[REDACTED]: 10 DATA PRIVACY & PROTECTION COMMANDMENTS FOR INTERNATIONAL ARBITRATION
- By Christopher M. Campbell, Esq.
Keywords: data, privacy, international arbitration, GDPR, protection
You’ve just received procedural order number one, the hearing is set for 3 months from now, and there is a mountain of work you and your team need to do. You check your email and your colleague from IT is asking for a copy of your team’s Data Management & Protection Plan. What do you do?
When that moment comes, you will have to be sure that you have already familiarized yourself with the modern data privacy protection and security laws that apply to you, your clients, the arbitrator and even opposing counsel. This piece will provide a brief overview of the most prominent data privacy & protection laws, how they generally apply, and a checklist to assist counsel in their preparations. Of course, there is no uniform regulatory framework for data protection & management; thus, the topics discussed herein are generally applicable principles rather than advice on any particular body of law, and this writing should not be taken or construed as legal advice.
Before getting into the various regulatory regimes, there are some vital and consistent terms that must be understood in order to navigate these rules. Rather than restating those terms here, this piece includes summaries of the sources in the endnotes.
The meaning of these terms is virtually interchangeable across various data privacy regulatory jurisdictions. These terms (among others) combine to compose the procedures and ethos around the collection and management of personal data.
Data Privacy Rules
There is a steady increase in the number of data privacy regulations worldwide as governments catch up to the current technological market. Some of the most common examples are: i) the General Data Protection Regulation (GDPR) in the E.U.; ii) the California Consumer Privacy Act in the United States (CCPA); iii) the China Security Law in the P.R.C. (CSL); iv) Brazil’s General Protection Act; as well as forthcoming laws across the globe. Most of these regulations use similar, if not interchangeable, terminology relating to the regulation and treatment of personal data.
There are also comparison tables for reviewing the obligations under each; one such example can be seen here.
For purposes of this piece, rather than restating what has already been provided in other sources, the focus will be to outline 10 Commandments (Read: guiding principles) disputants, counsel, institutions, and arbitrators should keep in mind when preparing for and proceeding through a dispute.
There are so many stakeholders, possibilities, and ways in which information could travel. The table below outlines common destinations for personal data related to each of the labeled categories.
During the pre-dispute phase, a prudent counsel will begin taking inventory of all of the stakeholders to the dispute, and by proxy, which data protection rules apply to them. Mercifully, many jurisdictions are still unregulated with regard to data privacy & protection; however, that is likely to change as data breaches pose greater threats to international commerce.
Begin by considering who are the:
iii) support staff,
iv) institutional actors, if any, and
Each of these parties may be subject to a data privacy regulation with which every party processing the data of the other parties must comply.
One more important note is to consider where the information is being stored. Certain data regulations prohibit personal data from being stored or even passing through certain “third countries”. 
1) Identify what restrictions will apply to your organization. (And which will be outsourced)
Understand what you and your colleagues must do to be compliant—and importantly, be sure to confirm that any third parties (such as e-discovery platforms, experts, etc.) understand their obligations in handling such information.
2) Identify Data Subjects’ Rights.
Go through the relevant regulatory rule-set and make a checklist of the rights afforded to a data subject. Such rights often include:
- right to be informed;
- right to opt-out;
- right of deletion/erasure; and
- right of access and right to non-discrimination.
The data processor should be prepared to respond to a demand for these rights, should a data subject assert them.
3) Determine what data is needed and what data will be transferred.
Data management is a case where more is typically not better. Although large amounts of information may be needed, parties should bear in mind that every amount of data transferred imparts legal duties and liabilities to the processing party. Therefore, the parties should, to the extent possible, avoid collecting personal data that is not necessary to resolve the dispute. Understanding where that data will go once it is collected is an equally important part of quality data management practices.
4) Allocate Responsibility for processing and transferring data.
Although multiple parties might end up processing or possessing personal data, there must be a clear delineation of duties and responsibilities. Otherwise, there is a likelihood that data will be stored improperly, exposed, or mishandled in some other way.
5) Consult with tribunal & opposing counsel about data privacy matters (EARLY).
As parties become more aware of the best practices in data privacy & protection, arbitrators seeking appointments will need to demonstrate their comfort level with managing these types of issues. Raising these types of issues early on, during initial conversations or in the first procedural order allows for all parties to be on the same page—and, if they aren’t considering data privacy issues, to bring it to their attention as a violation could implicate all parties involved. Some qualification questions for arbitrators could be:
- What is your policy or plan for the management of personal data?
- Do you have a data controller or is it managed by someone else, like a tribunal secretary?
- How long do you maintain personal data after the conclusion of the proceedings?
- What is your plan in the case of a data breach?
6) Have. A. Data. Breach. Protocol.
