In 2016, e-discovery and information governance saw significant vendor consolidation, new review tools such as native file redaction, more cloud-based review and information governance, the end of the “three-day rule” for CM/ECF filings and a growing conversation about the evidentiary use of the “Internet of Things” (IoT). However, the most significant events of 2016 involved the implementation and enactment of new rules and laws. Courts applied the 2015 e-discovery amendments to the Federal Rules of Civil Procedure, issuing decisions addressing many of the prior, oft-cited flaws in the e-discovery process, such as unpredictable and unfair sanctions rulings and runaway discovery. There also was the formation and approval of the Privacy Shield, replacing the Safe Harbor scheme. Finally, we saw the passage of the Defend Trade Secrets Act of 2016, providing a federal cause of action to private companies for trade secret theft.
Each of these three seminal topics were discussed in Mayer Brown’s Electronic Discovery & Information Governance practice’s Tips of the Month series and are recapped below.
Court’s Application of 2015 Federal Rule Amendments. The court’s application of the amended rules in 2016 highlighted the year in e-discovery. For the most part, the hundreds of decisions applying the amended rules were aligned with drafter’s intentions.
- Focus on Proportionality. Rule 26(b)(1), which defines the scope of permissible discovery, was amended to limit discovery to relevant, nonprivileged information that is “proportional to the needs of the case.” The rule lists relevant proportionality considerations as “the importance of the issues at stake in the action, the amount in controversy, the parties’ relative access to relevant information, the parties’ resources, the importance of the discovery in resolving the issues, and whether the burden or expense of the proposed discovery outweighs its likely benefit.” Thus, it is doing away with the “reasonably calculated to lead to the discovery of admissible evidence” language, which many pointed to as the seed that yielded runaway discovery. Although former Magistrate Judge Paul Grewal noted in an opinion last January that “[p]roportionality in discovery under the Federal Rules is nothing new” (Gilead Sciences, Inc. v. Merck & Co., 2016 WL 146574 (N.D. Cal. Jan. 13, 2016)), courts often applied the amended rule to rein in discovery.1
- Changing World of Spoliation Sanctions under Amended Rule 37(e). Under amended Rule 37(e), the court may impose sanctions on an offending party for failing to preserve ESI where the ESI (1) “should have been preserved in the anticipation or conduct of litigation”; (2) is lost “because a party failed to take reasonable steps to preserve it”; and (3) “cannot be restored or replaced through additional discovery.” Amended Rule 37(e) was designed to address concerns about the consistency and proportionality of sanctions. In applying the amended Rule, district courts issued more predictable sanctions, such that Rule 37(e) now provides a genuine safe harbor for those parties that take “reasonable steps” to preserve their ESI information. Consequently, courts appear to be applying amended Rule 37(e) by crafting proportionate, “middle ground” curative sanctions when there is prejudice but no showing of intent to deprive. In addition, courts to date are not imposing preclusive sanctions absent a showing that the offending party acted intentionally and was not merely negligent with regard to lost ESI.2
Privacy Shield, Now Official. More than fifteen months after the Court of Justice of the European Union invalidated Safe Harbor, and eleven months since the Privacy Shield agreement was first announced, it became official in July 2016. Organizations seeking to transfer European data to the United States began signing up for certification starting on August 1, 2016. The path to approval included review by the EU Article 29 Working Party, the European Parliament, the European Data Protection Supervisor, and finally the EU Article 31 Committee.
- Snowden Fallout. The most significant changes concern the US national security access to European data, which largely do not impact companies participating in the transfer mechanism. Privacy Shield contains assurances and clarifications regarding the bulk collection of signals intelligence, an issue raised in particular by the Article 29 Working Party. The approved version of Privacy Shield clarified standards regarding secondary processing, retention periods and onward transfers of personal information. In approving Privacy Shield, the European Commission (EC) noted in its adequacy decision that US law protects individuals from adverse decisions that result from automated processing in several specific domains, such as credit lending, mortgage offers and employment. However, US law does not provide for broader regulation of automated processing as exists in the European Union. The adequacy decision highlighted automated processing as “an area that needs to be closely monitored” and it will need to be discussed as part of Privacy Shield’s first annual review.
