Following the decision of the French data protection authority against Spartoo, which we previously discussed, we have now seen one of the largest fines ever imposed under the GDPR (€35.2 million), this time against the Germany-based subsidiary of multinational clothes retailer ‘H&M’.

In this update, I look at the lessons this provides for eDiscovery, particularly where customers are located across borders.

What did the data authority decide?

The fine was imposed for unwarranted surveillance of employees. Since 2014, the retailer had been making extensive recordings of employees’ private, personal, and sensitive information. Some of this was acquired by supervisors in one-on-one ‘water cooler’ type conversations. On other occasions this information was gleaned from ‘Welcome Back’ talks with team members who had been on leave. This information was recorded and saved on internal systems at the Nuremberg service center so that up to 50 other managers could access the information.

It appears this information was then used by supervisors and managers for performance and employment decisions. 

This practice only became widely known when, due to an IT error, the information was accidentally made accessible company-wide for a few hours in October 2019. 

What’s wrong with that?

Under the General Data Protection Regulation (GDPR), the data protection law that applies to the personal information of all European residents, there are strict rules for the control and processing of personal data. While it has not been specifically set out in the press releases published so far, we can identify some key provisions of the GDPR which may have been breached: 

- The duty to inform data subjects of the reason for collecting and processing their personal data (see article 13, GDPR). In this case, it appears employees were neither informed why information was being gathered, nor explicitly asked for their consent;

- The obligation to secure data (see article 32, GDPR). Given the amount of information being gathered, the retailer was under a duty to keep that information secure. The IT fault that allowed sensitive employee data to be broadcast across the organization should not have happened;

- The obligation to process sensitive data (such as data relating to health matters or religious beliefs) only under very specific conditions (see article 9, GDPR). Here it appears sensitive personal data was processed without, for example, seeking the explicit informed consent of the employees.

What does any of this have to do with eDiscovery?

GDPR data protections are not just relevant to European companies. They also apply to organizations anywhere in the world that are processing the data of European data subjects. In addition, there are a host of other data protection laws and regulations around the world which apply similar rules, such as the California Consumer Privacy Act (CCPA) which applies to California residents. Slowly but surely, European data rules are becoming world privacy requirements. 

In eDiscovery, it is extremely common to come across employee personal data when sorting through emails, documents, messages and metadata (that is, the information identifying authors and editors attached to documents). When supervising eDiscovery technology projects, it is essential that you check:

- That filters and search terms applied through eDiscovery software are set to recognize any personal data for potential redaction (whether or not that data does in fact need to be redacted will depend on where you and the data subject are located);

- That any sensitive data is treated separately from general personal data;

- That security and access protocols in place are robust enough to prevent personal data being inadvertently released. This means, for example, that access to the eDiscovery application should be strictly limited to those working on that particular project.


European data authorities appear to be getting bolder: organizations that act in flagrant disregard for data protection regulations will be handed crippling fines. This is not the first time, nor will it be the last, that we need to consider the impact of European data authorities on eDiscovery processes, as global data privacy standards begin to take hold.

The post Big Brother Was Watching – And Now He is Paying For It! appeared first on Lumix.