Kroll Ontrack’s Canine Forensics Team: Sniffing out the evidence and cutting costs

Kroll Ontrack is pleased to announce our latest weapon against data theft: our Canine Data Defenders. This new service, believed to be the first of its kind in the UK, will enable clients to reduce initial data forensics costs and speed up computer forensics investigations.

How does it work?

A dog’s sense of smell is unbelievably powerful, between 10,000 and 100,000 times as acute as a human’s, depending on the breed. A useful way of imagining this is to think of the difference in terms of vision: if a human can see an object one third of a mile away, a dog can see the same object 3,000 miles away. It is because of this ability that the dog’s sense of smell has long been utilised in the medical, military and law enforcement fields to detect cancer cells, explosives and drugs.

What do Kroll Ontrack’s dogs look for?

The human endocrine system is extremely complex and to a trained nose, compounds found in sweat can reveal much about the human in question’s behaviour and mental state. Someone using a device for illegal activity, for example, is likely to release a greater amount of stress hormone into their sweat which in turn is transferred onto the device via touch. Kroll Ontrack’s canine team has been trained to pick up on these scents and lead handlers to devices that have been used for nefarious purposes. The process is simple and a team of two dogs can check 100 devices within an hour, which is a marked improvement on a human team handling and scanning each device.

After a successful pilot study, the Canine Data Defenders will be available to clients from 31st June 2016.

Kroll Ontrack Head of Computer Forensics, John Perro, commented: “This is not about substituting human knowledge but about saving our clients’ time and money. Our dogs can pinpoint a machine used for suspect activity within seconds, allowing our human team to get straight into a type 2 data analysis. We can also see applications in internal compliance investigations. A quick sweep of an office using our dogs will provide compliance officers with a quick and accurate spot check of the company’s activities.”

A second team of dogs is currently in the final stage of training to provide early-evidence services for our ediscovery team, further cementing the role of dogs at Kroll Ontrack.

How can banks reduce litigation and investigation-related legal costs?

Last week over 50 corporate in-house counsel and lawyers working in the financial sector gathered in the rather glamorous surroundings of the Banking Hall to join Kroll Ontrack for our breakfast seminar, ‘Banks or Law Firms: Who holds the purse strings’.

After a delicious breakfast, our illustrious panel tackled the complex and often controversial topic of managing legal costs for banking-related investigations and litigation. The key themes up for debate were:

  • How recent ‘big ticket’ regulatory investigations have affected the banking world
  • Using the latest predictive coding technology to reduce legal costs
  • Leveraging corporate buying power when using law firms and other professional service providers
  • Discussing alternative pricing structures
  • Examining the pros and cons of unbundling legal services

The debate was moderated by Ben Fielding of Kroll Ontrack and our speakers included Elizabeth Meekison, a Senior Lawyer in Commercial Litigation at Lloyds Banking Group; Mark Humphries, Senior Partner at Humphries Kerstetter; Thomas Leyland, Partner at Dentons; and Orion Wisness, Discovery Consultant at Kroll Ontrack. With representation from in-house counsel from banks, senior partners from top law firms and a technology provider, each brought their own experiences and opinions to what was an eloquent, wide-ranging, and informative discussion.

The key points that emerged were:

Priorities for banks:

  • Banks value accuracy, defensibility of process and not necessarily lower costs when it comes to ediscovery
  • Working collaboratively with law firms and technology providers and ensuring regular and effective communication

The benefits of proactivity:

  • The importance of involving an ediscovery provider from the beginning of the disclosure process or investigation.
  • How implementing information governance strategies and managing the quantity and location of your data can reduce costs.
  • How fixed fee modelling could be implemented (and why this might not be a possibility in certain cases.)

Legislative concerns:

  • Are the standard disclosure rules too broad?
  • In light of spiralling data volumes, should the disclosure rules be modified so they are closer to the arbitration model?

The importance of predictive coding technology

With the recent judgement (Pyrrho Investments v MWB Property [2016] EWHC 256 (Ch)) approving the use of predictive coding still hot news, much of the debate and audience’s questions were focused on:

  • How technology such as predictive coding can be used to reduce the burden of big data in litigation and investigations
  • The implications of the recent judgement approving use of predictive coding technology in the UK
  • The need for both corporations and law firms to fully understand exactly what predictive coding entails in terms of both its capabilities and its limitations

We would like to thank speakers for taking the time out of their busy schedules to take part in the debate and share their expertise. We’d also like to thank our guests for joining us and further enlivening the discussion with their considered questions.

