Build Cross-Border Privacy Review Log (CSV/JSON)
Skill: Convert document-review results into a cross-border privacy review log
Region: United States
Category: Legal / eDiscovery
Does: Takes document-review results and production specifications and assembles a cross-border privacy review log (CSV or JSON) that records, per document, the personal-data categories present, the data-subject jurisdiction, the legal basis for production, the minimization applied, and the transfer mechanism — flagging documents that need minimization or a transfer-mechanism justification before production to a foreign party.
Spec: GDPR Art. 5(1)(c) (data minimisation) · CCPA §1798.100 · HIPAA minimum-necessary §164.502(b)
Cross-border discovery sits at the collision of U.S. broad-disclosure rules and foreign data-protection law. Producing EU/EEA personal data to a U.S. party is a restricted transfer requiring a lawful basis (e.g., SCCs, adequacy, or a narrow litigation derogation) and data minimisation under GDPR Art. 5(1)(c); CCPA and HIPAA impose their own minimum-necessary and notice constraints. This log is a privacy-review and tracking artifact, not legal advice — counsel and the DPO own the legal-basis and transfer-mechanism determinations. Medium confidence. Field names below follow the log's columns, not a regulatory schema. The duty is to minimise, document, and justify before production.
When this applies
- A U.S. matter requires producing documents that originate in or describe individuals in GDPR/EEA, UK, or other data-protection jurisdictions, or that contain CCPA-covered personal information or HIPAA PHI.
- A review set is being prepared for production to a foreign party or transfer outside the originating jurisdiction.
- Counsel needs an auditable record that minimisation and a transfer mechanism were considered document by document before any restricted transfer occurred.
Structure (review + production specs → log)
Privacy review log (one row/object per document)
document_id (Bates / control number)
data_subject_jurisdiction (EEA / UK / US-CA / other)
personal_data_categories (name, contact, ID number, financial,
special-category/Art.9, PHI, employee data)
contains_special_category (Y/N — GDPR Art. 9 / HIPAA PHI)
legal_basis_for_production (litigation necessity, consent, SCC-backed, derogation)
transfer_mechanism (SCCs, adequacy decision, BCRs, Art.49 derogation, none)
minimization_applied (redaction, pseudonymisation, withhold, none)
minimization_needed_flag (Y/N — open action before production)
transfer_justification_flag (Y/N — needs documented basis before transfer)
reviewer / DPO_sign_off / date
Data rules
- Minimise first: under GDPR Art. 5(1)(c), only personal data adequate, relevant, and limited to what is necessary may be transferred; flag documents where redaction or pseudonymisation should precede production (minimization_needed_flag = Y).
- Special-category data (GDPR Art. 9 — health, biometrics, religion, etc.) and HIPAA PHI require heightened justification; mark contains_special_category = Y and require explicit sign-off.
- Every restricted-transfer document must map to a transfer mechanism (SCCs, adequacy, BCRs, or a narrow Art. 49 litigation derogation); a blank or none value sets transfer_justification_flag = Y and blocks production.
- HIPAA minimum-necessary §164.502(b): limit PHI to the minimum needed for the litigation purpose.
- CCPA §1798.100: record categories of personal information and ensure disclosure is consistent with notice/consumer-rights obligations.
- No document is marked production-ready while either flag is Y; resolve via redaction, withholding, or documented legal basis. Capture reviewer and DPO sign-off for the audit trail.
Worked example (outline)
document_id: ACME000123
data_subject_jurisdiction: EEA (Germany)
personal_data_categories: name, work email, salary, health note
contains_special_category: Y (health — Art. 9)
legal_basis_for_production: litigation necessity (US matter)
transfer_mechanism: SCCs (controller-to-processor) + supplementary measures
minimization_applied: redact health note, pseudonymise non-party names
minimization_needed_flag: Y -> action: apply redaction before production
transfer_justification_flag: N (SCCs in place)
reviewer: A.Reviewer DPO_sign_off: pending date: 2026-06-04
Document is held from production until the health-note redaction is applied and DPO sign-off recorded.
Validation checklist
- Every produced document has a row with document_id and data_subject_jurisdiction
- Personal-data categories and contains_special_category populated; Art. 9 / PHI flagged
- A legal basis for production recorded for each restricted transfer
- A valid transfer mechanism mapped (SCCs / adequacy / BCRs / Art. 49) — none blocks production
- Minimisation assessed; redaction/pseudonymisation/withhold recorded; minimization_needed_flag resolved
- HIPAA minimum-necessary and CCPA notice/disclosure constraints considered
- No document marked production-ready while a flag is Y
- Reviewer and DPO/counsel sign-off captured with date for the audit trail
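The data rules and the validation checklist above can be enforced mechanically as a production gate over the CSV form of the log. The following is an added example, not part of the original skill. It assumes the exact value spellings from the field list, treats EEA and UK as the restricted-transfer jurisdictions, and treats any flag that is not an explicit N as still open; the sample rows are constructed, with the first modelled on the worked example.

```python
import csv
import io

# Vocabulary copied from the page's field list. Exact-match spelling and the
# RESTRICTED set are assumptions of this example, not a regulatory schema.
MECHANISMS = {"SCCs", "adequacy decision", "BCRs", "Art.49 derogation"}
RESTRICTED = {"EEA", "UK"}
REQUIRED = ("document_id", "data_subject_jurisdiction", "personal_data_categories")

# Constructed sample log; the first row is modelled on the worked example.
SAMPLE_CSV = """\
document_id,data_subject_jurisdiction,personal_data_categories,contains_special_category,legal_basis_for_production,transfer_mechanism,minimization_applied,minimization_needed_flag,transfer_justification_flag,reviewer,DPO_sign_off,date
ACME000123,EEA,name;work email;salary;health note,Y,litigation necessity,SCCs,redaction,Y,N,A.Reviewer,pending,2026-06-04
ACME000124,UK,name;contact,N,litigation necessity,none,none,N,N,A.Reviewer,B.Officer,2026-06-04
ACME000125,EEA,name;contact,N,litigation necessity,SCCs,pseudonymisation,N,N,A.Reviewer,B.Officer,2026-06-04
"""


def blockers(row):
    """Return the reasons a row may not be marked production-ready."""
    def val(key):
        return (row.get(key) or "").strip()

    out = [f"missing {f}" for f in REQUIRED if not val(f)]
    if val("contains_special_category") not in ("Y", "N"):
        out.append("contains_special_category not Y/N")
    restricted = val("data_subject_jurisdiction") in RESTRICTED
    if restricted and not val("legal_basis_for_production"):
        out.append("no legal basis recorded")
    # A blank or 'none' mechanism on a restricted transfer forces the flag to Y.
    no_mechanism = restricted and val("transfer_mechanism") not in MECHANISMS
    # Fail closed: any flag value other than an explicit N counts as open.
    if no_mechanism or val("transfer_justification_flag") != "N":
        out.append("transfer justification open")
    if val("minimization_needed_flag") != "N":
        out.append("minimisation action open")
    signed = val("DPO_sign_off").lower() not in ("", "pending")
    if not (val("reviewer") and val("date") and signed):
        out.append("sign-off incomplete")
    return out


def review(csv_text):
    """Map each document_id to its list of blockers (empty list = ready)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["document_id"]: blockers(r) for r in rows}


if __name__ == "__main__":
    for doc_id, reasons in review(SAMPLE_CSV).items():
        print(doc_id, "READY" if not reasons else "HOLD: " + "; ".join(reasons))
```

The gate only checks that the log is complete and internally consistent; whether a recorded legal basis or transfer mechanism is actually sufficient remains a counsel/DPO determination.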
Last updated: 2026-06-04 — this is a privacy-review and tracking artifact, not legal advice; cross-border transfer mechanisms and litigation derogations are counsel/DPO determinations. Confirm against current GDPR (Art. 5(1)(c), 9, 49), the applicable SCCs/adequacy status, CCPA §1798.100, HIPAA §164.502(b), and relevant authority guidance before any production.