based services.
Microsoft 365
Chat and Collaboration Data
Information Governance
Blog

Automation of In-House Legal Tasks: How and Where to Begin

Legal operations departments aim to support the delivery of legal services in an efficient manner. To that end, resource management and solving problems through technology are core responsibilities of the department. But the tasks of a legal department vary from answering legal phone calls, filing patents, reviewing and approving contracts, and litigating, just to name a few. With such a varied workload, what to automate can be difficult to identify. To help, I have put together a brief overview of where to start.

Step 1: Identification

Start by identifying the tasks that are repetitive. One of the best ways I have found to do this is to set up a quick 15-minute discussion with 3-5 representatives from different functional areas of your legal team, and from different levels (e.g. individual contributor, manager, function head). In that meeting, ask them one or all of the following questions:

- What tasks do you wish your team no longer had to do?
- What tasks do you want to be replaced by robots in the future?
- What tasks are low value but your team still spends a lot of time on?

You should not spend too much time here – the goal is to identify a pretty quick list that is top of mind for people. From these interviews, create a list for further vetting. Just in case you come up empty-handed or aren’t able to get time with people within legal, here is a list of items that are commonly automated and we would expect to come up:

Contract Automation
- Self service retrieval of boilerplate contracts (e.g., NDAs)
- Self service building common contracts (e.g., clause selection for vendor contracts, developer agreements)
- Request for review, negotiation, and signature of other contracts

Legal Team Approvals
- Marketing document approvals
- Budget approval for any legal team spend

Legal Assistance Requests (Intake)
- Legal research request
- Legal advice on an issue needed
- Need for outside counsel

Patent Management
- Alerts for filing and renewal deadlines
- Automatically manage workflow for submissions

Select one or two items from your list and then validate them with your boss and/or general counsel. You want to understand whether others agree on the impact automation will make and identify any potential concerns.

Step 2: Build vs. Buy

Whether to purchase third-party software or build your own internally is always a good question to start with. Building your own tool gives you exactly what you want with, oftentimes, very little need to change your process. But it is more resource-intensive both for the build and the maintenance. Buying off-the-shelf software limits you to what’s commercially available but it takes all the load off your development resources.

For some, build or buy may be an easy question as they may not have access to development resources. For others, they may not have any budget for an external tool and/or may be required to use internal teams. For most, however, they fall in the middle and have some access to resources and some budget (but usually not enough of either – that’s a whole other topic).

If you fall into this latter category, you will have to analyze your options. Your organizational culture will dictate what depth of analysis is needed. Regardless of the level of detail, the process is the same. The easiest place to start is by surveying what is commercially available. Even if you decide to build, knowing what software is out there, what features are available, and the general costs is helpful. Next, it is helpful to get an approximate cost of the build and maintenance if done internally. This can be a rough order of magnitude based on estimates from other internal tools developed or can be a more detailed estimate developed with the engineering team. Once you have the costs, you will want to add some information about the pros and cons of each solution – e.g., time to build and implement, technology dependencies (if known), other considerations (e.g., we are moving to the cloud in 6 months and we don’t know impact). Once you have this analysis, you can put forth a recommendation to your boss and whomever else is required to decide on how to proceed.

Step 3: Design

Now that you have a decision, you can move on to design. This is the most critical stage as this is where you are determining exactly what results your automation will produce. The first thing to do here is to map out your current internal process including who does what. You want to make sure you have a representative of each group take a look at the process diagram and validate it.

Once you have the process in place, you’re ready to work with the development team. If you are buying a solution for automation, you should be working closely with the software provider’s onboarding team to overlay your current process with the capabilities of the software. You will want to note where the software does not support your process and where changes will need to be made. If you adjust your process, be sure to involve the same representatives that helped with the initial diagram to provide feedback on any proposed changes in the process.

If you are building the solution, you will meet with your internal product resource. This person (or people) will want to understand the process diagram and may even want to watch people go through the process so they can understand user behavior. They will then likely convert your diagram into user stories that developers will develop against. Make sure to be as specific as possible in this process. This resource will be the one representing your voice with the developers so you want them to really understand the nuances of the process.

Expect some iteration back and forth during this stage and although I have simplified it here, this will be a long stage and the most important.

