Data Protection and International Arbitration: How to make these two different worlds coexist in the digital era

1. Introduction
International Arbitration[1] is not immune to the different challenges posed by this new era of digitalization. Not only “modern international society and commerce are characterized by a complex, and sometimes disordered web of interrelationships”[2], as well as it is necessary to adapt its system to the different issues arising. Regardless, even though international arbitration is not “a flawless system”[3], this does not mean that it is void of advantages.[4] Thus, we live in a world where data is considered to be “the new oil”[5] and, for that reason, new divergent regulations have been created. The prime example is the General Data Protection Regulation (“GDPR”)[6], which is considered to be the leading legislation in data protection law. Therefore, with different treaties side to side[7] and reinforced data protection rules, especially in the European Union (“EU”) when compared to other countries[8], new challenges are arising in how to apply (or not) these rules to international arbitration proceedings’, leading some to consider this “the clash of the titans.”[9]
Even if the EU is considered to be the role model on this subject, we cannot ignore that other countries have adopted its own regulations.[10] This issue is recent, but not completely ignored by the authorities in regards to arbitration. In fact, the International Council for Commercial Arbitration (“IBBA”) has published a RoadMap to Data Protection in International Arbitration[11], which is a clear demonstration of the importance that the topic is starting to assume.
Are these two different worlds colliding? Due to technology’s preponderant role in every field of law, it is more important than ever to ensure a coherent approach. Therefore, this essay aims to analyze different points of crossover between these two branches of law and the main problems that might arise from the applicability of the GDPR. This is not so far a hot topic in the doctrine, even though it is possible to find a few written articles.[12] Consequentially, we will further reflect on (i) the possibilities of the application of the GDPR within the context of international arbitration (including the ones held outside the EU), (ii) which data is processed during these proceedings, (iii) the issue of virtual arbitration hearings, as well as electronic data and (iv) the use of the GDPR as a potential way to annul or refuse the enforcement of an arbitral award. 
 
 
2. The applicability of the GDPR 
Nowadays, as Kathleen Paisley outlines, “data processing is an essential component of modern international arbitration.”[13]Digitalization has led to the change of paradigm within different branches of law, which has resulted in “conflicting requirements, not only within the field of data protection itself but also between data protection regimes and other areas, e.g international arbitration.”[14]
There are no doubts on the impact that a strict regulation like the one foreseen on the GDPR, which is also the most known regime in data protection law, might have in dealing with these proceedings, due to the significant number of obligations and legal norms that have to be fulfilled. In order to assess the possibility of the application of the GDPR, we have to take into consideration two different scenarios: the material requirements and the territorial scope.
 

2.1. Material Scope of the GDPR 
According to article 2(1) of the GPDR, the regulation is applicable to the processing of personal data wholly or partly by automated means.[15] Focusing on the concept of personal data, article 4(1) defines it as “any information relating to an identified or identifiable natural person.” Thus, it is possible to point out four different elements: (i) any information[16], (ii)relating to[17], (iii) identified or identifiable[18] and (v) natural person.[19]
Thinking about International Arbitration, several types of personal data might be included on this. It is actually interesting, since the International Council for Commercial Arbitration-International Bar Association and International Bar Association (“ICCA-IBA”) give relevance not only to the GDPR, as well as to the Brazilian legislation[20], by pointing out that under these regulations “a substantial portion of the information exchanged during a typical international arbitration is likely that qualifies as personal data.”[21] Almost everything will fall within the concept of personal data if the requirements are met[22], being irrelevant that it is “contained in a business-related document.”[23] Nevertheless, this does not include data related to companies, because the aim of the GDPR is to protect individuals. Thinking about arbitration, as Kathleen Paisley outlines, this also might include witness statements, expert reports and the award itself, because they “are likely to identify individuals.” ^[24] [25]
On the other hand, under Article 4(2) of the GDPR, processing[26] means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.[27] Once again, there is a broader definition and, as Kathleen Paisley affirms, “virtually any activity undertaken during an arbitration relating to documents is likely to be covered by the GDPR.”[28] The same is held in the ICCA-IBA’s reports, as it is also recognized that “most activities undertaken in a typical international arbitration are likely to constitute processing.”[29] From the interpretation of the different provisions, the GDPR is also applicable (in general) to arbitrations.[30] If it might be easier to establish its applicability to commercial arbitration, regarding non-commercial arbitrations, where bilateral and multilateral treaties are celebrated, it might be harder.[31]
There is also a problem that is very relevant to this topic. In fact, as we’ve had the opportunity to affirm, the GDPR clarifies that the regulation does not apply to the processing of personal data “in the court of an activity which falls outside the scope of Union Law.”[32] This provision must be interpreted strictly, as the ECJ (“European Court of Justice”) has stated.[33] On the other hand, Recital 16 gives as example activities concerning national security.[34] Thus, one of the most interesting cases is Tenant Energy, LLC c. Canada[35], an international arbitration under NAFTA, whose applicable law was the 1976 United Nations Commission on International Trade Law (“UNCITRAL”) Arbitration Rules. In casu, the Tenant argued that the GDPR should be taken into account.[36] The Government of Canada rejected this request, as it argued that the country already addresses confidentiality issues in the proceedings and that the “potential application of the GDPR should not prevent arbitration from moving forward.”[37]Consequentially, the Claimant delivered its response to the tribunal[38] and made a compelling argument, as it outlined that one of the arbitrators had an EU establishment and, as a result, the GDPR would cover him, as he would be considered a processor and controller.[39]
Nevertheless, the Tribunal refused the application of the GDPR, as it considered that neither the EU nor its Member States were parties and would not, presumptively, come within the material scope of the GPDR.[40] Martin Zahariev argues that “having in mind that investment arbitration is transnational by its nature, it can reasonably be argued that the rules it is subject to go beyond national or even regional legislation such as the EU.”[41] The doctrine outlines some incoherences and issues that seem to derive from this position adopted. Some argue that the Tribunal’s perspective is not “consistent with the latter case law decided by the Court of Justice”, which requires that the provision should be interpreted strictly.[42] Hence, Jie Jeanne Huang considers that this is very “questionable.”[43] On the other hand, Emily Hay mentions an important point, in our opinion, which is related to the fact that the provision at stake is “essentially made for internal EU Law.”[44] Of course that we do not have any doubts about the fact that neither the EU nor its Member States are parties to NAFTA. Still, having in mind the strict interpretation made by the ECJ, only activities concerning public security, defense, state security and activities in areas of criminal law.[45] Could the Tribunal have followed this path, by considering that the simple membership of NAFTA could relate to one of these topics? This would lead us to another discussion.[46]
We cannot forget that one of the arbitrators was from the United Kingdom (“UK”), which was still a member of the EU at the time. As Kathleen Paisley clarifies “it is inherent in the arbitral tribunal’s function that the arbitrators control the purpose and means by which they process the documents and evidence presented by the parties.”[47] ^[48] Therefore, that arbitrator would always be considered a controller in accordance to article 4(7) of the GDPR[49], due to the fact that there is processing of personal data on his own authority, which is “not based on instructions given.”[50] Even if the GDPR was not to be applied, being the arbitrator a UK’s national, the issue of applying the UK Data Protection Act 2018 should, at least, have been mentioned.[51]Thus, from this point of view, it seems that the direction chosen “raises more questions that it provides answers regarding GDRP’s applicability.”[52]
As Jie Jeanne Huang and Dan Xie clarify, having in mind that article 2 stands “as a prerequisite” to article 3, that is why tribunal did not even bother to analyze if this situation could have fallen within the territorial scope of the GDPR. 
