• ILAPB

DATA PROTECTION IN THE AGE OF ARBITRATION: EU AND GDPR

- Yashvi Jain



INTRODUCTION


The issues related to data protection have been extremely sensitive in the age of rising privacy concerns that the world is grappling with. Similar concerns are being faced in arbitration events, round the year. There has been immense discussion on data protection and cyber security in light of the arbitral proceedings. The articles tend to analyse the practical side of the data concerns in, primarily, international arbitration. There have been many discussions regarding the provisions of data protection measures while conducting arbitral proceedings all around the globe, however, the different parts of the world have different laws on data privacy. [1]


GDPR AND THE USE OF DATA IN INTERNATIONAL ARBITRATION


The International Arbitral Proceedings work in a way where the evidence and other such information is collected and transferred to the legal counsel, arbitrators, opposing parties and some third parties in different jurisdictions. Such data is likely to be under the provisions of the European Union's General Data Protection Regulation. The GDPR is a body that protects the processing of personal data and information unless the same has been permitted by the body itself. It came into effect on May 25, 2018 and is applied on all the EU nations, directly, without any local law permit.[2]


GDPR has gained immense significance in the matters of data protection because of its wide ranging applicability. Its provisions apply to any company or entity that deal with data processing or have direct control over personal data. Such wide ranging applicability and broad interpretation of personal data leads to GDPR applying to any party, counsel, tribunal or a third party which is involved in an arbitral proceedings within the jurisdiction that GDPR covers. [3]


GDPR’S STRICT INTERPRETATION AND DUBOIS CONCEPT OF CONSENT


GDPR deals with data protection in two forms i.e. data controlling and data processing. Under Article 4 of the GDPR, definition of ‘personal data’ includes simple data like the email address, telephone numbers or the IP address, essentially, any information by which a person can be identified. And under ‘processing’ any operation with ‘personal data’ such as organising and use is covered.[4] Both the definitions are extremely broad and thus, increases the ambit of GDPR prohibiting any processing of personal data and its transfer to non-EU countries. However, it's application is limited to the EU countries.[5]


Though data protection has tightened in the EU due to GDPR’s strict approach, it provides certain exemptions which include the consent of the party who is the data subject. In case of the performance of the contract, a legal obligation or a legitimate interest is dependent on the processing of personal data, the data subject’s consent is a valid exemption under the provisions of GDPR.[6] However, this notion of consent is unreliable in nature. The primary problem with such a concept is that it can be withdrawn any time, as per the wishes of the party that gives consent.[7] This means that if the whole argument of data processing, which could be central to the proceedings, is based on ‘consent’, it can fall flat at any instance. In fact, such consent gives the right to the subject to transfer the accumulated data to any other enterprise. Thus, it is important that the consent of the data subject is used in their favour or else, may lead to withdrawal of such consent. [8]


In International arbitration, another roadblock in accessing data is, under the provisions of GDPR, is ‘internal review of old documents’. Even such documents constitute ‘processing personal data’.[9] It can only be accessed when the data subject provides the consent or the purpose of using the data is in line with the original purpose of collecting the date. However, it can be argued that that such regulations guard the data privacy in a manner that it respects the Right to Privacy of all individuals and companies in the wake of data driven world where misuse of data is very prevalent


CONFLICTING SITUATIONS


In the scenario of international arbitration, there is a lot of ambiguity because multiple laws of different jurisdictions apply since arbitration is not necessarily seated in a particular host country. It becomes difficult for the arbitrating parties to assess all the laws, some more strict than the laws of the parties’ host country. Thus, it is imperative for the parties to comply with all such laws which can be challenging.[10] There exists no clarity as to at what stage one needs to abide by multiple compliances. This is due the lack of a defined structure and legal framework regarding the same. In such proceedings, parties belonging to different jurisdictions share personal and confidential information.[11] Such information shared amongst parties which are governed by the same jurisdiction leads to the application of uniform laws. However, the issues arise when arbitration occurs with the parties belonging to different jurisdictions and thus, different laws.


There are times when a conflicting situation arises wherein a party ‘X’ is firm based in India with funding from an EU member country is engaged in an arbitration with a party Z from Singapore. For instance, two parties are engaged in the development of a device that collects certain personal data from the citizens of EU countries, with a branch and a server set up in the concerned EU nations. Such agreement was governed by the Singapore Law and the arbitration was seated in Singapore. There was dispute among the two parties when the servers were hacked by someone linked to the state.