Step 4: Implementation

The final stage of the process is implementation. Start with a pilot of the automation. Either select a small use case or a small group of users and validate that your automation functions as planned. During this pilot project, it is really helpful to have resources from your software providers or from the development team readily available to make changes and help answer questions. During this pilot, you should also keep track of how the automation is performing versus your expectations. For example, if you expected it to save time, create a way to track the time it saves and report on that metric.

After a successful pilot and necessary refinement, you can move on to your full rollout. Create a plan that includes the deployment of the technology, training, feedback, and adjustment. Make sure to also identify the longer-term maintenance strategy that includes continuing to gather feedback and ways to improve the automation over time.

There are lots of great publications that go into further detail about each of the steps above, but hopefully this points you in the right direction. Once deployed, automation can be a very powerful tool that augments your team without adding additional FTEs.

To discuss this topic more, please feel free to reach out to me at DJones@lighthouseglobal.com.
Legal Operations
AI and Analytics
Blog

Now Live! Season Five of Law & Candor

We are thrilled to announce the one-year anniversary of our Law & Candor podcast. One year, five seasons, and 30 episodes later, we are still here and wholly devoted to pursuing the legal technology revolution. Click the image to listen to season five now or scroll down for more details.

Co-hosts Bill Mariano and Rob Hellewell are back for season five of Law & Candor with six easily digestible episodes that cover a range of hot topics from cloud migrations to managing DSARs. This dynamic duo, alongside industry experts, discuss the latest topics and trends within the eDiscovery, compliance, and information governance space as well as share key tips for you and your team to take away. Check out the latest season's line-up below:

- Achieving Information Governance Through a Transformative Cloud Migration
- Scaling Your eDiscovery Program: Self Service to Full Service
- Leveraging AI and Analytics to Detect Privilege
- Effective Strategies for Managing DSARs
- Facilitating a Smooth and Successful Large Review Project with Advanced Analytics
- Top Microsoft 365 Features to Leverage in Your eDiscovery Program

Episodes are created to be short and bingeable so that you can listen on the platform of your choice with ease. Check them out now or bookmark them to listen to later. Follow Law & Candor on Twitter to get the latest updates and join the conversation.

Catch up on past seasons by clicking the links below:

- Season 1
- Season 2
- Season 3
- Season 4
- Special Edition: Impacts of COVID-19

For questions regarding this podcast and its content, please reach out to us at info@lighthouseglobal.com.
eDiscovery and Review
Blog

Google Drive: What Happened to Our Date?

Like most cloud-based productivity platforms, Google offers solutions for both home and business environments. Free-for-personal-use applications such as Gmail, Google Docs, and Google Drive deliver a rich set of communication and Office-like functionality that has near feature parity with their commercial corporate-focused G Suite counterparts. From the perspective of evidence acquisition in the civil arena, we find a significant number of organizations bypassing the conventional Microsoft stack in favor of G Suite. These organizations tend to operate in the technology space including biotech, electronics, engineering, and all flavors of “garage” startups.

While cloud platforms enable a limitless world of collaboration and information storage, they also introduce an alternative set of metadata that can trip up seasoned examiners and eDiscovery practitioners. This can be particularly problematic for metadata dates. Historically, determining the date of a file that moved between computers is quite simple; however, arriving at the “best” date for any given piece of cloud evidence can be a subjective exercise and is limited to metadata exposed and potentially altered by the cloud platform. In the following post, I’ll dive into how this issue arises so that practitioners and analysts can use the most accurate evidence date for their eDiscovery needs.

A “document” in Google Docs is simply a set of records and field values stored in a database. This departs from the traditional concept of a document being contained in a stand-alone file on your computer’s desktop. Currently, to be reviewed alongside traditional ESI, a Google Doc (i.e., a spreadsheet or presentation) must be pulled from Google’s database, converted into a traditional document file, and downloaded for processing and review.

