GDPR and International Arbitration at a Crossroads
The International Council for Commercial Arbitration (ICCA) and the International Bar Association (IBA) have established a Joint Task Force on Data Protection in International Arbitration Proceedings. The task force will develop guidance for arbitration professionals with regard to data protection in arbitration proceedings. This guidance, which is expected to be published for comment later this year or in early 2020, aims provide practical guidance on the potential impact of data protection principles. In particular, it will recommend how information and evidence subject to the European Union’s General Data Protection Regulation (“GDPR”) is to be handled in international arbitration proceedings.
The task force arose because of the supranational impact of GDPR. In international arbitration proceedings, information and evidence are gathered and transferred to the opposing party, counsel, arbitrators, and professional third parties across different jurisdictions. Because such evidence or information may be subject to the GDPR’s data protection framework, a careful review at the onset of the arbitration is required to determine whether electronically stored information can be transferred (and produced to other parties), and if so, how. Failure to comply with restrictions on the use of electronic data can result in punitive sanctions. For example, a violation of GDPR can lead to a penalty of up to 4% percent of a company’s global annual revenue or €20 million, whichever is higher.
The GDPR came into effect in 2018. It holds as fundamental that processing of protected personal information is prohibited unless expressly permitted by the GDPR. As an EU Regulation, no local law implementation is required to adopt the GDPR, and it applies directly in each member state of EU. Its application is broad. GDPR applies to any company or entity that controls or processes “personal data” as part of the activities of its branches established in the EU, or if it targets or monitors “data subjects” in the EU, regardless of the company’s location.
Protected “personal data” relates to the information of an identifier–data subject–and covers simple information such as work email address, telephone number or IP address, and generally anything through which a person can be identified. The “data controller” means any person or organizational body that determines the means of processing personal data. “The data processor” refers to any entity that processes personal data on behalf of the data controller. The GDPR also defines “processing” very broadly as any operation that is performed on personal data and specifically includes activities such as collection, use, disclosure by transmission, and dissemination, or otherwise making available personal data.
These broad definitions of personal data and data processing mean that GDPR can apply to any party, counsel, arbitrator, tribunal or professional third party participating in an arbitration within the GDPR’s reach. Personal data processing during an arbitration includes review of information or evidence by which an individual is identified or identifiable, even if the personal data is contained in a business-related document.
There are exemptions under GDPR which allow sharing of personal information under specified circumstances. These include, among other things, the explicit and well-informed consent from the data subjects, and, importantly, the necessity to process personal data for the performance of a contract, or to comply with a legal obligation, or for the purpose of a legitimate interest. Interestingly, while a document production in international arbitration would appear at first glance to fall into the category “compliance with a legal obligation,” the exemption only explicitly covers legal obligations created by Member State law such as a court order, not ones created by an arbitral tribunal order. Whether, in fact, data processing and sharing in international arbitration falls within this exemption, is still a matter of debate. Nonetheless, the general understanding is that disclosure obligations in arbitral proceedings satisfy at least the last exemption provided for in the GDPR, i.e., the processing is necessary for the purposes of legitimate interests pursued by the data controller.
How these exemptions would be interpreted for purposes of ensuring the integrity of evidentiary deliberation in an international arbitration would need to be carefully monitored. It certainly will require a careful balance between the data subject’s interests and the interest of maintaining a robust evidentiary process in an international arbitration proceeding. As it currently stands, the data controllers and processors, i.e., party, counsel, arbitrator, tribunal or experts, are required to ensure appropriate technical and organizational measures are in place to safeguard handling of personal data. This means that every arbitral participant has to consider at the outset of an arbitration whether or not GDPR applies to its use of personal data and, if so, what rules apply. Practitioners should be aware that the GDPR may be relevant to their arbitration, regardless of whether the parties are, or the arbitration is seated, in Europe.
The intersection, if not clash, of international arbitration and GDPR will certainly produce interesting decisions, awards and opinions for arbitration practitioners.