In international arbitration, particularly where US parties are involved, the parties frequently agree on the exchange of documents, although the exchange is usually more limited than in US pre-trial discovery. Such disclosure proceedings often are not limited to physical documents but also include electronically stored information (ESI). However, to the extent that European parties are involved, the processing and transfer of ESI may conflict with European data protection law if such information contains personal data, which is data that identifies an individual or makes that individual identifiable.
Any request for the production of ESI may lead to a clash between the obligation to disclose information and the duty to protect personal data. The controller of the information faces severe sanctions when breaching either of these obligations. On the one hand, non-compliance with a request for production of data may lead to the drawing of adverse inferences, to a shifting of the burden of proof and/or to a negative decision on costs. On the other hand, the violation of data protection law may trigger damage claims, fines and, in some Member States, even criminal prosecution. In this article we will provide practical guidance on how to deal with this dilemma.
In the European Union (EU), as well as in the European Economic Area (EEA), data protection law is based on the European Directive 46/95/EC, dated October 24, 1995 (the Directive). This Directive is concerned with protecting individuals with regard to the processing of their personal data as well as with the free movement of such data. The data protection laws of the Member States are based on this Directive: for example, the German Federal Data Protection Act (Bundesdatenschutzgesetz or BDSG) and the British Data Protection Act of 1998. However, while based on the same principles, as implemented, the national laws may vary in certain details.
These national laws, which do apply to arbitration, limit requests for disclosure of information in foreign jurisdictions from a national law point of view. However, US courts have characterised these laws as Blocking Statutes and have rejected arguments that such laws provide a valid defense against disclosure requests in relation to US litigation.1
Pursuant to the general principles established by the Directive, the collection, processing and use of personal data is only lawful if the data subject has consented, or if the preconditions for another justification explicitly acknowledged by the Directive are fulfilled. The same is true for the transfer of personal data to a third party, whereby additional requirements have to be met if personal data is transferred to third parties located outside of the EU or the EEA (as we discuss below). In practice, consent of the data subject can rarely be used as a justification. This is because, firstly, the law sets high requirements for a declaration of consent and, secondly, the volume of data typically requested in disclosure proceedings makes it impossible to procure the written consent of every person whose data might be concerned. For that reason we will focus below on other available grounds for justification.
Parties should prepare for the exchange of ESI long before arbitration or litigation is anticipated. As a general rule, subject to legal requirements for retention of data for regulatory and other purposes, data controllers may choose to retain as little ESI as is legally required. They also can implement efficient data retention policies to ensure that ESI that is not needed anymore, and which will not be required to prove a party’s own case in the event of a dispute, is routinely deleted. However, as soon as arbitral proceedings can reasonably be anticipated, the data controller is usually required to implement a “litigation hold” in order to ensure that data, which might be decisive in the arbitral proceedings, is preserved.
Under the Directive, any active retention, preservation or archiving of data in anticipation of arbitral proceedings amounts to the processing of data, which requires special justification. The same is true for the search for, and compilation of, personal data in order to comply with a document request.
Pursuant to Article 7(c) of the Directive, the data controller may process personal data if the processing is required in order to comply with other legal obligations. However, disclosure in arbitral proceedings is based on an agreement between the arbitrating parties. Such agreement does not constitute a legal obligation within the meaning of Article 7(c) of the Directive. Hence, Article 7(c) of the Directive does not provide a justification to process personal data for use in arbitral proceedings.
However, Article 7(f) of the Directive allows for the processing of personal data if such processing serves the legitimate interests of the data controller, as long as these interests are not outweighed by the data subject’s fundamental rights and freedoms. Hence, Article 7(f) of the Directive requires a balancing of the legally protected interests of the data controller and those of the data subject. As a consequence, the data controller should liaise with the arbitral tribunal at an early stage in order to prevent overly broad production requests. Only if the requested personal data reasonably appears to be relevant for the arbitral proceedings can its processing be justified under Article 7(f) of the Directive. Moreover, the data controller should explore with the arbitral tribunal the extent to which the personal data can be rendered anonymous or pseudonymous without deleting data relevant to the arbitral proceedings.
Once the requested data has been collected, it has to be transferred to the requesting party. Here, one has to differentiate whether this other party is located within the EU, the EEA or another country that provides for a comparable level of data protection.
The transfer of personal data to an opposing party based in the EU, the EEA or in a country that is considered by the European Commission to have an adequate level of data protection (i.e., Argentina, Canada, Guernsey, Isle of Man, Jersey and Switzerland) is lawful if this transfer is necessary to serve the legitimate interests of the controller, unless such interests are overridden by the fundamental rights and freedoms of the data subject. The transfer of personal data in arbitral proceedings does serve the legitimate interests of the controller to the extent such data can be reasonably regarded as relevant for the outcome of the case.
