Previous posts have already covered various aspects of data protection in international arbitration proceedings and also in view of cybersecurity. Meanwhile, new and crucial data protection aspects have arisen with regard to video conferencing.
The ICCA and the IBA have joined forces in the ICCA/IBA Joint Task Force on Data Protection in International Arbitration Proceedings (“Joint Task Force”) to produce a roadmap on data protection in international arbitration proceedings (“the Roadmap”). The Roadmap aims to provide practical guidance on the potential impact of data protection principles, in particular the European Union’s (“EU”) General Data Protection Regulation (“GDPR”), in international arbitration proceedings. Its main goal is to assist practitioners in identifying the ways in which data protection needs to be taken into account during the course of arbitration proceedings.
Why the Roadmap draft consultation paper should address data protection issues arising out of video conferencing
Many of the major arbitral institutions and interest groups have addressed various issues arising from video conferencing, inter alia, the following:
CIArb, the Hague Conference on Private International Law, the ICC, the ICCA, NYC Bar and CPR and ICSID, among other institutions, have released various guidelines regarding online video hearings.
However, most of these institutions fail to specifically address how data protection laws should be applied to proceedings when video conferencing is used. Therefore, it seems imperative for the Joint Task Force to address the relevant data protection issues for remote hearings in international arbitration proceedings. This will also encourage uniform standards to be developed in this area. In the Joint Task Force’s own words (page 1):
“In the absence of specific guidance, it is important to think through the steps of the arbitral process and document the measures adopted in the different phases of an arbitration within the framework of whatever data protection law(s) apply.”
The goal of the draft Roadmap will only be achieved if it also sufficiently addresses all questions pertaining to data protection that will arise during online hearings both now and in the future. In the years to come, we will likely record a significant increase in the use of video conferencing as an essential tool in international arbitration proceedings, as the significant financial and environmental benefits, expected from reductions in travel associated with virtual hearings, are evident. The necessary technologies required are also available at minimal expense – and amount to a fraction of the cost of travel for the various participants to hearings and accommodation requirements over long periods.
Risks associated with video platforms
A number of video conferencing platforms have gained increased popularity in the past few months. While these platforms are most useful in enabling hearings to be held in different locations, the rapid uptake has given rise to various data protection concerns. These concerns were brought into sharp focus recently when some platforms were reported to have been subject to security attacks affecting numerous users.
Are video conferencing platforms GDPR compliant?
It is essential to commence a video conference in international arbitration proceedings under the GDPR with the description of the different roles of the parties involved. If the video conferencing software provider is processing any personal data from a party’s use of the service, they will be considered to be a “data processor” under the GDPR. This means that the video conferencing providers must take into account and adhere to the parameters of GDPR if any of the participants of the arbitration are domiciled in the EU or if the provider is established in the EU. In particular, they must ensure adherence to Article 28 of GDPR by having a contract in place setting out the incumbent data processing terms.
Since the Tribunal functions as “data controller”, the GDPR requires the Tribunal to ensure that any processors being used are GDPR compliant and that there is a comprehensive data processing agreement in place, to clarify and understand what the provider does with the data it collects through the software from the Tribunal and the parties.
In essence, the Tribunal should have appropriate technical and organizational measures in place in order to implement the data protection principles and safeguard individual rights with regard to video conferencing. This is also referred to as “data protection by design”, i.e. to consider all data protection issues up-front before the actual hearings commence.
The role of the Tribunal with regard to data protection issues when video conferences are held
The first item on the Tribunal’s list should be the selection of an appropriate video conferencing tool. For obvious reasons, the draft Roadmap could not provide recommendations on specific software providers. Tribunals themselves should carry out due diligence regarding the service provider in order to ensure that they are GDPR compliant. Particular attention should be paid as to what the service provider will do with the data that is being collected on behalf of the Tribunal. If such data is processed outside of the EU, the provider has to explain the protections in place to ensure the data security and compliance with the GDPR.
