The General Data Protection Regulation (GDPR) came into force on 25th May 2018, replacing the Data Protection Directive 95/46/EC. It regulates the processing, collection and disclosure of personal data, and envisages data protection principles such as fair and lawful processing, proportionality, data minimisation, purpose limitation, data subject rights, accuracy, data security, transparency and accountability. The framework attains great importance due to its expansive extra-territorial application which may render non-EU players liable. The GDPR imposes hefty penalties (in the form of civil, administrative and criminal liability), in case of a breach, amounting to U.S. $23.5 million or 4% of the annual turnover of the entity. Moreover, it also provides for entitlement to receive compensation and enables the respective member state to impose further penalties.
- Impact on International Arbitration
The GDPR delineates its extra-territorial applicability by stating that the framework would cover all data controllers and processors located in the EU or those who process the data of individuals in the EU (to offer services or monitor their behaviour). It is pertinent to note that commercial arbitration is not exempted from this since the regulations are also applicable to courts and other judicial authorities as well as lawyers. The broad definitions of personal data and data processing in the GDPR essentially indicates its application upon several players in an arbitration which includes, but not restricted to, the parties, the arbitrators and all the associated stakeholders. It has been concluded in the ICCA-IBA Roadmap and by UK ICO that arbitrators, lawyers and solicitors are most likely to hold the position of data controllers (the entity that determines the means as well as the purpose of processing data). On the other hand, interpreters, translators, transcribers, tribunal secretaries, etc., may be considered as data processors (the entity that processes personal data in accordance to the relevant law and the terms specified in the contract between the controller and the processor).
One of the primary issues that arise from such an arrangement is that the different players in an arbitration proceeding may be bound by different laws (or not bound by any law) which might overlap with the GDPR giving rise to competing obligations, especially with regard to data disclosure since the definitions provided by the GDPR are broader than other similar frameworks across the world and would, thus, cover data (which may include relevant information like evidence) that are, otherwise, routinely disclosed (for example, the clash between the USA and EU data protection regulations). This ordeal becomes particularly taxing in cases where a sole participant, or only a few participants of the arbitration, is subject to the framework. In the absence of any exemption, the presence of even one actor who is subject to the GDPR may have an impact on the other actors as well as the entire arbitral proceeding.
The GDPR enlists six grounds for processing personal data which are (1) consent, (2) compliance with legal obligation, (3) task in public interest or exercise of official authority of controller, (4) performance of contract, (5) vital interests of the data subject and, (6) legitimate interests. It is pertinent to note that arbitration is a consensual arrangement and the directions arising from the same attains a contractual or quasi-contractual nature and is, therefore, not a legal obligation. Disclosure of documents in pursuance of such directions would come under the ambit of legitimate interests which mandates that the disclosure must be necessary as well as proportionate to arrive at a resolution and, hence, dedicated methods to identify, weigh and assess the necessity of the documents must be undertaken.
Furthermore, a data protection impact assessment must be performed by the controller to assess the risk associated with the data called upon for processing, and adequate measures are to be undertaken accordingly. The controllers must also regulate processors, maintain records and handle requests for exercising data subject rights. Moreover, contractual terms are to be clearly delineated to reconcile the overlapping obligations of varying data protection laws and regulations. Apart from this, the respective data subjects must be informed about the processing of their data, and preventive policies are to be undertaken in case of data transfers to entities outside the scope of GDPR.
- The ICCA-IBA Roadmap to Data Protection in International Arbitration
The International Council for Commercial Arbitration (ICCA) and the International Bar Association (IBA) seek to release a roadmap to render assistance to arbitration professionals (parties, arbitrators, counsels, arbitral institutions, service providers, tribunal secretaries and other experts) regarding data protection. A public consultation draft has been released for comments from the international community.
The roadmap suggests for the identification as well as documentation of possible third country data transfers (countries outside the jurisdiction of GDPR) and appropriate measures that can be taken to comply with all the applicable laws. A data protection protocol (a documentation of the application of data protection regulations) should be agreed upon to manage data protection issues effectively and ensure compliance with various related laws. Further, the arbitral participants (parties, legal counsels, arbitrators and arbitral institutions) should undertake necessary information security measures. Apart from this, the nature of the data (personal, sensitive, and criminal offence data) must be considered, and records of all safeguards and decisions should be maintained, even when not necessary. Moreover, confidentiality must be maintained even during the publication of an award lest unrequited disclosure of personal data may occur.
- Tennant Energy v. Canada
The ruling of the Permanent Court of Arbitration (PCA) attains crucial importance while studying the implications of GDPR on international arbitration. In this case, one of the arbitrators was subject to the GDPR by virtue of their residence in the UK. It was argued that since the GDPR bound one arbitrator, the entire arbitration would be brought under its ambit. This was, however, rejected on the ground that the EU (as well as its member states) is not a party to NAFTA Chapter 11 and, therefore, the arbitration does not come under the ambit of GDPR.
This stance was given further clarity by the Roadmap which discussed the exclusion of certain international organisations from the framework. This depends upon the privileges and immunities bestowed upon the arbitral participants by such organizations, the terms of the data protection laws applicable upon them, etc.
