Authors: Smriti Shukla* and Yash Raj**
INTRODUCTION
With the onset of COVID-19, the world has gone virtual, and thus so have arbitral proceedings. Indeed, this new opportunity across the globe has numerous benefits, but then again, it has compelled us to look at data protection and cybersecurity concerns in a whole different light and raised before us a puzzling question: How does data protection play out across jurisdictions in international arbitration? In this piece, the authors attempt to discuss how the data protection regime works in international arbitration, which involves multiple actors from different jurisdictions providing different kinds of protection. These problems are snowballing in the wake of COVID-19, where data flows constantly through contactless hearings. Virtual hearings include the sharing of names, documents, email addresses, recording of video calls, and a lot more. Hence, it is pertinent to discuss the need for robust and arbitration-specific data protection laws.
MULTIPLE DATA PROTECTION LAWS ACROSS THE GLOBE
Major developments across the globe, such as the enactment of the General Data Protection Regulation (GDPR)[1] in the European Union, the Personal Data Protection Bill, 2019[2] based on the GDPR model in India, and the declaration of the Right to Privacy as a fundamental right in jurisdictions such as India[3], have increasingly led the discussion of data protection and cybersecurity in the field of arbitration. The recent tabling of this bill has a definite impact on Indian arbitration.
For instance, let’s suppose a hypothetical wherein a dispute arose between the EU and the USA, in which the arbitration is seated in Singapore or the arbitral institution is located in any third jurisdiction. As the information will be transferred through many jurisdictions, the tribunal, parties and counsel have to comply with the data protection laws of all three jurisdictions. Hence, due to the multiplicity of data protection laws in arbitration across the globe, there is a need for tailor-made guidelines specifically concerning international arbitration.
THE RESPONSE OF THE ICCA AND IBA: GUIDING DATA PROTECTION PRINCIPLES IN INTERNATIONAL ARBITRATION
The Intersection of International Arbitration and EU General Data Protection Regulation (GDPR)?
Recently, the International Convention for Commercial Arbitration and the IBA have established a joint task force to examine the applicability of data protection laws in international arbitration and prepare a guide on it for the participants. The task force prepared a roadmap which addresses the issue of data protection in arbitration and took a supranational legal framework, the GDPR, as its reference since it is the most adequate data protection regulation at present in the world.[4]
The GDPR specifically applies to personal data and has severe penalties for breach of the regulations.[5] Another intersectional feature of the GDPR and arbitration is that the GDPR can be applicable to a party completely independent of the EU, as it provides a wide scope of application. It can be applicable to entities in the EU and also to entities outside the EU for processing some data relating to EU-based individuals.[6] The whole process as to how the GDPR works is complex, but in the area of international arbitration it can be relevant even if the parties are not in Europe or the seat is not situated there. Therefore, it would not be far-fetched to say that the GDPR impacts the arbitral process, an assumption that was first pointed out in Tennant Energy v. Canada.[7] The ICCA-IBA task force, in the guidelines, has addressed this concern and elaborated on how data protection laws will apply to the international arbitral community, and has used the GDPR to discuss the same.
The GDPR defines the terms data “controller” and “processor” in Article 4(7) and Article 4(8) respectively.[8] Per the definition in the GDPR, solicitors and barristers could also be considered as controllers.[9] Relying on a similar concept in the GDPR, the ICCA-IBA task force, in its roadmap, regarded arbitral institutions, parties, arbitrators and counsel to be controllers or Arbitral Participants.[10] Hence, Arbitral Participants, per the GDPR guidelines, have to satisfy certain requirements such as, under Article 7(1), obtaining the consent of the ‘data subject’ for processing data or informing them about the processing.[11] Under Article 32 of the GDPR, they have to safeguard the personal data that is being processed.[12] Furthermore, per Article 33(1) of the GDPR, Arbitral Participants also have to inform the supervisory authority, if there is any breach of data, within 72 hours of the breach.[13] Evidently, per the ICCA-IBA roadmap, Arbitral Participants and associated entities, such as service providers, experts and tribunal secretaries, have to make sure that they comply with these GDPR rules.
