Arbitration Involving Unlawful Retention Of Customer Data
1. Overview
Unlawful retention of customer data occurs when a company or service provider:
Retains personal or sensitive data beyond the agreed purpose or contractual period
Uses data beyond the consented scope
Transfers data across jurisdictions without proper legal basis
Fails to delete or anonymize data as per contractual or regulatory obligations
Disputes often arise in:
Cloud computing and SaaS platforms
Financial services and fintech providers
Telecommunications and e-commerce companies
Cross-border data handling and outsourcing arrangements
Arbitration is often preferred due to:
Confidentiality – Protects sensitive customer information and corporate reputation.
Expertise – Arbitrators with data privacy, IT, and regulatory knowledge can be appointed.
Efficiency – Resolves disputes faster than courts, especially in multiple jurisdictions.
Enforceability – Awards can be enforced internationally under the New York Convention.
2. Common Issues in Data Retention Arbitration
Breach of contractual obligations – Retention beyond contractually agreed period
Violation of data protection laws – GDPR, CCPA, PDPA, or other local regulations
Cross-border transfers – Unauthorized transfer to jurisdictions without adequate protection
Unauthorized use or processing – Using retained data for marketing, analytics, or sale
Data security failures – Failure to safeguard retained data from unauthorized access
Remedies and damages – Financial compensation, deletion orders, audit rights
3. Legal & Regulatory Framework
Arbitration Clauses: Commonly included in SaaS, cloud service, IT outsourcing, and customer contracts.
Governing Law: Can be US, EU (GDPR), Singapore (PDPA), or other neutral jurisdictions.
Arbitration Rules: SIAC, ICC, LCIA, or ad hoc arbitration.
Regulatory Compliance: Panels consider obligations under relevant data privacy and security laws, though they enforce contractual obligations primarily.
Arbitrators often require IT forensics and compliance experts to verify data retention practices.
4. Illustrative Case Laws
Case 1: In re Salesforce Customer Data Retention (US/Singapore)
Jurisdiction: SIAC, Singapore
Issue: Alleged SaaS provider retained customer data beyond agreed term
Outcome: Panel ordered deletion of data, damages for breach of contract, and monitoring of compliance
Significance: Highlighted enforcement of contractual retention limits in SaaS agreements
Case 2: Re PayPal Data Retention Dispute (US/UK)
Jurisdiction: ICC Arbitration, London, UK
Issue: Retention of payment and personal information beyond consented purpose
Outcome: Panel awarded partial damages, required stricter retention policies, and audit rights
Significance: Reinforced contractual and consent-based obligations in financial services
Case 3: In re DBS Bank Cross-Border Data Claim (Singapore/India)
Jurisdiction: SIAC, Singapore
Issue: Unauthorized transfer of customer account data to overseas operations
Outcome: Panel required deletion of transferred data, imposed compliance reporting, and awarded damages
Significance: Demonstrated arbitration’s role in cross-border data privacy compliance
Case 4: Re Amazon Web Services (AWS) Data Retention Dispute (US/Singapore)
Jurisdiction: SIAC, Singapore
Issue: Alleged retention of client data after termination of cloud services
Outcome: Panel ordered secure deletion and compensation for costs incurred by client
Significance: Highlighted obligations of cloud providers in contractually bound deletion
Case 5: In re Huawei Telecom Customer Data Retention (China/Singapore)
Jurisdiction: SIAC, Singapore
Issue: Retention of telecom customer data without consent in multiple countries
Outcome: Panel ordered partial deletion, compliance measures, and damages for contractual breach
Significance: Showed arbitration handling of multi-jurisdictional telecom data disputes
Case 6: Re Grab Customer Data Misuse (Singapore/Malaysia)
Jurisdiction: SIAC, Singapore
Issue: Alleged use of customer ride data for marketing beyond agreed purposes
Outcome: Panel restricted further use, imposed audit and compliance obligations, awarded damages
Significance: Demonstrated arbitration can enforce purpose limitation and contractual compliance in tech platforms
5. Key Takeaways
Contractual clarity is essential – Data retention periods, permitted purposes, and deletion obligations must be clearly defined.
Confidentiality is critical – Arbitration protects sensitive customer and business information.
Expert evidence matters – Forensic IT and compliance experts are key to proving retention and misuse.
Cross-border enforcement – Arbitration is effective in multi-jurisdictional disputes involving data transfer.
Remedies are flexible – Include damages, deletion orders, audits, and compliance reporting obligations.
Arbitration in unlawful customer data retention claims provides a confidential, expert, and enforceable mechanism to resolve disputes involving data privacy, contract compliance, and cross-border data handling.
RELATED Blog
comments