The implementation of the GDPR in May 2018 brought data protection to the forefront as a major commercial consideration.
The scope of the GDPR is wide, applying to any businesses outside the EU providing goods or services to individuals in the EU, in addition to businesses based in the EU. It is therefore important for international law firms to be aware when the GDPR is triggered and what their obligations are, especially where fines for contravention are significant.
To assist arbitration practitioners to comply with their data protection obligations, the International Council for Commercial Arbitration (ICCA) and the International Bar Association (IBA) have launched a joint task force to create a practical guide identifying data protection considerations in arbitration. The consultation period for the draft Roadmap ends on 30 June 2020.
With the challenges of 2020 brought by a global pandemic that has compelled firms worldwide to move to full-time virtual operation, and with many hearings now being conducted remotely, such guidance will be welcome.
Marily Paralika and Sonia Morton consider the data protection implications for international arbitration in light of COVID-19, provide an overview of the issues arising from data protection obligations and their impact on arbitration proceedings, and consider the initial findings of the Roadmap.
Law firms need to familiarise themselves with the application of the GDPR to arbitral proceedings, both to protect the privacy of the data subjects and to avoid fines and reputational damage. The new ICCA-IBA Roadmap seeks to increase awareness and understanding of these issues but responsibility rests with firms to ensure their GDPR obligations are met.
COVID-19 and data protection in international arbitration
What constitutes 'personal data' under the GDPR is widely defined and can include a person's name, address and contact details, or even their physical, economic, or social identity. The key element is whether the data, or a combination of data, would enable a person to be identified.
The processing of 'special category' personal data, such as information that reveals a person's ethnic origin, political, religious or philosophical beliefs, or which concerns genetic data, biometric data or health, is prohibited, save in certain circumstances, including where the data subject (the person to whom the personal data relates) has given explicit consent (see below) and where processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
In the context of international arbitration, there is wide scope for arbitration material to contain personal data. Examples include:
• Witness statements will usually include a witness' name, position, address, and depending on the content of the statement, can even include special category data such as political views. It is also common practice for parties to agree that witness statements should include a CV or a photograph of the witness which could also constitute personal data.
• Expert Reports will also include experts' names, position, address and a CV or a photograph. As with witness statements, depending on the content of the report, this could include special category data.
• Statements of Case may also include personal data depending on the content, for example, where witness statements are cited.
• Exhibits and documents produced in response to document requests can also contain personal data depending on the nature of the document in question.
In addition to arbitration materials, internal documents such as minutes of meetings with witnesses, experts and clients, and internal email communications regarding the case may also contain personal data.
'Processing' is broadly defined in the GDPR and includes collecting, storing, using or transmitting personal data. For example, this would include storing the data on a document management or filing system.
The processing of personal data is subject to a number of principles including that data should be processed "lawfully, fairly and in a transparent manner", be collected for a specific, explicit and legitimate purpose (and be adequate, relevant and limited to that purpose), be accurate and kept up to date, retained no longer than necessary, and be processed securely. It is the responsibility of data 'controllers' to ensure that these principles are complied with.
Data 'controllers' are defined as entities that determine the purposes and means of the processing of personal data (whether alone or jointly with others). A data 'processor' processes personal data on behalf of the controller. Current Law Society guidance in England and Wales indicates that law firms and providers of professional services will likely constitute data controllers and not processors, although may be considered processors in respect of certain sets of personal data. Similarly, the General Council of the Bar of England and Wales considers that barristers will also be data controllers. Accordingly, law firms can be subject to the principles for the processing of personal data set out in the GDPR.
In addition to establishing the principles for processing personal data, the GDPR also prescribes the circumstances in which processing is lawful. These include where the data subject has given consent to the processing of his or her personal data for one or more specific purposes, a relevant legal obligation has arisen, or processing is necessary for the purposes of legitimate interests. In the context of arbitration, law firms will likely rely on the provision that consent has been obtained. In such cases, the law firm will need to demonstrate that consent has been obtained. However, consent must be freely given by the data subject in the form of a statement or "clear affirmative action", and the data subject can withdraw such consent at any time.