Another important case, even if it does not relate directly to EU Law, is Elliott Associates v. Korea[53], where the Korean Government defended the application of Personal Information Protection Act (“PIPA”) whereas the other party was against it. This makes a considerable difference, as Elliott Associates wanted the full publication of the documents in the case, because, in their opinion, PIPA could not be applicable to the following case. It argued, therefore, that the Respondent did not explain correctly why the different actors should be qualified as controllers, as well as the information had lawfully been published in press articles and were in the public domain.[54] This issue was related to the transparency regime established in Korean-United States Free Trade Agreement (“KORUS”). Under Article 11.28 of the Agreement, protected information is considered to be “confidential business information or information that is privileged or otherwise protected from disclosure under a Party’s Law.” Therefore, having in mind that PIPA is Korea’s Law, the problem arose. The Permanent Court of Arbitration (“PCA”) began by pointing out that PIPA does not merely regulate the processing of personal information for purposes of operating personal information files by personal information controllers, as it also protects information relating to a living individual that makes it possible to identify by his/her full name.[55] Moreover, the PCA ended up concluding that PIPA had to be applicable to the case. 
 
 
2.2. Territorial Scope of the GDPR 
Under article 3, it is established the territorial scope of the GDPR.[56] Therefore, the regulation will be applicable when: 
(I) In the context of activities of an establishment of a controller or a processor in the Union, regardless whether the processing takes place in the union or not (article 3(1)).[57] Some situations might be considered from this perspective. Cleary, when we think about courts established within the EU, there will be no doubts on the applicability of the diploma. Let’s think, for example, about the Vienna International Arbitral Centre (“VIAC”). It will also be possible to establish jurisdiction over the establishment criterion whereas an arbitrator exercises its regular practice within EU.[58] Additionally, Jie Jeanne Huang and Dan Xie raise an important question[59]: what happens to those cases where only one of the parties is from the EU? The authors give as an example the Energy Charter Treaty (“EGT”)[60], as it will be highly likely that at least one of the parties are bound to the GDPR. Having this in mind, and being combined articles 2 and 3, if one of the parties is established in the EU, then the GDPR should be applicable to that particular case. 
(II) The GDPR will be applicable even when the controller or processor are not established in the EU, if the processing activities are related to the offering of goods or services,[61] irrespective of whether a payment of the data subject is required, to such data subjects in the union or there is the monitoring of their behavior as far as their behavior takes place within the EU.[62] ^[63]From what we can see, the “GDPR has a broad application.”[64] Having in mind the intention of a global reach, it is necessary to reflect on the several possibilities of applying the GDPR even when the arbitration occurs outside the EU. On the basis of article 3(2)(a), Martin Zahariev states that a situation that might fall within the scope of this provision is the one where an arbitral institution located in a third-country maintains on its website the tariff for the provision of arbitration services or a calculator for estimating the arbitration costs in United States Dollar and Euros.[65] In fact, in order to determine whether a controller/processor is offering goods or services, it won’t be enough that there is a mere accessibility of a website in the EU. On this matter, Recital 23 mentions that the use of language or the currency used in one of more member states is another factor.[66] From an abstract point of view, this could be a feasible option. Nevertheless, it is still difficult to see the GDPR being applicable on this situation to international arbitrations. 
This will further depend on a case-by-case analysis, but one thing is certain: even if the GDPR is not applicable to a certain arbitration, we will have to take into consideration the possibility of occurring international data transfers and, therefore, the GDPR might still be considered. 
 
 
2.3. Transfers of Personal Data to third countries 
From an international arbitration’s perspective, it is also quite important to take into consideration the problem of transfers of personal data to third countries, as “inconsistencies among the data-sharing regimes of foreign countries frustrate the efficient exchange of personal data.”[67] On this matter, Elena Mazetova inclusively states that an analysis of the cross-border data transfer and identification of those who should be applicable to a certain case has to be the first step[68], in order to “provide the parties with clear guidance concerning the applicable rules and potential risks.”[69] Hence, a transfer of personal data outside of the EU[70] can be justifiable on the basis of four different grounds, namely: 
(I) There is an adequacy decision[71], which correspond to formal decisions adopted by the Commission declaring that a third country, a territory or one or more specified sectors within that third country, or the international organization in question ensure an adequate level of protection.[72] This is really important, as if there is an adequacy decision, then, no further authorization will be required in order for the transfer to take place. At the moment, the European Commission has recognized Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, New Zealand, Republic of Korea, Switzerland, the UK and Uruguay as providing adequate protection. On the other hand, this is not permanent, as there is a constant obligation to monitor developments in third countries and international organizations that could affect the functioning of decisions adopted.[73] However, transposing this to the arbitration framework “may be difficult (if not impossible) to create an environment fully covered by adequacy decisions”.[74] Thus, within the context of international arbitration, most of the transfers normally happen to countries that don’t have an adequacy decision. Let’s think on the example of the Singapore, Hong Kong, India, Australia, among others, which are really important countries in terms of arbitration.[75] Recently, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework, but we will still have to see its impact and, above all, the ECJ’s reaction towards it.[76] Still, having in mind the limited scope for these decisions, in regards to international arbitration, most times it will not be very helpful. 
