David Horrigan of Relativity on the GDPR, mobile data and AI


A good interview does not have to be formal and structured to be effective and informative. By the time I came to interview David Horrigan, Relativity’s eDiscovery Counsel and Legal Education Director, at Legaltech, I had done 16 interviews over three days and this was our last. I had even discarded my tie.

David Horrigan is a fluent and articulate man, and we covered quite a lot of ground in our recap of the Relativity events at Legaltech and in looking forward to the next event (Relativity Fest London on 1 May).

We talked about the panel which I had just moderated for Relativity on cloud and regulation. It was part of a Relativity series on discovery at home and abroad and was, obviously, the “abroad” bit.

David Horrigan observed that many Americans still think that the General Data Protection Regulation is just an EU issue; part of our panel’s intent was to disabuse them of this notion.

We had also looked at one or two of the more obvious misunderstandings and misinterpretations of the GDPR. I had been less than polite, for example, about those who aver that the GDPR is about “citizens”, and had challenged the audience to find that word in the GDPR. David Horrigan says that he had hastily gone back through his own material on hearing this and (of course) had found no such reference.

The other bugbear for me is those whose first and only reaction on hearing about the GDPR is to talk about 4% fines. Fines are important, of course – some companies will indeed be heavily fined, and talking about it may well have got board attention in the early days of GDPR marketing. There is, however, so much more, and so much more constructive, thinking which the GDPR could be prompting.

As David Horrigan observes, Subject Access Requests will be a particular example of a specific problem for companies, but the need to meet them may prompt closer attention to day-to-day information governance.

What comes down from a regulator may be a strong recommendation to do something differently – that may prove to be the first step on a graded path of sanctions leading ultimately to a fine, but we can hope for more positive purposes behind regulators’ involvement.

The GDPR’s implementation date is, as we observe here, a stage on a journey, not a big-bang one-off event.

We had also talked on my panel about data breach notification requirements. Many have interpreted the GDPR’s 72 hour notification period as meaning that you must be able to inform the regulator (and, sometimes, affected data subjects) within 72 hours of the full scope and scale of a breach. In fact, what is required is to be able to say how big the problem is and what you intend to do about it, with other more detailed information following as soon as possible thereafter.

One of the points I had made on the panel is that the US has its own data breach notifications that are no less draconian in intent than those within the GDPR and are often different between different verticals in different states. The need to comply with short timescales is not a new concept here.

Part of the point of taking this line is that if we set the target higher than it actually is, many companies will just conclude that they cannot comply and give up. There is merit in encouraging them to pay attention at least to that which is achievable.

We talked a little about the other Relativity panels. One of these had been on legal and technical education and another was on mobile discovery. The latter, David Horrigan says, is getting particularly interesting, partly because of the case law, and partly because it personalises discovery cases as they become a consumer issue – they are not just dry stuff about business.

That in turn leads to the problem that while individuals may create all this data, it may be the responsibility of the employer, for example, to give discovery of it. This is a particular issue if the individual creator does not even know that he or she has created the data. It raises possession, custody and control issues which, in the US as elsewhere, are defined broadly.

A continuing theme at Legaltech had been the spread of artificial intelligence which, David Horrigan said, raises interesting questions of definition. You don’t just say “I’ll go and buy some artificial intelligence”. What do you mean? What is it for?

The cynical part of me has long said that lawyers will pay more attention to technology-assisted review once something new has come along. Artificial intelligence is perhaps that new thing, and lawyers are beginning to take the use of tools like technology-assisted review more for granted.

We end with a mention of Relativity Fest London, due to take place on 1 May – I wrote about it it here. Further on, Relativity Fest in Chicago is earlier this year than in previous years, starting on September 30.

More from Relativity