Gartner estimates that 50% of the world’s population will have personal information covered under local privacy regulations similar to the EU General Data Protection Regulation (GDPR) within two years. Indeed, governments worldwide, including Australia, Canada and Brazil, are creating new privacy laws or updating existing ones. States in the U.S. are actively legislating in favor of this, with California, Maine and Nevada enacting comprehensive privacy laws.
While this is a positive development for individuals’ data protection, it adds a layer of complexity for companies working across states and countries. Jane A. Bennitt, founder of Global Legal Ebilling and president of the LEDES Oversight Committee for 14 years, talks with us about a development in European data privacy that directly impacts legal e-billing.
Q: Tell us about your e-billing and technology experience.
Bennitt: I have nearly a quarter-century of hands-on experience in implementing legal technology, and my specialty is global e-billing. Regularly I work with law departments, insurance claims organizations, law firms and vendors needing assistance with workflows, compliance, automation and metrics. With the nature of my job, I research rules and regulations which apply to electronic invoicing for my clients.
Q: What did you discover recently when looking into EU data privacy laws?
Bennitt: The U.S. government routinely requests information on users from large corporations like Google, Facebook and others. Based on a case out of Ireland, the European court has invalidated the data privacy shield that allows the transfer of personal information on EU citizens to U.S.-based servers. Contractual-based data transfer from the EU to U.S.-based servers is still allowed, which is fortunate because that is the basis for data transfer in legal e-billing. But that also may be challenged in courts.
Q: What are the implications for corporate legal departments?
Bennitt: Data privacy litigation is hot across the globe. More countries are considering and enacting stricter data privacy regulations, and it is not limited to the EU. I predict there will be a time when there are similar requirements all over the world. The California Consumer Protection Act, which went into effect on 1 Jan 2020, offers protections modeled on GDPR, for example. These regulations provide more comprehensive protections than seen previously, especially with GDPR. We’ve seen companies hit with massive fines for non-compliance with GDPR and we will see more in the near future.
If your corporate legal department is involved in e-billing and cross-border operations, find out where your e-billing data is hosted. You may need to consider storing e-billing data on multiple global servers in jurisdictions with stringent data privacy regulations. If you’re based in Europe, have a server in Europe. If you’re in Brazil, have your data stored in Brazil or South America.
Q: What advice do you have for corporate legal departments?
Bennitt: I’m not a lawyer, but here are common-sense steps to take to protect your e-billing and its data:
- Talk with your e-billing vendor and find out the steps they have taken or are considering regarding compliance with regulations such as the GDPR.
- Reach out to corporate counsel and look at your contracts. Make sure you have covered all the bases for contractual-based data exchange with your e-billing vendor. Also, consider your employee contracts to ensure they allow for the collection of this type of information that may survive their employment tenure.
- Contracts between legal e-billing vendors and their clients should identify the type of personal data collected and include a clause allowing data transfer.
- Outside Counsel Guidelines should similarly identify the personal data collected and grant permission for this collection.
- Companies should proactively explore options if contractual-based data transfers are invalidated. Better yet, work with your e-billing vendors. It’s better to work proactively.