(II) Another possibility is using article 46 of the GDPR, which foresees the possibility of transferring personal data to a third country or an international organization if the controller or processor has provided appropriate safeguards.[77] Related to this, article 46(2) foresees some examples of what might be considered an appropriate safeguard. ICCA-IBA Report outlines that the most adequate is the standard contractual clauses and, on Annex 6, it gives a sample standard of how this should be addressed.[78] However, as David Rosenthal prescribes, this might be tricky in regards to arbitration, due to the fact that these standard clauses have to be used with no changes[79] and some parties might have not signed the clauses, as they may lead to the increase of the liabilities.[80] Even though safeguards are the preferable option (before trying to apply article 49), within the context of litigation, this may not be feasible.[81]
(III) Additionally, article 49 is another alternative for international transfers. When applying this article, the “data exporter transferring personal data to third countries or international organizations must also meet the conditions of the other provisions of the GDPR.”[82] Article 49 is also seen as a last resource, as data exporters should first explore possibilities to frame the transfer within other mechanisms included in articles 45 and 46(1) of the GDPR.[83] For this reason, the European Data Protection Board clarifies that such transfers may happen more than once, but they cannot be considered regular.[84] By analyzing the different possibilities, we believe that the most adequate is article 49(1)(e), under which the transfer of personal data will be possible whenever it is necessary for the establishment, exercise or defense of a legal claim.[85] The European Data Protection Board defends a broad interpretation, as it considers that many activities can be included (for example: criminal or administrative investigation in a third country, data transfers for the purpose of formal pre-trial discovery procedures or anti-trust investigations).[86] However, it is clarified that this does not include the mere possibility of those legal proceedings being brough in the future.[87] Arbitration is a form of resolving disputes that offer involved parties an alternative to classic litigation, which has its own formal and legal proceedings. As a consequence, article 49(1)(e) has to be considered a feasible option. This position is also shared by David Rosenthal.[88] In addition, Elena Mazetova also states that within the context of arbitration, the transfer of personal data will occur “on an ad hoc basis.”[89] It is a requirement, if this basis is invoked, that the transfer is necessary[90], occasional[91], being also mandatory that the personal data subject to it is minimized to what is strictly essential.[92]
Thus, David Rosenthal proposes that an agreement could be made between the parties, the counsel and the arbitrators, in order to clarify that “each party should only submit personal data that is necessary for the proceedings, to keep such personal data confidential, and use it only for the arbitration and related purposes.”[93] Hence, the Author further points out that everyone should sign it, regardless of the level of data protection in the country.[94] Moreover, and regardless any considerations on this point, we think that Elena Mazetova has a point when the author argues that assessing the necessity test is not always easy when we think about arbitration. In fact, if a party requests a certain document, then it will be easy to assess if that request will be helpful and meet the criteria defined under the GDPR. Moreover, if it is something introduced in a memorandum or other document voluntarily introduced, as the author prescribes, a more detailed explanation will be needed.[95]
Finally, as a last resource, a mention should be made to article 49(1)§2 of the GDPR, which provides that, even if none of the derogations foreseen on article 49(1) are applicable, the transfer might occur if (i) concerns only a limited number of data subjects, (ii) is necessary for the purposes of compelling legitimate interests and (iii) the controller has assessed all the circumstances surrounding the data transfer and has provided for suitable safeguards. Additionally, the supervisory authority of the transfer shall be informed, as well as the data subjects. Even if, from an abstract point of view, it might be applicable, due to the strict requirements, we do not see as this could be a suitable mean for the different parties.[96]
As the doctrine identifies, it seems that the best option for international transfers within the context of international arbitration, will be article 49(1)(e) of the GDPR. What this represents is that, even if the material and territorial requirement is not met, the GDPR may still apply, even if incidentally, to arbitrations being held outside the EU. 
 
 
3. Specific issues regarding the Arbitral Proceeding 
3.1. Online Hearings 
Hearings are a very important step within the context of international arbitration, as a proceeding won’t probably end without one occurring.[97] With COVID’19, it became normal to hold these hearings online, due to the requirements of non-personal contact. This has several advantages, as it allows to reduce costs[98] and increase efficiency.[99] Thus, these advantages can be also seen from a different perspective, due to the problems that arise. Firstly, it creates a higher risk for cyberattacks[100], as well as it might be problematic from a data protection point of view (we’ll have the change to analyze the challenges on regards to the GDPR later) and may emerge problems related to confidentiality.[101] After all, as some doctrine outlines, “there is no longer any question of if one’s digital infrastructure and data will be hacked, but only when.”[102] Additionally, issues might be raised relating to the authenticity of the hearing itself, as a personal contact might be better (at least for some) to assess the authenticity of what is being said.[103]
Despite these factors, it is important to point out that this is a matter to which a significant importance is given. Nevertheless, the answer to the question to know if the hearing can happen online, “entails a case-by-case analysis.”[104] In fact, article 28(4) of UNCITRAL Arbitration Rules[105] foresees that “the arbitral tribunal may direct that witnesses (…) are examined through means of telecommunication that do not require their physical presence at the hearing.” A similar provision might be found on article 24(4) of International Chamber of Commerce (“ICC”) Rules of Arbitration[106], article 19(2) of The London Court of International Arbitration Rules (“LCIA”)[107] or article 30(1) of VIAC Rules.[108]
Arbitration operators and arbitration institutions, as Pilar Perales Viscasillas states, “were catalysts for this process of adaptation, even before the Covid, especially in matters related to the security of new technologies.”[109] Besides, several reports have been adopted on this matter, which corroborates the fact that this is an important topic for arbitration.[110]
As we already know, these online hearings will lead to the processing of personal data. Therefore, if it is a situation that falls within the scope of the GDPR, then some additional steps must be taken into account in order to fulfill its demands. It will depend on the case-by-case analysis to know who might in the specific case be considered the controller[111] or a processor[112], being possible to also exist a joint controllership.[113] Moreover, and regardless of deeper considerations on this matter[114], obligations arise due to the application of the GDPR in the arbitration. 
Firstly, during these online hearings, it results from article 32 of the GDPR an obligation to ensure security of processing. This is a previous obligation, as Maria da Graça Moniz outlines[115], which means that the responsible entities for the processing shall implement appropriate, technical and organizational measures to increase the level of security. In fact, some doctrine argues that Recital 81 of the GDPR should be seen as a new “criterion for the choice of arbitrators and arbitral institutions.”[116] On this matter, the ICCA-BY Bar-CPR Protocol on Cybersecurity has as principle, among other things, the determination of reasonable cybersecurity measures[117].
Even though this has been thought from a cybersecurity perspective, we shall not ignore that under the GDPR this is very important.[118] Therefore, the regulation gives some examples of what might lead to the increase of security system, namely: pseudonymization and encryption of personal data[119], ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services[120], restore availability and access to personal data in a timely manner in the event of a physical or technical incident[121], create a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.[122]
On this matter, Marc Henry advocates that the best way during an international proceeding to fulfill this intention is the use of platforms, because that might, in his opinion, “level up the overall security of the custody chain as long as the relevant functions are enable and used.”[123] However, it will depend on the type of platform, because it is necessary to ensure its safety.[124]After all, this will mean that “the infrastructure used by the Arbitral Participants to secure the arbitration ought to be state of the art.”[125] Thus, it is up to the Tribunals to play a crucial role when assessing and choosing the tool for video conferencing. ICCA-IBA’s Joint Task Force points out that the tribunal must consult with the parties to establish a remote hearing protocol to address issues like (i) the technology used, (ii) advanced testing of the technology or training, (iii) starting and ending times, having in mind the different time zones, (iv) how documents will be placed before a witness and (v) measures to ensure that witnesses giving testimony are not distracted or improperly.[126] Additionally, Emily Hay outlines the importance, as article 32(1)(b) of the GDPR demands, of ensuring that the video transmissions have end-to-end encryption.[127]
On a further note, special emphasis should be made to the legal basis of processing. Under article 6 of the GDPR, processing shall be lawful only if it is possible to invoke one of the following legal basis: consent, contract, legal obligation, vital interests, public task or legitimate interests. 