Thus, the handling of dates can become an issue for documents within G Suite. If a Microsoft (MS) Excel document is created by a user on their laptop, uploaded to Google Drive, edited in place, and then later downloaded for eDiscovery purposes, what is the document’s date? A typical MS Office (Excel, Word, PowerPoint, etc.) document has three dates assigned by the file system (think: my laptop’s hard drive): Created, Modified, and Accessed. It also has up to three dates “embedded” inside the file itself: Created, Modified, and Last Printed. What happens when the Excel file makes a round trip to Google and back? With so many dates to choose from, it’s tough to pick just one!

Before the upload to Google Drive, here are the file system dates for our MS Excel document. Notice that the file system is telling us the document was created on June 30, 2020, at 11:33 AM.

And here are the embedded “application” dates. Note that “Date last saved” is essentially a “modified” date, and this document has not yet been printed. By looking at the application-level dates, we can also tell that the file was actually created at 11:04 AM, and then copied to its present location at 11:33 AM.

After uploading to Google Drive, Google will assign its own Created and Modified dates to the item. You’ll notice in the graphic below that Google’s displayed Modified date of June 30 at 1:36 PM matches the Modified date of the original file. So far so good! But, take a look at Google’s recording of the Created Date: it’s been set by Google to simply “11:23 AM” on the date of the upload action (July 10, 2020). Notice also that Google indicates the document was created “with Google Drive Web.”

Now, let’s make an edit to the Excel file. There are two ways to accomplish this in Google Drive: 1) you can edit the document “in place” using Google Docs without abandoning the original MS Excel format, or 2) you can do a “Save As” and convert the document into Google Sheets format. In this example, we are going to use method #1 and make a couple of edits to our MS Excel file. Google Docs immediately auto-saves the file for us. Let’s look at the dates.

After editing in Google Drive, but leaving as Excel format, you’ll notice in the graphic below that Google’s Modified date has been changed to the time of the edit. This makes sense. The Created date, which Google previously set to the time of upload, remains the same.

Let’s assume that this record is needed for eDiscovery purposes, and it is downloaded from Google Drive to a forensic examiner’s machine to pass along to the case team. When the file reaches the machine, the creation of the new file results in the following file system date values. Notice that they’ve all been changed to the date/time of the download action!

However, if we take a look inside the Excel file at the embedded “application” dates, we notice that we have a creation date of 6/30/2020 at 11:04 AM that has remained unaltered throughout this entire process. However, the “Date last saved” is reflective of the time of the download action. We may have expected this date to be set to 11:27 AM, which was the time at which the document was edited in Google Drive, but it is unfortunately altered by the download action. The image on the right shows the “Info” tab from MS Excel itself, which indicates a blank value for “Last Modified.”

Using the same Excel file, I will now choose to “Save as Google Sheets”.

You’ll notice that the creation and modification timestamps in the graphic below have been set to the time at which the MS Excel file was converted to a Google Sheet. Google also indicates the application that created the document was “Google Sheets.”

I made a couple of edits to the file in Google Sheets and then right clicked to download it to my workstation. First, Google converts the file from Google Sheets format into MS Excel format.

Author: Josh Headley
Chat and Collaboration Data
Information Governance
Blog

The U.S. Privacy Shield Is No Longer Valid – What Does that Mean for Companies that Transfer Data from the EU into the US?

It feels fitting that the summer of 2020 would bring us Schrems II. This surprising Court of Justice of the European Union (CJEU) decision wreaked havoc in late July by invalidating the EU-U.S. Privacy Shield and calling into question other mechanisms for transferring the personal data of EU citizens into the United States (and beyond) under the GDPR. Let’s take a deeper dive into that decision and what it means for companies that need to transfer EU citizens’ data into the U.S.

Schrems History

Schrems II is the second decision by the CJEU that is based on privacy complaints made against Facebook by Austrian privacy activist Max Schrems. Both cases stem from privacy concerns related to the U.S. National Security Agency (NSA)’s ability to access the personal data of EU citizens, famously disclosed by Edward Snowden in 2013.

In the first Schrems decision in 2015, the CJEU invalidated the U.S.-EU Safe Harbor Framework (the predecessor to the EU-U.S. Privacy Shield) as a means to transfer personal data from the EU into the U.S., finding that the protections afforded by the Safe Harbor framework did not meet fundamental privacy rights guaranteed within the EU to EU citizens.