- Indian Personal Data Protection Bill, 2019
- Arbitration under the Draft Bill:
The Indian Data Protection Bill, 2019 has been primarily modelled after the GDPR. However, one of the key deviants, w.r.t. arbitration, is Clause 36(b) wherein disclosure of personal data “necessary for enforcing any legal right or claim, seeking any relief, defending any charge, opposing any claim, or obtaining any legal advice from an advocate in any impending legal proceeding” is exempted from the data protection framework.It is pertinent to note that in General Officer Commanding v. CBI, the court held that “legal proceedings” has a wider meaning in comparison to “judicial proceedings” and includes non-judicial and quasi-judicial proceedings like arbitration. This is also indicated, by necessary implication, in Clause 36(c) of the Bill which specifically delineates judicial proceedings. However, in the Report of the COE chaired by Justice B.N. Srikrishna, Arbitration and Conciliation Act, 1996 has been enlisted as one of the legislations that would be impacted by the Bill. This has brought in considerable ambiguity as to the potential implications of the data protection framework on arbitration in India.
- Absence of ‘legitimate interest’ as a ground for processing personal data:
The Bill falls short of recognising ‘legitimate interests’, however, it provides for another ground: ‘reasonable purposes’ under Clause 14; the latter, unlike the former, would be delineated by the data processing authority and not by the data controller. It is pertinent to note that the Bill places “consent” on a much higher level of importance since all the other lawful grounds (compliance with law or any order of the court, prompt action, functions of the state and purposes related to employment, and reasonable purposes) are situation-based and not general in nature. While this enables the data subjects to have control, it gives rise to practical difficulties in terms of receiving “consent” as well as the continuance of successful arbitral proceedings upon the revocation of the same, and it is for this reason that the White Paper suggested the addition of “legitimate reason”.
- The ‘Adequacy’ Status:
The EU grants the ‘Adequacy’ status to third countries whose data protection frameworks provide safeguards that are equivalent to the GDPR. Such a status entails the flow of personal data from the EU to that country without the invocation of additional safety measures, thus, assimilating it as inter-EU data transmission. India is yet to attain the status and, presently, transfers data per the standard contractual clauses under Directive 95/46/EC of the European Parliament. The attainment of the ‘adequacy’ status will go a long way in improving the seamlessness of arbitral proceedings and in establishing India as an arbitration hub.
- Aligning the PDP Bill, 2019 with the GDPR
As India aims to be an arbitration hub, it is crucial to enable Indian players to observe compliance with GDPR. A key example of this is Switzerland which is seeking to revise its Data Protection Act (DPA) to align the same with GDPR. This includes identifying businesses that are affected by the GDPR, entering/amending agreements with processors, obtaining consent where required, establishing technical and organisational protection methods, documentation, audits and assessments, etc. Moreover, extensive awareness should be raised to ensure compliance.
Author:- Harsshita Pothiraj
B.B.A. LL.B., Year III, University School of Law & Legal Studies (GGSIPU), New Delhi.
 ICCA-IBA Roadmap to Data Protection in International Arbitration (Public Consultation Draft), 7 ICCA Reports 14, 15, 18 (2020) [hereinafter Roadmap].
 Simon Tolson, Arbitrators, Adjudicators and GDPR: Is it Y2K all over?, Fenwick Elliot (Oct. 19, 2018), https://www.fenwickelliott.com/research-insight/articles-papers/other/adjudicators-arbitrators-gdpr.
 General Data Protection Regulation, Art. 3 (May 2018).
 Id. at Recital 20.
 Id. at Recital 90
 David Zetoony, GDPR: The Most Frequently Asked Questions: Is a Lawyer a Processor or a Controller, Lexology (Sept. 19, 2018), https://www.lexology.com/library/detail.aspx?g=0652a4f0-735c-484f-bb92-5b5a1de4fa6c.
 General Data Protection Regulation, Art. 4(7) (May 2018).
 Roadmap, supra note 1, at 10.
 General Data Protection Regulation, Art. 4(8) (May, 2018).
 Karen Maxwell, The GDPR and the disclosure of documents in arbitration, Thomson Reuters (Mar. 29, 2018), http://arbitrationblog.practicallaw.com/the-gdpr-and-disclosure-of-documents-in-arbitration/.
 Emily Hay, The Invisible Arm of GDPR in International Treaty Arbitration: Can’t We Make It Go Away?, Kluwer Arbitration Blog (Aug. 29, 2019), http://arbitrationblog.kluwerarbitration.com/2019/08/29/the-invisible-arm-of-gdpr-in-international-treaty-arbitration-cant-we-make-it-go-away/?print=print&doing_wp_cron=1597386764.6166419982910156250000.
 General Data Protection Regulation, Art 6 (May, 2018).
 Maxwell, supra note 10.
 General Data Protection Regulation, Recital 90 (May, 2018).
 Roadmap, supra note 1, at 6, 7.
 Id. at 2.
 Id. at 15, 28, 29, 33, 34, 42, 41, 44.
 Tennant Energy, LLC (U.S.A.) v. Government of Canada, PCA Case No. 2018-54.
 Roadmap, supra note 1, at 34.
 Personal Data Protection Bill, 2019, Clause 36(b).
 General Officer Commanding v. CBI, (2012) 6 SCC 228.
 Personal Data Protection Bill, 2019, Clause 36(c).
 COE under the Chairmanship of Justice B.N. Srikrishna, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians, Annexure C [hereinafter Report].
 Personal Data Protection Bill, 2019, Clause 14.
 Id. at Chapter 3.
 Report, supra note 23, at 107.
 Adequacy Decisions, European Commission (last visited Aug. 8, 2020), https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
 Sharmin Godrej Irani, Application of General Data Protection Regulation on Indian Processor, SCC Online (May 12, 2020), https://www.scconline.com/blog/post/2020/05/12/application-of-general-data-protection-regulation-on-indian-processor/.
 Oliver Kunzler & Martina Braun, Switzerland: EU General Data Protection Regulation: Implocations For Swiss Business, Mondaq (Mar. 22, 2018), https://www.mondaq.com/data-protection/672830/eu-general-data-protection-regulation-implications-for-swiss-businesses.