Originally from The American Review of International Arbitration (ARIA)

GDPR has become virtually synonymous with the term “data privacy” around the world. Given the vast amount of data shared in the arbitration process, compliance with local data protection laws may pose a significant and onerous obstacle during proceedings, particularly where the participants may come from different jurisdictions, each with their own set of data privacy laws. Yet, there is a dearth of specific guidance on how to adequately address the potential problems which may arise, as well as a lack of a data protection framework for commercial arbitration. As such, this paper will discuss the challenges arising at this crucial nexus of data privacy law and international commercial arbitration. This article starts by addressing the applicability of GDPR and other such data privacy laws to arbitration proceedings and if applicable, how parties may deal with the scope of such laws. Further this article examines specific issues which may arise at different stages of the arbitration proceedings and will offer practical guidance for parties on how to deal with data privacy in international commercial arbitration.

I.     INTRODUCTION

In Europe, there are four letters that are completely unavoidable at this point—GDPR. The shorthand for the European Union’s General Data Protection Regulation has come to be synonymous with the world’s strictest regime of data protection and privacy in the world. The Regulation, which is 99 articles strong, covers every aspect of data protection, from collection to storage and erasure.  Consequently, its impact is felt by every EU citizen in the minutiae of their daily lives since it governs each and every one of their online (and even many offline) interactions.

The digitalization of the global economy has led to incredibly data-heavy modern lifestyles which require people to routinely share personal information freely online. Consequently, lawmakers are now playing catch-up when it comes to securing and regulating people’s digital footprints. According to the UN Conference on Trade and Development (UNCTAD), data protection and privacy legislation has been implemented in 137 out of 194 countries and a further 9% are currently in the process of drafting such legislation.  Some commentators have predicted that by 2023, “65% of the world’s population will have its personal information covered under modern privacy regulations up from 10% in 2020.”

Arbitration is no exception—while the process is already incredibly data-heavy, COVID-19 has compelled the increased uptake of new digital mechanisms to help, from e-discovery to virtual hearings. Given the vast amount of data shared between arbitral institutions, arbitrators and parties, compliance with local data protection laws may pose a significant and onerous obstacle during proceedings, particularly where the participants may come from different jurisdictions, each with their own set of data privacy laws. Yet, there is a dearth of specific guidance on how to adequately address the potential problems which may arise as well as a lack of a data protection framework for commercial arbitration. As one commentator has opined “the discussion in the arbitration community on how privacy laws can be implemented in an arbitration has been short in time, professional and ultimately inconclusive.”

As such, this paper will discuss the challenges arising at this crucial nexus of data privacy law and international commercial arbitration. Section ‎II of this essay will discuss the right to privacy in the digital age and how the GDPR has come to dominate the field of data privacy. Section ‎III will examine how to determine if data privacy laws are indeed applicable to arbitration proceedings and if so, how parties may deal with the scope of such laws. Section ‎IV of this essay will examine the interaction between data privacy and cybersecurity. Sections ‎V and ‎VI of this essay will examine specific issues which may arise at different stages of the arbitration proceedings and the impact of data privacy on the arbitral award. Last, ‎section VII of this essay will offer practical guidance for parties on how to deal with data privacy in international commercial arbitration.