The Roadmap also discusses the difference in the application of data protection laws based on the type of arbitration. For instance, with regard to investor-State arbitration, ICSID or the PCA would be the steering wheel, and such international organisations would be omitted from the application of the data protection laws. The ICCA-IBA roadmap states that in the abovementioned situations the treaties have some protection and privileges for Arbitral Participants and, hence, they are exempt from following data protection laws.[14]
Furthermore, the roadmap also recognizes certain universal principles in the data protection regime such as data minimisation, accuracy, data security, transparency, lawful and fair processing of data and proportionality and suggests the application of these principles in arbitration.[15]
Besides, per Article 15 of the GDPR, the data subject has the power to seek information from the controller concerning issues such as whether the personal data is being processed, for what purposes, and to whom the data can be further disclosed.[16] However, in arbitral proceedings, it cannot be applied for reasons of confidentiality. One of the major motives for opting for arbitration is confidentiality, which cannot be compromised by providing the data subject with information as to how the data is being processed. Furthermore, the personal data being used for a claim can be that of anyone, such as a contractor, a supplier or an employee, and it would not be sensible for the data controller (for instance, one of the parties in the proceedings) to disclose how the personal data is being processed, as it is harmful to the arbitral strategy of the party. There has to be an equilibrium between transparency for the data subject and confidentiality of the proceedings. Hence, the ICCA-IBA roadmap suggests addressing the data subject’s rights at the beginning of the proceedings and also mentions this in the data protection protocol defined in the roadmap.[17]
But a few questions still remain unanswered in the roadmap. In arbitral proceedings, there are entities, such as third-party funders, that have access to the data. Although the roadmap is addressed only to Arbitral Participants, it specifically states that the guidance is relevant for service providers and thus service providers are affected by the data protection obligation.[18] As per the definition mentioned in the roadmap, “e-discovery experts, information technology professionals, court reporters, translation services, etc” were mentioned as service providers.[19] This leads us to a puzzling question: Are third-party funders included as service providers? However, per Article 4(2) of the GDPR, the collection and storage of data is included in processing[20] and, thus, if the third-party funders collect personal data from others, the data laws would be compulsory for them too. This issue is still to be settled.
Concomitantly, the ICCA, in conjunction with the New York City Bar Association (“NYC Bar”) and the International Institute for Conflict Prevention and Resolution (“CPR”), has also made positive developments in the area of cybersecurity issues by releasing “the Protocol on Cybersecurity in International Arbitration”.[21] According to Principle 10 of the Protocol, issues of data security should be raised and addressed at the first case management conference. The tribunal should arrange to include counsel in a discussion about reasonable information security measures, about the willingness of the parties to engage in specific security measures, and about disputes concerning reasonable information security measures. There is no fool-proof solution to party concerns over cybersecurity, but the tribunal should highlight the gravity of the concern.[22]
In summary, these are a few key points of the ICCA-IBA roadmap concerning data protection and of the cybersecurity protocol suggested by ICCA-NYC Bar-CPR for international arbitration.
SUGGESTIONS ABOUT THE WAY FORWARD
In the wake of COVID-19, we have witnessed major video applications such as Zoom become entangled with cybersecurity issues. The protocol is a soft law instrument whose application depends on how the tribunal and parties apply the protocol in practice. Arbitral institutions are also free to decide whether they want to adopt the protocol.[23]
At this time, sadly, there is no adequate data protection and cybersecurity framework for arbitration and, with virtual hearings being necessary at this time, this will be a critical issue in the near future. The authors opine that even though the GDPR provides onerous and comprehensive regulation, there is a need for specific guidelines made precisely for arbitration, keeping in mind the guidelines and the roadmap prepared by the ICCA-IBA. Furthermore, international communities should attempt to advance an arbitration treaty concerning the issue since it could provide some assurance. Domestic laws, such as the GDPR and Protection of Personal Data Bill, 2019, are not enough to deal with arbitrations such as cross-border disputes. Furthermore, in a situation of conflict between different jurisdictions, the various domestic legislations pertaining to data protection can lead to ambiguity. Even though the guidelines prepared by the ICCA-IBA are wide-ranging, they are still not binding. Hence, the UNCITRAL and the IBA, which have clearly been providing uniformity in international arbitration in the past, should develop the requisite guidelines since there is a dire need for uniformity in data protection laws so that the promise of confidentiality is not broken.