 

UK High Court approves use of Predictive Coding in litigation

Last week legal technology providers in the UK had a lot to celebrate as the English High Court approved the use of predictive coding for disclosure in litigation.

The judgement, handed down by Master Matthews, gave official judicial authorisation for the use of predictive coding in High Court proceedings. Summing up his decision, Master Matthews stated that predictive coding is just as accurate as, if not more so than, a manual review using keyword searches. He also estimated that predictive coding would offer significant cost savings in this particular case and that the possible disclosure of over 3 million documents done via traditional manual review would be disproportionate and ‘unreasonable’.

To read the judgement in full, please click here.

How does predictive coding work?

Predictive coding is an advanced machine-learning technology which allows computers to predict how documents should be coded (i.e., should a document be tagged ‘responsive’ or ‘privileged’) based on decisions made by human subject matter experts. Put simply, an experienced lawyer trains the computer by coding a sample set of documents, and the computer then learns what to look for based on this training. In the context of edisclosure and other investigative exercises involving electronic evidence, this technology can find key documents faster and with fewer human reviewers, thereby saving on cost and review time.

Who uses predictive coding?

Other jurisdictions, such as the USA and Ireland, have led the way in giving judicial approval to predictive coding, and the UK judgement references these cases in detail. Despite these cases as well as the ever-increasing sophistication of the technology itself, the UK law community has been somewhat reluctant to make use of the technology, as explored in this study by Kroll Ontrack Legal Consultant and former litigation lawyer, Hitesh Chowdhry.

In Chowdhry’s white paper, ‘Rage Against the Machine; Attitudes to Predictive Coding Amongst UK Lawyers’, he notes that his study revealed that the main barriers to adopting predictive coding technology were:

  • Risk aversion and mistrust of the technology’s accuracy
  • Belief that predictive coding would have a negative effect on revenue
  • Satisfaction with existing methods and a belief that existing practices offered more accuracy than studies have suggested
  • Insufficient understanding and knowledge of the complex predictive coding process
  • Diffusion amongst professionals

The UK judgement counters many of the fears uncovered in Chowdhry’s study by stating that the technology is accurate and offers cost savings.

Predictive coding and the Civil Procedure Rules

As data volumes continue to grow and traditional manual reviews using keyword searches become less feasible, predictive coding may be the best path toward complying with the Civil Procedure Rules.

Jeff Shapiro, a lawyer who has written frequently on costs in edisclosure, offered this comment: “The judgement approving predictive coding for the disclosure of documents highlights the judiciary’s continued march to proportionate costs in litigation via application of the overriding objective. Review amounts to approximately 70% of total disclosure costs. With the ubiquity of electronic document creation and storage, litigators have an ever-increasing costs’ burden in order to fulfil their CPR disclosure obligations. The judiciary, recognising the realities of modern disclosure where millions upon millions of documents may need ‘to be considered for relevance and possible disclosure’, has proclaimed that predictive coding may be used as a substitute for manual review.”

The cost savings offered by predictive coding will undoubtedly be popular with clients and potentially will give a competitive edge in winning work.

We hope that this judgement will encourage more UK firms to take advantage of the benefits offered by predictive coding.

For more information about this technology, please click here.

Is it time for banks to take greater control of their legal spend?

Legal fees incurred by banks can have a huge impact on profits. Deutsche Bank provides a prime example of this; according to data from Bloomberg, it has spent more than any other European financial institution due to a combination of regulatory fines and litigation costs. Around 1.2 billion euros were earmarked for litigation. These legal costs have, in part, led to the bank reporting a 2.1 billion euro loss in the fourth quarter, with the bank’s stock falling to its lowest value since 2009. In contrast, Bank of America’s profits rose by 10%, in part due to a reduction in spending on legal fees.

This leaves in-house lawyers in an awkward position: regulatory scrutiny and in-progress litigation cases are unavoidable, but they are facing more pressure to cut costs.

