Clash of the Titans: GDPR and International Arbitration – a Look at the Future

Authors: Neva Cirkveni and Per Neuburger

Introduction

In recent years, questions have presented themselves about the practical implications of personal data privacy and cybersecurity on the actual conduct of international arbitrations – especially when the constant pace of technological change is taken into account.

The General Data Protection Regulation (GDPR)[i] celebrated its second birthday in May 2020. The GDPR’s personal data protection framework aims to ensure the free movement of personal data of ‘identified or identifiable natural person[s].’[ii] It applies within the European Union and has an extra-territorial scope that may extend outside the EU;[iii] GDPR may not only affect all natural or legal persons but also subject public authorities, agencies and other bodies – possibly including international organisations – to personal data protection obligations.[iv] GDPR sanctions may amount to 4 per cent of the breaching entity’s worldwide annual turnover of the preceding financial year or €20 million, whichever is higher.[v] The need to take its application seriously has already been established through multi-million euro fines that have been imposed in multiple jurisdictions.[vi]

Although the application of personal data protection laws to arbitration is established, the way in which the laws should be applied is not. For that reason, the International Council for Commercial Arbitration (ICCA) and the International Bar Association (IBA) established a Joint Task Force on Data Protection in International Arbitration Proceedings in February 2019, with the aim of producing a guide that provides practical guidance to personal data protection in international arbitration. The Task Force published a consultation draft of this guide in March 2020.[vii] The present commentary will be based on this draft roadmap (the Roadmap),[viii] with the final, revised version of the Roadmap expected to be published in September 2021. Although the deadline for comments on the consultation draft has passed at the time of writing, the preliminary version of the Roadmap is nonetheless illustrative of the issues raised by GDPR in international arbitrations. It will therefore be used as the basis of discussion.

Most personal data protection laws are mandatory in arbitration proceedings, meaning they prescribe:

  • what personal data may be processed;
  • where;
  • by what means;
  • with which information security measures; and
  • for how long.[ix]

They do not address, however, how these binding obligations should be complied with in arbitral proceedings. In the absence of specific guidance from regulators, the Roadmap is intended to help arbitration professionals identify and understand the personal data protection and privacy obligations that they may be subject to in the context of an international arbitration. Furthermore, the extent of GDPR protection remains relevant in international arbitration proceedings, mainly whether GDPR laws apply to arbitrations seated outside the EU. There are various further implications if GDPR is found to apply to arbitration: firstly, whether personal data processing is prohibited and secondly, whether there are restrictions on transfers of personal data outside the EU. Finally, due to the growing frequency of cyberattacks, the consequences of such an attack on an arbitration could carry significant damages.

This article seeks to provide commentary on the Roadmap and explore practical measures that should be taken into account regarding personal data protection obligations in international arbitration proceedings. It identifies the Roadmap as a promising, albeit incomplete, tool to complement various soft law attempts to harmonise international arbitration so far, most notably instruments by the IBA and the United Nations Commission on International Trade Law (UNCITRAL).

Firstly, a brief summary of the Roadmap will be given which includes reference to GDPR principles. This is not intended to be a comprehensive overview but rather will introduce the Roadmap’s main points to give the reader context for the subsequent discussion. Secondly, a commentary will be provided that touches on six pertinent issues:

  • the applicability of GDPR to arbitrations held outside the EU;
  • GDPR in the context of North American Free Trade Agreement (NAFTA) arbitrations, as illustrated in Tennant Energy, LLC v Government of Canada;[x]
  • the issue of videoconferencing, which has greatly increased in importance throughout the Covid-19 pandemic, including references to the ‘ICCA-NYC Bar-CPR Protocol on Cybersecurity in International Arbitration’ (Cybersecurity Protocol),[xi] the IBA’s Cybersecurity Guidelines[xii] and the ICC Guidance Note on Possible Measures Aimed at Mitigating the Effects of the COVID-19 Pandemic;[xiii]
  • ‘third-party funders’ and how they are taken into account in the Roadmap;
  • abuse of GDPR, especially as a shield for non-disclosure; and
  • the potential of using non-compliance with personal data protection requirements as a path to annulment or refusal of recognition and enforcement of the arbitral award.

Final thoughts will be provided in the conclusion.

