Last week, I took part in my very first event of The Sedona Conference, a US based nonprofit organization, which on its website states to be a “research and educational institute dedicated to the advanced study of law and policy in the areas of antitrust law, complex litigation and intellectual property rights”. I attended the International Programme on Cross-Border Discovery & Data Protection Laws in Dublin and here is some of what I learned.
Over the two days of this international program, professionals from around the globe discussed issues around cross-border discovery and data protection laws. The level of discussion was of very high standard as lawyers, in-house counsels and vendors all put their individual gains aside and joined with the goal to drive the advancement of law and policy in a just and reasoned way through an ongoing dialogue. This is part of the Sedona identity and I was impressed by how detailed certain questions were discussed without losing the practical focus to how the law should be interpreted or principles must be applied.
Obviously, GDPR and its effect on cross-border discovery were very hot topics at the conference. There was some agreement that GDPR will facilitate international transfer of data (or at least that this is the intention of the Regulation). Nevertheless, this optimism was not shared by all panelists as the different legal bases for a transfer can be;
- time-consuming (e.g. authorization from the Data Protection Authorities),
- not helpful in a discovery setting (e.g. judges will never sign Model Clauses) or
- difficult to get (e.g. the consent of the data subject).
Transfers of data from Europe to the United States clearly attracted most interest at the conference. This is one of the fields with high tension as two completely different data protection cultures clash. While in the US data is seen as a commodity that can be more or less freely traded, Europe follows a different approach. In the EU (and in most other jurisdictions in the world), data is the personal property of the individual it is attributed to. Therefore, it is, as such, protected by the law to which the person is subject and this protection travels with the data, even if a person’s data is transferred to another jurisdiction. It is obvious that these two understandings are worlds apart and for many of the U.S. based companies that operate with personal data of European based individuals, GDPR must be quite a cultural shock. This, of course, only if they have already realized that GDPR will drop European data protection laws right on their doorstep.
It is also useful to know that Sedona, in its efforts of advancing the law, has developed and is maintaining principles and guidelines in different areas to support practitioners in law firms, companies and providers. For the area of e-Discovery, there is a large number of very helpful documentation particularly for the in-house community. For instance, one can find guidance on the selection process for e-Discovery providers or principles to consider in international investigations.
Lastly, there were also discussions around additional topics, such as;
- updates from other geographical areas,
- a proposed catalogue of questions that you as an in-house counsel should use to assess your vendors to determine their GDPR compliance
- the new ISO standards for discovery
- and many more.
Overall, it was a great experience to be at the Sedona Conference. One last important learning though: Next time, I will pay more attention to the specifications of the conference venue. It turned out that I was completely unprepared for there to be a golf course and a spa located on premise. The Carton House, clearly, was no bad place at all to enjoy a well-deserved pint of Guinness after a long day of constructive dialogue. #yerralife
If you are interested in GDPR, consider taking the GDPR Reality Check Survey. Participants will recieve benchmarking data and survey analysis in August 2017.