Arbitration has not been at the top of the agenda when it comes to the discussion around data privacy. Much of the focus has gone on corporate hacks, breaches and the implementation of the General Data Protection Regulation (GDPR), which came into force almost two years ago.
However, this is not to say that data privacy rules have little or no relevance in arbitration.
The GDPR rules might affect arbitration proceedings in the UK, where protocols and guidance have been slower to develop. Contrast the EU with New York, where a detailed set of guidelines (the Cybersecurity Protocol for International Arbitration 2020) was released in November 2019. These guidelines establish the cybersecurity measures to be taken when handling personal information in the context of arbitration proceedings. The guidelines have the twin goals of providing a framework for determining reasonable information security measures for individual arbitration matters, and increasing awareness about information security in international arbitration.
The issue with arbitration and data privacy compliance is the same issue faced in any other context when “personal data” (defined exceptionally broadly in the EU) is “processed”. The broad definition of “processing” under EU law encompasses the application of a litigation hold and all aspects of the performance of disclosure, as well as all other data handling activities in connection with arbitration proceedings, which give rise to myriad obligations on the parties (including the arbitrator) in arbitration proceedings.
For litigation in the English courts, processing data is lawful under GDPR where it is necessary to comply with a legal obligation, which includes a court order to disclose documents. However, the same cannot be said for the consensual process of arbitration, where the legal obligation processing ground cannot apply; the exemption only covers legal obligations created by member state law, and does not extend to those created by an arbitral tribunal order. The arbitrator’s directions potentially give rise to contractual or quasi-contractual obligations; arguably, therefore, disclosure obligations in arbitral proceedings may fall within other grounds of lawful processing provided for in the GDPR, either because the processing is necessary for the performance of a contract or, more likely, because it is necessary for the data controller’s legitimate interests. However, processing on grounds of legitimate interests is a more objective standard, and the data controller’s legitimate interests must be weighed against the rights and freedoms of the individual data subjects.
Furthermore, the general scheme of GDPR is to require processing to be limited to that which is proportionate and necessary to achieve the stated purpose for which personal data was collected. In a discovery exercise, this might be interpreted as limiting what documents it is acceptable to search for, collate, and disclose. Instead of reviewing all “relevant” documents, the principle of proportionality requires a more focused process of identifying relevance in order to manage GDPR risk.
Discovery exercise by third party provider
Where the document review process is outsourced to a third party provider, the GDPR requires a contractual safeguard to be put in place with the third party data processor in order to protect the personal data. These contractual arrangements must be in writing and include certain requirements to ensure that the data processor does not use personal data for any purpose other than in connection with the services it provides to the data controller. They also bind the processor to the same security standards as those that apply to the data controller.
Another area where data protection issues arise in the context of arbitral proceedings is in dealing with expert witnesses when personal data is shared for the purposes of the expert forming an opinion and giving expert evidence in a specific area. An expert witness is likely to be classified as another data controller in these circumstances, and whilst the GDPR does not include a statutory requirement for a data controller to enter into written terms with another data controller when sharing personal data, good practice dictates that an agreement which manages the obligations for both sides is put in place.
Transfer to non-EU countries
Arbitral proceedings are almost without exception international, which raises another area of required compliance with the GDPR. The provisions on the transfer of personal data from the EU to other jurisdictions require there to be a contractual or other GDPR approved mechanism in place in order that personal data is lawfully transferred. Companies which have self-certified under the EU/US Privacy Shield can receive personal data from the EU lawfully. Post-Brexit, the UK will be a “third country” for the purposes of the GDPR’s provisions on the regulation of data transfers. In the context of disputes, transfers of data may fall under the exemption of “necessary for the defence of a legal claim”. The standard for necessity is high, however, and documented and adequate steps are required to ensure that only relevant documents are transferred.
Managing the new risk landscape
Strategic planning is required to manage the risks from the outset of a dispute, including for the initial investigation, litigation holds, the selection of arbitral institutions, the instruction of external counsel, discovery providers, working with experts, the nomination of arbitrators and so on. Having a dispute-specific data protection strategy in place at the outset of a dispute is vital.
Experience has shown that it makes sense to ensure that the parties and the tribunal collaborate at an early stage to manage the data protection issues and risks. A written protocol agreed between the parties and the arbitrator could identify what data is relevant, where and by whom it will be processed in the discovery stage, if there will be a transfer of data outside the EU, as well as setting out measures to ensure that data processing is kept to a minimum, and how data protection responsibilities will be documented with third parties.
The reason for the concern: the GDPR provides for substantial penalties in the event of breach, including fines of up to 4% of global turnover or EUR 20 million (whichever is the greater). The regulators have proven their intent in their first enforcement actions since the GDPR came into effect, in particular the UK data protection regulator, the Information Commissioner’s Office (ICO), which unveiled a £183.39 million fine for British Airways last year under the GDPR for its data breach. However, it is not just the wrath of the regulators about which organisations need to be concerned.
There has been growing interest in civil litigation as a recourse for data breaches. This pattern is well documented in the US class action market, but it has been gaining more prominence in the European market. Indeed, the GDPR itself provides for civil recourse, specifically:
“Any person who has suffered material or non-material damage as a result of an infringement of this regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
The risks of non-compliance are now significantly greater, and parties will need to exercise greater care to ensure that they are not exposed to significant fines. Liability under the GDPR could potentially extend to law firms and e-disclosure solutions providers, and contractual disputes between parties about their failure to meet their statutory and contractual data privacy obligations are likely to be litigated more frequently.