As we reported in our 2019 and 2020 Trends Reports, data protection and cybersecurity are becoming focal points in international arbitration. The politically and commercially sensitive nature of arbitration disputes, which are often confidential, makes them an attractive target for hackers. The prevalence of online hearings and electronic records in the wake of COVID-19 has brought renewed awareness of cybersecurity and data protection risks, a trend that will continue into 2023 and beyond.
A 2022 ICC survey on the use of technology in arbitration demonstrated that most arbitration users now support adopting specific measures, such as encryption, to safeguard the privacy and security of electronically stored information.
Data breaches may pose a real risk to the integrity of arbitration as a dispute resolution mechanism. In 2015, hackers attacked the PCA’s website. Malware planted on the section of the PCA’s website devoted to the China–Philippines maritime boundary dispute posed a potential risk to visitors, causing the PCA’s website to go off-line for a week. That same year, in Caratube v Kazakhstan, confidential information was leaked from the Kazakh government’s IT system and the claimant eventually obtained some of the leaked documents. Although the information was derived from hacking, the tribunal permitted the claimant to adduce non-privileged documents obtained from that leak, as no rule or guideline prohibited the tribunal from exercising its discretion to admit evidence obtained through such questionable means. Anecdotal information also suggests that there have been arbitrations where the case database was leaked or hacked into, which may have been preventable if appropriate safeguards had been put in place.
These risks highlight the importance of giving thought to how to protect data in an arbitration proceeding. Fortunately, parties and arbitrators now have an array of instruments available to guide them.
The ICCA-NYC Bar-CPR Protocol on Cybersecurity in International Arbitration, originally launched in 2019 and updated in 2022, provides a framework for participants to agree on reasonable cybersecurity measures for their dispute (eg access controls, encryption and security incident management). The protocol provides sample language to address information security issues that can be incorporated into arbitration agreements, agendas for case management conferences, procedural orders and post-arbitration dispute resolution clauses, as well as a procedure to notify and deal with data breaches based on the GDPR.
Arbitral institutions have also taken steps to tackle cybersecurity risks:
the HKIAC, LCIA, CAM-CCBC, DIFC-LCIA, CPR, DIS and the Swiss Arbitration Centre, for instance, now either require or encourage tribunals to consider appropriate measures or issue binding directions to enhance information security and protect personal data at an early stage in the proceedings (typically before or during the first procedural conference);
a growing number of institutions, including the SCC, the AAA-ICDR, the Thai Arbitration Institute and the ICC have launched bespoke case management platforms, such as the ICC’s recently launched Case Connect, to securely centralise file sharing, thereby eliminating risks associated with the use of email;
yet a third group of institutions has introduced additional measures – the AAA-ICDR, for example, requires arbitrators on its panel to complete mandatory cybersecurity training, and CPR offers parties access to an encrypted email service; and
finally, while ICSID’s recently released 2022 Arbitration Rules do not mention cybersecurity or data protection explicitly, amended Rule 29 now requires tribunals to seek views from the parties on ‘the treatment of confidential or protected information’ before the first session.
Beyond the importance of protecting data for its own sake, parties and counsel should be aware that various mandatory data protection regulations may arise at different stages of an arbitration or affect certain participants but not others. Personal data transfers can trigger a complex web of different legal regimes with strict rules on when and how data can be transferred internationally. For example, a party’s evidence may include emails between persons based in the EU and that contain personal, protected data under the GDPR. To transfer such data to an arbitrator in a third-party country, the party may be required to put in place appropriate safeguards to protect those emails. In some cases, personal data will need to be redacted before it can be transferred. Regulators are augmenting the costs of noncompliance, with fines for breaches of the GDPR reaching up to the higher of €20m or 4 per cent of the entity’s total worldwide turnover for the preceding financial year.
Given the complexity of this regulatory universe, in 2022, the ICCA and the IBA launched the ICCA-IBA Roadmap to Data Protection in International Arbitration as a tool to assist arbitration professionals in applying data protection and privacy laws during international arbitration proceedings. It offers a primer on data compliance and includes sample data privacy notices for institutions, arbitrators and counsel to adopt for arbitration-related activities; sample provisions for data protection directions for the first procedural order or terms of reference; and checklists of relevant issues that arbitration participants should consider (see our blog here).
Law firms are also focusing resources on developing innovative tools to assist clients with data breach issues. One example is the Freshfields Data Breach Notification Platform, which provides an instant assessment of which authorities to notify and what information to provide in case of a data breach.
As concern over data protection increases, so are disputes surrounding breaches of data protection obligations. These kinds of disputes may in fact end up being arbitrated (see re StockX Customer Data Sec Breach Litigation).
‘The arbitration community has now developed a set of helpful tools for parties who want to effectively manage cyber and data protection risks. In addition to incorporating these best practices, the onus is on parties to select arbitrators, institutions and service providers that understand the importance of, and are competent in, protecting data in international arbitrations.’
John Choong, Partner
In 2023, we expect parties to increasingly adopt cybersecurity and data protection measures in their individual proceedings, and institutions to continue to encourage their adoption through their rules or policies. Parties are advised to select arbitrators, institutions and service providers that understand the importance of, and are competent in, protecting data in international arbitrations. It also falls on counsel to guide participants in the arbitration process, such as clients, witnesses and experts, to comply with best practices as they develop. While there is a growing consensus over the importance of these issues, clients should consider building cybersecurity requirements into their arbitration clauses (drawing from model clauses such as those included in the Protocol) and using internal checklists of essential steps to be taken before, during and after the arbitration, such as those we provided in our 2020 Trends Report.