[EDRM Workshop Transcript] Discovery at a Crossroads: Global Perspectives on Emerging Challenges

---

Transcript

Mary Mack
Hello, and a warm welcome to the EDRM Global Webinar Channel. I’m Mary Mack, EDRM’s CEO and Chief Legal Technologist. Today’s workshop is presented in collaboration with our trusted partner, HaystackID. It’s titled Discovery at a Crossroads: Global Perspectives on Emerging Challenges. Our faculty experts are Bryant Isbell, Ines Rubio, Jeff Shapiro, Mary Bennett as moderator, Martin Nikel, and myself. Today’s session is being recorded for future on-demand access, and as with all of EDRM’s webinars, it will remain available in the EDRM Global Webinar Channel throughout the next quarter to support your continued learning and reference needs. And all opinions expressed here are our faculty’s own, not those of their firms or clients. And we’re lucky to have Holley Robinson, EDRM senior marketing operations manager, here with us. Holley, can you please share what resources are available for our listeners today?

Holley Robinson
Thanks, Mary. And we’re loving ON24 and all the ways it lets you connect and engage. If you look at the top of your screen, you’ll see the EDRM logo, which you can click on to learn more about EDRM. You’ll also see an option to contact EDRM directly, as well as speaker bios where you can learn more about today’s presenters. Moving down, you’ll see the Q&A box where you can type in your questions for today’s faculty, and we highly encourage you to do so. Your questions will be answered both during and after today’s presentation. Below the Q&A, you’ll find today’s resources, including the slide deck, a link to learn more about HaystackID, and a link to learn more about HaystackID’s Global Advisory. There’s also a link to register for next week’s EDRM webinar, We Mean Business: Turning Validation Metrics into Defensible Decisions, next Tuesday, May 5th, at 1:00 PM Eastern. There are also links to register for HaystackID’s upcoming May and June webcasts: “AI eDiscovery Sea Change: Privilege, Work Product, and Hyperlink Productions” on May 20th, and “The Rising Tide of DSARs: Transforming Access Requests From Compliance Burden to Strategic Capability” on June 24th. Lastly, you’ll see some emojis down at the bottom of your screen. Please feel free to use them and react throughout the webinar. Over to you, Mary.

Mary Bennett
Mary Bennett, I presume. Hi, everybody. Welcome to today’s workshop. I will be the moderator. As Holley and Mary shared, this is a collaboration with HaystackID and the EDRM. Excited to be back in the workshop cadence here. I’m going to introduce our speakers, but before I do so, I really encourage you all to post in the Q&A. We want this to be as relevant and interactive as possible. So if you have specific questions or want to share your own experiences, I’ll do my best to monitor that throughout and ask in real time. But Martin, why don’t we kick it over to you? If you want to share a little bit about yourself and where you’re seated, given that this is a global focus here today.

Martin Nikel
Bonjour. I’m in Belgium at the moment. I have traveled around a bit. I’ve lived in Switzerland for a number of years. Now back to the UK and now in Belgium again. I’ve worked a lot in different European countries dealing with data. And for my sins, I’ve been dealing with eDiscovery and transfer of data for over 20 years now.

Mary Bennett
Great. Thank you. A wealth of experience to get into it. And then we have Ms. Mary Mack. You would share that you are in Portland, as many may or may not know.

Mary Mack
Yes. The international country of Portland. And I’ve been doing this for well over 25 years and have worked with global teams from the beginning, trying to get data across borders when it was a little bit easier, and I had the privilege of working with Jan Scholtes over at ZyLAB, based in the Netherlands. I got a good grounding in the different cultural differences that we see across the globe.

Mary Bennett
Thank you, Mary. And Inés in Dublin.

Inés Rubio
Yeah. Hi, everyone. Yeah, my name is Inés Rubio. I’m a senior director for FTI based in Dublin, Ireland. Originally from Spain and a bit like Martin, I’ve traveled a little bit around Europe, lived in Belgium and the Netherlands, and have been in Ireland for the last few years. And my background is predominantly eDiscovery, but in the last few years, my area of expertise has actually been privacy breach investigations. So, seeing what the data tells us, what personal data is there, and what business-sensitive data is there. So happy to talk about the cross-border implications of all that today.

Mary Bennett
Wonderful. Thank you. And Jeff, in London, but don’t be fooled, he is from the US, as a lack of an accent will show you all. That’s the only time I’ll make that joke, Jeff.

Jeff Shapiro
That’s quite all right. Yes. I’ve been here in London since 2013, originally from New Jersey. I am a licensed lawyer in Virginia. So primarily East Coast, United States, and London on the other side of the Atlantic. In terms of my role, I’m the managing director for Europe at HaystackID. I work a lot on cross-border regulatory investigations and litigation, cyber incident response, data privacy, and other types of disputes. The thing that I most enjoy is getting to collaborate with fantastic people, such as on this webinar here. So thank you so much, EDRM, for bringing us all together today. And I’m looking forward to our discussion.