Under article 4(11) of the GDPR, consent is lawful whenever it is freely given,[128] specific,[129] informed[130] and unambiguous.[131] One must carefully assess whether consent can be seen as a good legal basis for the arbitration’s context, especially for online hearings. In abstract, we could argue that, before the online hearing, the data subject could freely give its consent for the processing of personal data. Regarding litigation, Article 29 Data Protection Working Party has outlined that there may be situations where individuals are aware of, or even involved in the litigation process, and consent may properly be relied upon as a ground for processing.[132] Nevertheless, Article 29 Data Protection Working Party has also clarified that relying on consent may prove to “be a false good solution, simple at first glance but in reality complex and cumbersome.”[133]
From our point of view, there are two difficulties that may lead to the impracticality of invoking this legal basis in regards to online hearings. On a first note, the data subject may withdraw its consent at any time[134], which means that this will “present a challenge where arbitration proceedings been initiated.”[135] Therefore, this could endanger the proceeding itself, as at any time the data subject would maintain the possibility to revoke its consent for the processing of personal data. Even though that is applicable to the future, it does not seem easy to prevent the effects on the arbitration’s proceeding, especially when the online hearing constitutes a crucial element of proof.[136]
Additionally, we must also take into consideration that invoking consent would be impractical due to the complexity of the proceeding[137], as in each case it would be necessary to demonstrate that the data subject participating in the online hearing had given its consent for that act. This would create more unnecessary bureaucracy, when there may be more suitable options to invoke as a legal basis. The ICCA-IBA’s Roadmap to Data Protection in International Arbitration adopts the same position, as it clarifies that the Arbitral Participant is the one providing the personal data, “including each data subject identified or identifiable from the submissions or evidence”.[138] This level of uncertainty is not desired for arbitrators and the parties.
For online hearings, this does not constitute, in our line of thought, the legal basis. The use of consent must be accompanied by a meticulous evaluation of its practicability in the specific context. As a consequence, one suitable legal basis might be the legitimate interest, under article 6(1)(f) of the GDPR.[139] This requires a three-step analysis, namely: (i) there is a legitimate interest, (ii) it is necessary and (iii) these interests are not overridden by the interests or fundamental rights and freedoms of data subjects. As David Rosenthal points out, having in mind that arbitration aims to ensure confidentiality and have to adopt specific criterion and determine the different facts, there is a legitimate interest and, by taking into consideration, the two sides, it seems justifiable.[140] One should also bear in mind that “the data being processed during the arbitration is proportional, relevant and adequate safeguards are put in place to protect the data subject, including culling data before disclosure and where possible anonymizing or pseudonymizing the data.”[141] In what concerns online hearings, a step-by-step analysis must be considered, in order to evaluate the type of platform used, how the data is collected and which preventive measures can be adopted in order to balance this situation. 
Additionally, even if relying on this type of legal basis, the data subject still has to be ensured the different rights conferred by the GDPR. Therefore, the importance of the right to information cannot be ignored. During the initial communications with the parties,[142] the necessary information shall be provided, in order to fulfill what is consecrated on articles 13 and 14 of the GDPR.[143]
There is, as Niccolò Landi points out “a general duty to avoid unauthorized interference by third parties.”[144] A breach of security might undermine not only the process itself, as well as leading to the liability under Chapter VIII of the GDPR, whose fines might achieve significant values.[145] For this reason, despite the responsibilities that might result from the applicability of the GDPR, some doctrines argues that from an arbitration’s perspective, the arbitrators’ duty to an obligation to take these measures should be limited whenever he/she “deems reasonable in light of the relevant facts and circumstances.”[146] Marc Henry sums it all:
“[O]nce the data (just like pollen) is brought into the arbitral hives, the data needs to be protected from external predators. In the same way that soldier bees protect the hives from external attacks, arbitrators will assume the role of soldiers in the fight against cyber-attacks, and therefore contribute to the security of the arbitral process.”[147]
 
 
3.2. Evidence 
One question that also might arise is related to the disclosure of evidence, namely to know if a party can refuse giving it on the basis of the GDPR. Evidence assumes a crucial role in International Arbitration, as each party will aim to provide to the arbitral tribunal the most coherent material in order to prove its assertations. Each party, due to its autonomy, will have to carry out a careful assessment of the evidence delivered to the tribunal. It is not, therefore, enough to affirm a fact, as everything has to be proven. 
As Tanmayi Sharma recalls, “the general practice of arbitral tribunals is that the weight of evidence is assessed depending on the nature of the proposition it seeks to prove.”[148] Hence, ICCA and IBA also recognize this as one of the key aspects during the arbitration.[149]
We should point out that this is not a mere academic problem, as it might raise important problems, not only regarding the GDPR (and other data protection’s regulations), as well as cybersecurity. For example, in ConocoPhillips v. Venezuela[150], after issuing the award, the tribunal had to deal with new facts, as Venezuela sent a letter to the Tribunal contesting the decision, by invoking evidence that was obtained via WikiLeaks which demonstrated that communications were made between diplomatic officials in the US’s Embassy and Conoco Philips’ executives discussing the offer of compensation made the Venezuela Government. 
The Tribunal, nevertheless, did not addressed this issue, as it only pointed out that it did not have the power to reconsider the decision adopted on 3th September 2013.[151] Hence, we are confronted with the issue to know which framework shall be given to these kinds of situations.[152] We should also bear in mind that this might impose issues in regards to the GDPR, as evidence obtained due to a hacker’s attack raises questions from a data protection’s point of view. 
We should now enter the main focus of this chapter, namely to know if it is possible for the parties to invoke the breach of the GDPR and refuse certain evidence. First and foremost, a brief look at the different rules demonstrates the importance of it. For example, Article 27(1) of UNCITRAL Arbitration Rules clearly points that each party has the burden of proving the facts relied on to support its claim or defense, adding that any time during the proceedings the tribunal may require the parties to produce documents, exhibits or other evidence.[153] The ICSID Convention also foresees, except if the parties otherwise agree, that the Tribunal may, if it deems necessary at any stage of the proceedings, to call upon the parties to produce documents or other evidence.[154] IBA has also adopted a document based on the Rules on the Taking of Evidence in International Arbitration.[155]Many more could be mentioned, but it would fall outside the scope of this study. 
It remains open the question of whether it is possible for a party to refuse the disclosure of a document, for example, on the basis that its processing is prohibited by the GDPR. Nothing can expressly be found on its provisions. Hence, this is interesting, because recently the ECJ has addressed this issue (even if within the context of civil litigation) in case Norra Stockholm Bygg AB v. Per Nycander AB, Entral AB.[156] It argued that, when assessing the production of a document containing personal data, the national court has to take into account the interests of the data subjects and balance the different interests depending on the circumstances of each case.[157] Further, the Court defended that, when the production of a document proves to be justified, the national authorities still have to take additional measures of protection, in order to increase the level of protection of the processing for these goals.[158]
Applying this, mutatis mutandis, to International Arbitration, we will also need a case-by-case analysis. We do not think, however, that a party can per se refuse the disclosure of a certain document due to the GDPR. As David Rosenthal points out, stakeholders “should not gather evidence under false pretext or in an illegal manner.”[159] After all, it will always depend on the necessity in each case to produce certain evidence.[160]
As we have seen, almost everything during the proceedings will constitute personal data and there will be a processing in accordance to the GDPR. Still, not any document will be justified, being essential that the party only has to disclosure what is really necessary for the proceeding. Special attention should be given to the principle of data minimization.[161] This has three essential pillars, namely: adequacy, relevancy and necessity.[162] Therefore, as the ECJ has pointed out, “the national court is required to determine whether the disclosure of personal data is adequate and relevant for the purpose of attaining the objective pursued by the applicable provisions.”[163] On the other hand, as Célie de Terwangne underlines, “it is accordingly clear that one may not process an excessively large amount of personal data.”[164]
Besides, Article 29 Data Protection Working Party in the Guidelines on pre-trial discovery for cross border civil litigation[165] has clarified that each of the different stages in civil litigation process will require an appropriate condition in order to legitimize the processing. We can apply this, mutatis mutandis, to the arbitration context. In what concerns documentary evidence, it does not seem suitable making its submission dependent of consent. The different documents may entail personal data of a certain identified or identifiable individual. Therefore, the reasoning made for online hearings can be applicable, mutatis mutandis, to this context. Making the tribunal and the parties being dependent in each case of consent would undermine and make the proceeding slower. Consequentially, we may think about invoking, as a legal basis for processing, the legitimate interest, under article 6(1)(f) of the GDPR. Nonetheless, it is important to note that “it is possible for member states to supplement these grounds with specific requirements that must be satisfied.”[166] For this reason, a careful evaluation must be made concerning these different jurisdictions. 
