There have been numerous articles, editorials and information sessions since the European Court of Justice issued its Safe Harbor ruling on Monday, and rightfully so. The ruling, which invalidates the Safe Harbor framework, upends a nearly two decades-long practice that facilitated global data transfers vital to international business and imperative for eDiscovery.
The blow from Safe Harbor’s collapse could be ameliorated by the timely creation of a replacement standard; however, that does not seem likely. Though some suggest there may be new legislation from the European Union in 2016 that will provide guidance, it is at best a few months away and may take many more years to enact. Another option would be to revert to agreements that pre-date the Safe Harbor framework’s implementation. But these older standards are likely not equipped to cover the complexities of modern data transfer requirements or account for the new file types that have emerged in the last 15 years. The end result is that organizations are unsure how to proceed.
This state of limbo has to be overcome by the international business and legal communities. While politicians and privacy experts debate the situation, lawyers and litigation support teams are facing a vastly more complex environment with a patchwork of rules – potentially as many as 28 – as they handle eDiscovery for matters that are already in progress or slated for 2016. And, if a matter crosses multiple jurisdictions within the EU—and many will—each transfer is subject to a new review by individual member states.
A potential path forward for organizations operating within the EU is to create their own data centers within its jurisdiction. While this may be an adequate long-term solution, it fails to provide short-term, timely relief. Standing up a data center needs significant time and capital investments, requiring the better part of a year to source a location, build the center out, secure it, staff it and fully operationalize both the physical and IT environments.
Bearing in mind the significant challenges legal entities face in the wake of the Safe Harbor ruling, I agree with Hugh Logue, a legal market research analyst who noted that these are “perfect market conditions for legal service providers.” In the short-term at least, engaging with a legal services company or law firm that has representation in one or more EU member states seems to be the only way that corporations will be able to avoid violating EU laws with the attendant fines and prosecutions for clients while still avoiding sanctions in U.S. courts.
For those corporations seeking a legal services partner with on-the-ground presence in the EU, I offer questions you should have answered before you make a final selection (You may also want to check out an earlier post for additional tips):
- What are your collection methodologies and can you demonstrate how they comply with local and EU rules?
- Describe how you provide secure remote connectivity for data transfer?
- How do you use available technology to manage redaction so that your team can contain the costs of eDiscovery?
While the ruling against the Safe Harbor framework may present some confusion in the short term, eDiscovery professionals can leverage legal services partners to help ensure that current and imminent matters remain on schedule and within budget. Indeed, you may find these partnerships morph into long-term solutions as well.