Mary Bennett
Thank you, Jeff. Bryant Isbell is joining as well, just having a little technical snafu, but if he joins, we’ll have him do an intro. But in the meantime, short and sweet, I’m Mary Bennett. I wear two hats today at HaystackID and the EDRM. I’m the senior director of content and have been putting on these workshops with Mary and Holley for, gosh, the last two years now. And it’s been great. Really, really excited to dig in today. Before we kick it off, I do want to note that Inés does have to jump 10 minutes early, and she’ll be really talking, as she noted, about cyber incident response. So if you do have a burning question about that, I encourage you to ask it in the first 50 minutes, but if not, she is available via LinkedIn if you have any follow-up questions as well. All right. I’m not sure if Bryant is on, but if not, why don’t we jump in here? Jeff, kicking it over to you. So when we talked about this webcast, what we wanted to discuss, we joked that we should really rebrand this as ‘You Don’t Know What You Don’t Know.’ And going from the US to the UK, what really surprised you when you first started handling data privacy and discovery issues in Europe, and how has that informed how you approach matters right now?

Jeff Shapiro
Yeah, thanks so much. I’d say the biggest aha moment early on was realizing the US philosophy of discovery fundamentally clashes with European views on privacy. So in the US, the default operational posture is generally to collect broadly and cull later. And there’s an assumption that if a judge signs an order, the data moves. When I first started practicing law in Virginia, I had an IP case where the opposing side invoked the French Blocking Statute, and counsel was initially at a loss for how to respond. So right there, you can see the concept of privacy as a fundamental right, and a US subpoena doesn’t magically absolve the transfer of the data. Now, I have moved to the UK, as I mentioned in 2013, and this was pre-GDPR. However, even then, we couldn’t just move data out of Europe to the US, and cross-border litigation and regulatory investigation, and that fundamentally and completely changed my operational approach. Now, today, I no longer think about exporting data to review it. Instead, I think about how we deploy technology and review, to where the data is. You want a process in place, utilize local data centers, strip out personal data before it ever crosses an ocean or a border. That allows you to solve some of the privacy problems locally before you handle the discovery downstream.

Mary Bennett
Thank you, Jeff. Inés, kicking it over to you. When you’re looking at approaching matters where there are a lot of jurisdictions at play, they each have their own requirements, which can be conflicting at times. How do you approach that from that lens? A lot is going on.

Inés Rubio
Yeah. So you usually start with an early assessment. The difference that we see usually in investigation matters related to privacy is that the data can reside in a particular country, but actually, it may contain information about somebody residing in a completely different country. And usually, that’s the criterion that is applied to consider which jurisdiction a person is in. So we ultimately need to figure out what the data’s telling us. We’re following the data, we’re understanding what we have there. And when there’s conflicting, I guess, jurisdictional guidelines, usually we just take the most conservative approach first, cast that web of what’s more, I guess, inclusive when it comes to data privacy and what triggers personal data notification. And as we get to know the data a bit better, then we might take different approaches for one jurisdiction or another, but ultimately trying to be as conservative as possible in the initial stages. And then once we get to know what we’re dealing with, then we can shape that legal strategy a little bit more.

Martin Nikel
I think a good principle to follow tends to be the highest common denominator. So, really just agreeing there with Inés. I think also, I mean, just having a good awareness of the cultural differences, what the expectations are when you’re reaching across borders, is a good approach. I think data is continuing to explode; everybody needs it now. I think a lot of the decisions and lots of the things that we’ll talk about throughout this conference are really related to business risk and how much when you assess a particular regulation or a particular issue in a particular country, it always boils down to business risk as to how you might approach that situation. And then on the cyber side of things, again, I’ve got some more recent experience like Ines on the cyber side of things, there are obviously considerations to make around the speed of that response. And so across Europe, there is a 72-hour breach response, even shorter in some cases. And so I think there are an awful lot of factors to consider whether you’re talking about litigation, the cyber side of things, breach response, et cetera.

Mary Bennett
Yeah, definitely going to get into the cyber and that 72-hour timeline. Thanks, Martin. Jeff, any additional flavor you want to add?

Jeff Shapiro
No, that’s great.

Mary Bennett
Awesome. Why don’t we get to cyber since Martin just brought it up, especially when you do have a breach, you don’t always know where your data lives until you start digging into it, but time is of the essence. So with the 72-hour breach notification, how do you coordinate a global response with different jurisdictions with different rules? And Martin and Inés, feel free to both take this one.