For the transfer of personal data to an opposing party located outside the EU, the EEA or another country that offers a comparable level of data protection, additional requirements have to be observed. In such cases, the transfer of personal data to the opposing party is only allowed if (i) the requirements of Article 7(f) of the Directive are fulfilled (as described above) and (ii) the receiving party can guarantee an adequate level of data protection. The following can ensure such adequate level of data protection:
- Both the data importer and data exporter sign the EU standard contractual clauses,
- The data importer is “Safe Harbor” certified, or
- The data importer has implemented “Binding Corporate Rules,” which have been certified.
However, in arbitral proceedings (as well as in litigation) the opposing party will most likely not be willing to agree to the EU standard contractual clauses. Moreover, the Safe Harbor Principles are both time- and cost- intensive to implement and are not applicable to all industries. Binding Corporate Rules are also of limited use in arbitral proceedings, as their approval and implementation often take several years until completion. Hence, in practice, the receiving party will in most cases neither be able nor willing to provide for a guarantee on an adequate level of data protection within the meaning of the Directive.
In these circumstances the provision of Article 26(1) (d) of the Directive may be considered. This article allows for the transfer of personal data without the need to guarantee an adequate protection level if the transfer is necessary “for the establishment, exercise or defence of legal claims.” It is worth noting that, for instance, the English-language version does not require the establishment, exercise or defence of legal claims to take place in a specific forum, while other language versions,2 such as the German version of the Directive, require “court proceedings.” Therefore, it is debatable whether Article 26(1)(d) of the Directive also covers arbitral proceedings.
One could argue that the legal interests of a party subject to arbitration are exactly the same as if this party litigated before a state court. However, Article 26(1)(d) of the Directive forms an exception to data protection, which has to be interpreted narrowly in order not to circumvent the European data protection standard.3 Moreover, as a means of private dispute resolution, arbitral proceedings are made to fit the needs of the parties and, in comparison to state courts, pay less attention to the needs and interests of third parties not engaged in the arbitration.
Most importantly, an arbitral tribunal derives its power from the parties’ agreement and, thus, lacks the power to issue orders that have negative effects on third parties. Therefore, a request to produce data by an arbitral tribunal cannot decrease the level of protection that the respective national law offers to the data subject. That leads to the conclusion that the exception of Article 26(1)(d) of the Directive is not applicable to arbitral proceedings. As a consequence, the transfer of personal data to a party outside of the EU or the EEA, in the arbitral context, usually violates European data protection law. Only if the requesting party seeks assistance from the state courts, for instance under 28 USC § 1782, are the preconditions of Article 26(1)(d) of the Directive fulfilled.4
The export of personal data outside of the EU and the EEA in arbitration proceedings remains a legal problem that requires careful consideration, particularly by the arbitral tribunal. On the one hand, the arbitral tribunal should be cautious not to force a party to violate data protection law. On the other hand, European parties requesting personal data must not be given an unfair advantage vis-à-vis parties from other countries, in particular the United States, which have less strict data protection rules. It would be against the principles of due process if a European party could request personal data from a US party but could block equivalent requests from the US party by reference to European data protection law.
The IBA Rules on the Taking of Evidence in International Commercial Arbitration (the IBA Rules), for instance, address this dilemma as follows: Pursuant to Article 9(2)(b) of the IBA Rules the arbitral tribunal shall exclude from production any document if such production is unlawful. On the other hand, Article 9(3)(e) of the IBA Rules expressly acknowledges the need to maintain fairness and equality between the parties, particularly if they are subject to different legal or ethical rules.
In practical terms, arbitrators should endeavor to restrict the disclosure to those documents that are likely to be of high evidentiary value and relevance to their decision. They can do so by structuring the dispute, identifying the relevant factual questions and giving close guidance to the parties from the beginning of the arbitral proceedings. If, nevertheless, ESI containing personal data needs to be disclosed, the arbitral tribunal should consider if, and to what extent, such personal data can be rendered anonymously or through the use of pseudonyms.
Moreover, if the receiving party is or could be represented by counsel located within the EU or the EEA, one could consider reaching an agreement that personal data is only disclosed to counsel. Parties, or potential parties, to arbitration should implement a strict document retention policy prior to arbitration. Subject to general retention obligations for regulatory and other legal purposes, and having ensured that documents that will be required to prove the party’s own case are preserved, the less personal data a party stores, the fewer conflicts with data protection law will arise when it comes to arbitration.