On November 30, 2018, I had the privilege of serving as a panel member on an International Association of Defense Counsel (IADC) presentation addressing GDPR in International Dispute Resolution. The other panel members were: Robert Bond, of Bristows, in London, England; Alexandra Simotta, of Six-Group, in Vienna, Austria; and Janis Block, of CMS in Cologne, Germany. The panel’s objective was to explore the issues arising under the GDPR in international dispute resolution, whether in arbitration or court litigation. My responsibility was to offer a U.S. trial counsel’s response to the subject. This article shares a few of the ideas raised during the panel, and a few which have occurred to the author in response to hearing from my fellow panel members.
For Counsel, Parties, Arbitrators, Arbitration Institutions and Vendors Subject to GDPR the Burden is Pervasive
As a threshold, there is no escaping the reach of the GDPR for companies subject to it- whether in the role of data Controllers or Processors- when they are involved in disputes implicating protected data subject information. The jurisdictional reach of the GDPR ensures that a significant number of businesses outside the EU, including many in the U.S., will have to consider how the GDPR affects their activities in investigating, pleading and responding to information requests in arbitration and court litigation. The breadth of the definition of protected personal data guarantees counsel and their clients will confront a host of unique questions and challenges complying with GDPR while pursuing and defending cases in all dispute resolution forums.
As Ms. Simotta observed, almost any interaction with personal data will amount to covered ‘processing’ under GDPR, including collecting, organizing, retrieving, using the data. As elementary elements of information-exchange in almost all dispute resolution processes, these data-use activities demand attention to GDPR in those processes. Ms. Simotta noted further, in dispute resolution processes occurring within the EU, the GDPR applies directly to arbitral institutions, the arbitral tribunal, and others typically involved in the process like experts and vendors. It applies to counsel for the parties. The conflict between overlapping and conflicting job responsibilities of those in the dispute resolution process and the potential liability imposed by the GDPR demand attention by the participants to responsibilities not previously an issue. Ms. Simotta illustrated the point by reference to cross-border litigation within the EU. Processes necessitating investigations in multiple member states with differing implementations of the GDPR will compel counsel to manage a new layer of complex compliance considerations in addition to the merits of the dispute, and the tribunals sitting in different states must satisfy the requirements of their host state’s implementation of GDPR.
Litigation Participants Subject to GDPR Must Justify their Use of Protected Data
Mr. Bond framed the compliance challenge to dispute resolution participants by noting the GDPR’s fundamental premise that processing of protected personal data is prohibited unless expressly allowed by the GDPR. The GDPR bases for legitimate processing, he noted, are limited and narrow. This priority structure, he observed, is the key to understanding how the GDPR applies to international arbitration and litigation, since the GDPR provides no specific authorization for processing of data in arbitration or litigation. Instead, he noted, litigants, their counsel, and the tribunals must find their authorization or justification for data ‘processing’ in litigation through the individual processor’s “legitimate interest” ground for lawful use of protected data. This is in contrast to the perhaps more intuitive GDPR basis for use of protected data, consent, which in the context of the parties might seem at first glance to suffice. Mr. Bond pointed out, however, the EU supervisory authority has explained that the level of data subject consent needed under GDPR is difficult to obtain in the litigation/arbitration context, and may be withdrawn, making it an unsatisfactory basis for dispute resolution use of protected data. This does not totally rule out consent as a justification for dispute resolution data processing, however it emphasizes its tenuousness and the threshold analysis which must occur under GDPR before reaching the substance of the data for purposes of the case.
GDPR Compliance in Litigation Increases the Cost of Litigation Raising the Floor of Cost-of-Defense Settlement
U.S. companies already financially repulsed by document privilege-reviews, and now subject to the GDPR, must gasp over the potential expense of threshold document processing authorization reviews, and the data-processing record-keeping required by GDPR which accompanies all stages of protected document processing. One need only consider the GDPR’s reach- it protects personal data wherever it appears is connected to an identifiable EU subject, e.g., emails, work logs, agreements, other business documentation- to appreciate the potential burden of justification analysis in document productions. The specter of this additional litigation burden prompted a U.S. attorney attendee to comment that by driving up the already high cost of litigation these protections drive up the value of cost-of-litigation settlements in otherwise unmeritorious cases.
This concern is justified, considering the typical components of a dispute which involve identification, review, assembly, transfer, storage, and disclosure of data containing individually identifiable personal data. GDPR concerns apply at every stage. Counsel and their clients engage in initial categorical reviews necessarily involving individual identification of relevant actors. Third parties assist in extracting and uploading data into sets. The attorneys, or hired third parties conduct substantive reviews. Documents are produced to opponents, government regulators, law enforcement, Courts and tribunals. Where data leaves the EU, additional GDPR concerns affect the transferring party.