Inés Rubio
Yeah, happy to jump on. And mainly, my approach is usually to phase it out. So we start as an initial phase of really, as you said, understanding what we’re dealing with. And also, that leads us to know who regulators need to be notified. So we’d start with that governing regulatory notification, which would be slightly different, obviously, from an individual’s notification that they would receive, explaining exactly what data and personal data points have been exposed for them. So we start with that initial phase, and that ultimately just guides us through the process. And the notification to the regulator must be transparent. As much as you can provide at that time, you keep them informed as the investigation carries on, but ultimately, there is a separation between those two types of notifications. And really the reason because also the individual’s notification usually takes a lot longer. We’ve seen, Martin mentioned it there, the cultural considerations, language considerations. I’m a Spanish speaker, a native speaker, but I’m not fully versed on the details of personal data in every single Latin American country. So it’s important that if we know that that is a jurisdiction or there are different jurisdictions within that area in play, we need to adjust our approach or look for particular higher-risk data points that relate to that jurisdiction. And equally culturally as well, there is a lot of work that happens behind the scenes to really make sure that the person that is appearing in a particular document and another document and another document is the actual same one, so that when their notification goes out, they get informed about those three documents and the data points that are within them. In Spain, for example, we have a lot of last names. It blows people’s minds why we have so many last names, but we have two last names; everybody in the country does. And I worked in a matter with a jurisdiction, well, within a lot of data within the Philippines, and in the Philippines, they have a lot of last names as well, and they may not always appear in the same order in different documents and things like that. So that creates an extra layer of complexity, which is, again, a cultural one, but it trickles down into how you actually create that final notification. So the language and culture are very important to keep in mind as well.

Mary Bennett
Thank you. Martin, anything you want to elaborate on?

Martin Nikel
I think I’d share a similar experience, I think with Inés. I think when you take a look at data, I mean, searching data in any sort of way, there are always variations from a language perspective. And I think also just really from, if you take a look at how many people have been doing traditional keyword searches over many years, there’s always been, in discovery matters and in cyber matters, in fact, a leaning towards searching for what might be expected in the US. So I’ll often see lawyers send me a spreadsheet of keywords that they want to search for, and it will just say, “Social security number.” And of course, that doesn’t really apply in a country such as France or Belgium. And so I think it’s really simple things like that where you have to have a real idea that things may be different. And, obviously, in the US, it’s similar on a state-by-state basis. There may well be specific local laws or whatever that apply to your state, and I think Europe is no different from country to country.

Mary Bennett
Staying on that local laws, Martin, with you, how do local laws like the French Blocking Statute or Germany’s secrecy laws complicate what might seem like a pretty straightforward discovery process?

Martin Nikel
Well, I think, I mean, my personal view, many may not share this, is that a lot more is made of it than there needs to be. I think with good preparation, with good local legal advice, there is no reason that a particular data can’t be transferred. I think if you look at legislation across Europe, it always allows for or has exemptions for legal reasons to move data, but also those come with additional responsibilities like data minimization, making sure that it’s for a relevant and justified purpose. And so when you look across countries like France and Germany, although the laws are different, there are different approaches in each country. There are general principles at stake, and any sort of legal consideration that needs to be taken into account is the data proportionate to what’s at hand. When you look at the French blocking statute, it has obviously been invoked in some cases. Many of those go unreported. It’s often done behind the scenes. It’s various warrants and requests that you won’t necessarily see all of them in the news, but it’s much less common than people might think that a business need is a business need and nobody in Europe, nobody in those countries is anti the practice of business and anti the practice of seeing a litigation performed fairly or responding to things as needed, but it’s always done with this proportionality in mind and making sure that there are obviously certain regulations. So in Germany, for instance, where employee rights are involved, the email system could be construed as being personal to that individual, depending on the works agreements they have with their local works councils, or in France, again, there may well be CSE involvement. So if there are economic or business secrets, et cetera, then there may well be elements of those types of things that you need to consider as well. But I think overall, Europe obviously does take a pro-business stance, as everyone does. It’s not all, no, no, no, you can’t have the data. Often it’s, do you really need this data, and what’s it for? And making sure that you are recording those purposes and those decisions that you make, I think, is probably the core thing that I would consider.

Jeff Shapiro
Yeah. Picking up on Martin’s point, there’s the procedural burden to fulfill in terms of requesting the data and then getting approval for that data to be transferred. Then there is the operational reality of how the data needs to be analyzed, reviewed, and potentially redacted before it is transferred. And it’s in that operational reality that a lot of complexity exists, as well as delays in the timeline. I can see in the QA, for instance, that the Hague Convention was brought up, and although that is the official mechanism for getting evidence back to the US, it’s notoriously slow. So how do you overcome those delays when you are in a time-sensitive litigation, regulatory investigation, or a merger and acquisition? And in terms of overcoming those delays, and I think we’ll touch upon this later during our webinar today, is around the use of AI and generative AI to help with the identification of irrelevant data and PII data, personally identifiable information, and other sensitive data, which either should not leave the country or location or should be redacted before it is transferred. And previously, before the use of AI and gen AI was available, you would need to set up very large review teams, conduct very extensive document review with lots of manual redactions. And now a lot of that can be automated. So we’re very much hopeful that although the operational reality is still, you must review the data typically before it is transferred, and you must redact the data typically before it is transferred, we think that the technology is catching up and is going to allow us to fulfill those requests much more quickly.

Mary Bennett
Thank you, Jeff. And why don’t we stay on the AI thread here? It seems you can never get away from the AI discussion, but it is super relevant. So I’ll open it up to Mary, Inés, Martin, or Jeff, if you want to add more. With AI, the proliferation of these tools brings a lot of risks, but a lot of great capabilities. How are you using it, or how are you seeing teams use it to identify where the sensitive data is, especially in the early stages of an incident?