This made party X want the discovery of documents against Party Z while they contended that this would violate their data protection as per the EU’s GDPR. Many questions would arise in such a situation; if GDPR would apply in an arbitral proceedings which are seated outside the EU nations, if, in case, it applies, will the implications of Article 6(1)[12] also apply that talk about prohibition of data processing unless it falls in the ambit of the said Article.[13] This confusion occurs due to the lack of a widely accepted set of data regulation rules.


CONCLUSION


Thus, this interplay of data protection in International Arbitration is a hot topic since both, data protection and arbitration, have been in news. Arbitration is opted by tech giants, conflicting countries and many others because it is an easier way for dispute resolution. However, in the age of data being aggressively used for advertisements, search engine optimisation etc., its privacy and protection is a huge concern. The GDPR has strict data protection regulations that govern all the EU nations. At times, abiding by such regulations is difficult for the legal counsels and parties to since there are multiple laws that apply across different jurisdictions. Some countries have a strict interpretation of laws and some are lenient in such matters. However, the GDPR regulations set an example for fierce ‘protection and processing of data’ by broadening their ambit of definitions.[14]


The way forward for the world, in order to avoid such confusion and chaos regarding the same is to agree upon and lay down certain basic principles governing data protection, especially while conducting arbitration proceedings. As the scope of arbitration increases, more such conflicts regarding data privacy can be witnessed. This would defeat the essential purpose of law which is to be clear and certain. Though, the different nations will continue to have different data protection laws, having said that, basic principles can be looked upon as uniform.

[1] Manas Raghuvanshi, Personal Data Protection Bill, 2018 and Arbitration: An Examination of the Proposed Data Protection Obligations in Arbitration, RMLNLU Arbitration Law Blog (Oct. 28, 2019), https://rmlnluseal.home.blog/2019/10/28/personal-data-protection-bill-2018-and-arbitration-an-examination-of-the-proposed-data-protection-obligations-in-arbitration/. [2] Matt Burgess, What is GDPR? The summary guide to GDPR compliance in the UK, Wired (Mar. 24, 2020), https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018. [3] Natalia M. Szlarb, European Union: GDPR And International Arbitration At A Crossroad, Mondaq (Dec. 5, 2019), https://www.mondaq.com/unitedstates/arbitration-dispute-resolution/871962/gdpr-and-international-arbitration-at-a-crossroad. [4] Dr. Markus Burianski, Data Privacy in International Arbitration, White & Case (Oct. 19, 2018), https://www.whitecase.com/publications/alert/data-privacy-international-arbitration. [5] 2016/679, art. 4, 2016 O.J. (L 119). [6] 2016/679, art. 7, 2016 O.J. (L 119). [7] 2016/679, art. 7(3), 2016 O.J. (L 119). [8] Consent, GDPR, https://gdpr-info.eu/issues/consent/. [9] Supra Note 3. [10] Out-Law News, Data protection roadmap issued for arbitration professionals, Pinsent Masons ((Mar. 16, 2020, 11:17 AM), https://www.pinsentmasons.com/out-law/news/data-protection-roadmap-arbitration. [11] EU's Data Privacy Reg Still Has Arbitration Attys Confused, Law360 (Oct. 3, 2019, 9:08 PM), https://www.law360.com/articles/1205568/eu-s-data-privacy-reg-still-has-arbitration-attys-confused. [12] 2016/679, art. 6(1), 2016 O.J. (L 119). [13] Gerald Leong, How Do You Deal With Data Protection And Cybersecurity Issues In a Procedural Order?, Kluwer Arbitration Blog ( Feb. 19, 2020), http://arbitrationblog.kluwerarbitration.com/2020/02/19/how-do-you-deal-with-data-protection-and-cybersecurity-issues-in-a-procedural-order/?doing_wp_cron=1594320313.9969959259033203125000. [14] Pierre Bienvenu, Data protection and cyber risk issues in arbitration, Norton Rose Fulbright (Sept., 2019), https://www.nortonrosefulbright.com/en/knowledge/publications/3974fe18/data-protection-and-cyber-risk-issues-in-arbitration.

INDIA LAW AND POLICY BLOG

  • LinkedIn
  • Instagram

© 2020 INDIA LAW AND POLICY BLOG. All Rights Reserved.