The Roadmap

Individuals and legal entities are subject to obligations to protect the personal data of data subjects. Arbitration itself is not subject to personal data protection obligations. However, if only one participant of the arbitration is subject to personal data protection obligations, the arbitration may be impacted as a whole. Whether personal data processing falls within the relevant laws’ material and jurisdictional scope will determine whether the personal data protection laws apply.[xiv]

Modern personal data protection laws apply whenever personal data about a data subject is processed during the activities falling within the relevant personal data protection laws’ jurisdictional scope.[xv] Personal data includes ‘any information relating to an identified or identifiable natural person’.[xvi] During typical arbitration proceedings, substantial portions of information are exchanged relating inter alia to the parties, their counsel, the tribunal and third parties. As such, they are likely to be seen as qualifying under the definition of ‘personal data.’ ‘Data subjects’ refers to the above-mentioned individuals who are identified or identifiable.[xvii] Processing includes active and passive operations, thus encompassing using, disseminating, and deleting personal data as well as receiving, organising and storing personal data.[xviii] The scope of application encompasses actions whenever personal data is processed in the context of the activities of an establishment of a controller or a processor in the EU[xix] and extraterritorially, such as when personal data is transferred outside the EU to entities or individuals who are not for other reasons already subject to GDPR.[xx]

Arbitrators will be qualified as data controllers, meaning that they will be responsible for compliance with personal data protection laws. However, based on the definition of ‘data controller’,[xxi] most arbitral participants[xxii] are likely to be considered as such, including counsel, parties, and the institution. Data controllers can delegate data processing to data processors,[xxiii] who will be under their control and will require data processing agreements on terms prescribed by the applicable law. Thus, secretaries, transcribers, translators, and others are all likely to be considered data processors. There is the further issue of joint controllers who jointly determine the purposes and means of data processing. Joint controllership is broadly interpreted, but the joint controller’s liability is limited to only the processing that the controller has determined, its purpose and means and not the overall processing.[xxiv]

In international arbitrations, the restrictions on personal data transfers between jurisdictions are an evident way in which personal data protection laws apply. The background of different arbitral participants will determine the application of different personal data protection regimes. Modern personal data protection laws restrict personal data transfers to third countries to ensure that legal obligations are not circumvented by the transfer of personal data to jurisdictions with lower standards of personal data protection.[xxv] The GDPR allows third-country personal data transfers if one of the following occurs:

  • the country has been deemed by the EU Commission to provide adequate personal data protection;
  • one of the expressly listed safeguards is put into place;
  • a derogation allowing transfers where necessary for the establishment, exercise or defence of legal claims; or
  • a party’s compelling legitimate interest.[xxvi]

These rules apply to arbitral participants and not to the arbitration as a whole, thus mandating that every arbitral participant considers what personal data transfer restrictions apply to them.

The personal data protection principles applicable in arbitration include fair and lawful processing, proportionality, data minimisation, purpose limitation, data subject rights, accuracy, data security, transparency and accountability.[xxvii]

A few of these principles require further comment. Fair and lawful processing means that personal data should only be processed in ways that data subjects would reasonably expect and that there must be a legal basis for processing. Applying the fairness principle, the party and its counsel should ask themselves whether, in the context of all facts, the individuals would have expected their personal data to be processed in such a way, whether it will have adverse consequences on them and whether these consequences are justified. This principle will not prevent personal data found in business emails from being admitted as evidence.

The notion of lawful processing entails a legal basis that is fact-driven and case-specific. Rather than relying on consent, specific legal bases in GDPR should be invoked.[xxviii]

Proportionality requires a consideration of the nature, scope, context, and purposes of processing in relation to the risks posed to the data subject.[xxix] Data minimisation requires arbitral participants to limit processing to personal data that is adequate, relevant, and limited to what is necessary.[xxx] Transparency requires data subjects to be notified of the processing and purpose of processing the personal data through either general notices, specific notifications, or both.[xxxi] Accountability relates to personal responsibility for data protection compliance, meaning arbitral participants should document all personal data protection measures and decisions taken in order to demonstrate compliance.[xxxii]

Personal data protection compliance affects individual steps of international arbitration proceedings, not only during the arbitration itself but also during preparations. From the outset, arbitral participants should consider which personal data protection laws apply to themselves and other arbitral participants, and which arbitral participants will be processing personal data as controllers, processors or joint controllers. Third-country personal data transfer rules and personal data processing agreements regarding third-party service providers should also be considered. During the document collection and review process, parties and their legal counsel need a lawful basis for processing activities and third country personal data transfers.[xxxiii]

The request for arbitration, as well as subsequent submissions, will include personal data which falls squarely within the realm of processing. If an arbitral institution is bound by the applicable personal data protection laws, it needs to consider potential personal data protection obligations that apply during each procedural step. If an arbitral institution is subject to GDPR, it will typically become a controller of personal data. To comply with Articles 13 and 14 of GDPR, such an institution should include information regarding security measures, the exercise of data subject rights, record maintenance, and data breach and retention policies in its privacy notice.[xxxiv] International organisations administering investor–state arbitrations, however, may be excluded from the scope of personal data protection laws due to privileges and immunities in the constituent state or in a host country agreement. Separate considerations thus need to be made here, including inter alia whether the organisation is bound by personal data protection laws and whether – and to what extent – arbitral participants would be covered by privileges and immunities.[xxxv]