Inés Rubio
Yeah, I can jump in. You mentioned risk, which is a big one, right? I mean, I usually suggest to clients or anyone I’m speaking with using AI at a higher level in a low-risk environment, and then maybe at a higher, more scrutinized level if you’re going to use it for a higher-risk use. I mentioned earlier, for example, in a lot of the matters I work on, we have these phased approaches, and we talk about speed. Jeff mentioned, “How do we speed this up? How do we use AI to speed up the process?” And in our initial phases, where we don’t know what data is contained in this data set that has been breached, I think the use of AI for identification of personal data is really, really good in categorization because I see that as a lower risk situation than using it to notify particular individuals of, this is the data that has been breached for you. So it just helps to speed up that initial couple of days from when we have a data set that we know has been part of a security incident to really understand, okay, what are the categories that we’re dealing with? And not only from a personal data point of view, but also from a business sensitivity point of view. It helps teams discuss their legal strategy and regulatory requirements, whether they need to contact colleagues in another location across the globe, or what exactly is at play based on what we’re seeing. It doesn’t have to be perfect in terms of the categorization. It may be slightly off or over-inclusive, but as long as you caveat that, that is a great starting point to get speed. We mentioned before, I mentioned in passing that when we were doing that identification of personal data, we used AI for this particular purpose, and it was able to identify that a particular field in an Excel was referring to a national identifier that is typical of a country in Latin America that I had no idea was referred to that way because it was using the acronym. So I was like, “Oh yeah, this is great.” I actually Googled it afterwards during my validation of this output, and it was absolutely correct, and it was great because I probably, if I had done it manually or with search terms as Martin mentioned earlier, that probably would’ve been missed because we didn’t even know that country was a potential jurisdiction. So this is the kind of stuff that it’s really powerful for, I think.

Mary Bennett
Right. And that validation is imperative, as you noted, like any tool that you’re using.

Inés Rubio
Exactly. Yeah. And just to be able to tailor your workflows to what you’re using it for. So if it’s a higher risk use, use it as something that’s going to speed up your first pass and then you really focus on validating with a human during your second pass, whether it’s a hundred percent of what the output is or it’s a percentage that you’re happy with based on what you’ve seen, that is obviously up to the use case, the risk level, and just the situation. I’ve seen GenAI work really well in particular data sets and not very well at all in other data sets. So that’s a big thing too. It’s making sure that you’re running your sampling and you’re happy with the output, and a human has actually confirmed, yeah, this is actually working properly as we expect it to, but that’s just part of following that process and making sure there’s guardrails set up for it.

Mary Bennett
Right. And I think that speaks to my next question, that you have to be very on top of your game here and stay up to speed on the latest tech, the limitations, but also all the different rules in different jurisdictions. So, Mary Mack, the EDRM, you work with people all over the globe. What resources do you think would be beneficial for folks when they’re handling cross-border discovery to really stay on top of everything that’s going on and make sure they’re executing well?

Mary Mack
Well, certainly webinars like this with practitioners who know from the ground up what the practice is, I think that’s a fabulous resource. We’ve got a couple of webinars earlier in the year that Redgrave did with us about where the AI is putting the data in the Microsoft stack, and all of that is very tailored to what we need in the eDiscovery community. And then also the various organizations, IAPP or the ISC2, for the security. And popular press, I would say Ars Technica is a technical publication, but it has a really good legal beat. And so you can keep up with some of the things on the ground there. And I’d be remiss if I didn’t say the wonderful resource of ComplexDiscovery. Rob Robinson has been traveling the globe and having those hallway conversations, and he surfaces great insights like we’ll be talking about the EU E-Evidence Act, I think, a little bit later.

Mary Bennett
Thank you, Mary. Jeff, what do you use to stay up to speed on everything that’s going on?

Jeff Shapiro
Without naming any specific names, I think what I’d like to focus on is how to approach the news and how to approach this industry and this profession. From my viewpoint, you need to remain open and chiefly curious. You need to understand the types of pain points that clients have, that law firms, outside counsel, and other third-party providers may be experiencing. You need to network and speak to colleagues both within your company and with collaborators and competitors. It’s that aspect of being curious that really drove me to RSS feeds, to workshops, webinars, in-person or hybrid or remote conferences. And this goes back to when I was in law school all the way through to today. And it’s why I have such dark circles under my eyes, because I’m always reading, watching, or listening to something about what I do. It keeps me interested and invested. And it also means that I can give back in terms of being able to present at a workshop like this or give back to my team so that they have the insights they need to be able to handle their particular matters. And it’s a really fulfilling way to involve yourself in this industry.

Mary Bennett
Yeah. I think in this industry, you can’t be complacent. There’s so much going on. You have to be curious and passionate. I would argue about what this is because the stakes are high. So, really being curious and understanding. And I think there’s been a lot of sharing. I think, Mary, we’ve talked about this in past workshops, especially with AI and all the advancements. There’s been a lot more collaboration than maybe in the past about workflows that are working or what you’ve seen successful with your team. So I think that’s been wonderful as well. Martin, Inés, anything to add on what you use to stay up to speed, or tips for those that are looking to learn more?