The issue of consent is particularly relevant to witness statements in arbitrations which, as discussed above, will likely include personal data. To ensure compliance with the GDPR, law firms may wish to arrange for witnesses, and even experts, to confirm in writing that they consent to the processing of their personal data for the purpose of the arbitration, for example by including such a statement in the respective witness statement or expert report. There is a further consideration where a witness or expert later withdraws such consent. Law firms may wish to consider whether procedural provisions should be in place to confirm that all parties have sought consent where applicable, and to enable the statement or report to be withdrawn or redacted, where necessary, if consent is later withdrawn.
Data controllers also have obligations to provide certain information to data subjects and have ongoing notification obligations to those data subjects. Data subjects also have rights to access, rectify, erase and restrict the processing of their personal data. Law firms as data controllers may therefore wish to prepare standard form documents containing this information which can be provided to data subjects, such as witnesses, where necessary.
Further, data controllers are under various additional obligations under the GDPR, including to maintain a record of their processing activities and to ensure the security of their processing. Law firms as data controllers may wish to have in place internal best practice guidance to ensure compliance with these obligations.
Where a data controller instructs a data processor to carry out processing on its behalf, the controller is under an obligation to ensure that the processor will provide sufficient guarantees to ensure that the requirements of the GDPR are met. For example, if a law firm as a data controller instructs an e-disclosure provider or any other external service provider that may constitute a data processor, the law firm may wish to ensure that its contracts with those providers contain such guarantees.
In view of the obligations imposed on data controllers under the GDPR regarding the processing of personal data, and the wide scope of material in an arbitration that could contain personal data, law firms as data controllers need to carefully ensure that when collecting data, storing data, and transferring data to parties and the arbitral tribunal, they are complying with those obligations and monitoring and recording compliance. For example, where arbitration materials contain personal data, law firms may need to ensure that the necessary consents have been obtained and that those consents have been recorded where relying on such consent. They also need to ensure that the data is stored in their systems securely and that they have the necessary technology to safeguard that data. When transferring data, law firms will need to ensure that the transfer takes place securely, for example, when serving statements of case and delivering hearing bundles.
In addition, international arbitration proceedings raise issues regarding the transfer of personal data to 'third countries' and the use of personal data in virtual hearings.
1. Transfer of personal data to 'third countries' in cross border arbitrations
A major consideration in international arbitration is the restriction under the GDPR on the transfer of personal data to 'third countries', namely countries outside the EEA. The GDPR requires the safeguarding of personal data in the event such data is transferred to a third country that does not have the same level of data protection regulation in place. Under the GDPR, the transfer of personal data to a third country can take place where the European Commission has decided that the country in question ensures an adequate level of protection. For example, the EU has awarded adequacy status for Switzerland, and partially for the USA (for personal data transfers covered by the EU-US Privacy Shield framework). Alternatively, the transfer of personal data may take place "only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available". Such safeguards are prescribed under the GDPR and include binding corporate rules or use of the European Commission's standard data protection clauses. There are exceptions to these requirements, including where a data subject has consented to the transfer to the third country having been informed of the risks, or where the transfer "is necessary for the establishment, exercise or defence of legal claims".
In cross border arbitrations, such restrictions are of particular note when transferring arbitration material containing personal data to parties, tribunals or arbitral institutions outside the EEA, such as when serving statements of case and supporting evidence. This is also a consideration when sending material to party experts and witnesses based outside the EEA. The GDPR expressly notes that any "judgment of a court or tribunal" of a third country requiring disclosure may only be recognised or enforceable in any manner if based on an international agreement. In such cases, the question arises whether a tribunal's rulings on document production requests ordering the disclosure of documents containing personal data are enforceable or contrary to the GDPR (without appropriate protections such as redactions), and this may even be a shield for certain parties to object to such disclosure.
Law firms may be able to seek express consent or rely on the 'necessary for the establishment, exercise or defence of legal claims' exception where it is not feasible to agree safeguards such as the standard data protection clauses.
