Cross Border ESI: Considerations for Time Sensitive Data Handling
In today’s ever-changing world of technology and legal requirements, data handling considerations have become critically important. There are multiple levels of consideration, including legal obligations, privacy, and logistics. This is one example of how European-based clients can carefully and strategically provide data for a US-based dispute or litigation.
It should be noted that none of the content here is intended to be legal advice, but rather a demonstration of our technical and industry experience dealing with the transfer of data across borders. Legal issues should ultimately be evaluated by counsel.
Consider the following “facts” for the illustration of this example.
- This matter involved a set of company data that had been created and stored within the profiles of individual custodians employed by a company based in Germany and the US.
- Although the custodians granted access and permission to the data, there were still certain workflows and precautions taken to ensure that the data had been properly handled by the “data processor” before it was ultimately accessed by the US legal team.
- The data sets included: a set of emails (thousands being S/MIME encrypted), loose efiles (aka non-email documents), and data collected from a document management system.
- The data was to be “decrypted”, “processed” and “searched” in Europe and the resulting data transferred to the client’s European counsel for further handling according to the standard contractual clauses or binding corporate rules held by the firm.
When operating in Europe, one would be remiss not to take into consideration the many rules and regulations that help define data accessibility from one jurisdiction to the next. In 2018, the European General Data Protection Regulation or “GDPR” came into force, helping to create some uniformity across member states. Enforcement may differ slightly between members of the European Union, but the underlying guidance is one that can be relied upon to help dictate the process of extracting information for use in legal or regulatory matters. It is important to understand the roles various parties play in ensuring data subject rights are not infringed upon.
In the scenario presented here, data resided in Germany. The company at the center of the US-based legal dispute had been charged with extracting information related to certain key individuals of interest for further investigation.
- Data Controller: Under the GDPR, the company along with its external counsel are in the position of the “data controller”, which can be defined as: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
- Data Processor: iDS was placed in the position of the “data processor”. Under the GDPR, this role can be broadly defined as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
As an experienced data processor, we were able to draw the attention back to legal counsel on issues related to data protection, ensuring that any instruction related to the processing of said data was in accordance with the regulation. While we do not provide legal advice, we know the law and as such must ensure that our own actions are properly accounted for from a data protection perspective. This required careful coordination and clear understanding, both of which were well covered by the parties involved.
In this scenario, left with only one viable option and an aggressive deadline, the consulting team was able to pivot, using the law firm’s own resources and existing transfer framework to effectuate the task at hand. This did not necessitate the lengthy process of formulating from scratch a detailed outline of the actions required (which could not be achieved under the agreed-upon timeline). By positioning the law firm as the transferring party, iDS was able to focus on processing data and getting it into the hands of local resources, i.e. the offices of external counsel in Europe. With accessibility and transfer options understood, it was time to focus on the nuts and bolts of getting the job done.
The Nuts and Bolts
The iDS team was able to ‘stand up’, within “The Cloud”, an entire server operation in 72 hours, inclusive of a third-party data processing platform, within the AWS Frankfurt region. To aid the solution, the team also leveraged an SFTP server within the AWS environment that is capable of talking directly to the processing platform, meaning data transferred by the company was already in the final staging area and did not need to be moved again in order to process and triage it.
The Cloud – Dispelling some of the illusions
The primary perception among the risk-averse is understandable; however, data is not floating around in an unsecured ether. Computer power and storage are simply leased to customers and the infrastructure powering this hardly differs from an in-house, bare-metal server configuration. The term ‘cloud’ is great marketing but is equally difficult to navigate within data protection conversations, owing to a lack of consensus and understanding.
Security by Design
If customers are looking to rent secure data centre space in a given location, the selling points of those facilities are in touch with the concerns of the buyers: building access, floods, earthquakes, tornadoes, wildfires. Amazon Web Services (AWS) select their sites on the same criteria. Remember: they’re protecting some of their own systems in these centres, not just the Virtual Private Cloud (VPC) customers’ environments. These sites are also fully equipped with multi-factor entry for staff, airlock doors, CCTV, the works.
Using EC2 Compute (AWS’s virtual PCs) instead of bare-metal servers has many advantages. The more obvious benefits are time-to-operation and the ability to be further reaching geographically (mobility).
If operations are cleverly monitored by consultants familiar with the framework, it can deliver some overt cost savings as well, as the resources are at-the-ready rather than fixed costs.
In a recent engagement with over 400GB of mail data from a German client, the team was able to take in and subsequently process 80 – 100GB of data per day in near real-time. This success is twofold: 1) the bandwidth conditions were favorable for both the Client and the iDS team such that the SFTP transfer (upload) of mail data was 4-5X faster than market averages, and 2) the data processing platform was very easily unpacking, parsing and processing data for triage at speeds unseen in nearly every other platform using this same configuration. The iDS team was able to have documents loaded, culled, searched and produced within 24 hours of receiving the first large tranche.
There have been a number of engagements where Clients insist that heavy, bare-metal equipment be taken on-site to a location in, say, Austria or Germany. This will continue as certain companies and industries have strict perception concerns related to data leaving their own premises, let alone entering a server environment not controlled by their own team. This blog, however, demonstrates viable and acceptable alternative options.
 Regionally specific data protection
 Based on industry knowledge and experience of uploads in the 500k – 1MB range.