The General Data Protection Regulation (EU 2016/679, GDPR) has just celebrated its first birthday on 25 May 2019. The Regulation lays down rules relating to the protection of natural persons with regard to processing and free movement of personal data. In doing so, it adopts a stricter approach than its predecessor. In addition, the administrative fines for non-compliance are significantly higher; up to EUR 20 million or 4% of the total worldwide annual turnover of the company. In arbitration disputes vast amounts of – frequently personal – data are processed. Thus, users of this alternative dispute resolution method need to be vigilant of GDPR requirements.
Before invoking an arbitration clause, parties will have counsel prepare a merits review to assess the potential success of a claim. While counsel review vast amounts of material for this purpose, often only a small portion will be filed as evidence in a proceeding. Pursuant to the GDPR, counsel will be required to apply minimization efforts in terms of data collection, processing and storage. A first step towards data minimization could be a request to the client to conduct (i) initial data reviews or (ii) data scrubs to reduce the volume of documents sent to counsel for review .
Once the initial filings have been submitted, a newly constituted Arbitral Tribunal will be well advised to address data protection issues in the Case Management Conference. Such issues may include a procedure for limiting data protection exposure, pseudonymization or other reasonable measures to avoid unnecessary third country data transfers. This could be included in the Procedural Order No 1 or a Data Protection Protocol.
During an arbitration US style discovery raises a number of data protection issues. Arbitration users may seek guidance from the IBA Rules on the Taking of Evidence. For instance, Article 9 of the IBA Rules provides Arbitral Tribunals with the possibility to exclude evidence due to a legal impediment or because the burden of producing documents is unreasonable. While this provision does not specifically apply to data protection, the underlying principles are applicable and could be availed of by an Arbitral Tribunal to minimize data transmission. From a party perspective, data protection concerns will likely be raised more often as (a general) objection to discovery requests.
In relation to the increasing practice of arbitral award publications by arbitral institutions, institutions will be advised to exercise "data protection by design and by default". Once an arbitral award has been rendered the question of “erasure or destruction” must be considered unless there is a justification not to delete the data (e.g. tax, commercial or labour law obligations, regulatory obligations or statute of limitations considerations).
The effects of the GDPR regulation is most relevant to international arbitration moving forward. This has been recognized by the ICCA-IBA Joint Task Force on Data Protection in International Arbitration Proceedings that is currently working on a guide for data protection in international arbitration, due to be issued this year.