Data security is a hot topic at the moment. Putting to one side the lurid details of the Cambridge Analytica/Facebook debacle, many lawyers are focused on the (perhaps less thrilling but nonetheless important) provisions of the EU General Data Protection Regulation (GDPR), which comes into force in May of this year. Much has been written about the GDPR and its potential consequences (and costs) for companies and individuals. The extensive duties placed on data controllers and processors, and the potential for significant penalties, have given rise to a burgeoning consultancy industry aimed at managing and reducing risk. One aspect that has perhaps received less attention, however, is the extent to which EU data protection rules might affect disclosure of documents in arbitration proceedings.
The problem with regard to disclosure generally arises from a mismatch between the rules governing data protection and those governing disclosure. This has traditionally been most apparent where disclosure requirements in US litigation clash with EU data protection rules. The definition of “personal data” for the purposes of EU law is very broad. It is broader than under US law and certainly broad enough to catch some of the documents that would routinely be disclosed in litigation or arbitration. For example, email negotiations carried out by an employee of a company with a third party might well constitute the “personal data” of that employee or third party and, therefore, be subject to the constraints imposed by the GDPR. Similarly, the broad definition of “processing” under EU law would certainly encompass the application of a litigation hold and every stage of the disclosure exercise, from collection and review through to production.
This means that the performance of discovery obligations may be, prima facie, inconsistent with EU law data protection constraints on the processing and transfer of data. What is to happen if a party to litigation is ordered to disclose documents that are subject to data protection constraints? In the context of English court litigation, any contradiction is addressed by the provision in the GDPR recognising that processing of data is lawful where it is necessary to comply with a legal obligation, including a court order to disclose documents.
However, no such legal obligation arises from arbitration, which is consensual and in which the arbitrator’s directions give rise to contractual, or perhaps quasi-contractual, obligations. This has led commentators to argue that disclosure obligations in arbitral proceedings may fall within a further ground of lawfulness provided for in the GDPR: that the processing is necessary for the purposes of legitimate interests pursued by the data controller. However, this is a much more fluid and nebulous ground, and may be displaced where the interests of the individual data subject outweigh those legitimate interests. Furthermore, the general scheme of the GDPR is to require processing to be limited to that which is proportionate and necessary to achieve the stated purpose. This introduces a still further level of nuance and fluidity. It suggests, for example, that it may no longer be acceptable to search for, collate, and disclose all “relevant” documents. Instead, considerations of proportionality may point towards a more focused process of identification, assessment and weighing, in order to ensure that data protection obligations are not breached.
The GDPR also restricts the transfer of personal data outside the EU, requiring that any such transfer be covered by an adequacy decision, by appropriate safeguards or by one of a limited set of derogations. Again, this issue has been most acute in the context of US proceedings. By way of background, the 2000 EU-US Safe Harbor framework, which set out mutually agreed principles governing the flow of data from the EU to the US, was struck down by the European Court of Justice (ECJ) in 2015 in the infamous Schrems case. Schrems may be seen as part of the post-Snowden fall-out: an individual Facebook user complained that the Irish data protection authority had failed to protect his data when it allowed Facebook to transfer it to the US, where it was potentially accessible to US intelligence authorities. This argument was upheld by the ECJ. Safe Harbor was replaced in 2016 by the Privacy Shield, which imposes more stringent obligations on US parties to protect personal data. The Privacy Shield will continue to apply when the GDPR is in force, though there are reports that it, too, may be vulnerable to challenge in the ECJ. For transfers to countries other than the US, parties engaged in disclosure will need to identify which of the GDPR's somewhat complex transfer mechanisms applies and ensure that it is observed. It should be borne in mind, in this regard, that even if the substance of the GDPR is maintained in English law post-Brexit, the UK will, technically, be a “third country” for these purposes.
The reason this all matters so much is that the GDPR provides for substantial penalties in the event of breach, including fines of up to 4% of annual global turnover or EUR 20 million (whichever is the greater). The risks of non-compliance will now be significantly greater, and parties will need to exercise greater care to ensure that they are not exposed to significant fines. Many lawyers and commentators have predicted a wave of complaints by individuals, leading to penalties and, potentially, to civil liability (certainly a possibility in the UK following the Court of Appeal decision in Vidal-Hall v Google, confirming that misuse of private information potentially gives rise to tortious liability even where there is no pecuniary loss). Liability under the GDPR and at common law could potentially extend to law firms and e-disclosure solutions providers.
However, the good news, in the context of arbitration, is that the procedural requirements can more easily and swiftly be tailored to the new regulatory environment. There may well be arguments for the tribunal to become more actively involved in defining the scope of disclosure at an early stage, particularly where there are likely to be issues relating to proportionality or the potential consequences of disclosure for individual data subjects. Time will tell, though, whether satellite disputes about the scope of disclosure under the new data protection rules become a regular feature of international arbitration.