We live in a world of disruption in which the scope and pace of change are unprecedented. This disruption is pervasive, and technology, being prone to constant change, is challenging traditional constructs, services, and institutions, and is even being used as a weapon. In the current scenario, arbitration has become the preferred mode of dispute resolution in international business owing to the various benefits that it entails. Considering the most important grounds influencing their decisions, most parties choose arbitration to resolve their disputes. This makes data protection a bigger priority than ever. With the world constantly changing after the effects of COVID-19, most arbitration procedures shifted to virtual hearings. The impact of COVID-19 on international arbitration compelled the stakeholders involved to adapt to video conferences and virtual meetings and to exchange information and documents digitally, as it was not possible to conduct hearings physically. Many consider this an evolution in dispute resolution and have realised the potential of technology in resolving disputes effectively. Though virtual hearings may seem fascinating, they raise serious concerns regarding the protection of the data exchanged. While focusing on the growth of effective digital communication in arbitration, it is equally important to focus on the protection of data in arbitration hearings, as cyberattacks and hacking are not uncommon in international arbitration. Even otherwise, effective case management mandates that data be protected and confidentiality be maintained at all stages of arbitration.
In various jurisdictions, failure to comply with data protection regulations results in significant risks and penalties. Data protection mainly involves the relationship between the collection and dissemination of data and technology. It intends to find the right balance between individual privacy rights and the use of data for business activities. However, it is essential to note that while cybersecurity laws vary from country to country, associations have come together to create solutions to the issue of cybersecurity in international arbitration. Examples include the ICC-NY Bar CPR protocol, the IBA cybersecurity guidelines, and the ICCA-IBA road map to data protection in international arbitration.
As mentioned above, in the current scenario, international regulations on data protection are vague. After the digital shift in international arbitration, however, institutions like the ICC have updated themselves by creating guidelines like principle 10 of the ICC-NYC Bar-CPR Protocol, which states that the very first case management meeting should bring up and address data security concerns, where “reasonable informational security measures, issues about the willingness of the parties to engage in specific security measures, and disputes concerning reasonable information security measures” should be addressed. This is a significant step toward data protection and shows its rising importance. Moreover, the ICC-NYC Bar-CPR protocol states that the parties to the arbitration are jointly responsible for ensuring that all parties involved in the arbitration are aware of and comply with any cybersecurity measures imposed.¹ Given that arbitral institutions hold large volumes of high-value, highly commercial, and sensitive information about the matters they administer, institutions need to take all preventative measures to ensure that all parameters of data protection, privacy, confidentiality, and cybersecurity are met. This may have a significant impact on data protection, but past experience shows that it depends very much on implementation and adherence by the parties. The importance of data protection becomes clear in cases such as the July 2015 hack on the Permanent Court of Arbitration during a maritime border dispute between China and the Philippines. Further, the need for a protocol becomes clear in cases such as Conoco Phillips v. Venezuela² and Caratube International Oil Co. LLP v. Republic of Kazakhstan³, where parties relied on evidence obtained from WikiLeaks. Following the shift towards virtual hearings, institutions like the Hong Kong International Arbitration Centre (HKIAC) and the London Court of International Arbitration (LCIA) include clauses addressing the cybersecurity issue.
The most recent is the LCIA’s updated 2020 rules, which allow the Arbitral Tribunal to determine “any specific information security measures to protect the physical and electronic information shared in the arbitration and any measures and means to address the processing of personal data produced or exchanged in the arbitration in light of applicable data protection or equivalent legislation”. It is pertinent to note that the LCIA is one of the first arbitral institutions to include such a requirement.
Moreover, in the EU, the General Data Protection Regulation (GDPR) has significantly altered the data protection landscape. Applying to personal data, the GDPR has a broad scope of application, covering entities in the EU and entities outside the EU processing data of EU-based individuals.
In major international institutions, there has been a considerable amount of upgradation towards the digital aspects of arbitration. Turning to India, there have been amendments to the Arbitration and Conciliation Act to tackle data protection. Furthermore, since there is no collective domestic approach to follow when drafting arbitration clauses, extra care must be taken to ensure confidentiality in arbitration. The Arbitration and Conciliation Act, 1996, was amended in 2019, and Section 42-A was introduced to tighten data confidentiality during arbitration proceedings. The amendment also makes it possible for the “Arbitration Council of India” to serve as the “keeper” for arbitral proceedings. It is important to note that the amendments raise some questions about the Personal Data Protection Bill, 2019, as it remains unclear whether an arbitrator or an arbitral institution is a “data fiduciary” under the PDP Bill.⁴ Further, the PDP Bill stipulates that only information required to assert a legal claim may be revealed. However, the conditions for revelation are still not clear, and the Bill does not explicitly cover arbitration.
Cyber threats in the context of arbitration
Cyber threats in an arbitration range from tampering with or falsifying data and penetration of systems and databases to obtain information, to sabotage and hacks. In a maritime territorial dispute involving China and the Philippines, the website of the Permanent Court of Arbitration (PCA) was hacked and malware was implanted on it, which affected the computers of visitors.⁵ Therefore, it is important that institutions ensure appropriate technical and organisational measures to safeguard the security of data.
It is thus necessary to have a proper cybersecurity policy in place, and while implementing such a policy, it is vital to keep in mind the risks relating to third parties. Further, all parties involved may consider enabling all members to destroy the information on their devices from a remote location if a device containing dispute-related data is lost or stolen. Institution-related devices should not include programs from unknown or untrusted sources, e-mails containing links and requesting input data must be checked beforehand, and file attachments of unknown origin should not be opened, as they carry a high risk of unwanted malware. Documents exchanged between parties should be password protected to enhance the security of files transferred across internet connections. The parties can also use safe platforms for sharing critical documents used during proceedings.
In the current scenario, a stringent data protection framework is needed in India, given the irregularity in the existing framework. Though one can argue that there is domestic legislation with provisions for data protection, in the context of arbitration the solution lies in moving towards institutional arbitration, which can assure greater compliance and put in place reliable data protection measures and a cybersecurity policy.
On the other hand, arbitral institutions must come up with guidelines and protocols to govern virtual hearings and incorporate best practices such as using software with an authentication process, using encrypted correspondence, and having robust administrative controls, to ensure that the integrity and security of data in arbitration are maintained. Parties must also draft confidentiality clauses that provide for proper protection and serious consequences in case of a breach. The use of secure networks must also be encouraged in arbitration proceedings, and at the same time, staff should be trained on the importance of protecting data.
† The article has been authored by Tariq Khan, Advocate and Registrar, International Arbitration & Mediation Centre. He was assisted by Purushraj Patnaik, 3rd Year B.B.A. LL.B. student at KIIT Deemed to be University. Views are personal.
1. International Arbitration Report – Norton Rose Fulbright. <https://www.nortonrosefulbright.com/-/media/files/nrf/nrfweb/knowledge-pdfs/international-arbitration-report—issue-14.pdf?la=en&revision=6edf090e-2dae-4845-a812-c912f12016d0>.
2. ICSID Case No. ARB/07/30.
3. ICSID Case No. ARB/08/12.
4. Guest, and Guest. (22-7-2020). “Data Confidentiality under the Indian Arbitration Regime: Challenges and Opportunities”. IndiaCorpLaw. Retrieved 15-10-2022, from <https://indiacorplaw.in/2020/07/data-confidentiality-under-the-indian-arbitration-regime-challenges-and-opportunities.html>.