2. Personal data and virtual hearings
Of particular concern in the current climate is the increase in hearings taking place virtually and the risk of data protection breaches as a result. As discussed above, there is wide scope for personal data to be included in arbitration material which will be read and referred to during the hearing, in addition to live cross-examination of witnesses and experts. It is paramount that confidential hearings are secure, and law firms should ensure that technology is in place to prevent unauthorised access to and/or unauthorised recordings of the hearing and hearing materials by non-parties. Following the hearing, any recordings of the hearing should also be securely stored and, where such recordings will need to be transferred, such transfer should take place securely and any necessary safeguards should be in place, particularly if the recipient is based in an unsecure third country. As also noted above, law firms may wish to ensure that any necessary consents have been obtained for the use of personal data during the hearing where relying on consent.
* * *
Compliance with the GDPR is monitored by the relevant supervisory authority of each Member State; for example, in England and Wales, the Information Commissioner's Office. Depending on the nature of the breach, administrative fines can be up to €20 million or 4% of the total worldwide annual turnover. In 2019, Google was subject to a significant fine of €50 million by the French data regulator CNIL.
On 24 June 2020, the European Commission published its review of the GDPR following two years of implementation. The report concludes that the GDPR has met its objectives of strengthening the protection of individuals' rights to personal data protection and guaranteeing the free flow of personal data within the EU. However, areas for future improvement have been identified, such as greater harmonisation and guidance on international data transfers.
Following the implementation of the GDPR in May 2018, and in view of the current challenges introduced by COVID-19, guidance for arbitration practitioners on the practical impact of data protection regulations on international arbitration proceedings is becoming necessary.
The consultation draft of the Roadmap to Data Protection in International Arbitration prepared by the ICCA-IBA joint task force (mentioned above) was released for public comment earlier this year, and recently the consultation period was extended to 30 June 2020. Once finalised, it is hoped that the Roadmap will serve as a universal guide for addressing data protection issues throughout arbitration proceedings.
The Roadmap is aimed at 'Arbitral Participants', defined as including the parties, their legal counsel, the arbitrators and arbitral institutions (only), although it notes that the guidance is relevant for additional participants such as experts.
The Roadmap considers the issue of applicability of data protection issues to arbitration proceedings and notes that should even one participant in the arbitration be subject to data protection obligations, this could affect the entire proceeding. Each Arbitral Participant will inevitably be subject to the data protection laws of its State and so if one participant is based in or operates in the EU, the GDPR will likely apply. The Roadmap comments that where an Arbitral Participant is subject to the GDPR (such as an EU-based arbitrator) but the other participants are not, the parties and/or the tribunal may need to put agreements or safeguards in place ensuring that the non-EU based Arbitral Participants agree to be bound by the GDPR to allow the transfer of data in the arbitration.
The main practical aspects addressed in the current draft Roadmap include the following:
• At the outset of an arbitration, Arbitral Participants should identify and document the categories of any personal data including any special categories and the respective data subjects, and their obligations in this regard, including their approach to safeguarding such data and limiting data to what is adequate, relevant and necessary. Arbitral Participants may wish to consider data-mapping to identify where data will be processed and where it will need to be transferred. Participants will also need to identify what data protection laws will apply.
• Given that some Arbitral Participants may not be subject to the same data protection laws, the Parties may wish to agree a data protection protocol to address and reconcile any competing obligations, especially where Arbitral Participants could be considered joint controllers. If such a protocol cannot be agreed, the Parties can address data protection issues in Procedural Order No. 1.
• Arbitral Participants should have internal measures in place to address the rights of data subjects regarding notifications and data access requests. Similarly, internal procedures should be in place for notifications in the event of a breach.
• The Roadmap notes that although the arbitral community will usually rely on consent as the legal ground for processing personal data, this can be problematic if, for example, that consent is later withdrawn. The Roadmap suggests that Arbitral Participants rely on an alternative legal ground, where possible, such as 'legitimate interests' for the processing of personal data, and the legal claims derogation for special category data. For 'legitimate interests', the Roadmap will include a Legitimate Interests Assessment checklist to assist Arbitral Participants.
