In Tennant Energy LLC (USA) v. Government of Canada (PCA Case No. 2018-54), a NAFTA tribunal addressed the reach of the General Data Protection Regulation 2016/679 (“GDPR”). The EU-Regulation, which came into force in May 2016, introduced extensive obligations on data processors and data controllers. Since then, the Regulation has raised many questions. The tribunal now dealt with the question of whether the EU-Regulation affects arbitration under the North American Free Trade Agreement.

Background

On June 1, 2017, Tennant Energy LLC initiated arbitration proceedings against Canada which are being administered by the Permanent Court of Arbitration (PCA) in The Hague. The investor brought damages claims under Chapter Eleven NAFTA. The claims in the amount of $116 million relate to Claimant’s investments in a wind project in Ontario, Canada.

From the outset of the proceedings, issues of data protection were at the core of the discussions. Tennant Energy LLC urged the tribunal to strictly comply with GDPR’s data policies. Claimant argued that the Tribunal should address data protection in its Procedural Order and make sure that “a proper GDPR compliance mechanism [is] in place”, since, according to Claimant’s view, the EU-Regulation was applicable to the proceedings. It is not entirely clear from the reported case file why Claimant so heavily insisted on the compliance with GDPR.

Claimant’s argument was that one of the arbitrators was resident in the UK and thereby was subject to the GDPR. Claimant basically argued that if one arbitrator is from the EU, the entire tribunal needs to comply with the GDPR and address data security in its Procedural Order. Also, Claimant pointed to the PCA being regarded a supranational institution under EU data protection law. Consequently, GDPR obligations would arise whenever there is a transfer of personal data between the PCA and the tribunal.

Canada, however, refused to accept GDPR related provisions in the Procedural Order and claimed that NAFTA in its entirety fell outside the material scope of the GDPR.

Discussions followed on the applicability of the GDPR and whether compliance mechanisms had to be included in a Tribunal’s Procedural Order.

Decision

The arbitral tribunal did not share Claimant’s view. On 24 June 2019, the tribunal informed the parties in only two paragraphs why it would not apply GDPR and would not amend its Procedural Order accordingly. The tribunal kept it short and simple by stating:

Arbitration under NAFTA Chapter 11, a treaty to which neither the European Union nor its Member States are party, does not, presumptively, come within the material scope of the GDPR.”

No further explanation was given. In its prior communication, however, the tribunal already pointed to Art. 2(2)(a) GDPR which deals with the Regulation’s material scope. The provision states that the GDPR “does not apply to the processing of personal data in the course of an activity which falls outside the scope of Union law”.

The tribunal explained that the Procedural Order would make no reference to the GDPR, however, “without prejudice to the importance of ensuring a high level of data protection.”

Concluding remarks

As of today, in practice, most Procedural Orders do not contain specific reference to GDPR and provisions on data security. It remains to be seen whether this will change in the future and whether there will be published case law on that question.

The effects of the GDPR on arbitration in general are still not quite clear and continue to be a big topic in the arbitration community. The ICCA and the IBA have, for instance, established a Task Force on Data Protection in International Arbitration which aims at providing guidance on the GDPR’s impacts (https://www.arbitration-icca.org/projects/ICCA-IBA_TaskForce.html).

While the decision in Tennant Energy LLC (USA) v. Government of Canada concerns only the applicability in a treaty-based arbitration procedure, numerous articles have already dealt with the effects on commercial, contract-based arbitration (see e.g. http://arbitrationblog.kluwerarbitration.com/2019/09/07/gdpr-issues-in-commercial-arbitration-and-how-to-mitigate-them/; http://arbitrationblog.practicallaw.com/the-gdpr-and-disclosure-of-documents-in-arbitration/; https://globalarbitrationreview.com/article/1170035/managing-arbitral-data-under-the-gdpr; https://www.garrigues.com/en_GB/new/protecting-personal-data-under-gdpr-arbitration).