Martin Nikel
Yeah. I mean, I probably shouldn’t name-drop law firms, but I’ll mention one that I like, the Freshfields podcast. So often, they have some very good up-to-date information. And obviously, I like digesting things through audio much more. There’s just too much to read. Listening to things while I’m falling asleep is always a good way to stay up to date, I think. And then the other thing I wanted to raise, when you’re thinking about EU regulations and law in another country, often the best place to go is obviously that regulator. And what I find is that a lot of people tend to rely on summarized articles and various sayings from the industry rather than going right to the source. And many of the European websites, like the EU AI Act website, for instance, are incredibly well laid out and informative about that regulation, what things apply, and what don’t. And so, actually, it’s sometimes best to go straight to the horse’s mouth. That’s what I find.

Mary Bennett
Do an audio right before bed. It’s getting into your subconscious, Martin.

Inés Rubio
Yeah. Not sure what kind of dreams you’re going to get from that, but… I think to add to that, I really like to try to collaborate and get as much as I can from other departments that work around me within my organization. So, staying curious, but also reaching over and saying, “Oh, you’re in the innovation team. And so is there an easier way to do this, or is this coming down the pipeline, or should we add it as a request in the pipeline?” I’ve collaborated a lot with our innovation team and FDI, and it’s worked really well. And I think Jeff mentioned it about what we see, or Mary mentioned it about what we see as practitioners, is like, that’s the thing. I have a lot of difficulties sometimes, in the stages of a project. And if we can build something to address that, then it’s great, but they need to know about it. So certain people need to know about these difficulties. So, making sure that if you’re lucky enough to be in an organization that has multiple departments, that has an innovation team, that has an AI go-to person, to reach out to them and say, “Is there any way that this could be fixed with AI or otherwise, or automation of some other sort?” I think that’s what we all do anyway, to stay curious and to solve problems that we deal with every day, but just you might get an answer, or at least build on something that can be reused down the line when somebody else comes into the same difficulty as you have.

Mary Bennett
Definitely. A lot of resources internally. Oh, Jeff, go ahead.

Jeff Shapiro
Yeah, just one other thing to add. We discuss AI in the use of high-risk incident response. Well, you can use AI for slightly lower-risk things like research, news, and summarization. And you could even create your own private LLM notebooks now with certain technologies. So let’s say that you subscribe to 15 different websites, these social media accounts, and these podcasts. You could put all of those sources into a private LLM-enabled notebook and create your own knowledge base where you could then query questions of just those news sources to get verifiable results. You can, of course, use your general LLM as well. So you can just say, “Hey, what’s going on in Europe these days?” But this goes back to our opening point, that you don’t know what you don’t know. And what I mean by that is when you’re using an LLM, how are you using it? Are you asking for verifiable sources? Are you asking for a consensus? Are you asking for things that are coming from reputable places? If you’re not doing those, and then if you’re not cross-checking and validating, you can end up with hallucinations. So it’s incredibly important that when you use these powerful technologies, you’re aware of the best practices of how to prompt them, but then also, to an earlier point that was made, how to keep the human in the loop and verify the output.

Mary Bennett
Definitely. And even from a marketing point of view, when we’re using these tools, sometimes I’ll use Claude and then ChatGPT and have them QC each other. And I think having that human there who knows the expert is imperative. So you aren’t just taking something at face value. Why don’t we shift gears slightly? Mary Mack, I’m going to go to you, getting into cross-border discovery across the globe, and might hear that it can’t always be managed from a distance. It’s really important to have boots on the ground. Why is it important to have people in those jurisdictions, and what are the repercussions if you don’t have boots on the ground there?

Mary Mack
Well, let’s talk about boots on the ground and whose boots.

Mary Bennett
Yeah. How many times can we say boots in a sentence here?

Mary Mack
I mean, sometimes it’s critical to parachute people in with their boots, but more often the boots should be resident in the jurisdiction and walk the walk with the clients, understand everything from the holidays on the calendar to the holidays not on the calendar. When does work start? When does it stop? What is the expectation? That’s just for general deadline hygiene, if you will, because cross-culturally, things are much different. The other thing is getting visas and authorization to work for people from one country to another. You need to know from the people on the ground what is possible in what timeframe, what’s the easy path, and what’s the path of most resistance, if you will. And then something I’m curious about, we’re talking about AI, and as an enabler, I’ve been really thrilled with AI’s ability to translate. And I would never have used a translation app in a cross-border dispute. I’m wondering, is it good enough now to translate some of these requirements, or do you still need that human communicator? I think I’ll ask Inés since you are verifiably multilingual.

Mary Bennett
Yeah. Inés, this is yours, my friend.

Inés Rubio
Do you know what? I haven’t been using AI for translations that much, to be honest with you. I think in other matters adjacent to mine, it has been used, but I can’t really speak to it from personal experience. And I think from what I’ve heard, it certainly has been very successful. So I think you’re not the only one there, Mary. So it’s looking like it’s definitely going to bridge that gap, I guess. Now, again, because I haven’t seen it firsthand or haven’t used it, needed it firsthand, I can’t really speak to it personally, but yeah, it sounds to me like others are, and it is very, very successful. So that’s good.

