“After a while you learn that privacy is something you can sell, but you can’t buy it back”
―Bob Dylan, Chronicles: Volume One
When you do something online – almost anything – you trade your data privacy for something. You don’t actually need to click ‘purchase’ on that bulk order of toilet paper – your IP address and other personal data is now a commodity to be on-sold to marketers.
Powerful new data protection laws are being introduced across the world to bring some semblance of privacy back to consumers. For example, the new California Consumer Privacy Act (CCPA) means that, as of January this year, you have the right to direct businesses in California, covered by the CCPA, not to sell your personal data.
No matter what the jurisdiction, one ongoing source of privacy risk is documents released through litigation discovery processes: Does the world really need to know you panic-purchased 3-ply Jumbo in a court action occurring three years from now?
Here I want to talk about two challenges for personal data protection and court discovery processes, using Australia (whose legal system this author knows best), as an example.
In a discovery, one party requests a set of documents (usually a very large set) from the other party, as evidence for upcoming proceedings. eDiscovery speeds up this process, and enhances its quality, through ‘predictive coding’: reviewers code a sample of documents which are fed into a computer algorithm which, in turn, ‘learns’ from those documents in order to automatically categorise and tag a whole batch of documents.
A basic principle of Australian data privacy law is that personal data must not be used or disclosed, other than for the purpose for which it was collected (see Australian Privacy Principle 6). One of the established exceptions to this is where disclosure is required under a court or tribunal order.
You can see where this is going: Through an automated process your TP-purchasing proclivities could end up being released incidentally through a court discovery process.
The solution? While there is the possibility of redacting such information under certain conditions, the lawyers for both sides should consider how they will deal with personal data when agreeing on the scope of ediscovery at the early stages (such as through a ‘discovery plan’ under Federal Court Rules).
Far less litigation occurs in Australia than the United States, though the quantity is growing. This means that most ediscovery service providers are located overseas. As discoverable documents are likely to contain personal data, this means ‘cross-border’ transfer of personal data is likely to occur.
Lawyers sending documents overseas for processing by a service provider, may be liable for any authorised use or disclosure by them.
The key to mitigating this risk is taking “reasonable steps” to ensure that the overseas company complies with privacy obligations. This could include:
– a contract requiring the third party to protect that information in line with Australian law;
– monitoring of the third party’s compliance;
– checking that the third party has the right policies and employee training in place to protect the information.
For more information see Sending personal information overseas.
Unless you are part of a COVID-19 toilet paper-hoarding cartel, you probably won’t be caught short: Your personal data is not likely to meet the ‘relevance’ standard for release through a court discovery process. Nevertheless, businesses and lawyers do need to mitigate against this possibility through ediscovery processes which robustly protect consumer personal data.