We must also reflect about the processing of special categories of personal data.[167] It is possible that a certain piece of documentary evidence implies its processing. As we know, under article 9(1) of the GDPR, the processing of sensitive data is generally prohibited, except in the situations foreseen on article 9(2) of the GDPR. It will be crucial that in that case not only one of the legal basis foreseen on article 6 is invoked, as well as one of the exceptions mentioned on article 9(2). 
This is not an easy topic. At first sight, we can evaluate the possibility to apply article 9(2)(f), which relates to the processing necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity.[168]However, we must take into consideration that international arbitration has its own specificities when compared to traditional litigation. In addition, it is not well clarified what “necessary” means on this context and, due to the fact that this is not a traditional case of litigation, from a literal point of view, it could be difficult to apply. Nonetheless, from all the options available, it seems the only one that can be invoked. 
The Tribunal should ensure all the safety measures when sensitive data is included on the documentary evidence, in order to balance these different interests: not only the ones regarding the proceeding itself (namely, matters of confidentiality), as well as the data subject’s rights. This will depend on a case-by-case analysis, which can only be done by the tribunal. It seems that a good step would also include eliminating sensitive data before the data is processed for the arbitration’s context, as Kathleen Paisley defends.[169]
The fact is that arbitration is becoming more aware of the problems related to data protection (in general) and more references are being made in different documents. As an example, article 9(2) of IBA’s “Taking of Evidence in International Arbitration” foresees a number of reasons of why some kind of evidence might be excluded. One of them resides, precisely, on the “legal impediment or privilege under the legal or ethical rules determined by the Arbitral Tribunal to be applicable” (article 9(2)(b)) and “grounds of commercial or technical confidentiality that the Arbitral Tribunal determines to be compelling” (article 9(2)(e)). A commentary to IBA’s Rules foresees that personal data considerations may come under this limb. Nevertheless, it seems that a mere refuse per se is not admissible, unless it is possible to find a solid ground. Even when this happens, “the arbitral tribunal may order appropriate measures to preserve confidentiality of the evidence.”[170]
This can be articulated with the GDPR. In fact, attending to what the privacy by design demands, the controller has to implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and rights of data subjects (Article 25(1) of the GDPR). This provision aims to ensure that the controller takes into consideration the rights of the data subject from the beginning of the processing. On this matter, A. Barreto Menezes Cordeiro outlines that this provision cannot be applicable to all situations that are directly or indirectly related with the processing, because in its opinion this would make article 24 GDPR useless.[171] Lee Bygrave states, on the other hand, that “the duty under article 25 expressly applies not just at the time of processing but also beforehand when the controller determines the means for processing.”[172] Additionally, privacy by default (Article 25(2) GDPR) prescribes that the “controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.” The latter is intrinsically related to the minimization and the extent of processing.[173]
Hence, whenever necessary, it is up to the controllers within the context of an arbitral processing to ensure all the adequate measures that are accepted by the GDPR and will allow to ensure the security of personal data (pseudonymization and mechanisms to ensure ongoing confidentiality, for example).[174] Nevertheless, in our opinion, it seems that is it not possible to use the GDPR as shield for the disclosure of documents. That permission would have a significant impact in the production of evidence within this proceeding and that is why, in our point of view, a case-by-case analysis will always be required, as well as – whenever necessary – additional measures should be adopted (but this will, of course, depend on the case itself). A cybersecurity and data protection approach will be essential. As David Rosenthal states, “if a party is not happy with the tribunal’s decision, it may raise data protection claims against the tribunal, or have a data subject do so.”[175]
 
 
3.3. Refusal of the Award on the Basis of GDPR’s violation 
One last issue that we will further analyze is related to the question on whether it is possible to annul the award and refuse the recognition and enforcement on the basis of non-compliance with the GDPR. J. G. Merrills points out that “an arbitral award is binding, but not necessarily final”[176]. Nevertheless, it has to be mentioned that “the award is usually the outcome of arbitral proceedings that have been contested throughout.”[177] The question, if it is possible to challenge the award on the basis of the non-fulfillment of the GDPR, is not innocuous, as for the unsuccessful party that will be crucial. 
Hence, this will depend on the different ways that this matter is regulated. Under a Non-ICSID Arbitration, the enforcement as a foreign award will occur under the New York Convention[178], setting-aside under the lex arbitrii. Article III of the Convention foresees that each contracting state shall recognize arbitral awards as binding and enforce them in accordance with the rules of procedure of the territory where the award is relied upon. Besides, article V consecrates a number of reasons why the enforcement of the award might be refused. The only one that can be equated is article V(2)(b), because the recognition or enforcement of the award contrary to the public policy of the country[179].
There is, therefore, a difference between domestic and international public policy, because as Albert Jan Van Den Berg points out, “what is considered to pertain to public policy in domestic relations does not necessarily pertain to international policy in international relations.”[180] Even though there are not cases at the time, this does not mean that it will not be problematic in the near future.[181] Thus, we might ask ourselves if the GDPR’s articles can be considered public policy. We have to agree with the doctrine that defends that not all the provisions foreseen on the GDPR will allow this, as not all “obligations carry the same weight.”[182] Still, the ECJ might have an important impact in analyzing which kind of articles will play the decisive role. One example that can create several problems, and plays an important role in ensuring the free flow of data (and also respect data subject’s rights) is related to International Transfers. From what we have seen, it is very hard to allow for these transfers to happen, especially when we think about the USA – which, most likely, will create direct conflicts between the USA and EU. There is, as Alexander Blumrosen states, “a risk that EU Member State National courts could refuse enforcement of international arbitration awards that are based on unlawfully transferred personal data in violation of such rules in application of the public policy exception.”[183]
Regarding ICSID Convention, there is an automatic enforcement in any ICSID Parties. Therefore, each contracting state party shall recognize an award as binding and enforce the pecuniary obligations (see article 54(1) of ICSID Convention). Under article 52 of ICSID Convention, and contrarily to the New York Convention, no public policy exception is allowed. Looking at the reasons on which the parties may request the annulment of the award, it is quite hard to find something that might be suitable to this situation.[184] Having in mind all of these options, none seems adequate. As a last resource, it could be argued that there had been a serious departure from a fundamental rule of procedure, but again this will depend on the consideration of the data protection regulations as procedural or substantive law.[185]
The GDPR cannot be used as a way to react against decisions, just because the parties did not like the outcome. One final note should be made to the case Eco Swiss China Time Ltd vs. Benetton International NV[186], where the ECJ held that the provisions of Article 81 EC (ex Article 85) may be regarded as a matter of public policy within the meaning of the New York Convention.[187] Thus, it after concluded that a national court where an application is made for annulment of an arbitration award must grant that application if it considers that the award in question is in fact contrary to Article 81 EC (ex Article 85) of the Treaty, where its domestic rules of procedure require it to grant an application for annulment founded on failure to observe national rules of public policy.[188] We shall see in the following years if any development on this regard is made.[189]
 
 