During the appointment of arbitrators to an arbitral tribunal, significant amounts of potential arbitrators’ personal data are generally exchanged. Arbitral participants should include the legal basis for processing this personal data in their legal notices and expressly notify arbitrators that are being considered for appointment of the processing of their personal data, especially in case of third-country personal data transfers.[xxxvi]

Once the arbitration is underway, personal data protection compliance responsibilities should be allocated early to minimise risks. Personal data protection should be included on the agenda of the first procedural conference, and arbitral participants should attempt to agree on how to address personal data protection compliance as early as possible. The parties, their counsel and the arbitrators should consider entering into a personal data protection protocol to manage compliance issues effectively. Where this is not possible, an alternative option is for the Tribunal to include them in Procedural Order Number One.[xxxvii]

In the document production and disclosure process, the principle of personal data minimisation is especially relevant. Under GDPR, this would likely require:

  • limiting the personal data disclosed to what is relevant and non-duplicative;
  • identifying the personal data contained in the responsive material; and
  • redacting or pseudonymising unnecessary personal data.

These issues should also be considered early in the proceedings, preferably at or before the first procedural conference.[xxxviii]

When it comes to the rendering of awards, arbitrators and institutions should consider the basis and necessity of including personal data in awards. If arbitration is confidential, there is nonetheless a risk that an award will become public when enforced. Even if personal data is redacted, it typically remains personal data as the data subject is identifiable from the remainder of the award or related materials.[xxxix]

Data retention and deletion are considered to be processing under GDPR, which provides that personal data shall be ‘kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed’.[xl] Controllers must consider, document and be able to justify the duration of storage. Arbitral participants need to consider what data retention period is reasonable and should take a proportionate approach to balance their needs with the impact of data retention on the subject.[xli]

The applicability of GDPR to arbitrations held outside the EU

The General Data Protection Regulation’s territorial scope is relatively broad. Practitioners should be aware of its application whether or not they are located, or the arbitration is seated, in the EU. GDPR applies to the processing of personal data by controllers or processors established in the EU, regardless of whether the processing itself takes place in the EU (Article 3(1)). Additionally, when it comes to offering goods or services to EU citizens or the monitoring of behaviour that takes place within the EU, GDPR applies to the processing of personal data by a controller or processor not established in the EU (Article 3(2)).

Applied to the arbitral context, GDPR imposes obligations on data controllers and processors – arbitrators, counsel, parties, and institutions – that fall within its material and territorial scope, rather than on the arbitration proceeding directly. Even if it is only one arbitral participant that has a connection to the EU, they will be obliged to process personal data in accordance with GDPR. Implications for the proceeding as a whole may arise.[xlii]

Perhaps most notable in the context of international arbitration, where the transfer of arbitration materials containing personal data is commonplace, are the restrictions placed on the transfer of personal data to ‘third countries’ outside of the European Economic Area (EEA). In such a scenario, one of four lawful bases is required for personal data transfers to be allowed. Firstly, transfer to a third country is permitted if the third country is subject to an adequacy decision (Article 45(1)).[xliii] If this is not the case, one of the appropriate safeguards (Article 46(1)) should be put in place where feasible.[xliv] If there is no adequacy decision and an appropriate safeguard is not feasible, a specific derogation can be relied upon (Article 49(1)).[xlv] Lastly, in the absence of the aforementioned, a party may rely on a compelling legitimate interest (Article 49(1))[xlvi] as a lawful basis for a third-party personal data transfer.

The Roadmap quite comprehensively lays out the necessary considerations that arbitral participants need to make. It emphasises on multiple occasions that it is the arbitral participants, and not the arbitration as such, to whom personal data protection principles and transfer rules apply.[xlvii] In line with this, the presumptive conclusion is that an EU-based arbitrator to a non-EU arbitration that is otherwise not subject to GDPR would nonetheless need to comply with GDPR’s personal data processing and transfer requirements. This is indeed generally accepted in commercial arbitration proceedings,[xlviii] but the situation is not as clear when it comes to investor-state arbitration.

The case of Tennant Energy, LLC v Government of Canada

In 2019, in the NAFTA Chapter 11 arbitration Tennant Energy, LLC v Government of Canada (Tennant),[xlix] Tennant, the claimant, raised the issue of GDPR applying to the proceedings in light of the UK nationality and domicile of one of the tribunal members. However, the Tribunal issued directions to the parties stating that ‘an arbitration under NAFTA Chapter 11, a treaty to which neither the European Union nor its Member States are party, does not, presumptively, come within the material scope of GDPR’.[l]

It is important to distinguish between treaty-based and commercial arbitration, with Tennant falling into the former category. The Roadmap engages with this distinction, noting that international organisations may be excluded from the scope of personal data protection laws.[li] Tribunal members in the Tennant arbitration may be subject to certain immunities derived from the Permanent Court of Arbitration’s (PCA) Headquarters Agreement with the Netherlands. However, the NAFTA tribunal did not consider whether, as an international organisation, the PCA would be subjected to GDPR’s transfer rules or whether tribunal members would derive certain immunities from the agreement.

