In 2021, litigators and eDiscovery practitioners confronted a mix of new developments and perennial challenges. Data privacy laws continued to evolve rapidly, while emerging technology gave companies better ways to respond to data breaches. As the volume of electronic documents continued to rise, 2021 was a good year to take stock of records management policies and the protocols for managing large-scale eDiscovery. 2021 also saw several notable developments in litigation procedure. Key highlights from Mayer Brown’s Tip-of-the-Month coverage of these topics last year are recapped below.
Data Privacy and Data Breaches
- GDPR. The General Data Protection Regulation (GDPR) presents a significant compliance obstacle for companies moving data to jurisdictions outside the European Economic Area (EEA), including to the US. Although GDPR was implemented in 2018, there were three major developments in 2021:
- Brexit. With the Brexit transition having ended in 2020, transfers of personal data outside the UK are now subject to separate requirements under the UK GDPR (which are, at least now, substantially the same as the requirements under the EU GDPR).
- SCCs. In June 2021, the European Commission published a final version of its new “standard contractual clauses” (SCCs) for international personal data transfers outside the EEA, SCCs that will replace those that many businesses currently rely on for transfers to the US.
- Transfer Impact Assessments. Also in June 2021, the European Data Protection Board published a final version of its recommendations on supplementary measures for international personal data transfers outside the EEA, including guidance on how to carry out “transfer impact assessments” when transferring certain personal data.
- Use of AI in Data Breaches. Every year brings a slew of high-profile data breaches, and 2021 was no exception. Fortunately, emerging artificial intelligence (AI) technology is making it easier for companies to respond to data breaches.
- A response will often involve notifying the individuals whose data has been accessed. Identifying these individuals typically requires a large and complex data review from sources with varying degrees of uniformity and accessibility—ranging from scanned hard copy files to databases containing data for thousands of individuals.
- AI technologies show some promise in identifying and extracting data from large document pools, especially where the documents are uniform.
- Despite the developments in these AI technologies, at times it may still be better to rely on human reviewers for complex or irregular files such as those scanned from hard copies or compiled originally by hand.
- Records Management Policies. As the amount of electronic information grows, the ability to manage that information can diminish rapidly. A records management policy is often key to controlling the creation, maintenance and disposition of documents and data.
- The successful implementation of records management policies can cut costs, streamline the organization’s information management system and facilitate a more efficient and effective response to the demands of litigation. Also, knowing which, and where, records are maintained will be invaluable when responding to a data breach, complying with discovery obligations or in the case of a disaster recovery.
- An effective records management policy will include programs that routinely dispose of redundant records and other data. It will also establish protocols for suspending document destruction when the company faces litigation.
- To ensure the smooth implementation of a records management policy, a knowledgeable official should be designated to oversee it. Records managers should work to educate senior management on records management legal obligations, including data privacy and regulatory obligations.
- Managing eDiscovery. When faced with large volumes of data, there are strategies that a producing party can employ to reduce massive volumes of data to a more manageable level.
- When contemplating the use of advanced analytics for filtering large data volumes, hiring the appropriate eDiscovery vendor is an important first step.
- Once a vendor is selected, counsel should consider using “early case assessment” tools and review workflows to prioritize documents for review and production.
- Counsel should also consider using other technologies to expedite large document reviews, including concept clustering, email threading and technology-assisted review technologies (such as continuous active learning).
- FRCP 30(b)(6). In December 2020, amended Federal Rule of Civil Procedure 30(b)(6) went into effect, requiring parties to meet and confer about matters for examination in the deposition of a corporation, agency or other organization.
- The goal of the revision is to help reduce the number of disputes surrounding the Rule 30(b)(6) deposition and witness(es) that are brought before the court.
- The rule change is designed to help clarify proposed examination topics earlier in the litigation.
As we enter a new year, we expect that many of these trends, developments and tips will remain relevant.