The GDPR checklist for ADR Neutrals
Arbitrators, Mediators, Evaluators, Adjudicators and the General Data Protection Regulation
This article does not provide legal advice but a checklist of issues under the GDPR that every arbitrator, mediator, evaluator or adjudicator needs to ask him or herself every time an instruction is accepted.
Our briefing provides a summary of the key challenges we believe are central to the role of every ADR neutral which can be solved by using DisputesEfiling.com (DEF). For legal advice about the issues to which we draw attention please consult your authorised and regulated lawyer.
In preparing the DEF Checklist and accompanying commentary DEF acknowledges the work done by Dr Martin Zahariev in his book: “GDPR in International Arbitration” and the work of the ICCA, NYC Bar and CPR in publishing their Cybersecurity Protocol.
Article 5(2) of the GDPR provides:
The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
Article 5 paragraph 1 sets out the Six Principles for processing personal data:
(a) lawful, fair and transparent
(b) specific purpose
(c) adequate, relevant and limited to what is necessary for the stated purposes
(d) accurate and, where necessary, kept up to date
(e) storage limitation
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
This is of direct concern to all ADR Neutrals because:
- Neutrals’ primary duty is to protect the confidentiality of proceedings entrusted to them
- In consequence they are given personal data in the course of their ADR business
- Therefore Neutrals become data controllers under the GDPR
This is made clear by Article 4(7) where ‘controller’ is defined by the GDPR so as to include natural or legal persons which, alone or jointly with others, determine the purposes and means of the processing of personal data, thereby including arbitrators, mediators evaluators, adjudicators and any other neutral together with their scheme administrators.
Personal data is being processed not only by automated means in a computer but also when held in paper form, Article 4(2).
The reach of the GDPR is international as Article 3(3) makes clear:
[The GDPR] applies in any place where Member State law applies by virtue of public international law whether arbitrators and mediators are established in the EU.
One exception to this was found in the application of the North American Free Trade Agreement (NAFTA) in a dispute between Tennant Energy LLC and The Government of Canada (2019) in which the preliminary issue arose of whether GDPR applied so as to determine the standard of data protection required. The applicability of GDPR was not accepted by one party and the Arbitrators held that GDPR did not apply as the NAFTA was not the subject of either EU law or the law of any Member State. Nevertheless, in their decision (Order of 24 June 2019) the Arbitrators made clear that they expected a high degree of cybersecurity to be provided:
“Accordingly, the Confidentiality Order makes no reference to the GDPR. This is without prejudice to the importance of ensuring a high level of data protection, and language to this effect has been added into the Confidentiality Order.” https://pcacases.com/web/sendAttach/3741
The Confidentiality Order does not appear on the Permanent Court of Arbitration’s website leaving every ADR neutral to ask what is “a high level of data protection” and how is the ADR neutral (qua Data Controller) to prove this standard has been achieved so as to discharge his or her duties either under the Confidentiality Order, the GDPR or both?
Neutrals would do well to familiarise themselves with recent hacks of ADR proceedings. The following are good examples for understanding what went wrong.
Libananco Holdings Co. Limited v. Republic of Turkey – 2013 ICSID – hack with loss of 2,000 emails
South China Sea Arbitration – 2015 – infamous cyber-security hack via unpatched Adobe.
What are the issues that every Neutral needs to address at the outset of each ADR proceeding?
