bratschi arbitration blog: The impact of the GDPR on arbitral proceedings – a gateway for new conflicts?
Rarely a new legal regime has had more far-reaching implications on arbitration proceedings than the General Data Protection Regulation (EU 2016/679, «GDPR»), which replaced the EU's Directive 95/46 on personal data protection and entered into force in May 2018. While it is still too early to predict what consequences the GDPR will eventually have for the conduct of arbitral proceedings, arbitration users should be aware of the GDPR requirements and their potential implications on arbitral proceedings not only because of the significant fines of up to EUR 20 million for non-compliance with the GDPR, but also in order to avoid jeopardizing arbitral proceedings as a result of a potential breach of the GDPR, e.g. by provoking protective interim measures or the like.
Application of the GDPR to arbitration proceedings
The GDPR aims to protect individuals and their personal data and lays down rules to protect individuals, or data subjects, with regard to the processing and the transfer of personal data. It regulates the processing activities of data controllers and processors within its territorial and material scope of application. Data controllers are natural or legal persons, public authorities, agencies or other bodies which, alone or jointly with others, determines the purposes and means of the processing of personal data while data processors process the personal data on behalf of the controller (Art. 4 GDPR). The material scope of the GDPR broadly includes all processing of personal data «wholly or partly by automated means» (Art. 2(1) GDPR). There are certain exclusions from this material scope, including processing of personal data «in the course of an activity which falls outside the scope of Union law» (Art. 2(2)(a) GDPR). Because of the extensive territorial scope of the GDPR, however, this exclusion is of limited effect. The GDPR applies to the «processing of data by data controllers in the context of the activities of an establishment of a controller or a processor» in the EU (Art. 3(1) GDPR) or outside the EU when targeting sales of goods or services to data subjects in the EU or monitoring of their behavior inside the EU (Art. 3(2) GDPR).
Consequently, arbitration users may easily qualify as data controllers and data processors because they not only make decisions about the processing of data or process data on the behalf of a controller, but also because international commercial arbitrations are typically data-intensive and always include the processing of personal data such as names of individuals. Equally, arbitrations seated in Switzerland with a link to the EU will in most cases be impacted by data protection issues, although the Swiss data protection regime does not apply to arbitrations.
This said, any party, counsel, arbitral institution or a professional third party such as an expert might qualify data controllers or, in some cases, data processors. Whereas general data storage and transfer rules of the GDPR will often apply to all arbitration stakeholders, counsels may be affected in the way they gather documents to establish the facts of a case. Likewise, arbitrations may well involve documents from third parties, and counsels may have to deal with the processing of their personal data, too.
Main Obligations under the GDPR
Where the GDPR applies, personal data can only be processed by a data controller if at least one out of a list of six legal bases applies. One of those legal bases is consent. The consent option, however, should be carefully examined, but always applied with caution because the data subjects who have consented to the processing of their personal data may also withdraw their consent at any time. Furthermore, data controllers are also prohibited, as a general rule, from transferring data outside the EU unless it is to a country that provides equivalent level of protection to personal data, if the controller or processor has provided appropriate safeguards or if one of the exceptions in the GDPR applies.
The GDPR furthermore requires the data controller to adhere to certain obligations, including but not limited to: (i) informing the concerned data subjects about the processing (via documents such as privacy notices and privacy policies - Art. 12-14 GDPR); (ii) being able to handle requests for exercising the data subjects' rights (Art. 15-22 GDPR); (iii) regulating in an appropriate manner the relations with processors they might use (e.g. cloud service providers, translators, accountants, etc. - Art. 28 of GDPR); (iv) keeping records of processing activities (Art. 30 GDPR); (v) implementing appropriate measures for ensuring security of the personal data processed (Art. 32 GDPR).
Complying with the GDPR during the arbitral proceedings
To ensure compliance with the GDPR, arbitration stakeholders must consider data protection issues and ensure that processing and transfer of data is lawful. In this context, they shall apply minimization efforts in terms of data collection, processing and storage. For counsels, a first step towards data minimization might also include a request to its client to conduct (i) initial data reviews or (ii) apply measures to reduce the volume of documents sent to counsel for review.
Once the proceedings have started, the institution administrating the case as well as the arbitral tribunal will have to consider data protection issues, too. In this context, the ICC, in its updated Note to the Parties and Arbitral Tribunals on the Conduct of the Arbitration of 2019 («ICC Note»), has recognized the issue and states that «during the arbitration, the parties, their representatives and all other participants in the proceedings shall ensure the security of personal data processed under their responsibility. To that effect, parties and arbitrators shall ensure that secured means of collecting, communicating, and archiving data are used throughout the entire arbitration process and during the applicable retention period of such data». The ICC further encourages in its Note arbitral tribunals and parties to consult the Report on the Use of Information Technology in International Arbitration by the ICC Commission on Arbitration and ADR, which gives further guidance on IT related issues and how data shall be processed within the arbitral proceedings.
Arbitral tribunals may help avoid data protection issues by «addressing data protection early in the proceedings, for example in the case management conference», and by including in procedural orders, in a separate data protection protocol or in the terms of reference protective measures such as anonymization or a limitation on data protection exposure as also recommended by the ICC Note. As furthermore stated in the ICC Note, parties and arbitrators shall ensure that only personal data that are necessary and accurate for the purposes of the arbitration proceedings are processed, a fact of which the parties shall be reminded by the arbitral tribunal. In particular, discovery in international arbitration may give rise to violations of the GDPR. In this context, applying Art. 9 (1), (3) and (4) of the IBA Rules on the Taking of Evidence, arbitral tribunals may take into account data protection issues when deciding on discovery issues and make necessary «arrangements to preserve confidentiality and data protection».
Conclusions and recommendations
While the arbitration community agrees that the GDPR applies to arbitration proceedings if the processing of data related thereto falls within the territorial scope of the GDPR, the specific obligations thereunder are still hotly debated.
Even though the ICC Note addresses fundamental issues of data protection in international commercial arbitration, the need for more guidance is obvious and has also been recognized by the ICCA and IBA, which jointly launched a Task Force on Data Protection in International Arbitration Proceedings that is currently working on a Guide for data protection in international arbitration. The Guide is expected to clarify important questions on the handling of data protection issues in arbitrations and may at best, serve as worldwide benchmark for arbitration users on how to handle data protection issues throughout the arbitration proceedings.
Arbitration stakeholders are well advised to examine and anticipate data protection issues, comply with generally accepted data protection guidelines and follow closely the developments regarding the application of data protection issues, in particular of the GDPR, to arbitration. Finally, as disagreement on data protection issues may «flare up» at every stage of an arbitration, it is in the very best interest of all arbitration stakeholders to consider data protection issues carefully and diligently at every stage of the arbitration proceeding.
This arbitration blog represents the personal opinion of its authors.