Brazil’s new data protection law, the Lei Geral de Proteção de Dados (LGPD) (September 18, 2020), has important implications for international arbitration users and practitioners.[1] The impact of the emerging data protection regulation in international arbitration is triggering new rules and guidelines that aim to accommodate compliance with data protection obligations. The International Chamber of Commerce (ICC), for example, recognizing the “importance of effective and meaningful personal data protections”, addressed protection of personal data in its Note to Parties and Arbitral Tribunals on the Conduct of Arbitration under the ICC Rules (Note). In another example, the London Court of International Arbitration (LCIA) released its 2020 LCIA Rules, which came into effect on October 1st, 2020, providing a new Article 30A addressing “applicable data protection legislation”.
Brazil’s new law requires participants to take steps to safeguard the personal information of any Brazilian participant and the personal information of any Brazilian third parties that might form part of the evidence of the case, as well as the personal information of any data processed[2] in Brazil regardless of that person’s nationality.
The LGPD was inspired by the European General Data Protection Law (GDPR), and it is largely aligned with the GDPR’s principles. Like the GDPR, the LGPD imposes obligations on the processing of personal data, including before, during and after the arbitral proceeding. However, the particular provisions of each regulation may end up affecting international arbitration proceedings differently.
Personal data may be used in international arbitration
Under the LGPD, processing personal data is permitted when doing so complies with one of the lawful bases enumerated in the regulation. Articles 7, VI, and 11, II(d) allow the processing of personal data for the regular exercise of rights, including arbitration. Such provisions strengthen the use of arbitration and they are in harmony with the regular exercise of rights under the Brazilian Arbitration Law. The LGPD’s specific reference to arbitration adds a degree of certainty over the GDPR, which only provides four general bases for the potential use of personal data in an international arbitration (i.e., to satisfy a contract to which the data subject is a party; to comply with a legal obligation; to perform a task in the public interest or to carry out some official function; and when there is a legitimate interest to process someone’s personal data) (Article 6; GDPR).
Personal data may be transferred to another country for use in international arbitration
The LGPD allows cross-border data transfers whenever it is necessary to comply with the regular exercise of rights, including arbitration proceedings (Article 33, IX). This provision is an express exception for international arbitration to the general rule by which the LGPD permits the international transfer of personal data only to other countries with a similar level of protection (Article 33).
The GDPR likewise permits the international transfer of personal data when it “is necessary for the establishment, exercise or defence of legal claims” (Article 49(e)). Although the provision does not expressly mention arbitration, the GDPR’s broad definition would seem to apply to international arbitration.
Material and territorial scope of the LGPD
The LGPD protects any data that relates to an identified or identifiable Brazilian individual, such as name, identification number, location and genetic or biometric data (Articles 5 and 11). The LGPD is triggered whenever personal data is processed. Moreover, the regulation adopts an extra-jurisdictional approach, reaching businesses overseas where (Article 3):
- the data processing operation is carried out in Brazil;
- the processing activity aims to offer or supply goods or services to persons located in Brazil, even when data processing is carried out outside Brazil;
- the data being processed belongs to individuals located in Brazil at the time of its collection; or
- the data has been collected in Brazil.
The GDPR and the LGPD have a fairly consistent approach in terms of material and territorial scope of the law.[3] Nevertheless, given the particularities of each regime, arbitrators may reach different outcomes depending on which regulation is under review. For example, in Tennant Energy vs. Canada, an international arbitration under NAFTA, the investor addressed the subject of GDPR because one of the tribunal members was based in the United Kingdom which, at that time, was a member of the European Union. However, without further explanation, the tribunal held that an arbitration under NAFTA does not “come within the material scope of the GDPR” because “neither the European Union nor its Member States are party” to the treaty invoked in the arbitration.
The decision in Tennant raised several issues about the application of the GDPR in international arbitration, particularly with respect to its Article 2(2)(a), which provides that the GDPR does not extend to the processing of personal data “in the course of an activity which falls outside the scope of the Union law”. One wonders whether the tribunal in Tennant would have reached a different outcome if the applicable regulation did not have a provision that limited its scope to European Union Law.