The Tennant direction raises more questions than it provides answers regarding GDPR’s applicability to NAFTA proceedings and to treaty-based arbitrations more generally, a nuanced discussion of which is beyond the present scope. Nonetheless, the Tennant direction, viewed in light of the Roadmap, does demonstrate that this topic remains highly uncertain. It is questionable at best whether the Roadmap brings any clarity to arbitral participants faced with such an issue, considering especially that the Roadmap was issued after the Tennant direction was handed down but failed to grant the latter any consideration.

The issue of videoconferencing

The Roadmap recognises the importance of personal data security. However, with the recent use of additional technology to facilitate virtual hearings, as well as working from home – mostly fuelled by current circumstances imposed on us by the Covid-19 pandemic – this issue bears additional weight. The Cybersecurity Protocol[lii] and the IBA’s Cybersecurity Guidelines[liii] have shed some light on the issue.

Like the Roadmap, the Cybersecurity Protocol establishes several underlying principles. The principle of proportionality applies, the Tribunal has the authority and discretion for determining security measures in place, and information security is an issue that should be discussed at the first case management conference. Schedule A to the Cybersecurity Protocol provides a checklist that parties to an arbitration can use to safeguard the proceedings.

Following the recent shift in working patterns and environments due to the Covid-19 pandemic, these issues should be given more weight. In a world that has been pressed to find new ways of conducting business and adapt to times of uncertainty, one of the issues that the legal sector has faced is the issue of hearings combined with restrictions and the need for social distancing. As such, the popularity of video conferencing and its use in international arbitration proceedings is something that the Roadmap should address but has not – or, at least, not yet.

Although many have discussed and pointed out the issues of video hearings, most have failed to address how personal data protection laws should be applied to them, not only with regards to personal data protection, but also to security, as some platforms have been subject to security attacks.[liv]

As discussed above, it is essential to understand the different roles of the parties involved in arbitration regarding GDPR, namely who are the ‘data controllers’ and ‘data processors’. If the video conferencing software is processing any personal data, such as the username and email address from a party’s use of the service, they will be considered a ‘data processor’. This means they must adhere to GDPR rules if any of the participants are domiciled in the EU. Since the Tribunal is the ‘data controller’, it will then be the Tribunal’s responsibility to ensure such compliance.

The International Chamber of Commerce (ICC) has issued a guidance note[lv] which provides parties with suggested clauses for cybersecurity protocols and virtual hearings. It aims to address the security aspect, but it does not address the aspect of personal data protection. The Roadmap should discuss the possibilities in which personal data protection would apply to hearings conducted virtually and also how to adhere to the same. While GDPR specifies requirements that have to be met with regards to video conferencing, it does not give guidance on the way its requirements are directly applicable.

Although the Roadmap does not provide recommendations on specific software providers, it could compile and provide practitioners with a list of the necessary specifications of an ideal software for video hearings, just as it provides checklists on various other matters within its annexes.

Where do third-party funders fit in?

A third-party funder is understood to be any non-party to the arbitral proceedings that enters into an arrangement to finance all or part of the cost of proceedings in return for a sum that is wholly or partially dependent on the outcome of the case.[lvi] Third-party funders have access to various personal data in arbitral proceedings they are funding, or are considering funding. Although the Roadmap is expressly addressed only to arbitral participants, it does state that the guidance is relevant for service providers who are also affected by personal data protection requirements.[lvii]

In the Roadmap, service providers include ‘e-discovery experts, information technology professionals, court reporters, translation services, etc’[lviii] but third-party funders are not explicitly mentioned. Under GDPR, the collection and storage of personal data is included in processing. Thus, if the third-party funders collect personal data from others, the personal data laws would apply to them too.[lix]

GDPR permits a party to process personal data if ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party,’[lx] which may potentially be cited by arbitral participants as an applicable legal basis for processing relevant personal data. There is limited guidance on this topic.[lxi] The Roadmap states:

‘The first step in a legitimate interest assessment is to identify a legitimate interest – what is the purpose for processing the Personal Data and why is it important to you as a controller? In the context of arbitration, the legitimate interest may involve the administration of justice, ensuring the parties’ rights are respected and the expeditious and fair resolution of claims under the applicable arbitration rules, and many other interests as well.’[lxii]

The inclusion of ‘many other interests as well’ could possibly include the legitimate monetary interest of third-party funders. If so, they would then clearly be obliged to enter into data processing agreements with parties to the arbitral proceedings and be included in the scope of personal data protection regulations and requirements. Interestingly, the Roadmap omits to explicitly detail how third-party funders fit into the picture, particularly considering the rise of their inclusion in arbitral proceedings.

