10 Jul 2018
The General Data Protection Regulation (“GDPR”), a new data protection framework that replaced the Data Protection Directive 95/46/EC, went into effect in the European Union on 25 May 2018. The GDPR basically contains rules that govern the processing, collecting, and disclosure of personal data by the Data Controller or Data Processor irrespective of where the processing takes place.
Personal data[1] relates to information of an identifier (“Data subject”) which can be obtained either offline (such as name, location, mental, economic or social identity of a natural person) or online (such as internet protocol address, cookie identity, radio frequency identification tags, etc). The data processor[2] is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller, who determines the purposes and means of the processing of personal data[3].
Article 79 of the GDPR grants the Data subject who has suffered “material or non-material damages” as a result of a violation, the right to an effective judicial remedy against a controller or processor and to receive compensation from them[4]. This right to effective judicial remedy pertains to litigation, although, the transfer of data for use in litigation to countries outside of Europe is restricted by Article 48.
But, what happens when the GDPR Privacy Notice or Privacy Policy of a Corporation includes a clause that in the event of a dispute between itself, and the Data subject, such dispute shall be resolved through Arbitration?
In this instance, arbitration is not a judicial process but a non-judicial process with a contractual or quasi-contractual obligation. Thus, a Data subject has no right to bring issues for an effective judicial remedy to an Arbitral tribunal except the Arbitrator(s) is/are appointed as the Data Protection Officer(s)? The designation, position and tasks of the Data Protection Officer (“DPO”) are covered under Articles 37-39. Under Article 38, the Data subject may contact the DPO if there are issues related to processing of their personal data and Article 4(2) provides that “Processing means any operation or set of operations which is performed on personal data or set of personal data, whether or not by automated means, such as...disclosure by transmission....” In an arbitral proceeding, an issue by a Data subject requires disclosure. This disclosure obligations falls within the purview of the GDPR and is necessary for the purposes of legitimate interests of both the data controller and data subject. The only exception is when it involves a breach of the data protection obligation.
However, the U.S. Supreme Court held in Société Nationale Industrielle Aéreospatiale v. U.S. Dist. Court for the Southern District of Iowa[5] that the “blocking statues” or restriction of transfer of personal data do not apply to the American courts, but, this decision has not been tested on GDPR. Thus, businesses and corporations engaged in international arbitration can through the DPO order the disclosure of personal data stored in Europe, if such data will resolve an issue or legitimate interest.
[1] GDPR Articles 4(1), Recital 30.
[2] GDPR Articles 4(8)
[3] Articles 4(7)
[4] Articles 82(1)
[5] 482 U.S. 522, 544 n.29 (1987)