When discharging their disclosure obligations, parties should always be mindful of their duties under any applicable data privacy laws. The key piece of legislation in England is the European Union's General Data Protection Regulation (GDPR), which took direct effect in England on 25 May 2018. The GDPR regulates the 'processing' of 'personal data' and applies to both 'data controllers' and 'data processors' of personal data located in the European Economic Area (EEA).
Personal data is any information that relates to an identified or identifiable living individual such as name and surname, home address or email address. Processing includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data. A data controller is someone who determines the purposes and means of processing personal data, whereas a data processor is responsible for processing personal data on behalf of a data controller.
Accordingly, the preservation, collection, processing, review and production of ESI by a party or its legal representatives in the context of disclosure is likely to constitute the processing of personal data by a data controller (the party) and potentially a data processor (the legal representative or any third party retained for disclosure purposes). Therefore, a party will need to ensure that it complies with its obligations under the GDPR before it processes any personal data.
The GDPR contains seven key data protection principles that a data controller must comply with. The first principle requires personal data to be processed lawfully, fairly and in a transparent manner in relation to individuals. There are six lawful bases for processing, set out in Article 6 of the GDPR, and at least one of them must apply. Three of the most relevant bases for disclosure are: (1) where the individual has given clear consent for a party to process their personal data for a specific purpose; (2) where the processing is necessary for a party to comply with the law (not including contractual obligations); and (3) where the processing is necessary for a party's legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data that overrides those legitimate interests. The data controller will still need to comply with its other obligations under the GDPR even if the processing is deemed lawful.
The GDPR also imposes restrictions on the transfer of personal data outside the EEA. However, the transfer will be permitted where:
- the proposed transfer is covered by an 'adequacy decision' of the European Commission, which is a finding that the legal framework in place in that country, territory, sector or international organisation provides adequate protection; or
- the transfer is made subject to appropriate safeguards, which are listed in the GDPR.
Examples of appropriate safeguards include:
- binding corporate rules that represent an internal code of conduct operating within a multinational group and that apply to restricted transfers of personal data from the group's EEA entities to non-EEA group entities; or
- a contract between the sender and receiver that incorporates standard data protection clauses adopted by the European Commission known as the standard contractual clauses or model clauses.