Given that the GDPR is inspiring emerging data protection norms worldwide, such as the LGPD, the issues involving the scope and application of the GDPR may also arise under these other regimes. The potential complexity that data protection regimes impose on arbitration participants highlights the need for a framework to address data protection regulation compliance in arbitrations.
Accommodating emerging data-protection laws
Because of the relevance of data protection in cross-border disputes, arbitral institutions and organizations have been working to standardize compliance practices in the protection of personal data in arbitration. For example, Brazil’s Câmara do Mercado (CAM) has responded to the rise of data protection norms by offering a digital platform for communication, file sharing, and control of costs.
The ICC provided new rules addressing Protection of Personal Data, determining that (i) parties shall ensure that applicable data protection regulations are complied with, (ii) arbitrators shall ensure that only necessary and accurate data are processed, and (iii) any breach of the security and confidentiality of personal data must be reported (Section VI, D).
The LCIA reserved an entire article in its 2020 Rules to accommodate compliance with data protection legislation. Article 30A establishes that the arbitral tribunal shall, in consultation with the parties and/or the LCIA, consider (i) security measures to protect information shared in the arbitration, and (ii) means to process personal data in light of the applicable data protection law. The 2020 Rules, coupled with the LCIA’s General Privacy Notice, aim to protect and respect personal information.
The International Council for Commercial Arbitration (ICCA) and the International Bar Association (IBA) launched a task force to specifically discuss data protection in international arbitration. In 2020, this task force released a consultation draft of ICCA-IBA Roadmap to Data Protection for public comment. The ICCA-IBA Roadmap was open to public comment until June 2020 and its final form should be available in 2021.
Based on the ICCA-IBA Roadmap, and given that data protection regulation is on the rise in many other jurisdictions,[4] we expect to see a continued proliferation of internal checklists and guidelines to ensure compliance with these new norms.
Breaches of the data protection obligations may result in fines of up to R$50 million reais (US$ 9.6 million) for each infraction and the blockage or exclusion of the personal data to which the infraction refers (Article 52; LGPD). In order to minimize such risks, each individual dispute requires a tailor-made approach, which can be an appropriate subject for the tribunal and the parties to address at the initial procedural conference of an arbitration and for the tribunal to establish finally in any terms of reference or first procedural order concerning the conduct of the proceedings.
The parties can also consider (i) data mapping to determine where the data to be processed during the arbitration is located and where it will be transferred and processed (see https://iapp.org/news/a/top-10-operational-responses-to-the-gdpr-data-inventory-and-mapping/); (ii) data processing agreements when personal data is being transferred to a third party for the purpose of the arbitration (e.g. experts, translators etc.);[6] and (iii) data protection protocols to address mechanisms to allocate the risks of non-compliance and to provide data breach notification obligations. The ICC, for example, encourages the arbitral tribunal to include in the terms of reference a data protection protocol to remind the arbitration participants that data protection regulation “applies to the arbitration and that by accepting to participate in the proceedings, their personal data may be collected, transferred, published and archived”.
In summary, the rise of personal data protection norms is challenging and is likely to be more present in the context of arbitral proceedings, now including those with a connection to Brazil. The issues regarding personal data protection in international arbitration require a close look by international arbitration users and practitioners in each case. Early consultation and advice from experienced counsel are essential to ensure compliance with applicable laws throughout the arbitration.
|↑1||In August 2018, the law was approved with an effective date of February 2020. Because of the COVID-19 pandemic, the effective date was postponed and the law came into force on September 18th, 2020.|
|↑2||Processing has a broad definition within the LGPD. It involves any operation carried out with personal data such as collecting, producing, using, accessing, transferring, modifying, storing and deleting data (Article 5).|
|↑3||Articles 3 and 4; GDPR.|
|↑4||For example, the California Consumer Privacy Act, the India Information Technology (Reasonable Security Practices & Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Law of the People’s Republic of China on the Protection of Personal Information (draft released on October 21, 2020).|
|↑6||See Article 39; LGPD and Article 28; GDPR.|