Mark Twain may or may not have had the GDPR in mind when he observed, “Data is like garbage: you’d better know what you are going to do with it before you collect it.” More recently, the decision in Tennant Energy LLC v Government of Canada has again raised the vexed question of the effect of data protection legislation, and specifically the GDPR, on international arbitration. Tennant was a PCA arbitration in which one of the arbitrators was based within the EU, in chambers in London. The claimant investor argued that this sufficed to engage the provisions of the GDPR, with knock-on effects for the approach to confidentiality in the arbitration.
In Tennant, the objections were dealt with shortly: in a communication to the parties, the tribunal indicated that an arbitration under NAFTA Chapter 11 (a treaty to which neither the EU nor its member states are party) did not, presumptively, fall within the material scope of the GDPR (though the tribunal indicated further that this was without prejudice to the importance of ensuring a high level of data protection.) But such a speedy exit route is unlikely to be available in the context of ordinary international commercial arbitration, where it would be much more difficult to argue that the relevant processing took place in the context of an activity not governed by EU law.
The submissions made in Tennant give a fascinating insight into the sort of detailed issues that might arise in the future in international commercial arbitration. Most individuals involved in an arbitration (parties, lawyers and arbitrators) are potentially data processors or data controllers (or both) for the purposes of the GDPR. Further, and as has been previously noted, the GDPR has a very broad territorial scope, and is potentially engaged if a party or arbitrator or arbitral institution is based in the EU. Even non-EU arbitrators, or data processing that takes place outside the EU, could be caught by the regulation if either the data processing takes place in the context of an establishment (for example, a set of chambers) that is situated within the EU, or where the data processing relates to the offering of goods or services to data subjects within the EU. The situation is particularly complex where the arbitrators are established in different territories. In such a case, the non-EU arbitrators (whose activities would not otherwise attract the operation of the GDPR) might arguably be brought within the scope of the regulation by means of being a “joint processor” or “joint controller” with an EU arbitrator appointed to the panel, as was, indeed, argued in Tennant.
Disclosure of documents in arbitration presents some particularly tricky issues because many, probably most, documents will contain third parties’ data. Consider, for example, the email correspondence that forms a routine part of disclosure in most cases. Many such emails will contain names, email addresses or job titles of individuals (employees, consultants, customers). How are the rights of those individuals to be squared with the parties’ disclosure obligations?
The potential issues for parties is compounded by the very broad definition of “processing”. Searching for and storing data amounts to “processing”, so the GDPR is relevant right from the initial litigation hold (and possibly even before that). Even instructing lawyers to review documents and give advice would arguably fall within the scope of the regulation. In all such cases, the GDPR requires the lawfulness of the processing to be justified by reference to specified grounds. One such ground is consent, but this is unlikely to be a secure basis for processing because it would require every third party data subject to give consent; further, such consent can be withdrawn at any time. (The updated Note to Parties and Arbitral Tribunals on the Conduct of Arbitration under the ICC Rules of Arbitration, published earlier this year by the ICC, seeks to address consent to some extent. The note provides that, by participating in the arbitration, parties and witnesses accept that data may be processed, and further requires the parties to ensure compliance with witnesses’ consent and data protection regulations. However, these provisions will not affect non-witness third parties whose data is contained in disclosed documents, so it is only a partial solution.) A further ground arises where the processing is necessary to comply with a legal obligation, but this is unlikely to apply to consensual arbitration. That leaves the more nebulous ground where processing is necessary for the purposes of the “legitimate interests pursued by the controller or by a third party” unless such interests are outweighed by the data subject’s rights. It is immediately clear that this is a less predictable yardstick and that considerable care is, therefore, required to ensure that the relevant processing is justifiable.
The process of transferring documents to an opponent and the tribunal in order to comply with disclosure obligations is particularly problematic where the documents (and data contained in them) are to be transferred from within the EU to a non-EU territory. In such a situation, particularly stringent requirements for the protection of data are imposed. Such transfer is permissible where there are legally binding safeguards (as defined by the GDPR) of an adequate level of protection (which in many cases will not exist). The regulation also contains a provision allowing the transfer of data without any such binding safeguards if necessary for the establishment, exercise or defence of legal claims. However, it appears that views differ as to whether this provision extends to arbitration, partly because the German language version of the text refers only to court proceedings. Further, an arbitrator would not have the same power as a court to make orders that bind third parties with a view to protect data, factors which further suggest that the relevant provision may not extend to arbitration.
One of the key principles underlying the GDPR is the minimisation of processing to that which is necessary. That is, on its face, inconsistent with the usual approach to a litigation hold, and to subsequent disclosure, where the usual advice is to retain and disclose everything potentially relevant. Further, data controllers are required to set retention periods at the time of data collection and to inform data subjects. These requirements are reflected in the ICC note, which requires parties and arbitrators to ensure that only data necessary for the arbitral proceedings is processed and states that third party data subjects may seek access to data from the secretariat or the arbitrator. Any third party data subjects are entitled to be informed about processing and are conferred rights relating to transparency in the use of their data. This approach is substantially different to the disclosure exercise with which lawyers and arbitrators are familiar.
Tantalisingly, the submissions in the Tennant case referred to a draft of the forthcoming ICCA-IBA Task Force report (publication of which is expected imminently). It is to be hoped that the report will address the many grey areas so that arbitration can continue to be carried out as efficiently as possible.