- Relevance of Privacy Shield after GDPR. Perhaps the more important issue to monitor is how relevant Privacy Shield will be once the General Data Protection Regulation (GDPR) comes into effect in May 2018. GDPR, signed in April 2016 by the European Parliament and Council, will apply to any organization, anywhere in the world, that processed personal data or monitors the behavior of individuals located in the EU. The expectation is that the privacy shield framework will continue to be available after the GDPR comes into effect. GDPR will impose extensive additional obligations on some companies and its important to understand the mechanisms build into Privacy Shield to address where there are differences between GDPR and Privacy Shield. First, the ongoing process of annual review will allow the EC to raise the standards required by Privacy Shield as the GDPR is implemented. Second, the adequacy decision recognizes that Privacy Shield “Principles apply solely to the processing of personal data by the US organization in as far as processing by such organizations does not fall within the scope of EU legislation.” Organizations that decide to certify to Privacy Shield should remain ready to comply with GDPR within two years. We will continue to monitor any changes in Privacy Shield and the implications of the GDPR coming into effect.
- Swiss-US Privacy Shield. On January 11, 2017, US and Swiss authorities reached final agreement on the Swiss-US Privacy Shield Framework. The Framework defines standards for handling personal data exported from Switzerland to the United States and enables US companies to meet Swiss legal requirements to protect personal data transferred from Switzerland. The Framework is a successor to the former Swiss-US Safe Harbor framework, which was declared invalid by the Swiss data protection commissioner following the invalidation of Safe Harbor by the European Court of Justice.
A New Weapon in the Fight against Trade Secret Theft. With the passage of the Defend Trade Secrets Act of 2016 (DTSA) in May 2016, a new federal private cause of action for trade secret misappropriation was created. Prior to passage of the DTSA, such claims were governed almost exclusively by state law, with 48 of the 50 states adopting some version of the Uniform Trade Secrets Act (UTSA). Although plaintiffs establishing diversity or concurrent jurisdiction could file suit in federal court, many plaintiffs bringing claims of trade secret misappropriation had no choice but to file suit in state court. Now, under the DTSA, the owner of a trade secret may bring a civil action in federal district court for acts of misappropriation if the trade secret is related to a product or service used in, or intended for use in, interstate or foreign commerce. Similar to the UTSA’s definition of misappropriation, the DTSA’s includes the acquisition or disclosure of a trade secret (1) that was acquired by improper means, (2) where there was a duty to maintain the secrecy of the trade secret or (3) where the trade secret was acquired by accident or mistake.
- Related Considerations. To most effectively utilize DTSA, companies should: (1) take reasonable measures to protect trade secrets; (2) evaluate policies and procedures for handling trade secrets and confidential information; and (3) manage risks associated with incoming and departing employees. We will continue to monitor how the courts apply DTSA in the coming year.
2 For examples of Rule 37(e) related decisions: see Nuvasive, Inc. v. Madsen Med., Inc., 2016 WL 305096 (S.D. Cal. Jan. 26, 2016) (retroactive application of the amended Rule 37(e) vacating a previous adverse inference jury instruction because the party did not act with the intent to deprive the other party of discoverable text messages); Living Color Enters., Inc. v. New Era Aquaculture, Ltd., 2016 WL 1105297 (S.D. Fla. Mar. 22, 2016) (court denied adverse inference jury instruction because no actual loss and prejudice was found); FiTeq Inc. v. Venture Corp., 2016 WL 1701794 (N.D. Cal. Apr. 28, 2016) (actual loss and prejudice required for adverse inference jury instruction); Best Payphones, Inc. v. New York, 2016 WL 792396 (E.D.N.Y. Feb. 26, 2016) (court found that the plaintiff had been negligent in its failure to properly implement a legal hold, and that the lost information was relevant, it nevertheless declined to impose sanctions because the defendants did not demonstrate that they suffered prejudice from the loss of the information); Brown Jordan Int'l, Inc. v. Carmicle, 2016 WL 815827 (S.D. Fla. Mar. 2, 2016) (court allowed adverse evidentiary inferences to be made regarding lost ESI, but declined to grant case terminating sanctions).