An international manufacturer of defense products headquartered in Germany was involved in a massive litigation in the U.S. The litigation involved 50 custodians and two terabytes of network data, including technology-related data under export control sanctions. All of this highly-sensitive data needed to be collected, processed, reviewed,redacted, and produced in fewer than three weeks. The client required International Traffic in Arms Regulations (ITAR) data handling from Legility. Lotus Notes email and laptops were imaged as well.
In addition, because the documents were authored/created in Germany - they fell under German Federal privacy laws, labour law (Arbeitnehmerdatenschutz) and the General Data Protection Regulation of the European Union (GDPR), and were subject to an agreement between employee and employer - i.e. each employee must consent to process the data. These rules are more stringent than those in the U.S. / U.K., and therefore the document review needed to take place in Germany first where personally identifiable information (PII) was redacted on documents which are then produced to the U.S.
Our Germany-based review team redacted tax numbers, passports, birthdays, personal photos, and conversation of a personal nature. Further to this, the managed review team also identified and redacted potential technology relevant data that would fall under export control sanction (Bundesamt für Ausfuhr und Exportkontrolle). Legility approached this requirement with segregated teams, so-called white glove teams.
We were quickly able to both understand and confirm specific data privacy and export control requirements, and immediately set about gathering consent of the custodians and the works council/data privacy officer. We supported custodian interviews and defensibly collected and culled the many diverse sources of data involved. We then processed and prepared the data in Germany.
Once we promoted the data, we hosted it securely in Relativity 9.6 in Frankfurt and Chicago, and put a white-glove in-country project management and review management team in place made up of local employees.
We then commenced:
Clearance and confirmation for collection with in-house legal team
Setup of a managed document review team within 48 hours
Definition and installation of a privacy review
Definition and installation of a privilege review
Definition and installation of technology/export sanction control review
Installation of a half automated/half manual redaction process
Rolling production to Legility U.S. instance of review
“Follow the sun” support
Continuous Active Learning (CAL) for quality control (QC) and PII identification
Production in four jurisdictions
The client was able to meet their regulatory deadline and complied with all applicable data protection regulations, including the EU’s GDPR and Germany’s Bundesdatenschutzgesetz (BDSG) as well as the company’s works counsil. Using continuous active learning,
we significantly reduced the mount of time it took to identify PII. Our automated and manual redactions for privilege and technology data sped the redaction process while also increasing accuracy. And the client was also able to meet export control regulations efficiently.