Snapshot on Data Protection from the 2021 QMUL Survey on International Arbitration: Adapting Arbitration to a Changing World

Share:

The School of International Arbitration at Queen Mary University of London in collaboration with White & Case LLP prepared the “2021 International Arbitration Survey: Adapting arbitration to a changing world” (the Survey). The Survey   examined current choices and future adaptations in international arbitration focusing on three decisive categories (i) diversity of tribunals, (ii) use of technology, and (iii) sustainability and information security including cybersecurity and data protection issues. Findings on cybersecurity from the survey were discussed previously in another post by CyberArb. 

The Survey was completed by 1218 respondents, who had varying roles practicing international arbitration. Majority of respondents were counsels/private practitioners (43 %), followed by other (17%), arbitration (15%), arbitrator and counsel (11%), in-house counsel for private sector (7%), arbitral institutional staff (5%) and finally in-house counsel for government or state entity (2%). The quantitative data were supplemented by video or telephone interviews. The Survey included a section on the impact of data protection on international arbitration. Despite the hurricane that the General Data Protection Regulation (the “GDPR”) (EU Regulation 2016/679) created around the globe, the arbitration community seemed to be unaffected. Data protection is tightly connected to cybersecurity. One of the obligations for data controllers and processors under the GDPR is ensuring the security of personal data, which also includes confidentiality. In fact, 30% of respondents stated confidentiality and cybersecurity concerns as a disadvantage of conducting arbitration proceedings virtually, yet, the respondents missed out on the data protection issues. When asked about the impact of data protection regulations on arbitration, only 3% of respondents said that they have “significant impact”, while 51% of the respondents indicated that it “depends on who is involved in the arbitration” and 44% stated that it “depends on the nature of the dispute”. Further, 34% of respondents mentioned that data protection regulations have “limited impact at present but likely to increase”. Only 9% of respondents opted for negligible impact.

Most of the respondents indicated that they were practicing in Asia-Pacific region (43%). The Europe was the second most common region of practice among the respondents (24%). This was followed by Caribbean/Latin America (10%), Middle East (9%), Africa (7%) and North America (7%). Interestingly, as the Survey noted the respondents expressly referred to the GDPR when formulating their answers, although the questions referred to data protection regulations in general. This fact confirms once again that the GDPR has had a huge impact on the general public and is seen as the leading instrument in the field. The majority of data protection legislation recently adopted around the globe is heavily influenced by the GDPR. In addition, the ICCA-IBA Joint Task Force on Data Protection in International Arbitration based its draft Roadmap on the GDPR (the final version is expected to be published in the next weeks).

Data protection regulations should not be overlooked by the arbitration community. Take e.g. the GDPR: it has a broad material scope (Article 2.1), wide territorial application (Article 3), and an impact even beyond its territorial reach due to its rules on data transfers to third countries (Articles 44-50) – driven by basic considerations such as the adequacy principle for third country transfers.

In this light, it is interesting that respondents stated that arbitration proceedings should be exempted from the scope of application of data protection regulations (p. 31).  This, however, is highly debatable to say the least.  Taking the GDPR as the leading example again: both the above mentioned territorial scope, material scope, impact, and the provisions specifically aimed at judicial proceedings and organizations such as those contained in Recital 20, provide strong indications that no such exemption could be made for arbitration proceedings. The Survey found that these results indicate a “lack of familiarity with the reach and applicability to international arbitration of many data protection regimes that are in place around the world”.

Are we missing the bigger picture?

The Survey strikingly showed that many arbitration practitioners are mostly unfamiliar with the implications of data protection rules. In general, the respondents showed an awareness of the potential financial consequences of non-compliance. This is unsurprising as the fines can reach up to 20 million euros or 4% of the global turnover in case of severe violations under Article 83(5) GDPR or 10 million euros or 2% of the global turnover for less severe violations under Article 83(4) GDPR. Yet, it  seems difficult for them to define the impact of applicable data protection rules on their day-to-day operations. On top of the overall indifference, the respondents indicated that they did not directly take care of data protection arrangements and they delegated that responsibility to others in their organizations.

The impact of data protection laws in international arbitration is likely to be a lot more significant than what was perceived by the respondents of the Survey. In arbitration, there is an intensive exchange of documents and communications, which by their nature will regularly contain personal data covered by data protection rules. Intrinsically, international arbitration requires cross-border transactions, hence triggering various data protection legislation.

To keep up with this chaos surrounding data protection in arbitration, practitioners may find some of the data protection studies targeting arbitration insightful. For instance, there are activities undertaken by some stakeholders to increase awareness about data protection in arbitration. The above-mentioned ICCA-IBA Roadmap to Data Protection in International Arbitration aims to enable participants in arbitration proceedings to identify and effectively address data protection issues in the context of such proceedings. The Roadmap will be released in Fall 2021.

GDPR and other data protection rules, in general, provide a provision for the territorial application of the rules. Issues such as where the arbitration is carried out, the residence of the parties and the location of the arbitral institution will all be relevant for determining the applicable data protection rules. For these reasons, the mapping studies carried out by UNCTAD and DLA Piper laying out the data protection and privacy legislation worldwide are also helpful while determining the seat or any relevant country for proceedings. Therefore, there is more to data protection rules than paying fines due to non-compliance as the rules could be used as strategical tools to shape the proceedings.

Transparency vs Data Protection

The Survey asked about adaptations that would make other institutions or rules more attractive.  The third most popular response , given by twenty-nine percent (29%) of the respondents, stated that the transparency of administrative processes and decisions – such as selection of and challenges to arbitrators – was most important. Given that many personal data are included in the decisions and awards and that selection of and challenges to arbitrators are by their nature personal data themselves, data protection rules may be at odds with transparency concerns. The interplay between the two should be watched closely by institutions and practitioners .

Institutions and Data Protection

The ICC, which is the most preferred arbitration institution (57%) amongst the Survey’s respondents, has a Model Data Protection Clause for Procedural Order One. This model aims to provide arbitrators with guidance in the drafting of a data protection clause in Procedural Order One when the GDPR or other similar data protection laws and regulations apply to the arbitration.

As one of the five most preferred institutions (39%) according to the Survey, the LCIA has a specific rule on data protection. Rule 30 A of the 2021 LCIA Rules on International Arbitration, titled Data Protection allows the tribunal to adopt specific information security measures and addressed the processing of personal data in consultation with the parties and the LCIA. The Arbitral Tribunal may issue directives addressing information security or data protection, which shall be binding on the parties. LCIA has also published a Data Privacy Notice, which was last updated in September 2020 for arbitration and mediation proceedings to describe how the institution collects and processes the personal data in the context of those services and activities.

In conclusion, the Survey showed that the respondents associated data protection with GDPR. Although they were aware of the general notion and financial consequences of non-compliance, there seems to be a prevailing inattentiveness to the data protection issues. As the national rules and regulations with cross-border effects become prevalent around the globe, effects of data protection on arbitration will become unavoidable. It is therefore important for the practitioners to look out for guidance from recent studies. CyberArb, an organization focusing on cybersecurity and its connection to data protection in arbitration, is also a good source for practitioners to consult. Furthermore, it seems like the arbitration institutions also need to be cautious about these issues as practitioners seek aid navigating through the so-called unknown waters of data protection. This way, the institutions addressing data protection concerns will be a step further from their competitors.