Only half of US businesses affected by the California Consumer Privacy Act of 2018 expect to be compliant by the 2020 deadline, according to a PwC survey of more than 300 executives at US companies with revenues of $500 million or more.
The law — CCPA for short — is expected to provide state residents sweeping data-privacy rights that most businesses will only be able to honor by first overhauling their personal data-governance capabilities.
The US retail sector — largely unaffected by last year’s scramble for compliance with the EU’s General Data Protection Regulation — may be particularly challenged in meeting the deadline: less than half (46%) of retail and consumer respondents say they will be compliant by 2020. Confidence in meeting the deadline is similarly lacking in the industrial products (44%) and health (47%) sectors.
Respondents from financial services (58%) and telecommunications, media and technology (TMT) (56%) sectors are relatively more confident about meeting the deadline.
The CCPA mandates a wide range of safeguards to protect the personal data of California consumers and employees. The act significantly broadens the definition of personal data to include a range of individual, or household, identifiers. It defines consumer as a “natural person who is a California resident.”
CCPA’s impact will extend well beyond the Golden State and its 39.5 million residents. More than three quarters of respondents to our survey say they collect personal information on California residents. Many are considering whether to extend CCPA’s rights to all of their US employees and consumers for operational simplicity and long-term readiness for potential federal privacy legislation.
Understanding whether you are processing personal data is critical to understanding whether the GDPR applies to your activities.
Personal data is information that relates to an identified or identifiable individual.
What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors.
If it is possible to identify an individual directly from the information you are processing, then that information may be personal data.
If you cannot directly identify an individual from that information, then you need to consider whether the individual is still identifiable. You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual.
Even if an individual is identified or identifiable, directly or indirectly, from the data you are processing, it is not personal data unless it ‘relates to’ the individual.
When considering whether information ‘relates to’ an individual, you need to take into account a range of factors, including the content of the information, the purpose or purposes for which you are processing it and the likely impact or effect of that processing on the individual.
It is possible that the same information is personal data for one controller’s purposes but is not personal data for the purposes of another controller.
Information which has had identifiers removed or replaced in order to pseudonymise the data is still personal data for the purposes of GDPR.
Information which is truly anonymous is not covered by the GDPR.
If information that seems to relate to a particular individual is inaccurate (ie it is factually incorrect or is about a different individual), the information is still personal data, as it relates to that individual.
What is personal data?
The GDPR applies to the processing of personal data that is:
wholly or partly by automated means; or
the processing other than by automated means of personal data which forms part of, or is intended to form part of, a filing system.
Personal data only includes information relating to natural persons who:
can be identified or who are identifiable, directly from the information in question; or
who can be indirectly identified from that information in combination with other information.
Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and you may only process them in more limited circumstances.
Pseudonymised data can help reduce privacy risks by making it more difficult to identify individuals, but it is still personal data.
If personal data can be truly anonymised then the anonymised data is not subject to the GDPR. It is important to understand what personal data is in order to understand if the data has been anonymised.
Information about a deceased person does not constitute personal data and therefore is not subject to the GDPR.
Information about companies or public authorities is not personal data.
However, information about individuals acting as sole traders, employees, partners and company directors where they are individually identifiable and the information relates to them as an individual may constitute personal data.
What are identifiers and related factors?
An individual is ‘identified’ or ‘identifiable’ if you can distinguish them from other individuals.
A name is perhaps the most common means of identifying someone. However whether any potential identifier actually identifies an individual depends on the context.
A combination of identifiers may be needed to identify an individual.
The GDPR provides a non-exhaustive list of identifiers, including:
name;
identification number;
location data; and
an online identifier.
‘Online identifiers’ includes IP addresses and cookie identifiers which may be personal data. Other factors can identify an individual.
Can we identify an individual directly from the information we have?
If, by looking solely at the information you are processing you can distinguish an individual from other individuals, that individual will be identified (or identifiable).
You don’t have to know someone’s name for them to be directly identifiable; a combination of other identifiers may be sufficient to identify the individual.
If an individual is directly identifiable from the information, this may constitute personal data.
Can we identify an individual indirectly from the information we have (together with other available information)?
It is important to be aware that information you hold may indirectly identify an individual and therefore could constitute personal data.
Even if you may need additional information to be able to identify someone, they may still be identifiable.
That additional information may be information you already hold, or it may be information that you need to obtain from another source.
In some circumstances there may be a slight hypothetical possibility that someone might be able to reconstruct the data in such a way that identifies the individual. However, this is not necessarily sufficient to make the individual identifiable in terms of GDPR. You must consider all the factors at stake.
When considering whether individuals can be identified, you may have to assess the means that could be used by an interested and sufficiently determined person.
You have a continuing obligation to consider whether the likelihood of identification has changed over time (for example as a result of technological developments).
What is the meaning of ‘relates to’?
Information must ‘relate to’ the identifiable individual to be personal data.
This means that it must do more than simply identify them – it must concern the individual in some way.
To decide whether or not data relates to an individual, you may need to consider:
the content of the data – is it directly about the individual or their activities?;
the purpose you will process the data for; and
the results of or effects on the individual from processing the data.
Data can reference an identifiable individual and not be personal data about that individual, as the information does not relate to them.