The first port of call for any in-house counsel managing regulatory investigations is usually a trusted law firm. Yet, with the culture of billable hours being so prevalent, are law firms in the best position to provide the improved efficiencies and reduced costs in-house counsel are seeking?

Indeed, such is the concern about spiralling legal costs that the Competition and Markets Authority, an organisation more associated with causing legal fees, recently announced plans to investigate law firms in light of the following concerns:

  • Whether clients can drive effective competition by making informed purchasing decisions;
  • Whether clients are adequately protected from potential harm or can obtain satisfactory redress if legal services go wrong;
  • How regulation and the regulatory framework impact on competition for the supply of legal services.

Kroll Ontrack is hosting a seminar discussing this difficult topic, with speakers from leading banks (Lloyds, Barclays) and top law firms (Dentons and Humphries Kerstetter). In what will no doubt be a fiery debate, the panel will discuss:

  • How recent ‘big ticket’ regulatory investigations have affected the banking world
  • Using new technology to reduce expenditure
  • Leveraging buying power when using law firms and other professional service providers
  • Discussing the relative merits of fixed fee vs billable hour pricing structures
  • Examining the pros and cons of unbundling legal services

To register for the event, please click here.

 

 

 

Happy Birthday, Document Review Centre

Can you believe it’s been a whole year since we launched our fabulous Document Review Centre in London? So much has changed since we first opened; we’ve doubled in size, we’ve launched a dedicated website for our review lawyers and we’ve even started to uncover trends in document review.

To celebrate this milestone, we held a party for our team of document review lawyers. Over 60 lawyers from current and past projects joined the managed review team at 1920 Bar in Clerkenwell for drinks and a few ‘friendly’ games of pool.

Below are a couple of photographs from the night.

We’d like to thank our lawyers for their hard work over the past year; they are often the unsung heroes of a case, working countless weekends, missing Bank Christmas, and generally putting in the hours to make sure clients’ deadlines are met. We hope you enjoyed the party and look forward to another busy year!

 

5 data analytics myths debunked

Perplexed by Data Analytics? Stuck on statistics? Then fear not, Philip O’Donnell, Forensic Data Analytics Consultant, is here to guide you through the fascinating world of analytics, explaining complex concepts, tackling technical terms and showing the power of data in a series of business scenarios.
In his first blog, Philip will debunk some of the most prevalent myths surrounding data analytics. Over to you, Philip!

1) Once you have an analytics tool, anyone can be a data analyst

Father of Data Analytics, John Tukey, summed up the aim of analytics in a typically succinct manner by stating,

“The greatest value of a picture is when it forces us to notice what we never expected to see.”

Put broadly, data analytics is a process to uncover hidden patterns, unknown correlations, market trends and customer preferences using mathematical and statistical techniques.

However, many people think data analytics is just a tool that turns data into graphs and that once you have this tool, anyone can analyse data. This is a little like saying that by owning a saw, you are a master carpenter!
To get the most out of data analytics, it is imperative that the right techniques, as well as the steps in the process, are understood and used in the right context. Only then can analytics be truly effective in an investigation; performed incorrectly, it can lead to misleading discoveries.

2) Data analytics is just for auditors

Where there are people, there is data and this data can be analysed and used to improve the way we operate. Music industry moguls use data analytics to measure listener responses to new music. This then helps them work out which genres, and new artists, are likely to bring them a hit.
Analytics is used by all spheres of society, from medical research and environmental studies to more obvious financial applications. Even Hollywood screenwriters have discovered that analytics can produce great success stories. In the Oscar-winning film Moneyball, a poorly performing baseball team hired a statistics expert to help them change their drafting procedures. By using statistics to help select players rather than traditional scouting methods, the team went on to have the longest winning streak in baseball history.

Analytics helps people in all industries make better, more informed decisions and deliver new innovative ways of thinking and doing business.

3) Data context doesn’t matter

The key component to performing any analytics is to understand the environment in which the client operates. Interpreting and advising on findings is a key aspect of the analytics process, so to really add value for clients, sector knowledge is vastly important. The most experienced data analysts need to understand the context of the data, especially in high profile legal investigations, banking cases, corporate compliance, financial analysis, and government projects. Clients looking to get the most out of their data will need to choose a provider who is able to harness industry knowledge and take a pragmatic approach to data science and analytics methodologies.