Mary Bennett
I will chime in. If there is anybody on the call who wants to post in the Q&A, if you’ve done so, please let us know because we’d love to hear that perspective if anybody’s used it. Jeff, were you going to speak before?

Jeff Shapiro
Yes. On translation, so GenAI, most studies show that it can be very accurate when it comes to translating text and spoken words. Where you still require a human, however, is in building up trust and confidence in that you are both aligned with the same objectives and goals in mind. So when I speak with a friend and a friend says something sarcastically to me, I will assume that it is done in a friendly, kidding, and loving way. When I don’t know the individual, and I hear them speak, I may not assume the same thing. And that is where translation tools can fail, in that you don’t have that human-to-human connection. And I think that is something really key for us to consider in terms of the spoken word versus the written word.

Mary Bennett
Thank you, Jeff. Great point. Moving on, and Jeff, we’ll stay with you here. We’ve talked a lot about Europe, but looking outside of Europe, where do you see a lot of complexity with this cross-border discovery, Asia-Pacific, China, and Latin America, and what do you think teams need to laser focus on when working in those jurisdictions?

Jeff Shapiro
Yeah. I mean, again, this really goes back to having local expertise. We’re seeing a massive acceleration in Latin America right now. And so while Europe is currently focused on implementing AI frameworks, you’ve got Latin American jurisdictions that are rapidly pursuing their own nuanced privacy legislations, such as Brazil’s general personal data protection law, and you also have similar laws getting pushed forward in Argentina. If you look at APAC, the complexity there comes from the extreme fragmentation. You have things from a few years ago, like the Vietnam Personal Data Protection Decree, or China’s Personal Information Protection Law. And the challenge when it comes to dealing with either in-country or cross-border in any of these regions is that you can no longer rely on a one-size-fits-all playbook. Your playbook needs to consider where the data is coming from and where it is going. How will it be used? Are there data subjects from other regions involved? And what that means is you have countries that have their own unique interpretation of data sovereignty, and that means that your collection strategies, your processing analysis, and review strategies might need to be customized border to border.

Mary Bennett
Thank you, Jeff. Open it up to the panel if there’s anything you want to add, or if you’re happy to move on. We’ve talked about this a little bit, but when we look at cross-border discovery, we’re looking at the legal and regulatory parts at play, but there’s a geopolitical layer here as well. So when we’re looking at politics, whether that’s state ownership or sovereign interest, how does that impact whether you can actually move data out of that jurisdiction? It’s a big question there, so I’ll open it to whoever wants to take it.

Martin Nikel
I can go first. It’s a difficult area to speak about, and one I tend to avoid talking about in the pub, but the geopolitics of everything obviously shapes how ultimately regulation is shaped. And so as I look across Europe at the moment, I think there is an obvious trend towards data sovereignty, but also a real movement in the past couple of years towards segregating its particularly state-owned systems, but also some big examples of companies moving away from resources like Azure, et cetera, to local or European-based cloud providers. I think there is an additional layer of complexity and a movement towards that sort of separation from dependency on US-based cloud providers, for instance. That will obviously be slow because there has been an ingrained… Everybody is quite embedded with Azure, AWS, et cetera. But I do see some conscious moves and from the European Commission here, some conscious moves to really focus on platforms that are hosted and owned wholly in Europe. And so there are some, particularly technology-wise, some moves towards that. And then from a legal perspective, I think everyone’s on heightened alert, if you like, from the point of view of the awareness of the sovereignty of data and protection of borders more generally. And so I think with that increased risk, there is this movement in Europe generally towards a slightly more restrictive view. But then at the same time, if you go and talk to the people in the corridors of the European Parliament here, there is also a push towards being more business-friendly at the same time. And so I’m not saying that one stops the other; it’s moving in sync. I mean, there is a general view I have personally that European regulators are becoming more and more business-friendly, let’s say, less bureaucratic. They need to because obviously there’s pressure all over the place in Europe from different positions. And so I think they’re evolving in multiple ways at the same time. So I guess that’s all I’ll have to say on that without getting too controversial.

Mary Mack
I think, given there’s a highly polarized political and geopolitical climate, and so just being sensitive to the way in which communications may be received, highly directive communications may be the way to go for a particular culture, but it also may be extremely offensive and have people decide not to cooperate. So having people who understand the nuances of those geopolitical considerations is highly critical.

Mary Bennett
Thank you, Mary. Jeff.

Jeff Shapiro
It also, to Martin’s point, goes beyond looking at privacy regulations into the ramifications that a particular corporate, country, or region may have from a security standpoint, from a financial standpoint, or reputational standpoint, as well as the point of view on sovereignty and control. And so what that means is you need to evaluate this as a multifaceted prism. It is not just, “Let me look at this from a data privacy perspective.” And then that feeds into what Mary just said around the nuance that’s necessary to be able to respond correctly.

