Tribunal Directions re GDPR in Tennant Energy vs. Canada
A NAFTA tribunal in the Tennant Energy vs. Canada case recently issued directions by email to the parties stating that “the Tribunal finds that an arbitration under NAFTA Chapter 11, a treaty to which neither the European Union nor its Member States are party, does not, presumptively, come within the material scope of the GDPR”.
The tribunal had received submissions from the parties in which the claimant argued that EU General Data Protection Regulation 2016/679 (“GDPR”) should be taken into account and procedures developed to comply with it, since one of the tribunal members is based in the UK. Canada, on the other hand, argued that the GDPR does not generally govern the arbitration proceedings because, among other things, the claim was made under a treaty to which neither the EU nor its Member States are a party, and the arbitration is therefore outside of the material scope of the GDPR.
The tribunal appears to have accepted Canada’s argument that the entire arbitration proceedings fell outside of the material scope of the GDPR. This decision is premised on the fact that Tennant is a treaty-based arbitration. The finding is therefore not relevant to the application of GDPR in commercial arbitration, which has not been questioned.
GDPR: Can’t We Make It Go Away?
The GDPR came into effect on 25 May 2018. The GDPR’s obligations are onerous and the sanctions for non-compliance are strenuous. With the aim of ensuring the effective protection of personal data in a world of rapid technological change, the GDPR is a regulation with broad material and territorial scope of application. In international arbitration proceedings, where parties, counsel and tribunal members may be based in different jurisdictions, which may or may not coincide with the place of arbitration and law governing the parties’ relationship, the envisioned broad reach of the GDPR presents a particular conundrum. This is particularly the case when only one or some of the participants in an arbitration have a link with the EU.
In this context, the Tennant tribunal’s directions raise several interesting points about the application of GDPR to international arbitration proceedings, some of which are addressed below.
Territorial Scope of the GDPR
The Tennant tribunal concluded that “an arbitration under NAFTA Chapter 11” does not fall within the scope of GDPR since “neither the European Union nor its Member States” are a party to the treaty from which the tribunal derives its mandate. This finding is difficult to reconcile with the provisions on the territorial scope of the GDPR.
Provided the activity comes within the material scope of the regulation, the GDPR does not purport to regulate activities, but rather the actors that undertake such activities. The GDPR’s obligations attach to processing by data controllers and data processors “in the context of the activities of an establishment of a controller or a processor” in the EU (Article 3(1)) or where those outside the EU have targeted sales of goods or services to data subjects in the EU or monitored their behaviour inside the EU (Article 3(2)).
The GDPR therefore does not regulate any arbitration proceedings in the abstract, but it does regulate the processing activities of data controllers and processors that fall within its territorial and material scope. This was highlighted by Canada before the Tennant tribunal in response to the tribunal’s question as to “the applicability of the GDPR to the proceedings in question”. Canada stated that the question as to whether the parties, the arbitrators or the Permanent Court of Arbitration (“PCA”) which administers the dispute are subject to the GDPR “is a separate issue that they each bear the responsibility to determine independently” (Canada’s submission of 11 June 2019, p. 3). This highlights the point that data protection obligations attach to arbitrators, counsel, parties, and institutions across all of their cases, rather than being a set of rules attaching to a particular arbitration.
The question is what are the consequences for the arbitration proceedings when only one or some of the participants in the arbitration are subject to the GDPR. It may be that only one member of the tribunal, or counsel for one party, is a data controller under the GDPR. In that case, the data controller may have obligations under the GDPR even though they are the sole EU “connection” in the proceedings. There is no general exemption for arbitration that would relieve the data controller of its obligations, although there may be specific exemptions under the GDPR or national legislation that are relevant to particular aspects of arbitration proceedings. In practice, the fact that even one tribunal member, party, or counsel is subject to GDPR may potentially have implications for the other participants in the arbitration and the arbitration proceedings as a whole. Whether specific data protection arrangements should be put in place, as well as the nature of such arrangements, must be considered on a case-by-case basis.