4) Analysing data can compromise the security and integrity of data estates

This myth does have some truth in that many inexperienced analysts do not understand the importance of a proper data extraction exercise. Direct extraction of raw data from the core system is a key step in the analytics process and in the past, I have seen cases where incomplete and incorrect data extraction has caused a data analytics investigation to be invalidated.
However, an experienced data analytics provider is rigorous in ensuring data extraction is performed correctly and is accountable in the chain of custody. Done properly, extraction ensures that the complete dataset is captured and minimises the risk of an incomplete investigation. Extraction is performed in such a way that it does not compromise the existing security of the data, as well as preserving the integrity of the system. Extraction can be performed on multiple data sources. These include relational databases and data warehouses as well as legacy flat files and dynamic XML formats.

5) Analytics techniques don’t change

Data analytics is an incredibly dynamic discipline and new techniques are being developed all the time. A good analytics provider will always stay abreast of the latest trends and methods. So what is in store for 2016?

According to the International Analytics Institute, the number one trend for analytics in 2016 will be that the distinction between cognitive analytics and automated analytics becomes blurred. Automated analytics is the changing of an airplane price or stock price based on the real-time analysis of factors such as customer demand or other market forces. Cognitive analytics is inspired by how the human brain processes information, draws conclusions, and codifies instincts and experience into learning. Cognitive analytics uses machine learning techniques such as Neural Networks, Logistic Regression and historic data. By understanding the human decision-making and learning process, data scientists can incorporate this knowledge into their models and achieve even more accurate and in-depth insights.

Click here to find out more information about our Data Analytics service.

Trends in Document Review: Phase II Investigations

Kroll Ontrack’s Document Review Centre handles a real variety of projects, each one with unique requirements and for different purposes. However, one trend we have noticed since opening last January is an increased number of clients requiring assistance in matters that stem from the mergers and acquisitions process. Pre- and post-merger audits and merger control RFIs from regulatory bodies such as the European Commission, the UK Competition and Markets Authority, the French Autorité de la concurrence, the German Bundeskartellamt as well as the US Department of Justice are just a few examples of instances where ediscovery providers may be called upon for assistance.

Phase II is an in-depth analysis of the merger’s effects on competition and requires more time. It is opened when the case cannot be resolved in Phase I, i.e. when the Commission has concerns that the transaction could restrict competition in the internal market. A phase II investigation typically involves more extensive information gathering, including companies’ internal documents, extensive economic data, more detailed questionnaires to market participants, and/or site visits.

As mentioned in Kroll Ontrack’s landmark paper on the pressures faced by businesses from regulators, authorities such as the UK’s Competition and Markets Authority, European Commission and US Department of Justice are placing companies under increased scrutiny. As a result, corporations and their law firms are increasingly turning to the technology and specialist document review services offered by ediscovery providers to manage this data and reduce costs.

A recent Phase II request for information perhaps highlights why companies and their law firms are using managed document review services. We were approached by a leading global law firm on behalf of their client, an FMCG supplier that had been subject to a European Commission Phase II request for information and needed urgent document review services.

This case was particularly high priority as the client required highly-qualified review lawyers to start work within less than 24 hours at the weekend and had not contacted Kroll Ontrack until late on Friday afternoon. However, despite this late notice, we were able to find the requested 7 lawyers to begin reviewing the next day.

Mid-way through the review, foreign language documents were discovered in the system. This could have represented a real set-back in terms of time needed for recruiting lawyers speaking the relevant languages. However, Kroll Ontrack’s pool of review lawyers is of such high calibre that the existing team already contained several native and fluent speakers in those languages, despite language ability not being an initial criterion for selection.

In these circumstances, completing such a request in-house would have been incredibly difficult, not only from a technical standpoint but also in assembling, at short notice, qualified lawyers fluent in the unexpected languages.

Kroll Ontrack was able to provide a total of 42 review lawyers and conduct a privilege review of 19,000 documents and non-privileged review of 29,000 documents within 7 days.  Once the review was complete, the client was so impressed with our efficiency that 10 reviewers were retained in order to complete a redaction exercise.