Mary Bennett
Awesome. And whether in your own experience of what you’ve seen, if data can’t leave a jurisdiction, and that’s not because of a law, but because of a business reality or the political environment, how can teams plan for that, or what would a plan B be if you can’t get that data?

Jeff Shapiro
Sorry, is that to me?

Mary Bennett
It’s to whomever I’m… It might look like I’m looking at you on your screen. So Jeff, yes, it is to you.

Jeff Shapiro
Okay. Well, think of it from the point of view that this doesn’t just occur because one state disallows data transfer. This could also occur in a business concept. Perhaps you had a joint venture and that joint venture fell apart, or some type of business relationship that dissolved, and that could lead to a breakdown in communication. I think it’s up to talented advisors, outside counsel, and in-house teams to figure out how to negotiate and reopen those lines of communication. How can you find the information that you’re looking for when you can’t get it from the source? And that just goes into the consultative mindset that we all need to have in this profession.

Mary Bennett
Thank you.

Mary Mack
I think one of the strategies here in the US in the meet and confer is to sequence discovery so that the cross-border data is at the end to allow for any delays or process. But I would say that between the quick response times for privacy and security-related things and the e-Evidence Act, those are very quick response timelines. So I don’t know how that sequence to the end thing is going to fly over the next, say, three years or so.

Mary Bennett
Yeah, for sure.

Jeff Shapiro
Mary, to that point, I think this goes back to having localized GenAI ready and available, either in situ within your organization or via third party provider, because as you raised, whether it’s the 72-hour cyber incident response timeline in Europe or the potential eight-hour or 10-day timeline that’s incoming in August 2026 under the EU e-Evidence framework for criminal prosecutions, those are extremely tight timelines. How are you going to be able to respond to that request within those timelines without the use of technology to be able to rapidly sift through your data and figure out the data subjects, what happened when, and how do you respond, or not respond, but by saying, “We are not going to provide you this data because of these exceptions or these reasons.” In both situations, you need to have a clear view of the data that you hold and the reasons why you, yes, will transfer or no, will not.

Mary Bennett
Thank you, Jeff. Ines talked about this earlier on the importance of culture and language, and how she didn’t know the acronym for a certain country, and AI helped her find that. So if we’re looking at the cultural part of this and how that shapes data privacy and enforcement across regions, do you all have an example of where understanding either a language or local context, excuse me, made the ultimate difference between identifying sensitive data, or how did you get to know the local jurisdictions? We’ve talked about local expertise, but is there anything you would all add when it comes to the cultural part of this conversation?

Martin Nikel
I will leave the names out to protect the innocent, but I do have an example. I mean, once, I mean, this was maybe 10 years ago now, and I had a colleague going to, on the request of a large law firm who perhaps should have done their research, went to a European country and found themselves literally arriving on site to a particular company subsidiary, walking in, talking to the IT person, and then starting to copy the data that they were requested to copy. And then by about midday that day, the local police turned up, stopped that person copying the data, and questioned them why they were there. They were at risk of being arrested because, in the meantime, local employees had realized that there was somebody there, and had been told by the IT person that they were copying data. The works council was informed, and then called the police because nobody knew who this additional person was on site. And so it was all resolved very quickly, but the situation was particularly fraught for the forensic individual who’d gone on site to collect the data, really because nobody had done their preparation in advance of understanding how that situation might be perceived. And so that’s one particular example I can think of, but there are lots of other examples across the 20 years I’ve been working in this, where I can think that it often is a range of lack of preparation or lack of understanding. And also the flip side of that is a lack of contemporaneous notes of decisions that are made throughout that process, and why they were made can end up falling afoul of those as well.

Mary Bennett
Glad it got resolved for that individual pretty quickly.

Mary Mack
Yeah. So early on, we had some attorneys school the EU attorneys in, “Oh, it’s just fine. Don’t worry. We’re going to review for privilege and things like that.” And privilege is something that is jurisdiction by jurisdiction, and they had it so, so wrong because there’s very little privilege for in-house folks. So that went right to the credibility. New personnel had to come in, and actually, there were flights over the ocean and things because at that point, you needed to rebuild relationships and rebuild trust. So that was one. And another one, using machine learning to look for evidence of fraud and transfers. And so that’s earlier technology than what we have today. And I think the AIs, especially if they’re captive, can be a great tool to surface those alternative phrases and words that people might use to cloak activity.

Jeff Shapiro
So I heard a few words from Martin and Mary that really resonated with me. Relationship, trust, openness, and what we spoke about earlier, curiosity. Those are all human traits. And what this brings me back to is even with all of the technology that we have at our disposal and that we must use to be able to respond to discovery today, you still need a human at the center. You need a human who is inquisitive and can ask, “What don’t I know about this culture or this region? Who should I speak to about it so I can learn and so that I can operate effectively?” That requires curiosity and openness, that requires relationship building to find those people, and of course, trust in that you’re going to get the correct response. Now you could verify some of those things with the use of technology, such as, “Person X told me I should be considering Y in jurisdiction Z. Is that correct, gen AI?” And then gen AI will say, “Okay, based on what you’ve told me, this is my opinion on this.” Et cetera, et cetera. But I think as long as you approach cross-border with those four key things in mind, relationship, trust, openness, and curiosity, you’ll get it right more often than not.