A shield for non-disclosure

Personal data protection obligations lead to the potential for abuse. Arbitral parties may use GDPR as a shield in bad faith to prevent information disclosure relevant to the proceedings or requested by the counterparty. For instance, a party may object to a disclosure request claiming that the documents contain personal data unrelated to the dispute, or that redacting personal information would be unduly burdensome.[lxiii]

The Roadmap addresses the potential for abuse. It suggests raising and clarifying personal data protection obligations as early as possible to reduce the risk of these impacting proceedings. Participants should consider entering into a ‘data protection protocol’ – an agreement on how personal data protection will be applied in a particular context. Alternatively, where it is not possible to achieve a signed data protection protocol, these issues should be addressed in Procedural Order Number One.[lxiv]

By way of comparison, one can look at GDPR compliance during discovery in US litigation. US federal courts have employed balancing tests to decide whether or not to order disclosure or compliance with subpoenas or discovery orders that are potentially in violation of foreign statutes, including personal data protection laws.[lxv] A non-exhaustive list of factors looked at by US federal courts is:

  • the importance of the documents or other information requested to the litigation;
  • the degree of specificity of the request;
  • whether the information originated in the US;
  • the availability of alternative means of securing the information; and
  • the extent to which non-compliance would undermine important interests of the US.[lxvi]

More often than not, federal courts require disclosure despite potential violations of foreign personal data protection laws.[lxvii]

Arbitrators face different considerations than courts when deciding whether to order disclosure by a party. It is correct, as argued in the literature,[lxviii] that tribunals must be cognisant of competing rights and duties in light of the threat of annulment or refused enforcement under the 1958 Convention on the Recognition and Enforcement of Foreign Arbitral Awards (New York Convention). However, this view fails to account for the fact that disclosure orders are subject to minimal review by state courts, given the principle of judicial non-interference.[lxix] Examples of state courts refraining from engaging in a review of disclosure orders abound.[lxx]

In light of the discretion given to tribunals in procedural matters, the threat of annulment or refused enforcement is unlikely to be a central consideration. The inevitability of parties attempting to abuse GDPR’s obligations to gain a potential procedural advantage will put tribunals in difficult positions of balancing the data subject’s interests on the one hand, and maintaining a robust evidentiary process on the other.[lxxi] Clarifying personal data protection compliance obligations at the outset of the proceedings – preferably in a signed data protection protocol – in line with the Roadmap’s recommendations appears to be a prerequisite step to check this behaviour.

Non-compliance with personal data protection requirements as a path to annulment and refusal of recognition and enforcement

The Roadmap does not deal with whether non-compliance with personal data protection requirements could be used to set aside an arbitration award, or to refuse its recognition and enforcement. Parties have very limited means of recourse against awards. Nevertheless, an unsuccessful party may wish to challenge its outcome and use one of the main common grounds to challenge the award or to prevent its recognition or enforcement.

The New York Convention currently has 168 contracting states, making it the primary legal basis for the recognition and enforcement of foreign awards in international commercial arbitration. The Convention provides, in Article V, limited grounds upon which the recognition and enforcement of an arbitral award may be refused. Most notably for present purposes, Article V(2)(b) recognises the possibility for the competent authority of a signatory state to refuse the recognition or enforcement of an award that violates public policy.[lxxii]

The grounds on which an arbitral award may be set aside vary among different jurisdictions. The UNCITRAL Model Law on International Commercial Arbitration, which has been widely adopted, sets out a list of grounds for annulment in Article 34(2). This list was closely modelled on Article V of the New York Convention.[lxxiii] Article 34(2)(b)(ii) states that an arbitral award may be set aside by the court if the award is in conflict with the state’s public policy.[lxxiv]

The European Court of Justice (ECJ) held in Eco Swiss v Benetton that overriding mandatory provisions of EU law can constitute fundamental rules of public policy, the violation of which can constitute a ground for annulment of an arbitral award based on such a ground in national law.[lxxv] Whether or not an award may be set aside, or its recognition or enforcement refused, due to non-compliance with personal data protection requirements will therefore depend on whether the rules of GDPR are to be regarded as overriding mandatory provisions, whose violation is contrary to national public policy.[lxxvi]

Article 9(1) of the Rome I Regulation defines overriding mandatory provisions as provisions ‘the respect for which is regarded as crucial by a country for safeguarding its public interests… to such an extent that they are applicable to any situation falling within their scope, irrespective of the law otherwise applicable.’ As Cervenka and Schwarz have previously recognised, most of the rules of GDPR likely may be considered overriding mandatory provisions pursuant to EU law. As such, their violation may be considered a violation of public policy.[lxxvii]

The possibility that non-compliance with personal data protection requirements may lead to the annulment or the non-recognition and non-enforcement of an arbitral award raises various concerns. Firstly, it should be defined precisely which personal data protection obligations would constitute overriding mandatory provisions, as not all violations carry the same weight. Ultimately, the ECJ will likely be called upon to provide further clarification. Secondly, the potential abuse of the possibility to challenge or contest the enforcement of an award on the basis of violation of GDPR should also be taken into account, to prevent parties from intentionally breaching personal data protection rules in order to have the possibility of recourse against the award at a later time. Finally, it should be defined whether personal data protection regulations would form part of procedural or substantive law and in what way.[lxxviii]

Although there is much to be defined, the consequences of non-compliance with personal data protection requirements on the annulment, as well as the recognition and enforcement of arbitral awards, should be addressed. It is most interesting that no mention of this is to be found within the Roadmap.