4. A data protection agreement as a path to follow? 
In order to prevent many of the issues analyzed throughout this essay, it may be necessary to put in place a data protection agreement, in order to address the requirements demanded by different legislations[190], such as the GDPR. Kathleen Paisleystates that this might take several forms. For example, party agreement, a stipulation or a tribunal order.[191] After all, in a case where the application of the GDPR is possible, it is essential to guarantee that not only the parties, as well as representatives, witnesses, experts, the tribunal, comply with the different provisions of the regulation.[192]
We cannot forget that a process of arbitration implies different flows of personal data processing[193] and, as we have already pointed out, this is a new issue. Thus, the provisions of the regulation are not helpful in order to know what to do in these situations. Additionally, the biggest advantage of this process is related to the increase of “arbitral efficiency while minimizing data protection risks.”[194] Moreover, we say that this should be a practice inherent to all proceedings and not only the ones involved the GDPR, because there are multiple data protection laws on this matter. By doing their own Agreement, it will be easier for the parties, as well as the Tribunal to ensure that the GDPR is not used in a way to gain a certain advantage in the proceeding (for example, refuse an award on the basis of the non-fulfillment of the GDPR or refuse to present an evidence), as well as it might solve in advance some of the points that later will be problematic.
 
 
5. Conclusion 
To sum up, throughout this article, we have seen how the GDPR impacts the proceeding of an International Arbitration. The reality is changing which day, not only in International Treaty Arbitration, as well as in International Commercial Arbitration. Moreover, different protocols are being adopted by the different tribunals, which is a clear sign of the growing significance that is being given to it. On the other hand, from a GDPR’s point of view, it is clear that the proceeding of an international arbitration implies the processing of different personal data.
Additionally, we have seen how it might be tricky to consider the extraterritorial application of the GDPR, as some case law demonstrates a strict approach when it comes to know if the regulation can be applicable and many countries, even though some evolution has been made, do not have similar rules to the GDPR. Therefore, international data transfers are difficult, namely because the Commission hasn’t adopted so many adequacy decisions so far, as wel as article 46 and 49(2) seem difficult to be applicable. One last resource might reside on invoking article 49(1)(e) by demonstrating that the transfer is necessary for the establishment, exercise or defense of a legal claim.
Thus, and we enter the analysis of the GDPR itself, we may see how hard it is to articulate the rules with the needs of international arbitration, namely on regards to online hearings and evidence. In our point of view, when it is possible to apply the regulation, it is essential for the different processors and controllers to take into consideration the requirements demanded, but we do not think that the GDPR can be used as a “shield” for the different parties in order to maneuver the arbitration itself. There must be a solid and coherent ground on its application, by taking into consideration all the specifications inherent to international arbitration. 
We do not know what the future holds, as it seems that only now we are starting to take more seriously data protection issues. In the future, the different tribunals will have to adapt themselves and, above all, be prepared for the digital transformation, which means that the GDPR will continue to play a crucial role in the following years. After all, in this new era, it seems that International Arbitration and Data Protection Law, will collide to offer a better approach of the law. The future starts now. 
 
 
Bibliography 
Afonso, Filipe Galvão Teles Sanches, “The fifth arbitrator? The Role of Artificial Intelligence to Tribunals in International Arbitration”, in Revista International de Arbitragem e Conciliação, Volume XIII, 2020, pp. 147-188 
Alamdari, Bahar Hatami, “The Question of Remote Hearings in International Commercial Arbitration”, in Lalani, Shaheeza / Shapiro, Steven G. (ed), The Impact of Covid on International Disputes, Leiden, Brill Nijhoff, 2022, pp. 141-156 
Ayala, Madalena Dinis, “The Rising Inefficiency in Arbitration: is Technology the Solution?”, in Revista de International de Arbitragem e Conciliação, Volume XVI, 2021, pp. 115-145
Bajpai, Ananya / Kala, Shambhavi, “Data Protection, cybersecurity and International Arbitration: Can they reconcile?”, in Indian Journal of Arbitration Law, Volume 8, Issue 2, 2020, pp. 1-18
Barbosa, Mafalda Miranda, “Do Juiz Árbitro ao software juiz árbitro: uma evolução possível?”, in Revista Internacional de Arbitragem e Conciliação, Volume XIII, 2020, pp. 37-64 
Berg, Albert Jan Van Den, The New York Convention of 1958: An Overview, https://cdn.arbitration-icca.org/s3fs-public/document/media_document/media012125884227980new_york_convention_of_1958_overview.pdf (02.02.2024)
Bermann, George A., “The Future of International Commercial Arbitration”, in Lim, C. L. (ed) The Cambridge Companion to International Arbitration, Cambridge, Cambridge University Press, 2021, pp. 138-175
Bienvenu, Pierre / Grant, Benjamin, “Data Protection and Cyber risk issues in Arbitration”, in International Arbitration Report, Issue 13, Norton Rose Fulbright, 2019, pp. 19-21
Blackbaby, Nigel, et. al., Redfern and Hunter on International Arbitration, Oxford, Oxford University Press, 2015 
Blumrosen, Alexander, “The Allocation of GDPR Compliance in Arbitration”, in Dona, José R. Mata Dona / Lavranos, Nikos (ed) International Arbitration and EU Law, Cheltenham, Edward Elgar Publishing, 2021, pp. 92-109
Bygrave, Lee. A., “Article 25”, in Kuner, Christopher / Bygrave, Lee A. / Docksey, Christopher (ed), The EU General Data Protection Regulation (GDPR), Oxford, Oxford University Press, 2020, pp. 571-581
Carvalho, Jorge Morais, Direito do Consumo, 7.º Edition, Coimbra, Almedina, 2021
Cirkeveni, Neva / Neuburger, Per, “Clash of the Titans: GDPR and International Arbitration – A Look at the Future”, Rechtsanwälte Attorneys Law, 2021, available https://oblin.at/publication/clash-of-the-titans-gdpr-and-international-arbitration-a-look-at-the-future/ (13.09.2023)
Cohen, Stepanie / Morril, Mark, “A Call to Cyberarms: The International Arbitrator’s duty to avoid digital intrusion”, in Fordham International Law Journal, Volume 40, Issue 3, pp. 981-1022 
