Data Protection and Discovery - Chapter 22 - Handbook on International Commercial Arbitration
Peter Ashford is Solicitor of the Supreme Court and a Partner at Cripps Harries Hall LLP and is Head of the firm's Commercial Peter Ashford is a Partner and Head of commercial dispute resolution in the leading United Kingdom Firm of Cripps Harries Hall LLP, Tunbridge Wells, United Kingdom. Mr. Ashford advises on a wide range of commercial disputes with a particular emphasis on substantial commercial contract disputes, especially those involving an international aspect, partnership and LLP disputes, professional issues for solicitors and professional negligence. He is particularly experienced in complex, high value claims and acts for many international clients. He handles disputes in court, arbitration, mediation and disputes without any formal process. Mr. Ashford received his training in London and qualified in 1986. He joined Cripps Harries Hall LLP in 1987 and became a partner in 1991.
Originally from Handbook on International Commercial Arbitration
Data protection and discovery are not happy bedfellows; discovery is the disclosure of data under compulsion whereas data protection is intended to prevent such disclosure. The underlying legal principles of both are often in conflict in the context of commercial arbitration in the U.S. and in the Member States of the European Union. In this regard, neither the disclosure nor discovery rules of the U.S. and European courts have been harmonised with data protection laws. This often places in a dilemma companies that are doing business in the U.S., especially European companies doing business in the U.S. or that have their parent company, a subsidiary, or an affiliate in the U.S. because they are forced to either comply with compulsory discovery/ disclosure obligations or protect their employee’s and customer’s data.) The problem is not so acute for discovery given by U.S. companies as the U.S. does not have comprehensive data protection legislation. Although a signatory to the 1981 OECD Guidelines, the U.S. has not implemented them domestically. Instead, a sectoral approach, with a mix of legislation, regulation and self-regulation, is utilised. The introduction of European Directive 95/46/EC could have therefore restricted the ability of U.S. organisations to engage in transactions with their European counterparts, for it prohibited the transfer of personal data to non EU states that do not meet the “adequacy” standard for the protection of privacy.
As a result of this, the U.S. Department of Commerce developed the “safe harbour” system in consultation with the European Commission. This offers a method by which U.S. organisation can comply with the Directive. The EU approved “safe harbour” in July 2000. Organisations that sign up to the scheme are certified as offering “adequate“ protection under the terms of the Directive, thus enabling transactions between those organisations and European organisations to proceed smoothly and within the law.
The U.S. Department of Commerce Safe Harbour website provides:
The decision by U.S. organizations to enter the safe harbor is entirely voluntary. Organizations that decide to participate in the safe harbor must comply with the safe harbor's requirements and publicly declare that they do so. To be assured of safe harbor benefits, an organization needs to self certify annually to the Department of Commerce in writing that it agrees to adhere to the safe harbor's requirements, which includes elements such as notice, choice, access, and enforcement.