In addition, when choosing a video conferencing system, the Tribunal has to ensure certain technical minimum standards are reached, i.e. the video transmissions should have end-to-end encryption (Art. 32 GDPR). In addition, hearing access should be password protected to ensure that unwanted participants are kept out. Being able to control who is able to join hearings will also help protect the confidentiality of the hearings and prevent unwelcome interruptions. Certification of technical standards (ISO/IEC 27001) also seems desirable.
Further, as controller, the Tribunal must decide how it plans to use the information, recordings and attendee lists that will be received as a consequence of the online hearing, taking into account the GDPR implications, especially the lawful basis for processing and the parties’ consent. In this respect, a data protection impact assessment with the parties should be carried out before commencing the hearings.
The GDPR obliges Tribunals to provide information about the use of personal data and to inform users (“data subjects” in GDPR terminology) about their data protection rights (Articles 13 and 14 GDPR). Article 12(1) GDPR further requires that all such information must be concise, transparent, and easily accessible, using clear and plain language and includes evaluating tools, services and resources in terms of their intended use. This could be done during the initial communication with the parties.
Also, the Tribunals should consider whether parties should make use of screen sharing to discuss confidential (or special category) information. The information may be retained as part of the recordings, and for this reason consent should be obtained up-front for such processing of special category data.
To facilitate the Tribunal’s task in making sure that all of the above points are taken into account so that their video proceedings are GDPR compliant, it seems advisable to add a GDPR compliance checklist to the Roadmap.
Proposed Addendum to the Roadmap
Currently, the draft Roadmap is divided into two sections – the first section deals with “General Data Protection principles relevant to international arbitration”, the second section addresses “Data Protection Compliance during International Arbitration Proceedings”. Section II(A)(3) (page 34) of the draft Roadmap elaborates further on the “Use of Service Providers”.
As the name “Roadmap” suggests, this document is intended to serve as a comprehensive guideline for addressing all major data protection issues that may come up during the proceedings. Noticeably, since the first draft of the Roadmap, the circumstances in which international arbitrations take place have changed fundamentally as a consequence of the pandemic. Therefore, an addendum to the Roadmap seems necessary.
The authors recommend extending the second section of the Roadmap with a separate header and to address the changed landscape of arbitration proceedings with regard to video conferencing.
Conclusion
There is a surge in popularity of the use of video platforms in arbitration proceedings. However, recently some of the major video conferencing platforms have made headlines (e.g. Zoom) and have cast certain doubts on their commitment to data protection laws. In recognition of the need to better understand the role of data protection with regard to video conferences in international arbitration proceedings and to recommend/implement certain standards, it would be highly recommended to include a separate chapter in the ICCA/IBA’s draft Roadmap in relation to data protection issues with regard to video conferencing.
________________________
The issues here have become even more important since the CJEU’s decision in Schrems II. In EU terms the US Privacy Shield is no longer effective.
GDPR restricts the transfer of personal data outside the EU.
One of the ways of protecting those rights is by making certain the destination country is on the EU Commission’s White List. Another option is to make certain the transfer is governed by a Standard Contractual Clause (SCC), an off-the-peg set of terms already approved by the EU. However, SCCs cannot bind those who are not parties (public authorities, regulators or other parties) in the destination country. Further, Binding Corporate Rules (BCRs), pre-approved solutions between parties, will likely all need to be reformulated in the light of Schrems II.
The case makes it clear that it is not enough to rely on SCCs alone. The objective in Article 44 GDPR is that: “All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined”. And safeguards like SCCs can be relied upon “on condition that enforceable data subject rights and effective legal remedies for data subjects are available” (Article 46(1) GDPR).
In short, if the domestic laws in the destination country cannot guarantee these standards then the SCCs are not a magic wand any more. They need to be supplemented.
So….here is the multi-million $ question: how are data transfers to the US to be achieved safely now? SCCs cannot insulate data from the problems that saw the court kill off Privacy Shield. Even if I could come up with some “supplementary measures” to reformulate SCCs, could any such measures be made GDPR-effective in the US? The answers to that have currently exhausted my brain processing capacity.
….and there is more information on the ICO having to get its house in order on this topic before the end of the UK/EU transition period (31 December 2020) by cutting/pasting the link below:
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_informationnoteforgroupswithicoasbcrleadsa_20200722.pdf