Cordeiro, A. Barreto Menezes, “Dados Pessoais: conceito, extensão e limites”, in Revista de Direito Civil, Ano 3, Volume 2, 2018, pp. 297-321
Cordeiro, A. Barreto Menezes, Direito da Proteção de Dados à luz do RGPD e da Lei n.º 58/2019, Coimbra, Almedina, Reimpressão, 2020
Cordeiro, A. Barreto Menezes, “Artigo 2.º”, in Cordeiro, A. Barreto Menezes (Coord.) Comentário ao Regulamento Geral de Proteção de Dados e à Lei n.º 58/2019, Coimbra, Almedina, 2021, pp. 66-70 
Cordeiro, A. Barreto Menezes, “Artigo 3.º”, in Cordeiro, A. Barreto Menezes (Coord.) Comentário ao Regulamento Geral de Proteção de Dados e à Lei n.º 58/2019, Coimbra, Almedina, 2021, pp. 70-77
Douglas, Zachary, “The Hybrid Foundations of Investment Treaty Arbitration”, in British YearBook of International Law, Volume 74, Issue 3, 2003, pp. 151-289
Egan, Mo / Yu, Hong-Lin, “Intersecting and Dissecting Confidentiality and Data Protection in Online Arbitration”, Journal of Business Law (forthcoming), 2022, pp. 1-27, available at https://dspace.stir.ac.uk/handle/1893/31758 (29.04.2024)
Franck, Susan D., “The Legitimacy Crisis in Investment Treaty Arbitration: Privatizing Public International Law Through Inconsistent Decisions”, in Fordham Law Review, Volume 73, Issue 4, 2005, pp. 1521-1625
Georgaki, Konstantina, “Conflict Resolution between EU Law and Bilateral Investment Treaties of the EU Member States in the Aftermath of Achmea”, in Yearbook of European Law, 2023, pp. 1-27, available https://doi.org/10.1093/yel/yeac012(19.09.2023)
Giupponi, Belen Olmos, “Virtual Dispute Resolution in International Arbitration – Mapping its advantages and main caveats in the Face of Covid-19”, in Lalani, Shaheeza  / Shaprio, Steven G. (ed) The Impact of Covid on International Disputes, Leiden, Brill Nijhoff, 2022, pp. 62-83
Gordon, Clara-Ann, “The Impact of GDPR on International Arbitration – a Practical Guideline”, in Dispute Resolution Journal, Volume 74, Issue 4, 2019, pp. 27-34
Hay, Emiliy, “The Invisible Arm of the GDPR in International Treaty Arbitration: Can’t we make it go away?”, in Kluwer Arbitration Blog, 2019, available https://arbitrationblog.kluwerarbitration.com/2019/08/29/the-invisible-arm-of-gdpr-in-international-treaty-arbitration-cant-we-make-it-go-away/ (11.11.2023)
Henry, Marc, “An Arbitrator’s Perspective: Confidentiality – Privacy – Security in the Eye of the Arbitrators or the Story of the Arbitrator who Became a Bee”, in Vicente, Dário Moura Vicente / Oliveira, Elsa Dias / Almeida, João Gomes de (ed) Online Dispute Resolution – New Challenges, Baden-Baden, Nomos, 2022, pp. 181-204
Hirsch, Dennis D., “The Glass House Effect: Big Data, The New Oil and the Power of Analogy”, in Maine Law Review, Volume 66, 2014, pp. 373-495
Houser, Kimberly A. / Bagby, John W., “The Data Trust Solution to Data Sharing Problems”, Vanderbilt Journal of Entertainment & Technology Law, Volume 25, Issue 1, 2023, pp. 113-180
Howard, David, “Foreign Data Protection in International Arbitration and United States Litigation”, in Texas International Law Journal, Volume 55, Issue 3, pp. 395-407
Huang, Jie Jeanne, “Conflicts and Tentative Solutions to Protecting Personal Data in Investment Arbitration”, in The European Journal of International Law, Volume 32, no. 4, 2021, pp. 1191-1220
Huang, Jie Jeanne / Xie, Dan, “Data Protection Law in Investment Arbitration: Applicable or Not?”, in Arbitration International(forthcoming), pp. 1-47, 2021, available https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3763222 (02.10.2023)
Kelleher, Denir / Murray, Karen, EU Data Protection Law, London, Bloomsbury Professional, 2018
Klar, Manuel, “Art. 3 Raumlicher Anwendungsbereich”, in Kühling, Jürgen / Buchner, Benedikt (ed), Datenschutz-Grundverordnung/BDSG Kommentar, 2.ª Auflage, Munich, C.H. BECK, 2018, pp. 109-137
Kranenborg, Herke, “Article 2 Material Scope”, in Kuner, Christopher / Bygrave, Lee A. / Docksey, Christopher (ed), The EU General Data Protection Regulation (GDPR), Oxford, Oxford University Press, 2020, pp. 60-73
Kuner, Christopher, “Article 45. Transfers on the basis of an adequacy decision”, in Kuner, Christopher / Bygrave, Lee A. / Docksey, Christopher (ed), The EU General Data Protection Regulation (GDPR), Oxford, Oxford University Press, 2020, pp. 771-796
Landi, Niccolò, “Remote Hearings: Observations on the Problem of Personal Data Protection and Cybersecurity”, in Does a Right to a Physical Hearing Exist in International Arbitration?, International Council for Commercial Arbitration, 2022, pp. 127-165, available http://www.arbitration-icca.org/ (12.12.2023)
Lavranos, Nikos, “The Need for a Data Protection Protocol for Arbitration Proceedings”, in Pratical Law Arbitration Blog, 2019, available http://arbitrationblog.practicallaw.com/the-need-for-a-data-protection-protocol-for-arbitration-proceedings/(03.02.2024)
Mazetova, Elena, “Data Protection Regulation and International Arbitration: Can There be Harmonious Coexistence (with the GDPR Requirements Concerning Cross Border Data Transfer?)”, in Legal Issues in the Digital Age, 2/2021, 2021, pp. 21-48
Merrilis, J. G., International Dispute Settlement, Sixth Edition, Cambridge, Cambridge University Press, 2018
Moniz, Graça Canto, Manual de Introdução à Proteção de Dados, Coimbra, Almedina, 2023
Paisely, Kathleen, “It’s All about the Data: The Impact of the EU General Data Protection Regulation on International Arbitration”, in Fordham International Law Journal, Volume 41, Issue 4, 2018, pp. 841-936
Pinheiro, Alexandre Sousa / Gonçalves, Carlos Jorge, “Artigo 45.º Transferências com base numa decisão de adequação”, in Pinheiro, Alexandre Sousa et. al. (ed) Comentário ao Regulamento Geral de Proteção de Dados, Coimbra, Almedina, 2018, pp. 504-512 
Pinheiro, Alexandre Sousa / Gonçalves, Carlos Jorge, “Artigo 49.º Derrogações para situações específicas”, in Pinheiro, Alexandre Sousaet. al. (ed) Comentário ao Regulamento Geral de Proteção de Dados, Coimbra, Almedina, 2018, pp. 524-530
Pollicino, Oreste / Bassini, Marco / Gregorio, Giovanni de, Internet Law and the Protection of Fundamental Rights, Bocconi, Bocconi University Press, 2022
Poulsen, Lauge N. Skovgaard, “The Investment Treaty Arbitration”, in Pevehouse, Jon C. W. /  Seabrooke, Leonard (ed) The Oxford Handbook of International Political Economy, Oxford, Oxford University Press, 2021, available https://doi.org/10.1093/oxfordhb/9780198793519.013.26 (accessed 01.05.2023) 
Rosenthal, David, “Complying with the General Data Protection Regulation (GDPR) in International Arbitration – Practical Guidance”, in Asa Bulletin, Volume 37, Issue 4, 2019, pp. 822-837
