The international arbitration community has been increasing its attention to data protection and cybersecurity issues. Given the litigious and multi-jurisdictional nature of international arbitration, combined with the highly confidential nature of information usually handled in international arbitrations, it is important that arbitration users assess how they may be impacted by data protection laws and regulations and what types of information security measures are suitable for a particular arbitration. A number of organizations have collaborated to publish a Protocol on Cybersecurity in International Arbitration (the “Cybersecurity Protocol”) and a Roadmap to Data Protection in International Arbitration (the “Data Protection Roadmap”) (together, the “Reports”), to provide practical guidance to international arbitration users.
As discussed below, the Reports provide extensive guidance on how data protection and cybersecurity issues may arise in an arbitration, and offer sample protocols, clauses, and notices for arbitration users to consider adopting to effectively address data protection issues in the context of international arbitrations. Both documents complement each other and include examples and sample language based on the GDPR, which the Roadmap characterizes as one of the “most comprehensive and onerous data protection regulations, that is becoming a global reference.” These Reports are non-binding guidance but offer helpful tools for arbitration users.
The Cybersecurity Protocol
The Protocol, which was recently updated, provides recommendations on how to mitigate information security risks in an arbitration. Recognizing the increased number of cyber threats, the Protocol provides a sample personal data breach protocol for breaches that may occur in a proceeding (see Schedule D-1). The Protocol characterizes this addition as a recognition of “the importance of having an incident response plan in place were a security incident to occur during an arbitration.”
The Protocol contains fourteen guiding principles. The key takeaway points are as follows:
- The Protocol offers sample baseline security practices (Schedule A) but emphasizes that information security measures in arbitration are not “one-size fits all” – not only because there may be different applicable data protection regulations requiring compliance with different obligations, but also because each arbitration is a creature of its own (Principle 1). The Protocol recommends a “reasonable in the circumstances” standard for determining the appropriate measures that should be applicable in an arbitration (Principle 5).
- The principles provide guidance to arbitration users on how to determine reasonable cybersecurity measures, including by describing and explaining: (i) characteristics of the arbitration that parties and tribunals should consider when implementing security measures (e.g., the “risk profile of the arbitration”, the resources of arbitral participants, and the “efficiency of the arbitral process”) (Principle 6); (ii) categories of measures that could be adopted in an arbitration (such as asset management, access control, and encryption) (Principle 7); and (iii) guidance on how specific circumstances or phases in an arbitration may require tailored measures (e.g., hearings and conferences, information exchanges, and post-arbitration retention and destruction policies) (Principle 8).
- The Protocol recognizes that many persons besides the arbitrators, parties and arbitral institutions may need to access the information shared in an arbitration. As such, Principle 3 recommends that tribunals, parties, and arbitral institutions ensure that all persons involved in an arbitration are made aware of, and comply with, the information security measures that have been adopted for that arbitration.
The principles favor party agreement and recommend prompt attention to matters of information security, usually at the case management conference (Principles 9-10). They note that tribunals have authority to determine or modify the information security measures applicable in an arbitration (Principles 11-12). And, in case those measures are breached, or if an information security incident takes place, the Protocol notes that tribunals may allocate costs and impose sanctions on the parties (Principle 13). The Protocol notes, however, that it does not establish “any liability or liability standard for any purpose” (Principle 14). Similarly, the Protocol acknowledges that it does not supersede applicable laws, arbitration rules, professional or ethical obligations, or other binding obligations (Principle 4).
The Data Protection Roadmap
The Roadmap represents the updated and finalized version of a draft released for public consultation in 2020, including revised language and new annexes. The Roadmap is addressed to “arbitral participants” which is limited to the “parties, their legal counsel, the arbitrators and arbitral institutions.” However, its guidance is also relevant to others “working for or with an [a]rbitral [p]articipant during an arbitration.”
The Roadmap begins by setting out key concepts relating to data protection including “personal data”, “data subject” and “processing” as well as the notions of data “controllers” and “processors” based on principles found in EU-style regulations. The Roadmap then describes (including by references to examples and hypotheticals in the arbitration context) nine general data protection principles included in most EU-style data protection regulations, which include the principles of:
- Fair and lawful processing, providing that personal data may be processed only if there is a lawful basis for doing so.
- Proportionality, requiring data protection measures to account for the interests of the data subjects and third parties’ interests and rights.
- Data minimization, requiring that the “amount of personal data [produced] to be limited to meet the purpose of that data processing.”
- Purpose limitation, limiting the collection of personal data to fulfilling a “specific and legitimate purpose” and prohibiting further processing of that data in any way incompatible with that purpose.
- Data subject rights, indicating that “individuals whose personal data is collected and processed” have the right to obtain access to that data.
- Accuracy, ensuring that the personal data collected and processed must “be valid, relevant, and complete” for the purpose of its collection, and requiring it be updated as and when necessary.
- Data security, requiring data controllers to take appropriate “technical and organizational security measures to protect personal data” against the risk of a personal data breach.
- Transparency, requiring that the measures taken for the protection of data must be made known to the data subjects.
- Accountability, requiring data controllers to keep “a record of their data protection compliance efforts”.
The Roadmap then addresses how data protection compliance may affect the different stages of an arbitration, contemplating pre- and post-arbitral phases, and every stage in between.
The Roadmap also includes eleven annexes with checklists of issues to consider, sample privacy notices for institutions, arbitrators and counsel to adopt, as well as sample provisions for data protection directions for the first procedural order or the terms of reference. One of the annexes added to the newly released version of the Roadmap provides a checklist for data protection compliance when using online case management platforms. Like the Protocol, the Roadmap provides non-binding guidance, and does not supersede an arbitral participant’s obligations under applicable data protection laws.
The increased adoption and enforcement of data protection rules across the globe has spurred attention to these issues in many areas, and international arbitration is no exception. Initiatives like the Reports are intended to raise awareness and assist arbitration participants in addressing their data protection obligations. Although the Protocol and the Roadmap are not binding, and do not provide legal advice, they offer useful guidance to arbitration users and their counsel in developing appropriate data protection measures for their international arbitration proceedings.