Preparing for New European Union Data Privacy Regulations

February 3, 2014 Chris O'Brien

For some time, European Union leaders have debated the creation of a single, “harmonized” data protection law among the member states. Last year, the European Parliament published its draft text for a comprehensive new law that would modernize the 1995 Data Protection Directive.

The proposals seek to create tougher standards governing data collection, affording EU citizens greater rights to control their personally identifiable information (PII). They strengthen individual privacy rights by creating the “right to be forgotten,” which would mandate the deletion of PII when there are no longer legitimate grounds for keeping it. They would also require companies and organizations to notify a new national supervisory authority as soon as possible in the event of a serious data breach. The new provisions would be accompanied by increased regulatory enforcement efforts. A key goal of the proposed directive is to encourage businesses to adopt proactive governance structures to manage privacy risk and to build privacy-friendly default settings into consumer products and services like social networks and mobile apps.

Although some Big Data analysts predict the changes will be finalized later this year, much controversy still surrounds the new proposals. One recommendation fueling the controversy is a scheme to levy fines of as much as $136 million against tech companies that violate privacy regulations when processing the data of EU citizens.

In the interim, organizations should take a number of steps to prepare for compliance—and to ensure they do not run afoul of current EU law. In addition to monitoring legal developments, organizations should continue to adopt measures that protect PII during discovery. First, organizations should collect documents from data sources abroad carefully, narrowing the scope of the discovery and, in turn, reducing the collection, processing, and transfer of documents as much as possible. In many cases, it will make sense to collect and process the data in the country where the data resides, which should limit the amount of PII that must be transferred to the United States. Finally, organizations should take advantage of anonymization techniques and automatic redaction tools to remove PII from documents. These tools can be extremely effective when data volumes are high by eliminating two sources of liability-creating errors: (1) the subjectivity of human reviewers and (2) the tedious, error-prone manual application of redactions to each page in a collection of hundreds or thousands of documents.

Chris O’Brien is chief operating officer at Conduent. He can be reached at

About the Author


Previous Article
The Best Defense in E-Discovery Is a Good Offense

A recent case from the Fifth Circuit interpreting Federal Rule of Civil Procedure 54(d)(1) serves as an imp...

Next Article
The State of Technology-Assisted Review in 2014

In 2013, technology-assisted review (TAR) became more than just a judicially approved discovery tool: it be...