Conclusion

The Roadmap is intended to help arbitration professionals identify and understand the personal data protection and privacy obligations they may be subject to in an international arbitration context. However, as discussed earlier, it still does not address some specific issues that are relevant and pressing today. The six issues identified and elaborated on in this paper are:

  • the applicability of GDPR to arbitrations held outside the EU;
  • GDPR in the context of NAFTA arbitrations;
  • the issue of virtual arbitration hearings;
  • third-party funders and their place in the Roadmap;
  • potential abuse of GDPR; and
  • potential non-compliance with GDPR as a pathway to annulment or refusal of recognition and enforcement of the arbitral award.

These issues will each warrant further reflection, as they are predicted to only become more relevant in coming years. The hope is that it has been shown that these are worthy of inclusion into the Roadmap.

The Annexes[lxxix] added to the Roadmap are intended to help professionals deal with these requirements practically. The addition of the Data Protection Checklist, the Legitimate Interest Assessment Checklist, Example Privacy Notices and the EU Standard Contractual Clauses are all extremely valuable resources and should be used by professionals in making sure that they are GDPR compliant.

However, in a conflict situation between different jurisdictions, the differences among various domestic legislations pertaining to personal data protection can lead to ambiguity. Even though the guidelines provided by the Roadmap are wide-ranging, they are still not binding. In the past, UNCITRAL and the IBA have leaned towards providing harmonisation in international arbitration through their rules, guidelines and similar; although these are not binding, they most certainly are persuasive. As UNCITRAL and the IBA have attempted to do with various aspects of international arbitration, there is also a dire need for harmonisation in personal data protection requirements regarding arbitration; thus, requisite guidelines should be put in place with harmonisation in mind.

While harmonisation, understanding, and awareness of GDPR compliance requirements and its implications in the context of international arbitration remain lacking, we as arbitration professionals will continue to make do with the legal framework currently in place. Nevertheless, despite its flaws, the Roadmap presents a much-needed and encouraging step in the direction of a common understanding of personal data protection obligations for arbitral participants.

[i] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1.

[ii] ‘Personal data’ is defined in Art 4 of GDPR as:

(1) ‘“personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’

[iii] The territorial scope of GDPR is defined in Art 3 as follows:

  1. ‘This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
  2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

  3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.’

[iv] See the definition of ‘processor’ in Art 4 of GDPR.

[v] Art 83(4), GDPR.

[vi] ‘Largest fine under GDPR levied against Google’ (Simmons + Simmons, 22 January 2019), see www.simmons-simmons.com/en/publications/ck0cq8kiru2hf0b36maziwal9/220119-largest-fine-yet-under-the-gdpr-levied-against-google; Joe Tidy, ‘British Airways fined £20m over data breach’ (BBC, 16 October 2020), see www.bbc.com/news/technology-54568784.

[vii] ‘ICCA-IBA Joint Task Force on Data Protection in International Arbitration’ (ICCA), see www.arbitration-icca.org/icca-iba-joint-task-force-data-protection-international-arbitration, accessed 18 August 2021.

[viii] ‘The ICCA-IBA Roadmap to Data Protection in International Arbitration’ (ICCA, February 2020), see https://cdn.arbitration-icca.org/s3fs-public/document/media_document/roadmap_28.02.20.pdf, accessed 18 August 2021.

[ix] Ibid, 1.

[x] PCA Case No. 2018-54.

[xi] ICCA and New York City Bar and International Institute for Conflict Prevention & Resolution, ‘ICCA-NYC Bar-CPR Protocol on Cybersecurity in International Arbitration (2020 Edition)’, see https://cdn.arbitration-icca.org/s3fs-public/document/media_document/icca-nyc_bar-cpr_cybersecurity_protocol_for_international_arbitration_-_electronic_version.pdf, accessed 18 August 2021.

[xii] ‘Cybersecurity Guidelines’ (IBA, October 2018), see www.ibanet.org/LPRU/Cybersecurity, accessed 1 December 2020.

[xiii] ‘ICC Guidance Note on Possible Measures Aim’ (International Chamber of Commerce, 9 April 2020) accessed 18 August 2021.

[xiv] Roadmap, Section B.

[xv] Ibid.

[xvi] Art 4, GDPR.

[xvii] Ibid.

[xviii] Art 4, GDPR.

[xix] Ibid, Art 3(1).

[xx] Roadmap, 7.

[xxi] Art 4, GDPR.