This is the decision making process:
DEF’s GDPR Checklist for ADR Neutrals
|GDPR Article||Requirement||ADR Neutrals should consider|
|31, 51||Have you registered with the relevant supervisory authority?||Failure to register incurs a criminal conviction and a fine|
|6, 7, 8, 9||Determine the type of personal data being processed and identify relevant basis for processing each type||Does any of the processed data include data within the Special Categories e.g. health and/or children|
|44-49||Do you make international transfers of data?||If so, to which countries? How does your customer agreement provide for such transfers? If transferring data to the US are the transfers to companies certified under the EU-US Privacy Shield?|
|27, 44-49||How have you accommodated a Hard/Harder Brexit?||Consider compliance with Art 27 and how data transfers from the EU can be made lawfully post such a Brexit.|
|5, 6, 13, 14,||The agreement for ADR services between you and the parties||Are the grounds for processing relevant to the type of data being processed and are those grounds adequately set out in your ADR agreement|
|32, 33, 34||Put in place appropriate policies including: data protection, information security, process tests, device management, back-up measures, HR, data breach notification process, archiving and deletion.||For each policy include a review mechanism and processes for acting on the outcomes of those reviews identifying who is responsible for undertaking these tasks.|
|24||Controllers to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.||Consider your actions in relation to all other issues raised in this Checklist – can you demonstrate compliance with Art 24? Note the requirements for: a review process, a system to implement outcomes of reviews and the need to identify the individual responsible for each policy and process.|
|25||Privacy by default and by design||Do your systems adhere to these requirements?|
|30||Put in place the 7 different categories of appropriate records; if required, see Art 30(5)||Ensure records kept if obliged to keep and that the policies relevant to record keeping reflect how those records are to be maintained and state by whom|
|28, 33||Contractual arrangements with outsourced provider of data processing service.||Ensure guarantees required under 28.1 are obtained in writing. Check they carry over your obligations under the GDPR into any contracts between you and the provider(s) of outsourced service(s) especially as to Article 33 and the structure for compliance with this Article|
|37-39||Appoint a Data Protection Officer||Consider whether required and document outcome of that consideration process and reasons for the outcomes.|
|35, 36||Undertake a Data Protection Impact Assessment||Consider whether required and document outcome of that consideration process and reasons for the outcomes.|
|31||Contractual arrangements with employees and/or self-employed workers||Ensure such contracts are binding with regular review systems and that such contracts impose on such persons the relevant GDPR obligations.|
|44-49||In the event of a Brexit that does not continue the data transfer arrangements under GDPR: have you provided for a legal basis to continue transferring data to and from the EU?||Check your supervisory authority’s website (e.g. the UK ICO) for guidance about how to address this important issue. See also Art 27 issue, addressed above|
With requirements as extensive as this little surprise that CEDR’s 2018 Survey of Mediators found the fastest growth in terms of mediation volumes was coming from administered schemes where issues such as GDPR fall on the scheme (as a data controller) and are addressed by the Scheme for member-Neutrals.
For the Neutral confronting the challenge of GDPR for the first time help is at hand:
- Join one of the schemes using DEF
All administered schemes supported by DEF comply with the rules highlighted in the checklist and more. The list of schemes using DEF is in the Appendix below. The list grows every month so if your Scheme is not shown below email email@example.com to check the latest listing.
- Pre-2018 Rules
If your Institution is using a set of rules in force before mid-2018 (at present most Institutions are) then cyber-security is highly unlikely to be addressed save in vague terms. Suggest the Scheme builds a platform, as the Arbitration Institute of the Stockholm Chamber of Commerce did recently. However this option is usually a 2 year project from design to launch and so far from a quick fix. In the short term, and for your particular case, ask your Institution to contact DEF to provide a Platform. We can deploy a GDPR compliant solution within 24 hours of your Scheme providing all the relevant information and signing our Heads of Terms.
- Solo Neutral?
If working as a solo Neutral then develop a process based on the DEF Checklist and make sure you raise the above issues with the parties immediately on an appointment being accepted.
Alternatively, contract with DEF to use our GDPR compliant Platform to solve these issues in less than 24 hours of signing our Heads of Terms and providing us with all relevant information to enable us to roll out the Platform.
- Cybersecurity Protocol
Read the Cybersecurity Protocol prepared by the ICCA, NYC Bar and CPR which can be found at: https://www.arbitration-icca.org/media/10/43322709923070/draft_cybersecurity_protocol_final_10_april.pdf
This is in draft at present but the Protocol is due to be launched in Final form at the ICCA Conference in Edinburgh in April 2020.
If your scheme has not yet put in place a solution such as the DEF Platform questions should be asked why you as a Neutral continue to use that Scheme. Working in paper, by email or, worse, working via the very toxic mix of email and paper leaves Neutrals badly exposed to sanction by the relevant Data Protection Authority, significant fines and reputational disaster.
Schemes using the DEF Platform
(in alphabetical order)
International Dispute Resolution
International Institute for Conflict Prevention and Resolution (CPR)
Karolina Jackowicz (solo mediator)
King’s College, London, Bar & Mooting Society
NHS Resolution Mediation
Personal Injury Claim Arbitration Service (PIcArbs)
Schemes join the DEF Platform every month – if your Scheme is not yet listed above please let us know via firstname.lastname@example.org and we will approach your Registrar or Administrator.