In the aftermath of the first Schrems decision, the U.S. Department of Commerce and the EU Commission collaborated to implement the EU-U.S. Privacy Shield as a replacement to the Safe Harbor Framework, again allowing for a broader transfer mechanism of personal data into the U.S. compared to the alternatives (namely, “standard contractual clauses” (SCCs) and “binding corporate rules” (BCRs) – more on those below). Since its implementation in 2016, over 5,000 organizations have met the requirements administered by the International Trade Administration to join the Privacy Shield. Meeting those requirements can mean a large investment for organizations in overhauling their data privacy practices.

That brings us to Schrems II, wherein Schrems brought a second complaint against Facebook, this time challenging the validity of SCCs as a mechanism to transfer personal data into the U.S. In Schrems II, he argued that the same privacy concerns related to the NSA’s ability to access EU citizens’ personal data under the Safe Harbor framework also applied to personal data transferred via an SCC. It should be noted here that around the same time, European privacy advocates also filed a challenge to the new EU-U.S. Privacy Shield with the European Court.

Schrems II CJEU Decision

In the Schrems II ruling in July, the CJEU ultimately decided to address both the EU-U.S. Privacy Shield and SCC issues.

The Court upheld the validity of SCCs as a means to transfer personal data from the EU into the U.S. However, rather than carte blanche approval, the Court laid out obligations for both parties of an SCC and data protection supervisory authorities within the EU. Those obligations include:

- Entities that are transferring personal data of EU citizens into the U.S. must verify “on a case by case basis” that the protections afforded by the SCC can be met and that there is an “adequate level of protection” in the U.S. to protect the personal data of EU citizens.
- Entities that are receiving personal data of EU citizens in the U.S. have an obligation to notify the data exporter if they are unable to comply with the SCC for any reason.
- Data protection supervisory authorities within the EU have a mandatory obligation to evaluate not only the terms of the SCCs themselves, but also whether the data protections afforded by the U.S. legal system can meet those terms. If the SCC is found to be insufficient, the supervisory authority has an obligation to stop the transfer.

This decision puts SCCs (and thereby BCRs) on shaky ground throughout the entire world, because the threshold set by the Court applies to any third country, not just the U.S. (see Questions 2 and 6 of the FAQ issued by the European Data Protection Board for more information on these points).

However, the real kicker of Schrems II for U.S.-based companies with an international presence is that the CJEU completely invalidated the EU-U.S. Privacy Shield. The Court found that the U.S. does not provide sufficient protection of EU citizens’ personal data because of the access the U.S. government has to EU citizens’ personal data and because EU citizens have no means of redress against U.S. authorities should their privacy rights be violated.

What Does Schrems II Mean for Companies that Need to Transfer Personal Data from the EU into the U.S.

Companies that were relying on the Privacy Shield to transfer EU data into the U.S. should:

- Work to put individual SCCs or BCRs in place to achieve these transfers. There is no grace period during which a company can keep transferring data using the Privacy Shield mechanism, according to the European Data Protection Board (see Question 3 for more information).
- Continue to comply with all current Privacy Shield obligations. While the CJEU decision invalidates the Privacy Shield, it does not relieve current participant organizations of their obligations.
- Watch for further guidance from both the European Data Protection Board and the U.S. Department of Commerce (DOC). DOC and the European Commissioner for Justice issued a joint press release in early August, stating that they have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework that would meet the requirements laid out by the CJEU.

Companies that rely on SCCs or BCRs as a means to transfer personal data should:

- Conduct a risk assessment to determine whether those agreements and the recipient of the data in the U.S. can provide an adequate level of data protection, according to the European Data Protection Board (see Questions 5 and 6 for more information).
- Watch for further guidance from data protection authorities in relevant countries related to SCCs and BCRs in the wake of Schrems II.

The transfer of personal data between countries is vital to the lifeblood of many companies, large and small. While Schrems II has thrown a wrench into the legality of those transfers… all is not lost. Stay tuned for updates from U.S. and EU authorities that may help ease the burden of this unexpected decision by the CJEU.