Mary Bennett
Thank you, Jeff. We have about three minutes here. So, about the last question I have for all of you, one takeaway you have if organizations are operating globally, and Martin, you actually talked about the highest common denominator. So how should they plan for the highest common denominator when it comes to privacy risk if they don’t know where their data’s going to lead them?

Martin Nikel
Well, I mean, I would say in particular with the UK and Europe, many regulations, and we’ve already seen a real embedding of GDPR over the past many years, and now the EU AI Act, there’s the digital omnibus that’s going to be launched soon with the EU. Many of those regulations come with extra responsibilities for those organizations. So if a subsidiary of a US firm needs to adhere to one of these regulations, it will already have mapped out its data. And often one of the things I would just give as a tip to everybody is that there is often someone in the organization who already knows what that data is and therefore can discount or include based on previous risk assessments and so on. But often the legal department isn’t aware of what the IT department or the compliance department has already done to categorize that data. Often, the regulations are built to avoid the need for an urgent situation and the lack of categorization. So I’d always say, try to look a little bit more to the left of the EDRM, which is what we say, Mary, is that right? In terms of when you hit that initial look, it may be that the data is already conveniently categorized. It’s already been looked at by somebody in some sense. And so it’s worth having those business discussions first before everybody worries about a particular category of data or whatever. Often, a lot of the work may have already been done in some sense, but you need to find out. So you’ll have to be asking questions, I guess.

Mary Bennett
Thank you, Martin. Mary?

Mary Mack
Well, Inés had referred to some of the other teams that she works with, and certainly the security team with disaster recovery, and application justification. There are all sorts of places for data maps so that you know where your data is. And if there is a dawn raid response team, a tiger team, it’d be good to get to know them and their ability to respond, and what data comes quickly and what data might take a little bit longer, as Martin said, some of it may already be reviewed and ready.

Mary Bennett
Thank you. Last but not least, Jeff.

Jeff Shapiro
So a lot of what we’ve been discussing is how to handle and respond to the risks that businesses face. We could potentially reframe this as what are the benefits businesses have if they fulfill this common denominator? So if your business is able to respond to the new EU e-Evidence framework, which means you’re able to locate and identify and either transfer across or say, “No, we’re not going to transfer across data,” within an eight-hour timeframe. If your business can do that, then you could also mine your data for intelligence. You can use that technology to create battle cards to compare yourself to your competitors. And there’s a whole host of business benefits that you can see. So, yes, do you need to fulfill your regulatory compliance? Absolutely. But let’s reframe this from a simple risk avoidance exercise into a business imperative exercise for the improvement of your bottom line.

Mary Bennett
I like that. I like the positive outlook and really seeing it as a strategy while being mindful of the rest. Thank you. And Mary, Martin, and Jeff, this was a great discussion. I can’t believe that hour already flew by. A lot more we can talk about, but thank you all for sharing your time and expertise, and encourage you all to register for HaystackID’s May webcast, which will be talking about AI Sea Change, which is Privilege, Work Product, and Hyperlink Productions. That will be on May 20th at 12:00 PM Eastern. We encourage you to check that out on the HaystackID website. And with that, I think we will come to a close. Thank you to the EDRM for hosting this great workshop.

Mary Mack
Well, and we too would love to thank EDRM’s trusted partner, HaystackID, for making Inés, Jeff, Martin, and you, Mary, available for this wonderful discussion. And thank you to the EDRM community for your kind attention. And if you enjoyed today’s presentation, show our faculty some love. Check the resources down at the bottom of your console and use some emojis or reactions. We’d love to see them, and we’ll see you next time on the EDRM Global Webinar Channel. Thank you.

---

Expert Panelists

---

About EDRM

Empowering the global leaders of e-discovery, the Electronic Discovery Reference Model (EDRM) creates practical global resources to improve e-discovery, privacy, security, and information governance. Since 2005, EDRM has delivered leadership, standards, tools, guides, and test datasets to strengthen best practices throughout the world. EDRM has an international presence in 145 countries, spanning six continents. EDRM provides an innovative support infrastructure for individuals, law firms, corporations, and government organizations seeking to improve the practice and provision of data and legal discovery with 19 active projects.

About HaystackID®

HaystackID® solves complex data challenges related to legal, compliance, regulatory, and cyber requirements. Core offerings include Global Advisory, Cybersecurity, Core Intelligence AI™, and ReviewRight® Global Managed Review, supported by its unified CoreFlex™ service interface and eDiscovery AI™ technology. Recognized globally by industry leaders, including Chambers, Gartner, IDC, and Legaltech News, HaystackID helps corporations and legal practices manage data gravity, where information demands action, and workflow gravity, where critical requirements demand coordinated expertise, delivering innovative solutions with a continual focus on security, privacy, and integrity. Learn more at HaystackID.com.

Assisted by GAI and LLM technologies.

SOURCE: HaystackID