E-Discovery no longer dominantly involves emails and shared drive documents. With the increasing prevalence of mobile devices in the workplace and new apps being developed daily, mobile data and other non-email communications are moving to the forefront of discovery. Times have changed, and attorneys have professional and ethical obligations to keep up. To effectively and competently represent clients, attorneys must stay apprised of how to work with these ever-changing forms of data – or get help from someone knowledgeable. To do so, we have set out some suggestions below organized around common stages of the discovery lifecycle of digital evidence.

Identification. In conducting custodian interviews, ask questions to target the data types the custodian works with. Start broadly by determining if the company has a BYOD policy and asking if they allow the use of personal devices for work purposes. Confirm which messaging tools they use for business purposes, with the understanding that people tend to play down such use. For each messaging application, ask how they are used and with whom they communicate. Discuss these same topics with your client’s IT team to better understand  the company’s policies and capabilities for controlling the use of personal devices, as well as employees’ actual practices.


Continue Reading Best Practices for Navigating Discovery of Mobile Data and Alternative Communication Tools in Today’s Digital World

On February 8, 2016, the French Data Protection Authority (CNIL) publicly issued a formal notice to Facebook, following a joint investigation with four other EU regulators, asking the U.S. social network provider to comply with the French Data Protection Act within three months’ time. The notice (unofficial English translation available here), outlined several alleged violations of the law, including:

  1. collection of non-user data;
  2. collection of sensitive data (sexual orientation and political/religious views) without users’ “explicit consent” (i.e., a tick box);
  3. collection of “excessive” information to verify identities (e.g., requesting medical records when users replace their surname with that of a celebrity);
  4. use of cookies without notice or consent;
  5. failure to define and observe proportional data retention periods and failure to ensure data security (e.g., stronger password requirements);
  6. failure to obtain CNIL authorization for processing related to preventing fraud and banning users; and
  7. transfer of data to the U.S. under the invalidated U.S.-EU Safe Harbor (Safe Harbor) (alleged based on the company’s privacy statement).


Continue Reading Facebook Hit with French Data Protection Authority Action – Including a Safe Harbor Count

Certain European Union (EU) Member States’ data protection authorities (DPAs) have already started to announce investigations and or “prudential measures” for data transfers solely relying on the invalidated “U.S.-EU Safe Harbor Framework” (Safe Harbor).

In the aftermath of the announcement of the “EU-U.S. Privacy Shield” (Privacy Shield), the Article 29 Working Party (WP29), comprised of all EU Member State DPAs, announced an extension of the “grace period” for U.S. data transfers based on alternative transfer mechanisms (e.g., EU standard contractual clauses and Binding Corporate Rules) other than Safe Harbor, at least until the Privacy Shield has been reviewed by WP29 (likely by the end of March 2016).


Continue Reading EU Member States to Investigate EU-U.S. Transfers That Rely Solely on Invalidated Safe Harbor: Starting Now

In conjunction with the 2015 American Bar Association annual State of Criminal Justice publication, Louisa Marion and I have published a new chapter on “Digital Privacy and E-Discovery in Government Investigations and Criminal Litigation.” The article provides an in-depth look at many of the current and cutting edge issues raised by digital privacy