By Chuck Kellner, SVP Discovery Engineering
Privacy is a major battlefield in the Internet age. Every day, we are under attack to divulge our shopping or entertainment preferences as we surf the Internet. More maliciously, we are under attack for our usernames, passwords, social security numbers, banking and credit card information. Our workplaces have complicated structures in place to protect infrastructure from outside attack and to protect trade secret from theft, from the outside or inside.
Even as we are increasingly interactive (or narcissistic) with growing circles of friends, colleagues and acquaintances in our social networks, we struggle to protect privacy. Who has access to our family photos, our email addresses, our home addresses and phone numbers? Defense to the invasion takes many forms. We get unwanted emails despite opt-outs and spam filters. We get home telephone calls despite increasingly strict laws against and an impossibly overburdened FTC Do-Not-Call program.
At work, most of us have employer-issued computers, mobile devices, and email accounts. We understand the rules: anything we do on company equipment or company servers gives us little or no expectation of privacy. Sometimes we make bad but convenient choices to send that personal email through the Yahoo account from the company device or do a little Internet shopping in the off-hours, or set up the iTunes, or even use the company email to make remarks that aren’t exactly in the line of work. Our mobile devices contain the most inane text messages and, potentially, an alarmingly detailed log of our travels and whereabouts.
Those of us working in Computer Forensics know the results. If we become custodians in litigation, all of this personal activity is laid bare, and except for the occasional legal privilege or other exception, it becomes fair game. To complicate the privacy issues, eDiscovery in the US is a high-stakes endeavor. Even with all of this personal fingerprint on our workplace devices, the law unequivocally requires preservation with the whiff of litigation. And violation can carry serious penalties.
High-stakes eDiscovery in the US causes us to scoff sometimes at what appears to be inattention or indifference, or even wrong-headedness, about eDiscovery across The Pond. Why should corporate email not be easily and willingly forthcoming? Why does it belong to the individual employee and not the business?
Our enlightening and energizing keynote speaker at Georgetown this past month, J. Trevor Hughes, taught that need for privacy is primal, even instinctive to our species. He illustrated with artwork from antiquity, examples from anthropology, and performance art from modern culture. He reminded us that behavior changes under observation. We justify giving up some privacy by saying to ourselves and each other, “If you don’t want it known, then don’t say it or write it.”
But it is precisely that chill against which the EU Privacy directives are targeted. The Georgetown panel on eDiscovery in the EU (1) told us that as you move east and south across the EU, the privacy laws become more stringent and the penalties for violation more dramatic. Over two centuries here in the States we have give our freedom of speech a healthy if not exhausting aerobic exercise. But in much of the EU, such rights have been fleeting, or they are new, and the exercise of them posed real danger.
One speaker told the story of discussing privacy rights at a conference on the subject in a country formerly in the Eastern Bloc. A colleague there told him that we could not fully understand how seriously they take their privacy rights unless, because of some personal communication, a neighbor is taken from his home and executed by the authorities.
The panel went on to explain that privacy directives and national and local rules in the EU are becoming more restrictive, not less. Judge Scheindlin indicated that courts often do not know that parties have international discovery at issue unless they are directly told. She advised that if conflict of laws interferes with a discovery request and response, it is important to notify the court and seek resolution with some judicial supervision. US practitioners are advised to consult with local counsel who would have better knowledge of procedures within local work collectives. Technical staff are advised to avoid ingenious workarounds and follow the instruction of US and EU counsel.
As an industry, we take EU privacy concerns lightly at our peril. Penalties for violation are stiff, and they include imprisonment. Perhaps we should take our own privacy more seriously as well. US Supreme Court Justice Elena Kagan highlighted in a December 13 speech that privacy in a changing world is a big issue likely to come before the court. Praising Justice Brandeis for his prescience on the issue, Justice Kagan said Brandeis “understood how new technologies interfere with privacy, which I think will be one of the most important issues before the court in the decades to come” (3).
(1) Jonathan Armstrong, Kenneth Rashbaum, Hon. Shira Scheindlin, Matthew Knouf, Stephanie Mendelson, Fernando Pinguelo. (Refer to materials below.)
(2) Georgetown Law Advanced Institute on eDiscovery, Course Materialshttp://www.law.georgetown.edu/cle/materials/eDiscovery/2012.Part-One.pdfhttp://www.law.georgetown.edu/cle/materials/eDiscovery/2012.Part-Two.pdf
(3) http://www.politico.com/blogs/under-the-radar/2012/12/elena-kagan-talks-diversity-and-disagreement-on-the-151963.html; http://tinyurl.com/ca3ooh9