Sharma, Tanmayi, “Evidence in International Arbitration: Admissibility, Relevance and Differences between Common and Civil Law”, in Católica Law Review, Volume II, n. º 2, 2018, pp. 99-113
Stach, Christoph, “Data is the New Oil-Sort of: A View on Why this comparison is misleading and its implications for Modern Data Administration”, in Future Internet, 15, 71, 2023, pp. 1-49, available https://doi.org/10.3390/fi15020071 (13.11.2023)
Svantesson, Dan, “Article 3. Territorial Scope”, in Kuner, Christopher / Bygrave, Lee A. / Docksey, Christopher (ed), The EU General Data Protection Regulation (GDPR), Oxford, Oxford University Press, 2020, pp. 74-99
Teixeira, Dina Freitas, “Artigo 45.º Transferência com base numa decisão de adequação”, in Cordeiro, A. Barreto Menezes (Coord.) Comentário ao Regulamento Geral de Proteção de Dados e à Lei n.º 58/2019, Coimbra, Almedina, pp. 320-328
Teixeira, Dina Freitas, “Artigo 46.º. Transferências Sujeitas a Garantias Adequadas”, in Cordeiro, A. Barreto Menezes (Coord.) Comentário ao Regulamento Geral de Proteção de Dados e à Lei n.º 58/2019, Coimbra, Almedina, pp. 329-336
Terwangne, Célie de, “Article 5: Principles Relating to processing of personal data”, in Kuner, Christopher / Bygrave, Lee A. / Docksey, Christopher (ed), The EU General Data Protection Regulation (GDPR), Oxford, Oxford University Press, 2020, pp. 309-320
Viscasillas, Pilar Perales, “An Arbitrator’s Perspective: Online hearings in Arbitration: the taking of Evidence”, in Vicente, Dário Moura / Oliveira, Elsa Dias / Almeida, João Gomes de (ed) Online Dispute Resolution New Challenges, Baden-Baden, Nomos, 2022, pp. 107-131
 Vicente, Marta, “The European Union’s Proposal for the Modernization of the Energy Charter Treaty”, in European Energy and Environmental Law Review, Volume 31, Issue 3, 2022, pp. 124-134
Voss, W. Gregory / Houser, Kimberly A., “Personal Data and the GDPR: Providing a Competitive Advantage for U.S Companies”, in American Business Law Journal, Volume 56, Issue 2, pp. 287-344
Zahariev, Martin, “Mission (im)possible: Where GDPR Meets Commercial Arbitration”, in Klausegger, Christian et. Al. (ed) Austrian Yearbook on International Arbitration, Bern, C.H. Beck, 2020, pp. 3-21
 
 
Relevant Documents 
American Arbitration Association-International Center for Dispute Resolution, Virtual Hearing Guide for Arbitrators and Parties, adopted on 9^th may 2020  
Article 29 Data Protection Working Party, Opinion 4/2007 on the concept of personal data, adopted on 20^th June 2007
Article 29 Data Protection Working Party, Working Document 1/2009 on pre-trial discovery for cross border civil litigation, adopted on 11^th February 2009
European Data Protection Board, Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, adopted on 25^th May 2018 
European Data Protection Board, Guidelines 3/2018 on the territorial scope of the GDPR, adopted on 16^th November 2018 
European Data Protection Board, Guidelines 3/2021 on the territorial scope of the GDPR (Article 3), adopted on 7^th January 2020. 
European Data Protection Board, Guidelines 05/2020 on consent under Regulation 2016/679, Version 1.1, adopted on 4^th May 2020
European Data Protection Board, Guidelines 4/2019 on Article 25 – Data Protection by Design and by Default, adopted on 20^thOctober 2020
Hong Kong International Arbitration Center, Guidelines for Virtual Hearings, adopted on 15^th May 2020, available https://www.hkiac.org/news/hkiac-guidelines-virtual-hearings (02.12.2023)
International Bar Association, Rules on the Taking of Evidence in International Arbitration, adopted on 17^th December 2020, available https://www.ibanet.org/ (13.11.2023) 
International Bar Association, Commentary on the Revised text of the 2020 IBA Rules on the Taking of Evidence in International Arbitration, 2021, available https://www.ibanet.org/MediaHandler?id=4F797338-693E-47C7-A92A-1509790ECC9D (02.01.2024)
International Council for Commercial Arbitration / International Bar Association, Joint Task Force on Data Protection in International Arbitration – Roadmap to Data Protection in International Arbitration, 2022, available  https://www.arbitration-icca.org/icca-reports-no-7-icca-iba-roadmap-data-protection-international-arbitration (15.10.2023).
International Council for Commercial Arbitration / International Bar Association / New York City Bar / International Institute for Conflict Prevention & Resolution, Protocol on Cybersecurity in International Arbitration, 2022, available https://cdn.arbitration-icca.org/s3fs-public/document/media_document/ICCA-reports-no-6-icca-nyc-bar-cpr-protocol-cybersecurity-international-arbitration-2022-edition.pdf (15.10.2023)
Korean Commercial Arbitration Board, Seoul Protocol on Video Conferencing in International Arbitration, adopted on 18^th March 2020  
 
 
Cases
European Court of Justice (ECJ) Eco Swiss China Time Ltd vs. Benetton International NV, 1/06/1999, C-126/97
European Court of Justice (ECJ), Lindqvist, 06/11/2003, C-101/01
European Court of Justice (ECJ), Maximilian Schrems v. Data Protection Commissioner (Schrems I), 6/10/2015 C-362/14
European Court of Justice (ECJ), B v. Latvijas Republikas Saeima, 22/06/2021, C-439/19 
European Court of Justice (ECJ), Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (Schrems II), 16/07/2020, C-311/18 
European Court of Justice (ECJ), Norra Stockholm Bygg AB v. Per Nycander AB, Entral AB, 02/03/2023, C-268/21 
International Center for Settlement of Investment Disputes (ICSID), ConocoPhillips v. Venezuela, no. ARB/07/30. 
Decision on Respondent’s Request for Reconsideration, 10 March 2014, available at https://www.italaw.com/sites/default/files/case-documents/italaw3119.pdf       (19.11.2023)
Permanent Court of Arbitration (PCA), Tenant Energy, LLC v. Government of Canada, no. 2018-54
Claimant’s E-mail to the Tribunal regarding the Application of the EU GDPR, 2019, available at https://www.italaw.com/cases/7250 (20.10.2023)
Respondent’s Letter to the Tribunal regarding EU GDPR, 2019, available at https://www.italaw.com/cases/7250 (accessed 25.10.2023). 
Questions and Claimant’s Response to the Tribunal GDPR Questions and Data Privacy, 2019, available at https://www.italaw.com/cases/7250 (26.10.2023) Tribunal’s Communication to the Parties, 2019, available https://www.italaw.com/cases/7250 (29.10.2023)
Permanent Court of Arbitration (PCA), Elliott Associates, L.P. (USA) v. Republic of Korea, No. 2018-51
 
 
Legislation 
International Chamber of Commerce Rules of Arbitration, 1 January 2021
London Court International Arbitration Rules, 1 October 2020
Regulation (EU) 2016/679 of the European Parliament of the Council, 27 April 2016
UNCITRAL Arbitration Rules, General Assembly Resolution 31/98
Vienna International Arbitral Center Rules and Mediation, 1 July 2021