By Gabriel ‘Femi Adewara, MCArb and Foluke Adewara, LLB; BL
“The future is already here – it is just not very evenly distributed yet’– William Gibson (Renowned Science Fiction Writer)
INTRODUCTION
In this digital age, data or information flow is the ‘New Life’ (NL)! New Regulation (NR), likeNew Technology (NT), disrupts and normalizes. Format of the Data protection/privacy (DP)regulation being adopted in droves around the world, is disruptive and normalizing in all sectors.
Until the 2018 EU General Data Protection Regulations (GDPR), DP was not given the prime attention it is now demanding. The ‘demand’ is in terms of ongoing, unobtrusive and resilient diffusion of GDPR’s provisions, into the realm of personal data protection, arbitration proceedings not exempted.
THE EVOLVING DATA PROTECTION/PRIVACY REGULATIONS
DP involve policies, laws and regulations on data collection, processing, retention, and security. DP-related rules and activities are based on mandatory, jurisdictional, requirements. It is becoming obligatory and prudent for arbitrators to fulfill these requirements based on the new reality of civil/criminal liabilities orbiting arbitral proceedings. The regulatory mien, deriving from GDPR’s benchmark provisions on fines, for non-compliance, is fierce. For instance, since mandatory Data Compliance Audit commenced in October 2019, under the Nigerian Data Protection Regulations (NDPR) 100 non-compliance notices have been issued by the regulator, NITDA, for breaches. Soko Loans, an online lending platform, was fined =N=10 million.
NDPR applies only to personal data and natural persons, excluding other types of data and corporate entities. A Data Protection Bill is in the National Assembly, seeking to establish the Data Protection Commission as an impartial regulatory agency to regulate/oversee data protection issues in Nigeria. But, ironically, the Bill is quite deficient in its overall purport/provisions when compared with a subsidiary legislation like NDPR. For instance, it lacks provisions for Third Party Processing Contracts, concerning which NDPR provided for licensed Data Protection Compliance Organizations (DPCOs) which could support arbitration in expert advisory.
DATA PROTECTION OBLIGATIONS IN ARBITRATION
Jurisprudentially, DP obligations apply to individuals and legal entities. Arbitration being private and ‘non-legal’, is, ordinarily, not subject to data protection obligations. But as data/information flow is the blood/life stream of every human interaction/activity, arbitration as a means of dispute resolution between persons/parties cannot be exempted from personal DP obligations.
Most GDPR-inspired regulations concur. The twin principles of ‘Data Subject’ and ‘Participants’ in DP regulation illustrate this obligation. They make the data integrity of every natural person sacrosanct. Invariably, the conduct of an arbitration is impacted. Yet, arbitration is blindfolded, walking on information minefields, because DP laws still inadequately address how the laws/regulations should apply to arbitration.
Arbitrators’ blindfolds are removed by initiatives like the Draft ICCA-IBA Roadmap to Data Protection in International Arbitration, released in March 2020; finalized version expected soon.
Helpful guidance, gleaned from the Roadmap, and other conversations on DP, surrounds the arbitrator’s early consideration of the following matters:
- Holistic view of or data-mapping all potential information/activities flow expected in the arbitration.
- Determining territorial and material scope of all applicable data protection rules for such flows.
- Deciding on who the Participants, Data Controllers and Processors are or persons responsible for compliance (Data Custodians) and how to handle Data Subject Access Requests (DSARs)
- Establishing and recording compliance procedures efficiently and cost-effectively, to minimize arbitral process disruption.
- Being mindful of all arbitral, shared/transferred documentation and contemporaneous evidence likely to be implicated. These are pleadings, witness statements/other submissions and express reports/awards and emails, letters, log-ins, notes, reports, photos and video/audio recordings, respectively.
- Deciding on deployment mode of the required Data Protection Officer (DPO), whether by designating a person or by use of a DPCO
- Conclusively, arbitrators’ careful evaluation of what, where, means, security measures and processing timeframe relating to the data being processed, for compliance with DP regulations.
Hurry now and join other professionals at NICArb’s 2021 Hybrid Annual Conference for a robust discourse such as this and many more, on how to improve the use and practice of Arbitration and other ADR as a dispute resolution mechanism in Africa and across the globe.
Register Now!!
https://forms.gle/eW4HUjPim74jbtvv8
Date: Thursday, 18th – 19th November 2021
Time: 10:00AM – 4:00PM
Venue: Eko Hotel and Suites/Whova Platform.
For advert bookings and Reservation, kindly contact Tolani on 09087187407 or Peace on 09087187408