[xxii] The Roadmap defines ‘arbitral participants’ as ‘including the parties, their legal counsel, the arbitrators and arbitral institutions (only).’ See Roadmap (n 3), 2.

[xxiii] Art 4, GDPR.

[xxiv] See Judgment of 29 July 2019, Fashion ID GmbH & Co KG v. Verbraucherzentrale NRW eV, C-40/17, ECLI:EU:C:2019:629, paras 74, 85. See also Judgment of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein C-210/16, EU:C:2018:388; Judgment of 10 July 2018, Jehovan todistajat, C-25/17, EU:C:2018:551.

[xxv] Roadmap, 11.

[xxvi] Ibid, 12.

[xxvii] Art 5 and 12–22, GDPR; Roadmap 14–15.

[xxviii] For instance, under GDPR, the processing of personal data in the context of international arbitration is lawful when it is necessary for the purposes of the legitimate interests of the data controller – subject to limitations based on the interests and fundamental rights of the data subject – and sensitive data may be processed under the legal claims derogation (Art 9(2)(f)) in the context of arbitration.

[xxix] Roadmap, 19.

[xxx] Ibid, 20–21.

[xxxi] Ibid, 30–31.

[xxxii] Ibid, 32.

[xxxiii] Ibid, 33–36.

[xxxiv] Ibid, 37–39.

[xxxv] Ibid, 37.

[xxxvi] Ibid, 39.

[xxxvii] Ibid, 40–41.

[xxxviii] Ibid, 42.

[xxxix] Ibid, 43.

[xl] Art 5(1)(e), GDPR.

[xli] Roadmap, 44.

[xlii] Emily Hay, ‘The Invisible Arm of GDPR in International Treaty Arbitration: Can’t We Make It Go Away?’ (Kluwer Arbitration Blog, 29 August 2019), see http://arbitrationblog.kluwerarbitration.com/2019/08/29/the-invisible-arm-of-gdpr-in-international-treaty-arbitration-cant-we-make-it-go-away/#:~:text=Territorial%20Scope%20of%20the%20GDPR,the%20tribunal%20derives%20its%20mandate, accessed 18 August 2021.

[xliii] The EU Commission has deemed the country to provide adequate data protection.

[xliv] In the case of international arbitration, this would most likely be a standard contractual clause.

[xlv] The legal claims derogation, allowing transfers where ‘necessary for the establishment, exercise or defence of legal claims’ is the most applicable in the arbitral context.

[xlvi] Due to its high threshold and notification requirement, reliance on compelling legitimate interests has little practical relevance. See EDPB, ‘Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679’, 6 February 2018 (Data Transfer Guidance).

[xlvii] Roadmap, 8, 13.

[xlviii] Emily Hay, ‘The Invisible Arm of GDPR in International Treaty Arbitration: Can’t We Make It Go Away?’ (Kluwer Arbitration Blog, 29 August 2019), see http://arbitrationblog.kluwerarbitration.com/2019/08/29/the-invisible-arm-of-gdpr-in-international-treaty-arbitration-cant-we-make-it-go-away/, accessed 18 August 2021.

[xlix] PCA Case No 2018-54.

[l] Ibid, Tribunal’s Communication to the Parties (Perm Ct Arb, 2019).

[li] Roadmap, 37.

[lii] ICCA and New York City Bar and International Institute for Conflict Prevention & Resolution, ‘ICCA-NYC Bar-CPR Protocol on Cybersecurity in International Arbitration (2020 Edition)’ (ICCA), see https://cdn.arbitration-icca.org/s3fs-public/document/media_document/icca-nyc_bar-cpr_cybersecurity_protocol_for_international_arbitration_-_electronic_version.pdf, accessed 18 August 2021.

[liii] ‘Cybersecurity Guidelines’ (IBA, October 2018), see www.ibanet.org/LPRU/Cybersecurity, accessed 1 December 2020.

[liv] Andreas Respondek, Tasha Lim, ‘Should the ICCA/IBA’s Task Force on Data Protection ‘Roadmap’ address the impact of GDPR on Video Conferencing in International Arbitration Proceedings?’ (Kluwer Arbitration Blog, 18 July 2020), see http://arbitrationblog.kluwerarbitration.com/2020/07/18/should-the-icca-ibas-task-force-on-data-protection-roadmap-address-the-impact-of-the-gdpr-on-video-conferencing-in-international-arbitration-proceedings, accessed 18 August 2021.

[lv] ‘ICC Guidance Note on Possible Measures Aimed at Mitigating the Effects of the COVID-19 Pandemic’ (ICC, 9 April 2020) accessed 18 August 2021.

[lvi] ‘Third-Party Funding in International Arbitration: The ICCA-QMUL report’, (ICCA, May 2018), https://cdn.arbitration-icca.org/s3fs-public/document/media_document/Third-Party-Funding-Report%20.pdf, accessed 18 August 2018.

