This article has been written by Nabira Farman, pursuing the Certificate Course in International Commercial Arbitration and Mediation from LawSikho.
Data protection laws have become more widespread, nuanced, and comprehensive in today’s digital society, a trend accelerated by the COVID-19 pandemic. Given the pace at which this legislation is introduced and revised, participants in arbitration seldom have an exhaustive and current awareness of their data protection responsibilities or of the severe penalties for non-compliance. For instance, under the General Data Protection Regulation (Articles 83 and 84), civil liability may arise for parties that fail to comply with the law, with penalties of up to €20 million or 4% of the total gross revenue of the contravening company, whichever is higher. Criminal liability can also attach to parties, for instance under Section 170 of the United Kingdom’s domestic data protection legislation.
In the last two years, several major arbitral rules and recommendations have been revised to place a general obligation on tribunals and parties to raise and deal with data protection issues at an early stage of the arbitration. Examples include the 2019 Note to Parties and Arbitral Tribunals on the Conduct of the Arbitration under the ICC Rules (paragraphs 80 to 91), the 2020 London Court of International Arbitration Rules (Article 30), and the 2020 International Bar Association Rules on the admission of evidence in international arbitration (Article 2(e)).
The obligations of the parties to international arbitration
Parties to international arbitration have various data protection obligations that may compete with and overlap one another, creating a complex compliance framework, particularly in disputes that typically involve significant amounts of personal data (for example, large-scale construction, technology and digital information disputes). The lawyers, the members of the tribunal, and the arbitral institution (the “participants”) must strictly comply with these obligations.
A draft guideline, the Draft ICCA-IBA Roadmap to Data Protection in International Arbitration (the “Draft Roadmap”), was released for consultation in March 2020 by the International Bar Association (IBA) and the International Council for Commercial Arbitration (ICCA). Although the Draft Roadmap will not be officially published until September 2021, the current version already offers a very comprehensive guide for participants.
This article outlines the fundamental data protection obligations of participants, with reference to the Draft Roadmap and to the General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR), which introduced several of the principles now found in modern data protection legislation. It considers which information constitutes personal data requiring protection in international arbitration, identifies who is responsible for complying with data protection laws in international arbitration, and sets out the main rules and principles that may apply to participants.
What constitutes personal data in arbitration proceedings?
The GDPR defines ‘personal data’ broadly: it may include the name, address, and contact information of an individual, or even their physical, financial, or social identity. What matters is whether an individual can be identified from the data, or from a combination of data. The reach of the GDPR in international arbitration is therefore extensive. All activities relating to the collection, use, distribution, deletion, receipt, organisation, and preservation of personal data are covered by the term ‘processing’.
Processing data of a “special category,” such as information revealing ethnic origin, political opinions or religious beliefs, or concerning genetic data, biometric data, health, etc., is in principle prohibited. It may, however, be permitted where the processing is necessary for the establishment, exercise, or defence of legal claims, or where courts are acting in their judicial capacity. Processing may also be permitted in other exceptional circumstances, such as where the data subject (the person to whom the personal data relates) has given explicit consent. The scope for personal data to appear in international arbitration is broad. Some examples include:
- Witness statements typically contain the name, location and address of a witness and may also include special category data, such as political views, depending on the substance of the document. Parties also commonly attach a CV or photograph of the witness, which may likewise constitute personal data.
- Expert reports also include the names, location, address, and CV or photograph of experts. Depending on the content of the report, they may include special category data.
- Statements of case can also contain personal details, for instance depending on the content of the witness evidence they rely on.
- Exhibits and documents produced in response to document requests can also contain personal data, depending on the nature of the document in question.
- Beyond the arbitration record itself, internal papers can also include personal data, such as minutes of meetings with witnesses, experts, and clients, and internal email correspondence.
What laws refer to data protection?
The GDPR is often regarded as the model for modern data protection legislation. Since its implementation, many jurisdictions around the world have adopted new regulations with parallels to the GDPR (as well as variations specific to each jurisdiction), including the United Kingdom, the DIFC in Dubai, Brazil, California, Singapore, and Virginia. In the DIFC, Data Protection Law No. 5 of 2020 (the New DP Law) came into force on 1 July 2020.
