DATA PROTECTION IN INTERNATIONAL ARBITRATION
Updated: Sep 7, 2021
Introduction: Confidentiality has historically been regarded as a fundamental principle of International Commercial Arbitration. In fact, in a survey held in 2018 by White & Case and Queen Mary University of London, it was found that 87% of the respondents believed that confidentiality in international commercial arbitration is of great importance. Therefore, confidentiality has often been deemed as the reason for the successful practice of International Commercial Arbitration and the reason why it is preferable over litigation. Therefore, given the trend towards greater adoption of technology in the process of international arbitration, the threat of data protection and cyberbreach can cause a direct threat to the confidential nature of the process. This threat is heightened by the fact that arbitral institutions or even ad-hoc arbitrators possess highly valuable, commercially sensitive information in their database while administering the process of arbitration, making them a prime target for such attacks. This is evident from cyberattacks in the Libananco v. Republic of Turkey case where crucial correspondence was intercepted and most infamously, the case of the cyber breach in the Permanent Court of Arbitration during the China-Philippines maritime arbitration. Therefore, we will attempt to understand the various instruments by which arbitral institutions and parties can improve their cyber-security and protect data while arbitrating.
Institutional Rules: Since the advent of virtual arbitrations in the institutional level, several institutions such as the HKIAC and LCIA have taken heed and incorporated provisions in their rules to address the issue. Such as the HKIAC in its 2018 Administered Arbitration Rules, wherein it provided that it is mandatory for parties to upload their files to a secured online repository where the parties have mutually agreed to. The other notable example is the LCIA 2020 Arbitration Rules which have included provisions that empower the tribunal to determine whether it is appropriate to adopt “any specific information security measures to protect the physical and electronic information shared in the arbitration and any measures and any means to address the processing of personal data produced or exchanged in the arbitration in light of applicable data protection or equivalent legislation”.
Application of GDPR in International Arbitration: The applicability of the General Data Protection Regulation (GDPR) to arbitration procedures has always been a debate fraught with criticism due to its unresolved possibilities. At the outset, the primary question is as to the possibility of the applying GDPR as the mandatory law where neither the parties nor the lex arbitri is the governing law of EU. To address the issues of applicability of the GDPR to an arbitration, it is pertinent to understand the scope of the matters that fall within the scope of the Regulation. Pertinently, the GDPR applies to all matters that fall within its material scope i.e., to all “processing of personal data wholly or partly by automated means” and its territorial scope i.e., to any data controller or processor established in the EU, as well as to one outside the EU if he/she offers goods or services to data subjects in the EU. The GDPR envisioned a wide provision for matters falling within its scope and considering that as a matter of practice, especially in the post-Covid scenario where parties have resorted to remote hearings, exchange of documents through automated means has become common, thus allowing for the possibility of GDPR applying to arbitrations. Therefore, it would not be far-fetched to say that GDPR impacts the arbitral process, an assumption that was first pointed out in Tennant Energy v. Canada. Once, the GDPR is found to be applicable to the arbitration proceeding there are two primary implications:
a. data processing is prohibited unless one of the grounds in Article 6(1) of GDPR is found to apply, of which Article 6(1)(f) maybe most pertinently noted which states that the legitimate interests of the data controller.
b. restrictions on the transfer of personal data outside of the EU, barring the grounds of derogation under Article 49 and appropriate safeguards applicable under Article 46.
Hence, by nature of these obligations, the GDPR covers a wide range of activities performed by Participants in arbitration, including those related to the preparation and sharing of arbitration documentation, which includes pleadings, witness statements, express reports, submissions and awards, along with those contemporaneous evidence, such as, emails, letters, logs, reports, notes, photos, video recordings and audio recordings.
Cybersecurity Protocol for International Arbitration: The most significant step towards ensuring better cyber security and data protection in conduct of international arbitrations is the ICC-NYC Bar-CPR Protocol on Cybersecurity in International Arbitration. According to Principle 10 of the Protocol, the issues of the data security should be raised and addressed at the first case management conference. The tribunal should be arranged to include the counsels in a discussion about the reasonable informational security measures, issues about the willingness of the parties to engage in specific security measures, and to talk about disputes concerning reasonable information security measures. It has been noted by studies that while there is no fool-proof solution to party concerns over cybersecurity, but the tribunal should highlight the gravity of the concern. Furthermore, it must be noted that Principles 11 and 12 of the Cybersecurity Protocol empowers the tribunal to determine any appropriate cybersecurity measures. Therefore, the Cyber Security Protocol has been quite greatly impactful in ensuring that the data generated during the course of the arbitral process is protected and that no undue breaches affect the arbitral process.
Conclusion: Therefore, with the increasing trend of gravitating towards virtual hearings in international arbitration, it is important that all arbitral institutions adopt an approach by virtue of which they would be able to protect the data and confidentiality during the arbitral process. To this end, the adoption of the Personal Data Protection Bill, 2019 can also have serious implications for international arbitrations seated in India. It has been abundantly clear parties and institutions are in favour of adopting data protection regimes such as the GDPR to the arbitral process, which means that the PDP Bill once adopted can positively impact and make India a favourable location for international arbitrations. Since, arbitral tribunals and parties both have a key role in enforcing guidelines to prevent data leaks and cyber breaches, it is important for arbitral institutions to emphasise on the need for the same in order to protect the confidentiality between the parties.
 ICSID Case No ARB/06/9.
 Article 3.1 (e), Hong Kong International Arbitration Centre (“HKIAC”) 2018 Administered Arbitration Rules.
 Article 30A, LCIA 2020 Arbitration Rules, 2020.
 Article 2(1), General Data Protection Regulation.
 Tennant Energy, LLC (U.S.A.) v. Government of Canada, PCA Case No. 2018-54, Tribunal’s Communications to the Parties (June 24, 2019).
 International Arbitration: A Miscellany of Data Protection Regimes and its Impact on Secured Arbitration, http://blogs2.law.columbia.edu/aria/international-arbitration-a-miscellany-of-data-protection-regimes-and-its-impact-on-secured-arbitration/