[Rishav Ray is a 4th year B.A. LL.B. (Hons) student at the School of Law, Christ (Deemed to be University), Bangalore]
One of the fundamental underlying principles of arbitration is ‘confidentiality’. Confidentiality and privacy act as counterparts in protecting the essence of arbitration. While confidentiality refers to the non-disclosure of materials placed during proceedings and the award without the consent of the parties, privacy makes sure that no third-party has access to the proceedings of the arbitration without the consent of the parties. These twin features of arbitration give it an edge over traditional litigation and have greatly contributed to its popularity. However, with the growing adoption of technology in arbitration proceedings, this benefit is on the verge of facing a compromise. The rising number of cyberbreaches have increased the need for data protection exponentially since it poses a direct threat to the confidential nature of the arbitral process. A glaring example of such a compromise is the 2015 cyber breach of the Permanent Court of Arbitration’s (PCA) website using a malware to cause data theft during the China-Philippines cross border dispute. The interception of crucial correspondence during Libananco v. Republic of Turkey is another addition to the list. The cyber-attacks are no longer limited to data breaches during arbitral proceedings. The use of evidence obtained through data theft has seen a rise in the international arbitration regime. Evidence obtained from Wikileaks was presented before the tribunals in a number of cases including the Yukos disputes and the Conoco Philips case. These incidents clearly reflect that data protection in arbitration is the need of the hour.
GDPR and its Role in Data Protection in Arbitration
The General Data Protection Regulation (“GDPR”) was framed with the objective of ensuring the free movement of personal data of ‘identified or identifiable natural person[s]’. Its scope is not only restricted to individuals but also covers legal persons, agencies, public authorities, and international organizations. The sanctions imposed by the GDPR may amount to 4 per cent of the breaching entity’s worldwide annual turnover of the preceding financial year or 20 million Euros, whichever is higher. Even though arbitration as a process is not under the purview of the GDPR, the individuals and legal entities involved in the process have an obligation to follow GDPR principles. Even if one participant of the arbitration is a subject under GDPR, the entire process gets subjected to it. This is where the extra-territorial application of the regulation comes into play. For example, a witness based in the European Union (“EU”) who is subjected to the GDPR shall bring the principles into the arbitral process even if the arbitration is based out of EU and is completely independent of it. With the increase in remote hearings, the applicability of GDPR in arbitration too has increased owing to the automated means of document exchange. The substantial amount of information that is transacted or exchanged between the parties, the counsels, the arbitrators and third parties during the proceedings qualifies as ‘personal data’, and the above named entities qualify as “identified or identifiable” data subjects. Additionally, the arbitrators can be considered to be the data controllers. Data Controllers are entities who are responsible for compliance with data protection laws. Arbitrators being the adjudicating authority in the process would be responsible for such compliance. The obligations encompass the need to establish a legal basis for processing data and ensuring that necessary organisational and technical safeguards are in place to safeguard agaisnt data breaches. Another requirement is to ensure that the data is not transferred outside the EU, baring a few situations. Secretaries, translators, transcribers, and others are considered to be data processors who can be delegated the task of data processing. The GDPR provides detailed guidelines as to how the task of the data processor will be limited to processing data based on the documented instructions from the controller.
In 2019, the ICCA and the IBA established a Joint Task Force on Data Protection in International Arbitration Proceedings. This Task Force was aimed at producing a consultation draft dealing with several data protection issues in arbitration and providing practical guidance on impact on data protection principles including those of the GDPR. Outside the EU, there have been parallel developments which strive toward ensuring data protection in arbitration.
Institutional Response Across the Globe
The ICC-NYC Bar-CPR Protocol on Cybersecurity in International Arbitration can be regarded as one of the most significant milestones in the path of ensuring data protection in arbitration. The Protocol focuses on addressing the issues of data security at the earliest and suggests that it should be done in the first case management conference itself. The tribunal has been shouldered with the responsibility to encourage discussions about reasonable informational security measures to ease party concerns about data and cyber security during the proceedings.
The London Court of International Arbitration in its 2020 Arbitration Rules empowered the tribunals to determine the situation when it would be appropriate to adopt specific information security measures and means to address processing of personal data produced from or during arbitral proceedings.
Another jurisdiction which has shown a tremendous concern towards the growing concerns of breach of data and cyber security is the South East Asian Jurisdiction. International Arbitration has grown immensely in South Eastern Asia and one of the primary reasons for this has been the growth and popularisation of institutions like SIAC (Singapore International Arbitration Centre), HKIAC (Hong Kong International Arbitration Centre), and KCAB (Korean Commercial Arbitration Board). The expansion of institutions like the CIArb (Chartered Institutes of Arbitrators) and the ICC (International Chamber of Commerce) into the Asian domain has acted as a catalyst to the popularisation of arbitration in the area. During the pandemic, there has been a great shift to Online Dispute Resolution and these virtual arbitrations came with their inherent risk of data breach. Thus, it was pertinent for the leading arbitral institutions to respond to this growing need of a robust data protection system in arbitration.
Data security in case of virtual arbitrations is the primary requirement of securing the dignity of any arbitral proceeding. The institutions give the parties the option of choosing their preferred platforms and ensure encrypted communication channels. This is common to all the institutions. However, the document sharing mechanism is different in each institution. For example, while the IAF and SIAC leave it to the parties to choose a secured sharing platform, HKIAC provides for an electronic presentation of evidence manager who shall be supplied with the documents for their safekeeping.
The ‘recording’ of proceedings requires the consent of parties and tribunal. The method of giving consent varies with change in jurisdictions. Under the Seoul Protocol, the discretion lies with the tribunal whereas in case of HKIAC the parties as well as the tribunal exercise their right to decide. SIAC and IAF are stricter with respect to the question of consent.
Arbitration being a private settlement requires maintaining confidentiality. Unlike litigation, here third parties cannot have free and unchecked access to the proceedings. The institutions provide provisions for maintenance of pre-approved list of participants who would be given access to the hearings. While HKIAC’s tracking is limited to recording the location of the participant, SIAC also tracks the duration and level of access provided to each participant in addition to other basic information.
Conclusion
There has been a great institutional response from across the globe in order to address the grave issue of data protection in arbitration. The ICCA – IBA Roadmap has done a significant job in filling the gaps. The parties as well as the institutions are in favour of implementing frameworks like GDPR owing to its wide range of coverage which includes most of the activities undertaken in an arbitration process. While institutions have shown a positive approach toward addressing this problem, one aspect that cannot be ignored at this juncture is the legal backing by domestic laws. While jurisdictions like EU, Singapore, Hong-Kong, Korea have a robust mechanism for data protection which is beneficial from the arbitration regime, the situation in India is not well settled yet since there is no proper backing for the IAF. The Personal Data Protection Bill, 2019, which addressed specific concerns related to confidentiality and explicit consent, has been withdrawn by the Government. It is to be seen what the revised data protection law of the country brings to the table. As far as the jurisdictions bereft of data protection laws are concerned, adoption of the ICCA-IBA Roadmap to Data Protection in International Arbitration can be a prudent way forward.
– Rishav Ray