Because of the ongoing pandemic, businesses were given a three-month grace period lasting until 1 October 2020. The DIFC law sets out rules governing the collection, handling, disclosure, and use of personal data in the DIFC, the rights of data subjects, and the duties of the Commissioner of Data Protection in relation to the processing, management and use of personal data. Singapore’s Personal Data Protection Act 2012 (‘PDPA’) regulates the collection, use, and disclosure of personal data by organisations, recognising both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances. It was recently amended by an Act of 2020, with provisions coming into force in February 2021. The California Consumer Privacy Act is one of the most comprehensive laws adopted by a US state to promote consumer protection. With its parallels to the GDPR, it may form the basis of tighter US protection of consumer privacy.
Embodying best international practice standards
The DIFC data protection law embodies international best practice standards, is consistent with EU regulations and OECD guidelines, and is designed to balance the legitimate needs of businesses and organisations to process personal data against an individual’s right to privacy. After Brexit, the UK retained the GDPR in the form of the UK GDPR, which applies in conjunction with the amended Data Protection Act 2018. A useful, albeit non-exhaustive, list of national and regional data protection laws in key arbitration jurisdictions is given in Annex 9 to the Draft Roadmap.
Some examples include Russia’s Data Protection Act No. 152-FZ of 27 July 2006 (DPA), amended on 22 July 2014; Switzerland’s Federal Act on Data Protection of 19 June 1992 (DPA), together with the Ordinance to the Federal Act on Data Protection (DPO) and the Ordinance on Data Protection Certification (ODPC), which is being aligned with the GDPR; and the Brazilian General Data Protection Law (LGPD), Federal Law No. 13,709/2018, published on 15 August 2018, which is closely aligned with the EU’s GDPR. Brazil’s Lei Geral de Proteção de Dados (LGPD) has significant consequences for consumers and for practitioners of international arbitration. Like the GDPR, the LGPD imposes duties on the treatment of personal data before, during, and after an arbitration.
Identifying the data privacy laws at the beginning of the arbitration
It is essential that all data privacy laws applicable to an arbitration are identified at its outset. This exercise requires participants to examine pragmatically the likely activities and flows involving personal data and to identify the territorial and material scope of every data protection law that may apply.
For instance, the GDPR applies when personal data is processed within its jurisdictional reach. It is therefore important to understand the terms ‘personal data’ and ‘processing’ as defined in the GDPR. Article 4(1) of the GDPR provides that personal data is any information relating to a data subject, meaning an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Article 4(2) of the GDPR defines ‘processing’ as any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination.
Processing falls within the GDPR’s jurisdiction where it takes place either:
- in the context of the activities of an establishment of a controller or a processor in the European Union (EU); or
- in connection with the offering of goods or services to individuals in the EU.
Who is responsible for observing the data security laws applicable to this?
Data protection laws usually assign primary responsibility for compliance to those who determine the purposes and means of collecting and processing personal data in a particular operation, commonly called ‘controllers’, or ‘joint controllers’ where those purposes and means are determined jointly by two or more persons.
In the context of the arbitration process, the participants will generally be regarded as controllers and are therefore responsible, individually or jointly, for observing any applicable data protection regulations. Under the Draft Roadmap, at the start of the arbitration participants should consider, first, all likely flows and other activities involving the processing of personal data; second, the data protection rules applicable to those flows and activities; third, the person(s) accountable for compliance with those rules; and fourth, how they can comply with those rules effectively and cost-efficiently.
Participants should allocate responsibility for compliance through a data protection protocol. For example, where they are joint controllers of a given activity, they may be required to do so under the relevant data protection laws. Responsibilities may also overlap across different activities in which the same personal data is processed separately by individual participants. For instance, a party that collects records containing personal data may pass them to its lawyers, who may later use that personal data in pleadings or witness statements. Allocating these responsibilities between participants avoids duplication of work and inefficiency in the arbitration.
Participants may also outsource a processing operation to a third-party ‘processor’ acting under their control (such as a translator, a transcriber, or a reprographics supplier), in which case they are usually obliged to enter into data processing agreements with those processors to ensure that the data protection rules are applied.
Looking at the responsibilities of the participants
Assuming that participants are data controllers (as they usually will be), the following rules potentially apply to them in international arbitration.
