Key issues for e-discovery and legal compliance
Companies may from time to time be involved in litigation, e.g. as defendants or third parties, and they may also be subject to investigations by authorities. The ability to find, hold and produce information when requested by a court or regulator is critical for a company.
By Jeppe Songe-Møller
Electronic discovery – sometimes known as e-discovery – is the process of identifying and collecting electronically stored information in response to a formal request in a lawsuit or investigation.
What is e-discovery?
E-discovery means that a company identifies and collects any electronically stored information that the company has available, e.g., emails, files, databases, social media posts, voicemail – even text messages stored on smartphones. There is essentially no limit as regards the type of content or platform that can be part of e-discovery, as long as the communication or information might be useful in legal action. E-discovery can occur on desktop computers, laptop computers, file servers, smartphones, tablets, backup tapes, and even employees' home computers and other personally owned devices.
The purpose of the e-discovery is to preserve the electronic content and metadata of a company in order to deliver it as part of litigation or investigations and eliminate claims of tampering with evidence. E-discovery is linked to the concept of "legal hold", meaning electronic content cannot be modified, deleted or otherwise destroyed by a company.
Why focus on e-discovery?
The volume of electronic content that companies generate, receive and store is growing rapidly. As new content types become part of a company's "archive", and as data from "Internet of Things" devices grows rapidly, the growth in the volume of electronic content that companies hold will accelerate.
Most companies are not adequately prepared to address key e-discovery requirements. It is also a responsibility that, if not performed appropriately, can cost a company in the form of fines, sanctions, lost revenue and higher legal costs. In our experience, the costs and risks of e-discovery increase rapidly when a company does not have control of its data and cannot find the information requested for a legal action within the timeframe allowed by a court or regulator.
What are the requirements for conducting a compliant e-discovery?
There are several technical and legal issues that arise before, during and after an e-discovery process. For the purpose of this newsletter, we will focus on how companies can safely navigate when it comes to identifying, collecting and reviewing emails. Most e-discovery processes will focus on retrieving employee emails, and there is often a high number of emails to be collected and reviewed for the purpose of a lawsuit or investigation.
A company's access to employee emails is subject to requirements in the GDPR, the Norwegian Working Environment Act (the "WEA") and the Regulations concerning employer's access to email accounts and other electronically stored materials (the "Regulations"). Accordingly, a company may only access an employee's email account when certain specific conditions and procedural requirements are complied with.
In Norway, employee consent is neither sufficient nor required in an e-discovery process that will collect employee emails. However, a company may choose to obtain consent from the employee due to other reasons, e.g., internal policy, appropriate communication or social causes.
In addition to the specific conditions in the Regulations, which are usually fulfilled in an e-discovery process initiated by litigation or investigations, there are a number of mandatory procedural steps when it comes to accessing and reviewing emails. A company may also have its own policies or procedures with respect to accessing employee emails. If so, these may contain requirements in addition to the ones described in the following.
Information to and consultation with employee representatives
The WEA Section 9-2 (1) stipulates that the company is obliged, "to discuss needs, design, implementation and major changes to control measures in the undertaking with the employees' elected representatives". The consultations shall be conducted "as early as possible", meaning before the decision to initiate the e-discovery process is made.
It is worth noting that consultations with employee representatives concerning the company's review of employee emails may have been conducted in the past for general compliance reasons. In such a case, further information and consultation subject to this provision do not have to be carried out again, assuming that the e-discovery process is conducted in accordance with the routines previously consulted upon.
The employee representatives do not have a right of veto, but the consultations shall be held in good faith and the point of view of the employee representatives shall be taken into consideration.
Notification to the employees and their right to object
According to the Regulations Section 3 (1), the employee shall be notified and has a right to provide his comments before the company accesses the email account. In the notice, the company shall explain why the conditions for accessing the email account are deemed to be met, and the employee shall be informed of his rights.
Further, the company shall, before implementing the email access, provide the employee with information concerning the purpose of the access, the practical consequences of the access, including how it will be implemented, and the assumed duration of the e-discovery process.
The notification and information requirements described above are usually complied with by issuing the employee with a letter containing the necessary information.
The employee has a right to object to the access, though the employee – like the employee representatives – does not have a right of veto.
The employees' right to be present
According to the Regulations Section 3 (3), the employee shall have the opportunity to be present during the email access. Further, the employee also has the right to be assisted by an employee representative or other representative of their choice during the access.
The right to be present during the email access could raise certain practical issues, but we have seen that some companies have solved it by offering the employee an opportunity to follow the process online, e.g., via Teams. However, in our experience, the employee would in most cases not exercise his/her right to be present.
The obligation to provide prior information to the employee and the employees' right to be present do not apply if secrecy is required in the interests of the prevention, investigation, and prosecution of criminal activities. This could be relevant if the e-discovery is triggered by a request from a court in a criminal case.
If the access is made with no prior warning, the employee shall receive subsequent written notification of the access once the access has been conducted. The notification shall contain details of the technical methods used, the emails or other documents that were opened and the results of the access.
Data minimization and proportionality
The email access shall be conducted in such a manner that the data are left unchanged and in a manner that enables the information obtained to be verified, cf. the Regulations Section 3 (6).
The access should be limited to emails, contracts and other information that are within the scope of the purpose of the e-discovery. Private emails and correspondence subject to legal privilege shall, as a main rule, be excluded.
We recommend that companies prepare relevant search words in advance, so as to limit the review of emails to what is strictly necessary for the purpose of the e-discovery. The search words should be notified to the employee in advance, so as to obtain their comments, if any.
Further, the number of persons involved in the access should be restricted. The same applies to the number of persons that will review the emails.
For the purpose of compliance with the above requirements, we recommend using software that is tailored to e-discovery, and also using a third-party professional service provider for the purpose of identifying, collecting and reviewing emails.
The review of email accounts shall also be made in compliance with other relevant data protection and privacy requirements. In this regard, companies should be able to evidence that they have routines for deletion of personal data, that they maintain strong IT security and have implemented general data protection policies.
How will cloud services impact e-discovery?
A growing portion of electronic content will be stored by companies in the cloud, such as Microsoft Azure, Google Cloud or Amazon Web Services. There is a myriad of cloud-based communications, collaboration and archiving tools that are replacing on-premises solutions. This could make it harder for companies to identify and collect information that is requested by a court or regulator.
Once information stored by a company in the cloud is subject to e-discovery, it would mean that the information is stored electronically outside the company's facilities, perhaps in another country. It could also mean that certain limitations on access to the information may exist, e.g., slower access to data since a foreign cloud service provider needs to assist in the data collection.
We recommend that companies maintain control of their data by keeping records of data processing and conducting risk assessments prior to engaging cloud service providers. Compliant data processing agreements and cross-border transfers that fulfil Schrems II requirements are essential to exercise an efficient and legal e-discovery process.