Data protection and cybersecurity are hot topics in international arbitration. A majority of respondents to the 2018 Queen Mary International Arbitration Survey listed "security of electronic communications and information" as an issue which should be addressed in arbitration rules. This demonstrates that users of arbitration are concerned about data security.
While there are signs that the market is listening, users seem to think that institutions, counsel and tribunals could do more to address cybersecurity.
This article examines three aspects of data protection and cybersecurity in arbitration – namely:
- the EU General Data Protection Regulation (GDPR) and how it bears on international arbitration;
- data breaches in arbitral proceedings and cyberattacks on institutions, as well as the way in which institutions are responding; and
- how hacked evidence might appear in arbitration and how tribunals have dealt with this issue.
The GDPR has significantly altered the data protection landscape. Its broad scope and potentially severe penalties have forced those that hold and process data to take note of its provisions. The international arbitration community must be aware of the GDPR and how it affects the arbitral process.
The GDPR applies to 'personal data', a concept that is broadly defined to include any information relating to an identified or identifiable natural person, including an individual's name and address and any online identifier (eg, an email address or IP address). The GDPR also has a broad territorial scope. It applies to entities established in the European Union regardless of where the processing itself takes place, and to entities outside the European Union whose processing relates to offering goods or services to, or monitoring the behaviour of, individuals in the European Union (Article 3). As a result, the involvement of an EU-based party, witness or counsel may in some circumstances import GDPR obligations into an arbitration, even if the arbitration is otherwise independent of the European Union.
This wide scope of application is coupled with potentially severe penalties of up to €20 million or 4% of an entity's total worldwide annual turnover of the preceding financial year (whichever is higher) for certain contraventions of the GDPR (Article 83(5)). Fines are assessed per infringement, although where the same or linked processing operations infringe several provisions the total fine is capped at the amount applicable to the gravest infringement (Article 83(3)). Even so, an entity that mishandles data across several unrelated processing activities can face penalties that quickly escalate.
If the GDPR is engaged, entities that process personal data will be subject to a number of obligations. If an entity is deemed to be a data controller for the purposes of the GDPR, these obligations would include:
- identifying a lawful basis to process data;
- ensuring that appropriate technical and organisational measures are in place to safeguard the security of processing (Article 32), including measures intended to prevent data breaches so far as possible, and notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it unless the breach is unlikely to result in a risk to individuals (Article 33); and
- not transferring personal data outside the European Economic Area unless the destination benefits from an adequacy decision, appropriate safeguards such as standard contractual clauses are in place, or a specific derogation applies (Articles 44 to 49). One derogation of direct relevance to arbitration permits transfers that are necessary for the establishment, exercise or defence of legal claims (Article 49(1)(e)), but it is construed narrowly and does not displace the other obligations described above.
If an entity is instead deemed to be a data processor rather than a controller, Article 28 of the GDPR requires it to process personal data only on the documented instructions of the controller and to do so under a written contract that sets out, among other things, the processor's security, sub-processing and breach-notification obligations.
The detail of how the GDPR operates is complex. International arbitration practitioners should be aware that the GDPR may be relevant to their arbitration, regardless of whether they are located – or the arbitration is seated – in the European Union.
In July 2015 the Permanent Court of Arbitration's (PCA's) website was hacked during an ongoing maritime border dispute between China and the Philippines. Malware was implanted on the PCA's website, which infected the computers of visitors, potentially exposing them to data theft.
The attack on the PCA illustrates the risk faced by arbitral institutions. Parties in arbitration can be called on to disclose sensitive material to prove their case. While in many jurisdictions it is assumed that arbitration will be cloaked in confidentiality, cyberattacks have the potential to seriously undermine this.
The arbitral community is responding to this risk. The most prominent example is the draft Cybersecurity Protocol for International Arbitration, which was published in 2018 by the International Council for Commercial Arbitration (ICCA), the New York City Bar Association and the International Institute for Conflict Prevention and Resolution. The protocol is intended to apply in particular cases, either by agreement of the parties or order of the tribunal. Once adopted, the protocol gives a tribunal the power to determine what security measures are reasonable for the case, taking into account the views of the parties. Such measures should account for, among other things:
- the transmission of materials;
- communication between arbitrators;
- the storage of information; and
- data security.
Importantly, the protocol makes clear that cybersecurity is the shared responsibility of all participants in an arbitration, who must ensure that all personnel involved in the arbitration are aware of – and follow – any cybersecurity measures adopted.
The ICCA and the International Bar Association (IBA) have also established a Joint Task Force on Data Protection in International Arbitration, which will publish practical guidance on the potential impact of data protection principles, including the GDPR.
At an institutional level, arbitral institutions are also addressing the risk posed by cyberattacks. The Hong Kong International Arbitration Centre Rules, which entered into force on 1 November 2018, specifically include "any secured online repository that the parties have agreed to use" as a recognised means of communication. The London Court of International Arbitration also intends to revise its 2014 Arbitration Rules and is considering adding new provisions on data protection and cybersecurity. Data protection is an area ripe for reform in the arbitration context and users expect arbitral institutions to be at the centre of the effort to address it.
A related issue which is appearing more regularly in arbitration is the attempted use of evidence obtained through cyberattacks or data breaches. This issue has arisen most prominently in investment arbitration. For example, in both the Yukos and ConocoPhillips/Venezuela disputes, the parties sought to rely on evidence obtained from WikiLeaks.
Arbitration rules typically afford broad discretion to tribunals to decide evidentiary issues. For example, Article 27(4) of the United Nations Commission on International Trade Law Arbitration Rules provides that the "arbitral tribunal shall determine the admissibility, relevance, materiality and weight of the evidence offered". Article 9(2) of the IBA Rules on the Taking of Evidence in International Arbitration permits tribunals to exclude evidence on grounds including "legal impediment or privilege under... legal or ethical rules" (Article 9(2)(b)) and "special political or institutional sensitivity" (Article 9(2)(f)).
In ConocoPhillips the tribunal was asked to reopen its earlier decision on jurisdiction in light of information contained in hacked emails published by WikiLeaks. The majority did not expressly address whether that evidence was admissible, instead finding that it did not have the power to reopen its earlier findings. A dissenting opinion in that case relied on the emails as a basis for reopening the decision, without expressly addressing whether they were admissible in the first place. By contrast, in Caratube International/Kazakhstan the tribunal expressly admitted emails which had been published on WikiLeaks, to the extent that such material was not covered by legal professional privilege.
Given the paucity of authority, there is little evidence that a consistent approach to dealing with these issues is emerging. As data breaches become more common, tribunals will be called on more frequently to rule on the admissibility of such evidence. It is hoped that as tribunals engage with this issue, some guidance as to how it might be dealt with will be made available to parties.
Data protection and cyber risk are emerging as important considerations in arbitration. Although the arbitral community and the arbitral institutions are taking steps to address this concern, more needs to be done. As these issues become more common, it is hoped that consistent practices will emerge to reassure users that their data will be secure.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.