Resources for More Information

- CJEU Schrems II full decision: http://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=16606736
- CJEU press release on its Schrems II decision: https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf
- EU-U.S. Privacy Shield Program Schrems II FAQs: https://www.privacyshield.gov/article?id=EU-U-S-Privacy-Shield-Program-Update
- European Data Protection Board Schrems II FAQs: https://edpb.europa.eu/our-work-tools/our-documents/ovrigt/frequently-asked-questions-judgment-court-justice-european-union_en
- U.S. Secretary of Commerce Wilbur Ross Statement on Schrems II ruling and the importance of EU-U.S. data flows: https://www.commerce.gov/news/press-releases/2020/07/us-secretary-commerce-wilbur-ross-statement-schrems-ii-ruling-and
- Joint press statement from the U.S. Secretary of Commerce and the European Commissioner regarding initiated discussions for a new privacy shield: https://www.commerce.gov/news/press-releases/2020/08/joint-press-statement-us-secretary-commerce-wilbur-ross-and-european
- UK’s Information Commissioner’s Office updated statement on the Schrems II decision: https://ico.org.uk/make-a-complaint/eu-us-privacy-shield/

To discuss this topic further, please feel free to reach out to me at SMoran@lighthouseglobal.com. Or, take a look at other Worldwide Data Privacy Updates.

Author: Sarah Moran
Data Privacy
Blog

Legal Tech Trends to Watch

We are now past the midpoint of 2020, which means we are more than halfway through the first year of a brand new decade. This midway point is a great time to take a look at the hottest trends in the legal tech world and predict where those trends may lead us as we move further into the new decade.

If we were evaluating future trends in legal tech during a normal year, there might be one or two uncertainties or prominent events from the first half of the year that we would need to take into account. Maybe a shift in global data safety laws or a change to the Federal Rules of Evidence. But, as I’m sure we’re all tired of reading, 2020 has not been a normal year (“the new normal”, “these uncertain times”, “these unprecedented events”, etc. etc. etc.). No matter how you phrase it, we can all agree that 2020 has been… unpredictable. Or to be a bit less understated: the first six months of 2020 have drastically changed how many corporations and law firms function on a day-to-day basis, and industry leaders are predicting that many of those changes will have a lasting effect. For example, a recent Gartner survey of company leaders from HR, legal and compliance, finance, and real estate industries showed that 82% of those responding plan to allow employees to continue working remotely in some capacity once employees are allowed back in the office, while close to half responded that they will allow employees to work remotely full time.

So what does that mean for the legal tech industry? Well, while the world around us has changed dramatically due to the events of 2020, many of those changes actually dovetail quite nicely into where legal tech was already headed. In this article, we will look at the latest trends in legal tech and how 2020, in all its chaos, has affected those trends.

SaaS self-service, spectra eDiscovery: The growing adoption of cloud services is leading us to a unique hybrid approach to managing eDiscovery programs: SaaS self-service, spectra eDiscovery solutions. This new subscription-based approach gives law firms and corporate legal teams the ability to take charge of their own fates by bringing their eDiscovery program in house, while leaving much of the security risks, costs, and IT burdens to a reputable, secure vendor that can house the data in a private cloud or within its own data centers. The benefits of controlling your own eDiscovery program in house are obvious. Legal teams would have the ability to control costs and access their data whenever and wherever they need to without the expense and hassle of having to go through a middle man. It would also give legal teams more control over their own costs, deadlines, and workflows, with the ability to fluidly scale up or down depending on case need. The self-service, spectra subscription approach is also unique in that it leaves the burden and risk of creating and managing an entire IT data storage infrastructure with the vendor. A security-minded vendor with SOC 2 and ISO 27001 security certifications can house data in a private cloud or their own data center, providing a completely secure environment without the overhead and risk of managing that data in house. A subscription service also may come with the reassurance that if a project or timeline becomes more burdensome than expected, the in-house team could easily pass off a workflow or entire project to the vendor seamlessly.

In 2020, a SaaS self-service, spectra solution has the added benefit of being available in every location around the world, at any time. If a worldwide pandemic has taught us anything, it is that traveling to multiple locations throughout the world to set up data centers to handle the specific needs of a case or a client is no longer a feasible solution. Housing and accessing data in the Cloud does not require abiding by global travel restrictions or mandatory quarantines. A SaaS self-service, spectra model where data is stored in the Cloud allows for global expansion without concern for pandemics, natural disasters, or political uncertainty.

