As the European Union’s latest data protection law comes into effect, prominent French practitioner Philippe Pinsolle explored what the new regulation means for the world of international arbitration in a speech at GAR Live Stockholm.
Pinsolle, who leads the European international arbitration practice at Quinn Emanuel Urquhart & Sullivan, warned delegates that the General Data Protection Regulation or GDPR may have unintended consequences for arbitration and the administration of justice generally, even as it aims to protect individuals and their personal data.
The 88-page regulation, which was adopted by the European Parliament two years ago, replaces the EU’s 1995 law on data protection. With a small handful of exceptions, it applies to all “personal data” or any information relating to a “natural person,” including EU citizens, arbitral institutions, arbitrators and law firms operating in the EU. The regulation is so pervasive that it has caused one distinguished arbitration practitioner to joke that even Santa Claus is in breach of it, he said.
Pinsolle went on to note that the main principle of GDPR is consent. The regulation creates an “opt-in system” where individuals must agree to the ways in which recipients of personal data are using it. Individuals may also withdraw their consent at any time.
The regulation further creates an absolute right for individuals to access the personal data that is being held on him or her. This means that the “Googles of the world” must closely track and maintain a log of the information they have on an EU citizen. Recipients of personal data are also prohibited from transferring it outside the EU unless it is to a country that provides equivalent data protection.
So what do these protections mean for the arbitration world?
For counsel, GDPR will affect how they gather documents to establish the facts of a case. For example, practitioners typically create a working database to hold all the documentary evidence. In accordance with the regulation, however, they will have to obtain the consent of the relevant individuals to do so – a task that becomes trickier if the dispute involves documents from third parties, as is often the case in disputes concerning complex projects.
Counsel will also have to ensure that their clients agree to the use of their data in the arbitration and not just the database. This issue is of particular relevance when a tribunal issues a document production order, requiring counsel to entrust their clients’ data to the arbitrators and opposing counsel.
As the recipients of data, tribunals will have a responsibility to ensure that the documents before them are the result of consent. However, this is very difficult, said Pinsolle. There is no way for a tribunal to ask each individual whether they have consented, though witnesses and experts will have presumably agreed to the use of their statements or reports in an arbitration.
There are other issues that tribunals must address in the wake of GDPR. The right of access, which is absolute, poses a particular challenge as a tribunal cannot object to a request from an individual to see what information it has on him or her. Tribunals must also ensure that data is adequately protected. Arbitrators must therefore consider whether a special system for protection is required and whether it should be the responsibility of an individual arbitrator or the whole tribunal.
The right of an individual to withdraw consent will also be problematic for tribunals. As part of a tactical strategy by counsel, experts and witnesses may forbid a tribunal from using their opinions and statements in the arbitration. While tribunals can draw adverse inferences in such cases, it may be difficult to do so as parties now have a more credible excuse for withdrawing their expert opinions and witness statements, argued Pinsolle.
The regulation will also pose challenges for institutions, which keep databases on cases and arbitrators. For example, is the ICC International Court of Arbitration prepared to show an individual what information it holds on him or her? One cannot rule out the possibility of a disgruntled arbitrator asking for access to the institution’s data following a challenge, argued Pinsolle. (GAR is also aware of an arbitrator requesting to see a firm’s data on him to ascertain why he was not appointed in a particular case).
GDPR has further implications for companies and individuals that sell knowledge about arbitration, including those with databases that compile information on arbitrators, like GAR ART. From now on, companies and individuals gathering the information will have to ensure that arbitrators have expressly consented to the use of their data. It is no longer sufficient to publish the data and to provide arbitrators with the opportunity to correct any errors, he said.
While the compliance of practitioners and arbitrators with GDPR is likely to fly under the radar for some time, it would be unwise to ignore the regulation, warned Pinsolle. He observed that the regulation creates administrative, civil and criminal liability for those who breach it.
For example, local independent institutions that are in charge of monitoring compliance with the regulation may impose administrative fines up to 4% of annual turnover or €20 million (US$23 million), whichever is higher. The regulation also creates a new cause of action, providing that any person who has suffered damage is entitled to receive compensation.
GDPR also says that member states can rule on other penalties, especially those that apply to breaches that are not subject to administrative fines. “In other words, it’s a licence to kill,” he concluded.
So what are the solutions? There are two possible ways for the arbitral community to ameliorate the effects of the regulation, Pinsolle said. First, practitioners should lobby their governments for national legislation implementing GDPR that includes an exemption for arbitration. The preamble of the regulation indicates that a derogation is possible to enable the processing of personal data for legal claims, including those brought in an “out-of-court procedure.”
However, this would be a long-term solution that presupposes that each EU member state will have arbitration in mind when enacting legislation, which has not been the case so far, Pinsolle noted.
He observed that the UK government introduced a data protection bill in September 2017 containing derogations and exemptions from GDPR, but that a discussion in the House of Lords earlier this month revealed that the government had forgotten to include arbitration in the bill. Meanwhile, the French parliament has not even discussed the effects of the regulation on arbitration yet. The only country that has considered the issue is Ireland, which introduced a bill earlier this year in February containing exemptions for litigation and arbitration.
The second solution is risk management. Pinsolle recommended that practitioners and arbitrators change the way they operate at the outset of an arbitration. For example, parties could include a data protection protocol as part of an arbitrator’s terms of appointment, providing that arbitrators shall respect the regulation.
Parties could also state their intent to comply with the regulation to the arbitrators. Compliance would mean obtaining the consent of relevant individuals and requiring witnesses to expressly agree in their witness statements to the use of their personal data in the arbitration. These approaches will helpfully shift the burden of obtaining consent away from the tribunal to the parties, he said.
GAR Live Stockholm was held on 24 May at the Arbitration Institute of the Stockholm Chamber of Commerce chaired by Jakob Ragnwaldh of Mannheimer Swartling and James Hope of Vinge. The event was sponsored by Lindahl, Norburg & Scherp and Stephenson Harwood and supported by Young Arbitrators Sweden.