 

This is not just any Christmas party, this is a Kroll Ontrack Christmas party…

The Honourable Society of the Inner Temple is famed for its rich legal history, art collection and its enviable array of alumni, including two former PMs, Chaucer (maybe), Baroness Butler-Sloss (of Diana inquest fame),  Sir Francis Drake (explorer) and even Gandhi, to name but a few. But this past week, the solemn surroundings of the Temple’s Main Hall were subject to a very different kind of ‘nonviolent civil disobedience’ in the form of the Kroll Ontrack Christmas Party with special comedy guests, This Is Your Trial.

For the uninitiated, This Is Your Trial is an improvised comedy show where professional comedians play the judge, clerk, prosecution and defence. Members of the audience are then given the opportunity to accuse their friends of crimes. The clerk then selects three cases with the remainder of the audience acting as jury to determine the accused’s fate, hopefully with hilarious results.

First in the dock was our own esteemed Legal Technologies Director, Mr. Andrew Szczech, charged with the particularly grievous crime of ‘rapping at karaoke’.

An attempt to gain leniency by entering an early guilty plea was rejected by the court after it was pointed out that the evening was a lot more fun if we actually had a trial.

Despite wafer-thin evidence and an extremely unreliable witness, who may or may not have been in the unknown location where the incident is alleged to have taken place, Mr. Szczech was rightly found guilty and sentenced to pay a fine of 50 cents.

The second despicable con was Mr. Jake McQuitty, a Partner at TLT solicitors. Mr. McQuitty was indicted with a) taking opera lessons, b) not being grumpy about his clients and, most seriously of all, c) putting his children to bed! All these acts, in the eyes of his accuser, were not the normal activities of a Partner at a City law firm.

During the trial, it transpired that the dastardly Mr. McQuitty also played tennis to an above average standard and regularly chopped wood in his garden; all wholesome activities which the prosecution leapt on to prove his inherent abnormality. However, the defence cleverly pointed out that all of these details considered together likely rendered Mr. McQuitty a psychopath, just like everyone else in the room. The psychopathic jury agreed and let him walk free.

The final defendant hauled before the Court was Kroll Ontrack Case Manager, Stephanie Painter, accused by Peter Susman QC of being ‘too nice’, his sworn evidence being cited as ‘just talk to her’. The Court quickly accepted that Stephanie was indeed ‘nice’, but the case revolved around the central issue of whether she was ‘too nice’. Steph didn’t help her case by admitting that if she stumbled upon an upturned tortoise she would ‘nicely’ turn it the correct way, rather than beat it to death with a rock – pretty nice of her! But ultimately her excellent defence counsel made a very compelling argument that there was indeed a limit to Ms. Painter’s niceness, and seemingly that limit could be found somewhere between allowing Jeremy Clarkson to enter the party but NOT Katie Hopkins or Hitler. This total disregard for the feelings of two of the most monstrous individuals of recent ages meant the jury vociferously and unanimously determined that Steph was indeed ‘nice’ but was not guilty of being ‘too nice’.

I must say, the comedy was absolutely brilliant. So good that I have actually googled their upcoming London dates to take some friends to see a show! All in all, another fantastic event, a huge thanks to all clients and prospective clients for joining us and we look forward to socialising with you again in 2016.

Kroll Ontrack expands local ediscovery capabilities in the Netherlands

Kroll Ontrack has responded to growing demand from Dutch law firms and companies for local support in international investigations and other legal matters faced by companies in the Netherlands by offering ediscovery services locally in the Netherlands.

We have provided data recovery services in the Netherlands for 8 years and ediscovery services remotely for 10 years and are now establishing a local team of ediscovery experts in Amsterdam. In addition to expanding our operation, we are also moving to new premises which are opening in November 2015 in South Amsterdam, located conveniently close to the heart of the Dutch legal and business district.

Law firms in the Netherlands are increasingly familiar with the benefits of ediscovery, especially where they are dealing with U.S. and U.K.-led litigation, regulatory investigations and other multi-jurisdictional matters. We believe that use of ediscovery technology will become commonplace and that there will be widespread adoption of the latest developments such as predictive coding technology, which automates the document review process and significantly reduces the cost of responding to requests for information.  This adoption of ediscovery technology can also extend into proactive initiatives whereby companies undertake audits of their systems to check for any wrongdoing.