The Material Scope of the GDPR
The Tennant tribunal held that an arbitration under NAFTA does not “presumptively” come within the material scope of the GDPR. While the tribunal’s communication does not reveal the details of its analysis, it seems to refer to Article 2 of the GDPR, entitled “Material scope”.
The material scope of the GDPR broadly includes all processing of personal data “wholly or partly by automated means” (Art. 2(1) GDPR). However, there are certain exclusions from this material scope, including processing of personal data “in the course of an activity which falls outside the scope of Union law” (Article 2(2)(a)).
Canada argued, and the tribunal appears to have agreed, that arbitrations based on treaties to which the EU is not a party are governed by rules that do not constitute Union law (in this case, NAFTA Chapter Eleven), and therefore fall outside the material scope of the GDPR under Article 2(2)(a).
The excluded subject matter would therefore be “all treaties to which the EU is not a party”. This proposed carve-out is difficult to square with the fact that Article 2(2)(a) GDPR is geared at the internal competence of the EU under the EU treaties, and with the broad application of the GDPR generally.
Article 2(2)(a) was intended to define the internal competence of the EU and its Member States, in particular with respect to national security. Recital 16 of the GDPR sheds some light on this. It states that “[t]his Regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security”.
The specific subject matter of national security is one which “falls outside the scope of Union law”, in that it is not within the EU’s competence under the treaties between the EU and its Member States.
Indeed, in the draft text of GDPR proposed in 2012, the original wording of Article 2(2)(a) was an exclusion of processing “in the course of an activity which falls outside the scope of Union law, in particular concerning national security” (25.1.2012 COM(2012)11 final). This follows similar language in Article 2 of the previous Data Protection Directive 95/46/EC, which excluded a number of further subject matters as falling outside the scope of EU law.
The Explanatory Memorandum to the Irish Data Protection Act 2018 (Ireland’s national legislation implementing the GDPR) states that in light of the case-law of the Court of Justice of the European Union, the exclusion in Article 2.2(a) “appears to be limited in practice to data processing in the context of national security, defence and the international relations of the State” (p.4).
Recital 16 of the GDPR is non-exhaustive, in that it lists subject matters outside EU law “such as” national security. There is room for debate about which activities fall outside the scope of EU law. However, regardless of whether the subject matters excluded from the GDPR are limited to those identified in the Irish Explanatory Memorandum, the issue remains that Article 2(2)(a) is essentially a provision made for internal EU law.
International Organisations and Privileges and Immunities
A further issue that was the subject of the parties’ submissions in the Tennant case was whether the PCA is subject to the GDPR because of its status as an international organisation and whether the arbitrators benefited from privileges or immunities derived from the PCA’s Headquarters Agreement with the Netherlands. The Headquarters Agreement governs the PCA’s relationship with the Netherlands and grants certain immunities to “PCA Adjudicators” within the meaning of that Agreement. The issue of the status, and privileges and immunities, of international organisations and their consequences under data protection law (including for any obligations of arbitrators) is a complex one which is outside the scope of the present contribution. For present purposes, it suffices to say that the Tennant tribunal made no finding with respect to the privileges and immunities of the PCA.
As illustrated above, the reach of the GDPR can easily be both overestimated and underestimated. Because of the fact that it may appear to merely add complexity to arbitration proceedings, tribunals could be reluctant to recognise and accommodate the obligations arising from this regulation. However, with GDPR serving as a standard for updates to data protection regimes globally, and the growing centrality of data and its protection to doing business, data protection is here to stay. Along with issues of VAT compliance, sanctions, legal privilege, and the protection of sensitive commercial information, it is one more legal regime to factor into the constellation of international arbitration.
In recognition of the need to better understand the role of data protection in arbitration proceedings, ICCA and the IBA have established a Joint Task Force on Data Protection in International Arbitration Proceedings. The task force is developing much-needed guidance to assist arbitration professionals with their data protection obligations during arbitration proceedings, which is due to be issued for public comment later in the year.
Emily Hay is rapporteur to the ICCA-IBA Joint Task Force on Data Protection in International Arbitration Proceedings. The views expressed here are her own.