Anyone in the U.S. involved with ediscovery issues in the European Union likely keeps a close eye on the European General Data Protection Regulation (GDPR), which went into effect in May 2018. Designed to standardize privacy regulations relating to how electronic information is maintained, processed, used, or transferred, the regulation continues to evolve while U.S. ediscovery practitioners are still trying to figure out its inherent impediments with regards to cross-border ediscovery. Not only does the GDPR influence what data might possibly be found in ediscovery, but also puts potential roadblocks in the cross-border ediscovery process. Of course, the same could likely be said of many EU country specific privacy rules, so perhaps nothing much has changed beyond the addition of ever more same old same old bureaucratic and legal hurdles.
Meanwhile, the European countries themselves are still trying to resolve differences between their existing privacy laws and GDPR dictates at the same time the European Data Protection Board (EDPB) continues to revise and update the regulation. In fact, last month the EDPB released its latest revision in the form of 169 guidelines on “consent.”
These guidelines are akin to U.S. Title IX Higher Education Act guidelines schools create to define what constitutes consent, and mandates how consent should be perceived to have been freely granted, for the purposes of determining legal consensual sexual intercourse between university students. With regard to the new GDPR guidelines, though, consent involves intercourse with a cookie—and no, not sexual; and no, not the kind you eat!
We’re talking about Internet web cookies that—among other things—help speed up a person’s browsing experience, but also allow companies to keep track of a person’s web browsing habits—among other things. As with sexual intercourse, we firmly believe that cookie consent should be mandatory, otherwise what your computer (and personal privacy) experience is non-consensual.
While the EDPB’s “Guidelines 05/2020 on consent under Regulation 2106/679 (Version 1.0)” will likely not prove to be a direct hindrance on any cross-border ediscovery, we suppose it could impact what data might potentially be found in ediscovery. If nothing else, it might limit data collected by companies given the new bureaucratic burdens of gaining lawful cookie consent.
Anyhow, college students can be thankful that those EU bureaucrats didn’t draw up the Title IX guidelines. If they had, figuring out how to have lawful consensual sex would take at least a half dozen hours and then you’d need a couple of more hours to assess the strength of all consent protocols.