Data Privacy in Arbitration

Leave a Comment / Blog / By

Introduction

The success of arbitration has significantly transformed the global legal landscape, with private industries, companies, firms, and government entities increasingly adopting the alternate dispute resolution mechanism. The key factor contributing to its burgeoning success is its time efficiency. As arbitration gains popularity, there is a parallel rise in the prominence of technology and privacy laws. The intersecting point between the two spheres arises due to the increasing utilisation of the digital context of arbitration proceedings and also, the swelling sensitivity of politically and commercially oriented arbitration matters underscoring the imperative to maintain confidentiality in handling the data involved in this process. In a 2022 survey conducted by ICC, 65% of those surveyed (counsel, arbitrators in-house counsel and corporate representatives) were more inclined towards adopting a specific measure to safeguard the privacy and security of electronically stored information, such as encryption 1). There have been constant strides in order to bring an extent of stability in term of granting protection to the multiple stakeholders involved in any such arbitration proceeding. Therefore, in line with these efforts, this blog aims to explore the relevance of data privacy within the realm of arbitration and examines the measures taken to safeguard against potential threats. Additionally, it further analyses India’s position on this issue.

Data Privacy in International Arbitration

As we go deep into the world of arbitration, we are realising an urgent necessity to develop a robust data protection framework circumventing the arbitration regime all over the globe. If one has to view the susceptibility of a data breach in the arbitration proceeding, it is evident that now, the original documents of most of the evidence are in a digital format and accessed by counsels and arbitrators alike electronically. Further, the correspondence over time has shifted to online mode especially post COVID-19. The documents that are being transmitted online do not generally have any trail of modification attached to them, thus there is a potential risk of a cyber-attack. The data can easily be modified or changed or even erased entirely. During the height of a maritime border conflict between China and the Philippines in July 2015, the Permanent Court of Arbitration (PCA) experienced a cyberattack on its website. Hackers inserted malware into the PCA’s site, leading to the potential compromise of visitors’ computers and the risk of data theft 2).  

Even though this prime event of cyberattack prompted the International and National arbitral institutions to discuss the urgency of data protection rules to safeguard the interest of every stakeholder, but there is still much left to be done. Similarly, the case of Libanaco vs Republic of Turkey 3 is another addition to the list, where an interception happened online during a crucial correspondence between the parties. In 2018, a survey was conducted by the Queen Mary school of Internation Arbitration to detect the major problems surrounding arbitration, wherein the majority of the respondents listed “the security of the electronic communications and information” as an issue that needs to be addressed in arbitration institutions 4. The institutions ushered the expansion of GDPR in arbitration, given its wide scope and effect. The concept of ‘personal data’ has been defined naturally in a wide context and includes by design any private information that is transferred during any fixed process or in any varied setup 5). Thus, at times the EU exports the GDPR obligations in the arbitration disputes in order to secure the interest of the parties involved. The most prominent reaction to the attack on PCA is the Cybersecurity Protocol for International Arbitration published by the ICCA, the New York City Bar Association and the CPR Institute in the year 2019. The Protocol once adopted gives the tribunal the power to determine what security measures are reasonable for the case, taking into account the views of the parties 6). Moreover, the London Court of Arbitration has also in its 2020 Arbitration Rules (revision of 2014 Arbitration rule), granted tribunals the authority to decide when it is suitable to implement particular information security measures and methods for handling personal data generated during arbitral proceedings. The harrowing concerns around the indubitable risk of data breaches and theft has significantly caused major positive disruptions in the furrow of international arbitration, but if we care to look at the domestic framework of India in the same context we find a dearth of data protection rules and regulations in relation to its arbitration landscape. 

Position in India

India stands at a crucial juncture presently to further the discussion of the pertinence of data confidentiality in the field of arbitration. In 2019, the Indian legislature made some progress by adding sections 42A and 43K in the Indian Arbitration and Conciliation Act, 1996. Section 43K dictates the Arbitration Council of India to maintain an electronic depository of the arbitration awards and such other related documents as may be specified. Section 42A on the other hand promotes the duty on the part of the arbitrators, arbitration institution and the parties to maintain the confidentiality of the arbitration proceedings other than the awards. Although 42A provides for an obligation to maintain confidentiality, it certainly lacks the power to investigate whether there has been any breach of confidentiality or not. To create more confusion the provision also does not provide for the consequences in case of a breach nor it is clear on its nature of application i.e., retrospective or prospective 7

Besides the predicament of section 42A being poorly drafted, section 43K creates a challenge for the smooth application of the confidentiality clause. The High-Level Committee, chaired by retired Justice Krishna Iyer, proposed that for optimal enforcement of the additional sections, access to the repository, as mandated by provision 43K, should be restricted solely to courts, specifically for designated arbitral cases. However, this recommendation was entirely set aside and finds no indication in the repository provision making it inadequate to deal with the concerns of the data privacy in arbitration 

Conclusion

In conclusion, the increasing reliance on arbitration as a dispute resolution mechanism, coupled with the rapid digitalization of proceedings, underscores the critical importance of data privacy and security in international arbitration. The evolving landscape of arbitration demands a robust framework to safeguard against potential cyber threats and breaches, which can compromise the integrity and confidentiality of proceedings.

Instances like the cyberattack on the Permanent Court of Arbitration and interception during critical correspondence highlight the vulnerabilities inherent in the digital arbitration process. In response, international and national arbitral institutions have begun addressing these concerns, with initiatives such as the Cybersecurity Protocol for International Arbitration and the expansion of GDPR principles into arbitration frameworks. However, despite these positive strides, challenges persist, particularly in jurisdictions like India where there remains a gap in comprehensive data protection regulations concerning arbitration. Bridging this gap is essential to ensure the credibility and effectiveness of arbitration proceedings in such jurisdictions.

Moving forward, a collaborative effort involving stakeholders, arbitral institutions, and policymakers is imperative to establish robust data protection frameworks tailored to the unique needs of arbitration. This includes implementing stringent security measures, promoting awareness and education on data privacy best practices, and harmonizing international standards to ensure consistency and effectiveness across jurisdictions.In doing so, we can reinforce trust in arbitration as a fair, efficient, and secure means of resolving disputes in the global arena, while upholding the fundamental principles of confidentiality and privacy for all parties involved.

  1. Queen Mary University London, Report on Adapting Arbitation to a changing world, (2022[]
  2. The Republic of Philippines v. The People’s Republic of China, 55 ILM 805 (2016[]
  3. ICSID Case No. ARB/06/8[]
  4. Supra note. 1[]
  5. Data protection and cybersecurity in internation arbitration remain in the spotlight, available at: https://www.freshfields.com/ (last visited on 26 Janurary[]
  6. ICCA-NYC Bar-CPR Protocol on Cybersecurity in International Arbitration (revised in 2022[]
  7. Jaideep Krishna, “Confidentiality under the Indian Arbitration Regime”, 3 IALR (2021) 84[]

Related Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top