[lvii] Roadmap, 2.

[lviii] Ibid, 23–25.

[lix] Art 4(2), GDPR, see n 1 above.

[lx] Art 6(1)(f), GDPR.

[lxi] Allan J Arffa and others, ‘GDPR Issues in International Arbitration’ (Lexology, 10 August 2020), see www.lexology.com/library/detail.aspx?g=49cf607b-d82f-4cb6-a2f7-2790f4cfeb91, accessed 18 August 2021.

[lxii] Roadmap, Annex 5.

[lxiii] Allan J Arffa and others, ‘GDPR Issues in International Arbitration’ (Lexology, 10 August 2020), see www.lexology.com/library/detail.aspx?g=49cf607b-d82f-4cb6-a2f7-2790f4cfeb91, accessed 18 August 2021.

[lxiv] Roadmap 40–41.

[lxv] See, for example: David M Howard, ‘Foreign Data Protection Laws in International Arbitration and United States Litigation’ (2020) 55 Tex Int’l L J 395.

[lxvi] Ibid; Richmark Corp v Timber Falling Consultants, 959 F.2d 1468, 1475 (9th Cir 1992).

[lxvii] ‘Foreign Data Protection Laws in U.S. Litigation and International Arbitration’ (Baker Botts, 6 February 2020), see www.bakerbotts.com/thought-leadership/publications/2020/february/foreign-data-protection-laws-in-us-litigation-and-international-arbitration, accessed 18 August 2021.

[lxviii] David M Howard, ‘Foreign Data Protection Laws in International Arbitration and United States Litigation’ (2020) 55 Tex Int’l L J 395, 406.

[lxix] Gary Born, International Commercial Arbitration (2nd edn, Kluwer Law International 2014), 2335.

[lxx] Ibid. Born cites the following judgments to reinforce this argument: Judgment of 22 January 2004, Société Nat’l Cie for Fishing & Marketing ‘Nafimco’ v Société Foster Wheeler Trading Co. AG, 2004 Rev arb 647 (Paris Cour d’appel): ‘the decision of the arbitral tribunal to order discovery is within its procedural discretion and cannot be reviewed by the Courts’; Karaha Bodas Co v Perusahaan Pertambangan Minyak Dan Gas Bumi Negara, 190 F Supp 2d 936, 952 (S D Tex 2001), aff’d, 364 F 3d 274 (5th Cir 2004): Disclosure requests are ‘well within the reasonable exercise of the Tribunal’s discretion’.

[lxxi] Natalia M Szlarb, ‘GDPR and International Arbitration at a Crossroads’ (The National Law Review, 4 December 2019), see www.natlawreview.com/article/gdpr-and-international-arbitration-crossroads, accessed 18 August 2021.

[lxxii] New York Convention, Art V(2): ‘Recognition and enforcement of an arbitral award may also be refused if the competent authority in the country where recognition and enforcement is sought finds that… (b) The recognition or enforcement of the award would be contrary to the public policy of that country.’

[lxxiii] UN Secretary-General, Analytical Commentary on Draft Text of a Model Law on International Commercial Arbitration, A/CN.9/264 (1985), Art 34, para 6.

[lxxiv] UNCITRAL Model Law on International Commercial Arbitration, Art 34(2): ‘An arbitral award may be set aside by the court specified in article 6 only if…(b) the court finds that… (ii) the award is in conflict with the public policy of this State’.

[lxxv] Judgment of 1 June 1999, Eco Swiss China Time Ltd v Benetton International NV C-126/97 [1999] ECR I-03055, paras. 39 and 41. For a detailed discussion of EU public policy, see: Sacha Prechal and Natalya Shelkoplyas, ‘National Procedures, Public Policy and EC Law. From Van Schijndel to Eco Swiss and Beyond’ (2004) 5 European Review of Private Law 589, 598.

[lxxvi] Anja Cervenka and Philipp Schwarz, ‘Datenschutz im Schiedsverfahren – die Rolle des Schiedsgerichts’ (SchiedsVZ 2020, 78) 84.

[lxxvii] Ibid.

[lxxviii] For a more detailed discussion of these and other issues, see: Alexander Blumrosen, ‘The Allocation of GDPR Compliance in Arbitration’ in José R Mata Dona and Nikos Lavranos (eds), International Arbitration and EU Law (Edward Elgar Publishing, 2021) paras 5.63 et seq; Cervenka and Schwarz, see n 76 above, 84-85.

[lxxix] ‘The ICCA-IBA Roadmap to Data Protection in International Arbitration, Annexes’, (ICCA, February 2020), see https://cdn.arbitration-icca.org/s3fs-public/document/media_document/roadmap_annexes_28.02.20.pdf, accessed 18 August 2021.

This article was first published in Dispute Resolution International, Vol 15 No 2, October 2021, and is reproduced by kind permission of the International Bar Association, London, UK. © International Bar Association.