Speaking of data breaches: the moment you are notified of one by the arbitrator, opposing counsel, or someone in your data management ecosystem is too late to begin developing a data breach protocol. Two of the referenced regulations, GDPR and CCPA, have specific requirements as to what must be done in such a case.
Unfortunately, there is a reasonable likelihood of such an occurrence, and you must be prepared for it when it occurs. The lack of a plan or mechanism could increase (or create) liability as to the processor’s duty of care in managing personal data.
7) Define an internal and long term policy for data privacy and protection.
The ideal scenario for regular disputants or counsel is to develop a detailed and comprehensive policy identifying who will be responsible for ensuring compliance with data privacy regulations and how they plan to do so. Having such a plan in place provides a level of comfort and allows attention to remain on the dispute at hand.
8) Report Data Breaches Immediately.
Just do this. There is nothing to be gained by concealing this information and in fact, doing so may only worsen the problem as exposure of personal data exposes the data subject to personal and direct harm. The notification not only includes other parties involved in a dispute but also the relevant authorities as outlined in the applicable data regulations.
9) Delete Personal Data that is no longer needed.
Many lawyers are notorious for having years and years of personal data records stored, either in physical or electronic copy. In fact, some jurisdictions and legal ethical rules require that such information be kept for a certain amount of time. However, upon resolving each matter, parties should:
- assess what personal data remains in their possession;
- determine if it is still necessary;
- affirm that the data subject has consented to the maintenance of said data; and
- periodically review to make sure any data retained is necessary.
Again, violation of these rules may be considered as a violation of the applicable data privacy regulations.
10) Update your plan as necessary.
Given the rate at which the world of technology changes, having a static defence or procedure is a poor strategy. Ensure that someone on your team is tasked with making sure your procedures meet best practices, industry standards, and legal/regulatory compliances.
Existing Problems & What Comes Next.
Existing Threats to Data Privacy
Notwithstanding the principles outlined above, there are a number of factors that complicate efforts to maintain high-quality data protection. Such factors include:
A) Increasing volume of data - As greater amounts of traditional physical data are digitized and transmitted (especially in the age of Covid-19) the sheer volume of information being processed is likely to increase. Despite this increased volume, parties must be prepared to diligently deal with all information transmitted into their possession.
B) Cost of Maintaining Best Practices - Part of building up the capacity to deal with such high volumes of data is having technology and staff or personnel that are trained and calibrated to deal with these demands. Both represent an increase in cost to the parties maintaining the personal data.
C) Evolving nature of Vulnerabilities & Technology Integration - Parties will constantly need to update their tactics to keep pace with the evolving nature of cyber-security and aspire to meet industry best practices.
This includes integrated 5G technology and the differences between using mobile networks as well as traditional internet or WiFi capabilities. Each poses its unique requirements.
D) Human Error - At times, the weakest link in these highly technical and specialized information chains can be we, the humans. A lapse in judgement, a lack of training, or a genuine error can all lead to data breaches. Thus, personnel handling personal data should be trained and should simulate data-handling scenarios to increase their chances of success when disputes arise.
Some useful parting sources in planning for international disputes:
- Draft Joint ICCA-IBA Road Map.
- Article from the Hong Kong Lawyer.
- Data Privacy & Protection HUB from Linklaters.
- Thomson Reuters Practical Law Blog Post.
The below graphic has been created by the author and is provided to be a quick reference guide and/or checklist in executing your own due diligence as it relates to data privacy and protection. Feel free to use or reproduce with due attribution to the author.
Given the rapid rate at which technology and industry practices are evolving, it is quite possible that industry standards will have changed by the time you are reading this. However, the principles remain the same. As long as personal data is being exchanged during the resolution of parties’ disputes, considering how that is done and by whom will be of critical importance to all the parties involved.
Finally, the only other thing that the author would recommend is a simple strategy to ensure a victory for parties to a dispute—all a disputant must do is [Redacted].
Christopher M. Campbell, Esq., is currently a senior litigation counsel at Baker Hughes. He holds an LLM in Chinese Law and International Arbitration from Tsinghua University.
Preferred Method of Citation - Christopher M. Campbell, ‘[Redacted]: 10 Data Privacy & Protection Commandments for International Arbitration’ (ICAR, 15 October 2020) <insert link here>.
 Third-Countries: https://gdpr-info.eu/issues/third-countries/
 Author and creator of the graphic is: Christopher M. Campbell, Esq. who created this graphic on September 26, 2020.
The views and opinions expressed in the article are those of the author(s) solely and do not reflect the official position of the institution(s) with which the author(s) is/are affiliated. Further, the statements of the author(s) produced herein should not be construed as legal advice, nor should they be taken with any reference to any matters or legal work related to the author.