U.S. Litigation Counsel and Courts Confronting Client/Party GDPR Compliance Duties have a Steep Learning Curve
GDPR considerations confront E.U. counsel, already accustomed to operating under the Data Protection Directive in place before May 25, 2018, with significant new challenges. At least E.U. counsel, and their clients, have the benefit of experience with challenging data protection concepts. For most U.S. trial counsel, however, the considerations are totally new and potentially intimidating. Consideration, however, of the situations where U.S. counsel will likely encounter GDPR issues can help diffuse some of the shock. As a starting point, U.S. Courts are not themselves subject to GDPR. Arbitration organizations and tribunals seated in the U.S. may or may not be, depending on their connections with European counterparts, or their direct activities in the E.U. Although some U.S. lawyers will be in firms subject to GDPR due to their international reach, most U.S. lawyers and their firms will not be subject to the GDPR. It is certain, however, that non-GDPR-subject Courts, tribunals, and attorneys in the U.S. will have litigants and clients subject to the GDPR, which will compel attention to GDPR issues in the context of those disputes and engagements. In many instances they will confront GDPR for the first time in litigation or arbitration.
GDPR considerations will be mutual when both parties to a U.S. dispute are subject to the GDPR. In such cases there should be some mutual understanding of the issues, if not perfect agreement on execution of the responsibilities. Both parties U.S. will be obliged to address and protect their client’s GDPR interests in all phases of the representation, e.g., as requesting and responding parties, correspondents with the court/tribunal, dispute related vendors and experts, and third-parties. That does not mean, however, opposing counsel will not seek advantages or leverage against the other party by exploiting discovery or other data-related processes in situations where GDPR risks or burdens affect the parties or third-parties differently. It also does not mean those parties will not encounter problems with Courts, law enforcement, regulatory or other U.S. entities unconcerned with the parties’ GDPR burdens and conflicts.
One-sided Compliance Obligations Present Substantial Opportunities for Conflict
The potential for misunderstanding, unbalanced expectations and anxiety arising from GDPR compliance conflicts is most acute when only one side of the transaction is subject to GDPR. The pertinent litigation/dispute data transaction involves a demanding and producing party. The potential for conflict is greatest when the producing party is GDPR-subject, but not the demanding party. The reflexive tendency of non-GDPR bound parties and counsel can easily be, “not my problem”.
Counsel for the GDPR-subject producing party has, thus, distinct internal and external challenges- to protect the client under the GDPR on the one hand, and to avoid sanctions/dismissal by responding adequately under U.S. rules (e.g., FRCP 26(a)(1) initial disclosures; FRCP 33 interrogatories; FRCP 34 Request for Production; FRCP 45 (subpoena for documents and things) on the other. In addition to assisting the client meet its internal obligations under GDPR (and with vendors, consultants and other outside assistants), Counsel for the GDPR-subject producing party has an educational challenge with opposing counsel and the Court/tribunal. GDPR explanations may or may not satisfy requesting counsel, who, in the worst instance may be less interested in the things sought than in creating pressure and conflict under GDPR with their demands.
Solutions for Conflicted Parties Lie in GDPR Literacy, Process Competence and Case Mastery
Where consent resolution of requests within GDPR-based-limits on a client is unavailable use must be made of limiting tools like protective orders and use of sealed document filings. This reopens the educational task of producing party’s counsel. The extent to which Courts and non-GDPR-subject tribunals will accommodate and balance the producing parties GDPR obligations against the demanding parties’ right to know remains to be seen. Courts and tribunals are not, however, strangers to analyzing impediments to production. Court and tribunal balancing of issues involving proprietary and competitive secret information, and traditional privileges, provide a somewhat analogous starting point for balancing the producing party’s GDPR based duties against its production obligations. The educational task may be very difficult where producing counsel argues a refusal to produce under the GDPR. (e.g., compliance with request would require transfer of data to an unapproved country recipient, or may not be minimized or pseudonymised). Tactically motivated data requests, however, with little or no substantive discovery value may be poorly received. Experience teaches Courts and tribunals will likely be more receptive to discovery-limitation requests of a producing party accompanied by a plan to meet the conflicting burdens of the GDPR and duty to produce. Thorough knowledge of GDPR burdens and Court/tribunal processes are the key to successful construction of discovery solutions which will keep the client GDPR compliant and avoid sanctions in the dispute. Indeed, knowledge and understanding of GDPR burdens will equip counsel to craft arbitration clause language calculated to protect the parties’ GDPR in authorized discovery processes.