Tim Phillips, Managing Director of Kroll Ontrack International Legal Technologies, said: “The new office in Amsterdam will house a larger, Dutch-speaking team of ediscovery and forensics professionals, giving our clients in the Netherlands access to the expertise they need in litigation and investigations on their doorstep. We are committed to building a long-term business that will employ local experts but that will be backed by the resources of the international leader in ediscovery technologies.”

Tina Shah, Legal Consultant, added: “It’s much easier for clients to call us in to help with regulatory or legal enquiries when we are just a few doors down the road rather than in a remote location.  The flight to leniency in competition matters means that time is often of the essence when investigations or dawn raids take place, so it pays to have an ediscovery partner that is already nearby and able to quickly come to your assistance. Additionally, clients will benefit from our world class data centres in London, Paris, Frankfurt and Tokyo as well as our valuable document review service.”

To celebrate the launch of the newly expanded office, we welcomed our Dutch clients to join us for festive cocktails and amazing views at Amsterdam’s unique Skylounge bar.

The view from the SkyLounge

No more EU-US Safe Harbor. What are the implications for citizens and businesses?

Introduction

On 6th October 2015, the Court of Justice of the European Union declared in the case Maximillian Schrems v. Data Protection Commissioner (Case C-362/14) that the “Safe Harbor Agreement” between the EU and the US is invalid.

Until now, the so-called “Safe Harbor Agreement” was an agreement signed in 2000 between the US Department of Commerce and the European Union that allowed US-based companies to transfer data from the EU to the US and thus to comply with the EU Data Protection Directive of 1995. In 2000, the European Commission had declared that the US provides for adequate safeguards for data protection. The “Safe Harbor Agreement” consisted of data protection principles to which US undertakings may subscribe voluntarily. To date, 4400 companies have transferred data to the US under the “Safe Harbor Agreement”.

The Court judgment is available online here and the press release of the Court of Justice concerning this case is available here.

What is the background of the case?

Maximillian Schrems, an Austrian citizen, has been a Facebook user since 2008. As is the case with other subscribers residing in the EU, some or all of the data provided by Mr Schrems to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is processed. Mr Schrems lodged a complaint with the Irish supervisory authority (the Data Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency), the law and practice of the United States do not offer sufficient protection against surveillance by US public authorities of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 2002 the European Commission considered that, under the ‘safe harbor’ scheme, the United States ensures an adequate level of protection of the personal data transferred.

Mr. Schrems appealed the decision of the Data Protection Commissioner before the Irish High Court. The Court decided to stay the proceedings and to refer questions to the European Court of Justice for a preliminary ruling.

The European Court of Justice ruled that the so-called “Safe Harbor Agreement” was invalid because it allowed US government authorities to gain routine access to Europeans’ online information. The court also explained that leaks from Edward J. Snowden, the former contractor for the National Security Agency, made it clear that American intelligence agencies had almost unfettered access to the data, infringing on Europeans’ rights to privacy.

What are the next steps following this judgment?

The Court of Justice ruling is effective immediately and declares the current “Safe Harbor Agreement” invalid. This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the EU Data Protection Directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.

What are the practical implications of this judgment for US-based companies who used to transfer personal data from EU citizens to the US under the “Safe Harbor Agreement”?  

As we know, the recent Court of Justice judgment declared the “Safe Harbor Agreement” invalid. This means, under a strict interpretation, data transfers concerning personal data from EU citizens to the US cannot rely on the “Safe Harbor” anymore since it has been declared invalid.

Nevertheless, US-based companies should still be able to transfer data from EU citizens to the US by using alternative mechanisms such as standard contractual clauses, binding corporate rules (“BCR”) and derogations. Standard contractual clauses are model clauses that have been issued by the European Commission and are designed to facilitate transfers of personal data from the European Economic Area (EEA) to third countries that are not designated to be “adequate” for the processing of personal data by the European Commission. The model clauses provide sufficient safeguards for the protection of the privacy of individuals.

“BCR” are internal rules, such as a Code of Conduct, adopted by a multinational group of companies, which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection. To that extent, “BCR” ensure that all transfers made within a group benefit from an adequate level of protection. Once approved under the EU cooperation procedure, “BCR” provide a sufficient level of protection to companies to obtain authorisation of transfers by national data protection authorities. It should be noted that the “BCR” do not provide a basis for transfers made outside the company group.