[1] Regulation (EU) 2016/679 of May 4, 2016, General Data Protection Regulation, 2016 O.J. (L 119) 1 [hereinafter GDPR].
[2] The Personal Data Protection Bill, 2019, Bill No. 373 of 2019 (India).
[3] Justice K. S. Puttaswamy (Retd.), and ANR v. Union of India and Ors., (2017) 10 SCC 1, 242 (India) (“privacy is a postulate of human dignity itself.”)
[4] The ICCA-IBA Roadmap to Data Protection in International Arbitration, Public Consultation Draft (February 2020), https://www.arbitration-icca.org/media/14/18191123957287/roadmap_28.02.20.pdf [hereinafter ICCA-IBA Roadmap].
[5] Pierre Bienvenu & Benjamin Grant, Data protection and cyber risk issues in arbitration, Norton Rose Fulbright International Arbitration Report, Sept. 2019, at 19, 19.
[6] Id.
[7] Tennant Energy, LLC (U.S.A.) v. Government of Canada, PCA Case No. 2018-54, Tribunal’s Communications to the Parties (June 24, 2019), https://jusmundi.com/en/document/pdf/Decision/PCA-Tennant-24062019-3741/en/en-tennant-energy-llc-v-government-of-canada-tribunals-communication-to-the-parties-monday-24th-june-2019.
[8] GDPR, supra note 1, Arts. 4(7)-4(8).
[9] Opinion 1/2010 on the concepts of “controller” and “processor”, at 28-29 (Feb. 16, 2010), https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf.
[10] ICCA-IBA Roadmap, supra note 4, at 9.
[11] GDPR, supra note 1, Art. 7(1); ICCA-IBA Roadmap, supra note 4, at 17.
[12] GDPR, supra note 1, Art. 32; ICCA-IBA Roadmap, supra note 4, at 26-27.
[13] GDPR, supra note 1, Art. 33(1); ICCA-IBA Roadmap, supra note 4, at 29.
[14] ICCA-IBA Roadmap, supra note 4, at 37.
[15] Id. at 14-15.
[16] GDPR, supra note 1, Art. 15.
[17] ICCA-IBA Roadmap, supra note 4, at 23-25.
[18] Id. at 2.
[19] Id.
[20] GDPR, supra note 1, Art. 4(2).
[21] ICCA-NYC Bar-CPR Protocol on Cybersecurity in International Arbitration (2020), https://www.arbitration-icca.org/media/14/76788479244143/icca-nyc_bar-cpr_cybersecurity_protocol_for_international_arbitration_-_print_version.pdf
[22] David Turner & Guishan Gill, Addressing emerging cyber risks: reflections on the ICCA Cybersecurity Protocol for International Arbitration, Thomson Reuters Practical Law Arbitration Blog (May 17, 2019), http://arbitrationblog.practicallaw.com/addressing-emerging-cyber-risks-reflections-on-the-icca-cybersecurity-protocol-for-international-arbitration/.
[23] Id.
*Smriti Shukla is a student at National University of Study and Research in Law, Ranchi, India. Her interest lies primarily in International Commercial Arbitration, Public International Law with additional interest in Insolvency Law. She has authored Articles for various Journals, Blogs and Magazines.
**Yash Raj is a student at National University of Study and Research in Law, Ranchi, India. He has a very keen interest in International Arbitration and Intellectual Property Rights, and also has an acumen for research on nascent legal topics. He has authored Articles for various national as well as international Journals, Blogs and Magazines.