In an ongoing NAFTA Chapter 11 investor-state dispute (Tennant Energy v Canada), the claimant raised the rather novel question about whether the EU General Data Protection Regulation (GDPR) was applicable to arbitration proceedings. Tennant Energy had, amongst other things, referred to the fact that one of the arbitrators, Sir Daniel Bethlehem QC, was a UK national with offices in London and thus fell under the GDPR. Since arbitration proceedings typically involve a huge amount of data (including personal data), which the arbitrators receive from the parties and which they must process, it is not far-fetched to argue for the applicability of the GDPR in arbitration proceedings.
However, the arbitral tribunal decided the issue as follows:
On the potential application of the General Data Protection Regulation 2016/679 (“GDPR”) to this arbitration, having carefully considered Parties’ submissions on this issue, the Tribunal finds that an arbitration under NAFTA Chapter 11, a treaty to which neither the European Union nor its Member States are party, does not, presumptively, come within the material scope of the GDPR. Accordingly, the Confidentiality Order makes no reference to the GDPR. This is without prejudice to the importance of ensuring a high level of data protection, and language to this effect has been added into the Confidentiality Order.
Despite the rejection of the applicability of the GDPR, a closer look reveals that the interaction between the GDPR and arbitral proceedings is potentially much more complex and prone to raising difficult issues, which arguably require more pro-active measures by arbitral tribunals and arbitration institutions.
The main features of the GDPR
The aim of the GDPR is to protect all EU citizens from privacy and data breaches in today’s data-driven world. Although the key principles of data privacy still hold true to the previous EU directive, the GDPR has introduced significant changes by stepping up the requirements of data protection and the rights of individuals.
Increased territorial scope (extraterritorial applicability)
Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR; it applies to all companies processing the personal data of data subjects residing in the EU. Previously, territorial applicability of the EU directive was ambiguous and referred to data process “in context of an establishment”. This topic has arisen in several high-profile court cases. GDPR makes its applicability very clear: it applies to the processing of personal data by controllers and processors established in the EU, regardless of whether or not the processing takes place in the EU. The GDPR also applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to:
- Offering goods or services to EU citizens (irrespective of whether payment is required).
- Monitoring of behaviour that takes place within the EU.
Non-EU businesses processing the data of EU citizens also must appoint a representative in the EU.
Organisations in breach of the GDPR can be fined up to 4% of annual global turnover or EUR 20 million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, for example, not having sufficient customer consent to process data or violating the core of privacy by design concepts. There is a tiered approach to fines. For example, a company can be fined 2% for not having their records in order (Article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply both to controllers and processors. This means that “clouds” are not exempt from GDPR enforcement.
The conditions for consent have been strengthened. The request for consent must be given in an intelligible and easily accessible form, using clear and plain language, with the purpose for data processing attached. Consent must be clear and distinguishable from other matters. It must be as easy to withdraw consent as it is to give it.
Data subject rights
Under the GDPR, breach notifications are now mandatory in all EU member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors are also required to notify their customers, the controllers, “without undue delay”, after first becoming aware of a data breach.
Right to access
Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain confirmation from the data controller as to whether or not, where and for what purpose, personal data concerning them is being processed. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.
Right to be forgotten
Also known as “data erasure”, the right to be forgotten entitles the data subject to have the data controller erase his or her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in Article 17, include the data no longer being relevant to its original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to compare the subjects’ rights to “the public interest in the availability of the data” when considering such requests.
GDPR introduces data portability, the right for a data subject to receive the personal data concerning them, which they have previously provided in a “commonly use and machine-readable format”. They also have the right to transmit that data to another controller.
Privacy by design
Privacy by design has now become part of the legal requirements concerning the GDPR. At its core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than adding it later. More specifically, the controller shall implement appropriate technical and organisational measures in an effective way. This is so as to meet the requirements of the GDPR and protect the rights of data subjects. Article 23 calls for controllers only to hold and process the data absolutely necessary for the completion of its duties (data minimisation). Article 23 also limits the access to personal data to those needing to process it.
Appointment of data protection officers
Organisations must designate a data protection officer in certain circumstances, including where either:
- The “core activities” of the controller or the processor consist of “processing operations which… require regular and systematic monitoring of data subjects on a large scale”.
- The “core activities” of the controller or the processor consist of the “processing on a large scale” of “special categories of data” (that is, “sensitive personal data”) and “personal data relating to criminal convictions and offences”.
Does the GDPR apply to arbitral tribunals and arbitration institutions?
From the above, it can prima facie be concluded that the GDPR is applicable to arbitral tribunals and arbitral institutions seated in the EU, and potentially also to arbitral tribunals and arbitral institutions seated outside the EU but targeting EU data subjects.
The rather formalistic argument of the Tennant Energy v Canada arbitral tribunal, that neither the EU nor its member states are parties to NAFTA, does not seem convincing considering the very broad extraterritorial scope of the GDPR.
In the Tennant Energy v Canada proceedings, it was argued that the Permanent Court of Arbitration (PCA), being an international organisation, could be excluded from the scope of the GDPR. It was also argued that the headquarters agreement between the Netherlands and the PCA, which grants certain immunities to the PCA, would exclude the PCA from the scope of the GDPR.
However, the GDPR explicitly covers the transfer of data to international organisations in several provisions. It makes the transfer of data to international organisations or third states dependent on an adequacy decision of the European Commission. However, so far, it appears that the European Commission has issued such a decision only regarding a handful of third states, such as Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States (limited to the Privacy Shield framework), but not regarding the PCA or the World Bank/ICSID.
Moreover, the headquarters agreement does not mention data protection at all, so it is not clear how it would be able to exclude the PCA from the applicability of the GDPR.
In sum, the better conclusion seems to be that Sir Daniel Bethlehem QC and, by extension, the whole arbitral tribunal as well as the PCA acting as the administrative institution in these proceedings, are all covered by the GDPR and therefore need to take all the appropriate measures in order to be compliant with it. This, for example, would mean that the arbitral tribunal and the PCA would need to obtain explicit consent from each individual whose data was processed in these proceedings and handle any related data erasure requests.
Considering the huge amount of data, which typically includes that of dozens, if not hundreds, of individuals, all parties and institutions involved in arbitration proceedings must adopt pro-active measures in order to deal with the data protection issues in an efficient and effective way. Moreover, because so far neither international investment agreements nor the arbitration rules of the arbitration institutions contain clear and binding guidelines regarding data protection, the development of a Data Protection Protocol for arbitrators, arbitration institutions and disputing parties is necessary. The ICCA – IBA Joint Task Force on Data Protection in International Arbitration Proceedings, which is currently working on this matter and is expected to publish a draft guide for public comment, could provide the necessary basis for such a Data Protection Protocol.
The need for such a Data Protection Protocol has been highlighted by another very recent procedural order of the arbitral tribunal in Elliott v. Korea, pursuant to the transparency regime established in the Korea-United States Free Trade Agreement (KORUS FTA), which governs the case.
Korea argued that the Korean Personal Information Protection Act (PIPA) required it to redact personal information from filings in the arbitration, in particular names and other information that make it possible to identify individuals. In contrast, Elliott argued in favour of full publication of documents in the case, since the PIPA did not apply in the case at hand because the information proposed to be redacted by Korea was already in the public domain.
However, the arbitral tribunal sided with Korea and accepted that the PIPA extended even to information that was already in the public domain due to prior disclosure by the media. In particular, the arbitral tribunal held that it was bound to apply Korean law on this issue.