Transfer of data between jurisdictions may be limited
Under the GDPR, participants may transfer personal data to a third country outside the EU only if:
- The EU Commission has issued an ‘adequacy decision’ finding that the third country provides an adequate level of data protection (GDPR, Article 45(1)).
- In the absence of such a decision, the participants have adopted appropriate safeguards (e.g., “standard data protection clauses”) in accordance with Article 46 of the GDPR, together with enforceable commitments to uphold data subjects’ rights in the importing country.
- Where neither is available, a derogation under Article 49 of the GDPR applies. A derogation may be available in some international arbitration cases where the transfer is necessary for the establishment, exercise, or defence of legal claims.
However, it should be noted that the European Data Protection Board has advised that this derogation can be relied on only if the transfer of personal data is genuinely “necessary.” It has also cautioned that participants must assess carefully, before transferring data, whether anonymised data would suffice in the specific case or, alternatively, whether pseudonymised data should be used. No data should be transferred that is not relevant to the specific matter.
Processing of data requires a legal basis
Article 6.1 of the GDPR sets out the legal bases for processing general personal data. In international arbitration, the most suitable ground for processing personal data is usually that the processing is necessary for the legitimate interests of the controller or a third party. A participant cannot rely on this ground where the interests or fundamental rights and freedoms of the data subject override those legitimate interests, for instance where the processing poses serious risks to the professional or personal life of the data subject. To rely on this ground, the participant must conduct and document a legitimate interest assessment. Guidance for such an assessment is given in Annex 5 to the Draft Roadmap.
Article 9.2 of the GDPR sets out the grounds for processing special categories of personal data (including racial or ethnic data, political opinions, religious beliefs, biometric data, etc.). In arbitration, the most appropriate basis for handling special category data is generally that the processing is necessary for the establishment, exercise, or defence of legal claims.
Participants must obey the relevant standards of data processing
When processing personal data, participants must observe all relevant data protection principles. Modern data protection legislation such as the GDPR generally requires that personal data be processed lawfully, fairly, and in a transparent manner in relation to the data subject. It must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. The data must be adequate, relevant, and limited to what is necessary for the purposes for which it is processed. It must be accurate and, where necessary, kept up to date. It must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed, and processed in a manner that ensures appropriate security.
Participants are required to record and demonstrate compliance
Controllers must usually be in a position to demonstrate compliance and to maintain a written record of the strategy and the steps they have taken to implement the relevant data protection law(s).
Participants should consider beginning the arbitration with a data mapping exercise that identifies the processing activities and personal data flows likely to take place, the data protection constraints on each processing activity and flow, the persons likely to be responsible for complying with those constraints, and the measures taken to comply. It is especially important to remember, when using cloud services, that personal data is uploaded to the provider’s servers. In particular, a data processing agreement (“DPA”) with the provider should be concluded in order to comply with Article 28 of the GDPR. The rules on data transfers in Chapter V of the GDPR should likewise be followed when selecting a cloud provider outside the EU. Strong encryption of uploaded files, and the method by which passwords are communicated, should also be considered. The precise form and details of these measures should be agreed with the parties concerned.
Participants are usually aware of the primary data protection responsibilities in international arbitration. Nevertheless, they should always carry out a thorough, fact-based review of all potentially applicable data protection regulations and take account of their impact in preparation for, during, and after the arbitration. A good starting point for that review is Annex 3 to the Draft Roadmap, which offers a non-exhaustive checklist of data protection issues that may affect participants under the GDPR. Guidance issued by the relevant regulatory bodies is also useful for the practical implementation of data protection obligations; examples include the GDPR recitals and the recommendations of the Article 29 Working Party and the European Data Protection Board. None of these sources, however, examines in detail how participants in international arbitration should apply data protection laws. Law firms involved in arbitration should be aware of their GDPR responsibilities, particularly for protecting the personal data contained in arbitration materials in an increasingly virtual environment. The ICCA-IBA Roadmap will help law firms ensure that their obligations are met. In these circumstances, the Draft Roadmap is a welcome initiative and, once finalised, will offer participants a much-needed mechanism to guide compliance throughout the life cycle of an international arbitration.