Big Data Analytics: Big data analytics and technology assisted review (TAR) are certainly not new ideas to 2020. The technology and tools have existed for years and the legal industry has slowly been adopting them. (I say “slowly” in contrast to how fast these tools are developed and adopted in other areas outside of the legal field.) The need to find reliable ways to comb through massive amounts of data in the eDiscovery and compliance arenas will only grow, and we can expect that the technology will only continue to improve and become even more reliable.

One could argue that the biggest hindrance to big data analytics in the legal world is not the advancement of the technology, but rather the ability and willingness of many lawyers and courts to adopt that technology as a defensible, necessary legal tool in the modern world of big data. The legal field is notoriously slow to adopt new technology. As a personal example, I clerked for a prominent, incredibly smart criminal defense attorney who still used carbon paper to make copies of important court filings. This occurred during the same year that the third season of Lost aired (or the same year that the first season of Mad Men premiered - pick your reference. Either way, not that long ago). And every law firm is rife with stories of the old-school partner who holes up in the firm library (the existence of which could also be an example to my point, in and of itself) because she doesn’t believe in online legal research. While the practice of law is steeped in an awe-inspiring mix of tradition and history, it can also be frustratingly slow to expand on that tradition because it refuses to use a copier. Even Don Draper had a copier by the second season.

However, if we can say one positive thing about 2020, it is that the last six months have pushed the legal world into the technological future more than any other time period to date. Almost every in-house counsel, law firm, and court across the globe has been forced to find a way to conduct its business in a completely remote environment. This means that judges, law firms, and in-house counsel are facing the reality that the legal world needs to rely on and adapt to technology in order to survive. One hopes that this new reality helps lead to a more robust adoption of technological advancement in the legal world in general, and hopefully, a shift away from the reactionary relationship the legal industry always seems to have with technology. Data volumes will only continue to explode, and there will come a time in the near future when it will not be defensible to tell a judge or a client that discovery may take years in order to allow time for a team of 200 contract attorneys to look at each individual document that hits on a search term. Analytics will eventually be a requirement for a defensible eDiscovery program, and 2020 may be the year that helps many in the legal field take a more proactive approach to its adoption.

New sources of data (i.e. collaboration tools): Like big data analytics, online collaboration tools like Teams and Slack are not new to 2020, but this year has certainly helped push the use of these tools to the forefront of many companies’ day-to-day business. It seems like new collaboration tools arise every month and companies are increasingly pushing employees to utilize them. Organizations are realizing the value of these collaboration tools in a post-COVID environment, where online collaboration is not only preferable, but absolutely critical. Not to repeat some of 2020’s greatest memes, but I’m sure we’ve all seen the 2020 adage that this is the year that we all realized that not only could that meeting have been an email, that email could have been an instant message. Data actually proves that theory to be true. Microsoft, for example, found that chat messages within Microsoft Teams meetings increased over 10x from March 1 to June 1.

The widespread use of these types of tools, in turn, generates more and more unique data that needs to be accounted for during an eDiscovery or compliance event. Going forward, organizations will need to ensure that they know which tools their employees or contractors are using, what data those tools generate, and how to defensibly collect, process, and review that data in the event of a lawsuit or investigation (or retain a vendor who can guide them through that process). Which brings us to our final 2020 trend…

Continuous program update subscription services: Going hand-in-hand with the above, watch out for eDiscovery programs and solutions that can manage the continuous delivery of program updates on all of the applications and platforms that organizations use to effectively perform their work. Gone are the days when the same data collection or processing workflow could be used for years at a time and still be defensible. From iPhone iOS to Teams, systemic updates to work applications and platforms can now roll out on an almost weekly basis, and it is imperative that legal and compliance teams stay on top of those updates and adapt to them in order to ensure that company information remains secure and that any data generated can be defensibly collected and processed when needed. In 2020 and beyond, look for technologically advanced eDiscovery subscription services that give companies the ability to prepare for and stay ahead of the never-ending stream of software updates.

To discuss this topic further, please feel free to reach out to me at SMoran@lighthouseglobal.com.

Author: Sarah Moran
AI and Analytics
eDiscovery and Review
Legal Operations