Protecting personal data under the GDPR in arbitration

Joe Tirado (London) and Markus Gómez (Madrid)

Many readers will have no doubt received numerous notices recently, often from sources that one may not have known held information on the individual, advising him or her of the mandatory application of the European Union´s (EU´s) General Data Protection Regulation (GDPR) on 25 May 2018. The GDPR is wide ranging and has prompted debate as how it will impact on international arbitration. In this article we highlight the implications for parties, counsel, arbitral institutions and third party providers and consider how to best deal with GDPR compliance including assessing if consent is necessary, obtaining consent when and if needed, gathering documents, rights of access, denial and deletion, and transfer of personal data outside the EU.

What is the GDPR?

The GDPR replaces the EU’s Directive 95/46 on personal data protection. It aims to protect individuals and their personal data. The GDPR creates a system in which personal data can only be processed by a data controller if at least one out of a list of six legal bases can be applied. One of those legal bases is consent, along and at the same level with compliance with legal obligations, necessity for the performance of a contract or the legitimate interest of the data controller or a third party. While the consent option should not be the first choice and should be used carefully, those individuals who have consented for the processing of their personal data, may also withdraw their consent at any time.

Furthermore, data controllers are also prohibited, as a general rule, from transferring it outside the EU unless it is to a country that provides equivalent level of protection to personal data, if the controller or processor has provided appropriate safeguards or if one of the exceptions in the GDPR apply.

Why is the GDPR relevant to arbitration?

The broad definition of “data subjects” contained in the GDPR means that, in the absence of an exemption, its provisions extend to virtually the personal data of any individual when the GDPR applies. And it applies to all data controllers and data processors who are located in the EU or, if they are not in the EU, who process data of individuals who are in the EU, where the processing activities are related to the offering of services (i.e. arbitration) to such data subjects or the monitoring of their behavior, as long as it takes place within the EU.

Taking into consideration that any party, counsel, arbitral institution or a professional third party such as an expert can be considered data controllers or, in some cases, data processors, the GDPR shall apply to many situations which were not subject to a specific regulation on this matter before 25 May 2018.

For counsel, the GDPR may affect how they gather documents to establish the facts of a case. While there are legal bases which allow for a proper processing of data without obtaining consent, practitioners will have to be aware and trained in these bases. Likewise, arbitration may well involve documents from third parties, and counsel may have to deal with the processing of their personal data, too.

Tribunals and arbitral institutions (in addition to companies selling arbitration databases) will have to ensure compliance with the GDPR as implemented in each respective jurisdiction, and protect, amongst other rights, the absolute right of access upon a request from an individual on the personal data available and the rest of the data subjects rights.

As the recipients of data, tribunals will have the task of complying with one of the six different legal bases for the processing of personal data and respect the rights of the data subjects. The right of access, which is almost absolute, poses a particular challenge as a tribunal cannot in principle object to a request from an individual to see what information it has on him or her. Tribunals must also ensure that data is adequately protected.

The GDPR also poses challenges for arbitral institutions which keep databases on cases and arbitrators. It could be possible that a disgruntled arbitrator, for example, might ask for access to the institution’s data following a challenge or might request to see a firm’s data on him or her to ascertain why he or she was not appointed in a particular case.

All those parties involved should prepare their Record of Processing Activities and include with all detail the specific contents established in the GDPR.

Regarding the international transfers of personal data, the GDPR sets up a system of compliance based on a hierarchy of means of transfer. While there is a specific provision in the GDPR (article 49.1.e), that could be applied in order to transfer personal data outside the EU when the transfer is necessary for the establishment, exercise or defense of legal claims, this provision can only be applied when there is no other means available such as an adequacy decision, the execution of approved model clauses or the existence of binding corporate rules. It is therefore very important to understand this architecture in order to properly organize and carry out, for example, service of injunctions or interim measures in support of arbitration proceedings.

The GDPR has further implications for companies and individuals that sell knowledge about arbitration, including those with databases that compile information on arbitrators. Hence, companies gathering the information will also need to meet the requirements under the GDPR.

Why can´t we just ignore the GDPR?

The GDPR creates administrative, civil and, depending on each domestic legislation implementing the GDPR, potential criminal liability for those who breach it (the latter appears not to be the case in Spain for the time being). Local independent institutions will be in charge of monitoring compliance with the GDPR. They may impose administrative fines up to 4% of annual turnover or €20 million (US$23.5 million), whichever is higher. Similarly to the former Directive 95/46, the GDPR also provides that any person who has suffered damage is entitled to receive compensation. Member states can rule on other penalties, along or independently from the fines that can be imposed in all cases of infringement.

How best to meet the challenges of GDPR?

As with other areas of compliance, such as anti-bribery and antitrust, GDPR compliance requires parties to adopt data protection protocols and other preventive measures, so that when proceedings start all these issues are already studied and duly organized.

The arbitration community needs to lobby their governments for national legislation implementing the GDPR that includes specific mentions to arbitration. While some countries (most notably Ireland) have made significant progress in this respect, despite the desirability, it seems unlikely that uniformity can be achieved in this regard between the EU member states.

All in all, while the GDPR entails enormous opportunities for companies, it also involves complying with a number of rights and obligations which need to be assessed in detail and may require a comprehensive compliance work, which the arbitration world needs to be aware of.