• Arbitral Participants should consider publishing privacy notices on their websites, addressing dispute resolution specifically, explaining to actual and potential data subjects why and how they process their personal data and what rights the data subjects have, in addition to considering obligations for specific notices and other transparency requirements.
• Arbitral Participants as data controllers will need to ensure that a GDPR compliant data processing agreement is in place with any data processors such as e-discovery professionals, transcribers and interpreters.
• Arbitral Participants need to consider the restrictions on the transfer of personal data internationally, in particular if based in countries with strict transfer regimes such as China and Russia, and that such restrictions should be identified and documented at the outset of the proceedings. The Roadmap notes that where the third country is not the subject of an adequacy decision by the European Commission, and the appropriate safeguards such as the standard contractual clauses are not feasible, law firms would likely be able to rely on the legal claims derogation or alternatively, a fourth option of 'compelling legitimate interests' which the Roadmap comments is unlikely to be often applied in practice due to the high threshold and notification requirements.
• Arbitral Participants should consider whether personal data in any arbitration material is necessary and could be redacted or replaced with the use of pseudonyms.
• Arbitral Participants should apply a proportionate, risk-based approach to information security. The Roadmap suggests that practitioners refer to the IBA Cybersecurity Guidelines (2018) for guidance.
• Arbitral Participants should document all measures and decisions taken regarding data protection compliance.
• Arbitral Participants should consider taking out insurance to mitigate any risks in the event of a breach.
• Following the completion of an arbitration, Arbitral Participants should consider how long to retain personal data connected with completed proceedings and the time after which such personal data and/or the documents containing it should be destroyed or permanently deleted.
The Roadmap highlights a number of risks for parties, arbitrators and counsel and the need to consider data protection obligations early in arbitration proceedings. The Roadmap is intended to be a living document and it will be interesting to see how the guidance develops following the consultation.
The UK Government has announced intentions to incorporate the GDPR into UK law so that the regulation continues to apply following the expiry of the UK's Brexit transition period on 31 December 2020. In the meantime, the Data Protection Act 2018, the UK's implementation of the GDPR, will continue to apply.
Law firms should be aware of their obligations under the GDPR when advising in arbitration proceedings, particularly on the safeguarding of personal data in arbitration materials in an increasingly virtual climate. The ICCA-IBA Roadmap will be a useful guide for law firms to ensure compliance with their obligations.
1. Articles 3, 4(1)(2)(7)(8)(11), 5(1)(2), 6(1)(3), 7(1), 9(1)(2), 12 to 51, 83, 97 General Data Protection Regulation. 14 April 2016 https://gdpr-info.eu/
2. The Draft ICCA-IBA Roadmap to Data Protection in International Arbitration February 2020 https://www.arbitration-icca.org/media/14/18191123957287/roadmap_28.02.20.pdf
3. ICO guidance note 'Determining what is personal data' Undated https://ico.org.uk/media/for-organisations/documents/1554/determining-what-is-personal-data.pdf
4. The Law Society guidance note 'GDPR - Controllers and processors' 31 October 2018 https://www.lawsociety.org.uk/communities/the-city/articles/gdpr-controllers-and-processors/#
5. General Council of the Bar guidance note 'Joint Data Controllers under the GDPR' May 2018 https://www.barcouncilethics.co.uk/wp-content/uploads/2018/05/Joint-data-controllers-under-the-GDPR-pdf.pdf
6. ICO guidance note 'International transfers' Undated https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/
7. BBC article 'Google hit with £44m GDPR fine over ads' 21 January 2019 https://www.bbc.co.uk/news/technology-46944696
8. European Commission press release 'Commission report: EU data protection rules empower citizens and are fit for the digital age' 24 June 2020 https://ec.europa.eu/commission/presscorner/detail/en/ip_20_1163