As to derogations, the EU Data protection rules include derogations under which personal data can be legitimately transferred to the US on the basis inter alia of[1]:

  • Performance of a contract [e.g. if I book a hotel in the U.S., my personal data are transferred there in order to fulfil the contract];
  • Important public interest grounds [e.g. cooperation between authorities in the fight against fraud, cartels, etc.];
  • The vital interest of the data subject [e.g. in urgent life-or-death situations, personal data such as medical records can be transferred internationally in the person’s own interest];
  • Or, if there is no other ground, the free and informed consent of the individual.

From a pragmatic standpoint, although there is no official “grace period” following the invalidity of the Safe Harbor, US-based companies that transfer personal data from EU citizens to the US cannot be expected to cease such transfers immediately since this would affect numerous business operations.

Frans Timmermans, the First Vice-President for the European Commission, who will be charged with carrying out the ruling, and Vera Jourová, EU Commissioner, tried to ease the concerns of companies. Their official press release is available here. They said businesses could still move European personal data to the United States through other mechanisms including standard contractual clauses, binding corporate rules (“BCR”) and derogations.

How will this judgment affect the ongoing discussions concerning the new Safe Harbor Agreement, the EU Data Protection Reform and the EU-US Umbrella Agreement for the law enforcement sector?

Frans Timmermans, the First Vice-President for the European Commission and Vera Jourová, EU Commissioner, explained that the European Commission has been in discussions with the US over the past two years to revise the existing Safe Harbor. Negotiations are still ongoing but the aim is “to step up discussions with the US towards a renewed and safe framework for the transfer of personal data across the Atlantic”.

As to the EU Data Protection Reform and the EU-US Umbrella Agreement for the law enforcement sector, they explained that both are well on track and will most likely be finalised this year. The Data Protection Reform, which will see the passing of a new EU Regulation to replace the Data Protection Directive, aims amongst other things to strengthen the powers of national data protection authorities, which have an essential role in upholding individuals’ rights to data protection. In their view, this is fully in line with the recent Schrems ruling.

The EU-US Umbrella agreement differs from the Safe Harbor. It does not itself enable data transfers. Rather, it sets high data protection standards in the area of police and criminal justice cooperation. They explain that the Umbrella agreement will improve the protection of personal data of Europeans in the U.S. as it will make sure that citizens will have recourse to judicial redress possibilities in the U.S. in case of privacy breaches, once the US Congress has adopted the respective draft Bill.

Finally, Mr. Timmermans and Ms. Jourová explained that the European Commission would work with national data protection authorities to ensure that the court’s decision (Schrems’ recent judgment) is carried out in a uniform fashion across the European Union. They concluded saying “As citizens need robust safeguards and businesses need legal certainty; the guidance should help avoid a patchwork of potentially contradicting decisions by the national data protection authorities and therefore provide predictability for citizens and businesses alike”.

What should companies do while the current legal situation is being clarified?

While the new Safe Harbor Agreement is being discussed between the EU and the US and the EU Data Protection Reform is finalised, companies that used to transfer personal data from the EU to the US under the Safe Harbor Agreement should now use alternative mechanisms such as the standard contractual clauses, binding corporate rules (“BCR”) and derogations described above. We also suggest that companies seek guidance and approval from the respective national data protection authorities in the countries in which they have business operations.

In addition, if companies are, for example, in litigation in the EU that requires the services of an ediscovery provider, or they otherwise need to process and host EU citizens’ personal data, we recommend that they opt for in-country solutions within the EU so as to comply with EU data protection regulations. In practice, this means, for example, that if a German company has to collect data from its employees based in several locations in Germany with the assistance of an ediscovery provider, that data should be processed and hosted in a German data centre so as to comply with strict German and EU data protection regulations. The data should thus not leave the German borders. In our view, the recent Schrems judgment reinforces the need to use local solutions so that when data is processed and hosted to carry out electronic searches, data remains within the respective countries of the custodians concerned and above all remains within the EU. If data from the European custodians does have to leave the European Union and needs to be transferred to the US, then it will have to be within the framework of the alternative mechanisms described above.

[1] For further derogations, please refer to Article 26 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.