There will be circumstances where it may be difficult to determine whether data is personal data. If this is the case, as a matter of good practice, you should treat the information with care, ensure that you have a clear reason for processing the data and, in particular, ensure you hold and dispose of it securely.
Inaccurate information may still be personal data if it relates to an identifiable individual.
What happens when different organisations process the same data for different purposes?
It is possible that although data does not relate to an identifiable individual for one controller, in the hands of another controller it does.
This is particularly the case where, for the purposes of one controller, the identity of the individuals is irrelevant and the data therefore does not relate to them.
However, when used for a different purpose, or in conjunction with additional information available to another controller, the data does relate to the identifiable individual.
It is therefore necessary to consider carefully the purpose for which the controller is using the data in order to decide whether it relates to an individual.
You should take care when you make an analysis of this nature.
Further Reading: Relevant provisions in the GDPR - See Articles 2, 4, 9, 10 and Recitals 1, 2, 26, 51
The European Union’s widely anticipated General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Designed to provide EU citizens with better control over their personal data, this comprehensive reform of data protection in the EU has far-reaching implications. But how and to what extent will this new regulation affect electronic discovery in U.S.-based civil litigation? Organizations subject to the GDPR should think critically about what specific steps to take when handling personal data before, during and after litigation.
Before Litigation: Focus on Information and Organizational Governance
Before litigation ensues, you should understand everything you can about your organization’s data. Conducting data inventories and mapping allows you to identify potential information governance issues, such as what types of data your organization handles, where that data exists within your systems, and how information generally flows within your organization.
It is also imperative to assess your organization. Do you have a Data Protection Officer? Are you currently subject to the U.S.-EU Privacy Shield? Does your organization have binding corporate rules (BCRs), model contractual clauses or other adequate transfer safeguards in place? The GDPR changes the existing data transfer mechanisms available to organizations subject to it, and the applicability of these mechanisms may depend on the answers to these questions.
For an in-depth analysis of preparing for GDPR compliance, see our previous client alert on connecting information governance and the GDPR.
During Litigation: Identify and Manage Risk
Does the GDPR apply?
Once you are facing litigation – or the threat of litigation – you should first determine whether the GDPR applies. It is important to highlight that an organization cannot avoid application of the GDPR because it operates outside the EU. Territorially, the GDPR applies to the processing of EU citizens’ personal data when that processing relates to (1) the offering of goods or services to EU citizens or (2) the monitoring of EU citizens’ behavior within the EU. The GDPR defines “processing” broadly as any operation that is performed on personal data and specifically includes activities such as the collection, use, disclosure by transmission, and dissemination of or otherwise making available personal data. Thus, the activities undertaken to preserve, collect, process, analyze and produce personal data during litigation all constitute “processing” under the GDPR.
You should also determine whether the litigation implicates “personal data” under the GDPR, defined as “any information relating to an identified or identifiable natural person (‘data subject’).” This includes examples such as name, identification number, location data, online identifiers, or factors that are specific to a data subject’s physical, physiological, genetic, mental, economic, cultural or social identity.
The GDPR also governs the movement of data across borders pursuant to U.S. discovery obligations. The GDPR applies to “[a]ny transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization.”
Handling Personal Data
Once you have determined applicability of the GDPR, your immediate goal should be to identify and minimize the scope of relevant personal data preserved under a legal hold. In parallel, you should also investigate whether you are able to secure relevant evidence through alternative means, such as interrogatories and/or deposition testimony.
It is also prudent to include explicit requirements regarding the handling and protection of personal data within a joint ESI protocol. The protocol should state that personal data preserved, collected, produced or otherwise processed should be the minimum necessary for the purposes of the litigation. Furthermore, any personal data should be processed lawfully, fairly and in a transparent manner; collected and used only for the specified, explicit and legitimate purposes of the litigation; handled in a manner that ensures appropriate technical and organizational security of the personal data; and deleted if and as soon as determined to be unnecessary for the litigation.
Beware of Custodial Consent
Practitioners should beware of issues pertaining to custodial consent. It will be much harder to obtain valid consent from data subjects under the GDPR, which requires that consent be “given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.” (Recital 32). In other words, data subjects must be given an informed and meaningful opportunity to consent and also to withdraw that consent at any time. As such, practitioners should not pursue consent-by-default or mass opt-out consent strategies for multiple data subjects in litigation. Caution should also be afforded in circumstances involving power imbalances, such as when an employer is seeking to obtain consent from employees, because it is questionable whether any consent in those circumstances can be freely given.
Moreover, when discovery obligations under U.S. law and the protection of personal data under the GDPR conflict, a custodian may refuse to comply with U.S. law and not give consent. It might be possible in this scenario to redact the personal data from this custodian’s documents, but this approach is often not feasible when, for example, the redactions needed would be too numerous or unduly burdensome to complete, or the data subject is an important custodian in the litigation. It is not yet clear how and to what extent U.S. courts will handle this tension, but you should be aware that it exists. There might be room to argue that a custodian’s refusal to consent to the processing of their personal data for U.S. litigation purposes and the monetary threat of violations under the GDPR are factors that should be considered when weighing proportionality under amended FRCP 26(b), specifically “whether the burden or expense of the proposed discovery outweighs its likely benefit.”