The current pandemic has forced the legal world to shift to an unprecedented remote working model. Video conferencing and virtual hearings are becoming the new norms, and many are predicting the extent to which their use will be a mainstay of dispute resolution, including international arbitration, post-crisis.
In this article, Vikram Khasriya, a trainee solicitor in our International Arbitration team, considers data-related concerns arising from the virtualisation of arbitration hearings, what guidance exists to help parties plan their data protection measures, and highlights some of the provisions in the Roadmap to Data Protection in International Arbitration published in February 2020.
Technology has, for a long time, played a core role in assisting dispute resolution. International arbitration, with its cross-border and flexible nature, is no stranger to the use of technology and it has perhaps led the way in, for example, adopting e-filing, e-bundling and witness testimony over video-link.
Much has been said about the ability of technology to keep the wheels of the administration of justice turning during the crisis (and perhaps beyond) and rightly so. Perhaps less, however, has been written in this context about the need to recall the significant obligations and risks associated with the protection of digital data. It is a topic that has, in recent years, become a key concern for practitioners and clients alike.
It is one that perhaps has not received the thorough attention that it deserves in the context of international arbitration which, by its very nature, will trigger cross-border data-related concerns. Data will be processed and managed as one by-product of the current virtual ‘push’, underlining the need for data protection and cybersecurity to be among the many aspects parties will need to keep in mind, especially in the current climate. Thankfully, various guidance now exists to help parties to identify and navigate these issues in the context of an international arbitration.
Data Protection and the GDPR
The introduction of the EU’s General Data Protection Regulation (“GDPR”) in 2018 set out some potentially steep financial penalties for those who breach its provisions on data protection. This has resulted in various industry bodies setting out guidance and protocols in relation to the handling of data.
There are certain exemptions under the GDPR applicable to legal proceedings which allow, for instance, the sharing of data under specified circumstances; for example, where disclosure of data is required by law or an order of a court. However, it is not immediately clear that such exemptions apply to international arbitration or, if they do, to what extent. In that context, the recent guidance provided is particularly welcome, albeit it remains in draft and subject to consultation.
In the sphere of arbitration, a number of organisations have issued helpful guidance on the measures that one can take to protect data within arbitral proceedings. Most recently, draft guidance has been published by a task force jointly established between The International Council for Commercial Arbitration (“ICCA”) and the International Bar Association (“IBA”) (the “Task Force”). The Task Force was created in 2018 in order to “produce a practical guide that identified ways in which data protection may need to be taken into account during the course of an arbitration”.
In February 2020, the Task Force published its draft “Roadmap to Data Protection in International Arbitration” (the “Draft Roadmap”). This draft is part of a public consultation process and is open for feedback until 30 June 2020. The Draft Roadmap is expressly marked as not for citation, but it already demonstrates the deep level of analysis the Task Force has given to the subject and how useful, when finalised, the guidance will no doubt prove to be.
In this article, we will only highlight some of the draft findings of the Draft Roadmap. We will also consider what other guidance exists to help parties plan their data protection and cybersecurity measures. While the Draft Roadmap is a work in progress, it is a developed and lengthy analysis that contains a number of helpful practice tips and guidance.
The Draft Roadmap: a summary
It is important to state at the outset that the Task Force acknowledges that the application of legislation (such as the GDPR) to an arbitration is going to be highly fact-specific and, therefore, any guidance provided will not be a “universal solution”. Having said that, the Draft Roadmap identifies many matters parties must bear in mind when dealing with electronic data.
Section 1 of the Draft Roadmap describes the primary data protection principles potentially applicable to international arbitration, drawing heavily from the GDPR framework. Notably, this section highlights several “general obligations” that will arise under data protection laws which include: “issuing GDPR-compliant data privacy notices, ensure the lawfulness of their personal data processing and transfers, minimising the personal data they process, and adopting appropriate data security measures, data breach procedures, data retention policies, and procedures for addressing data subject complaints”.
These general obligations make clear that data protection considerations can be triggered at various stages of proceedings, the most obvious being during disclosure where the most likely concern to parties would be the disclosing of “irrelevant” or “non-responsive” personal data.
Section 2 of the Draft Roadmap considers how the principles discussed in section 1 may apply to the various stages of an arbitration.
It is stressed throughout the document that parties should be proactive when considering cybersecurity and data protection issues. For instance, arbitral participants should identify and document at the outset of proceedings what data will need to be processed for the arbitration and the lawful basis on which such data will be processed.
Following on from this, practitioners are encouraged to know their assets and infrastructure that may be used in an arbitration. Namely, one should know where data may reside (for example, on what devices) and how it flows through your infrastructure (for instance, is data saved locally on devices or on a cloud platform?). Understanding your assets and infrastructure in this way allows one then to assess how, and to what extent, data protection issues might arise.
To ensure that parties are not caught off guard, helpful guidance is provided as to the approach one might take upon receipt of a data subject access request. Such a request compels the arbitral participant to provide the data subject with access to the personal data held about them, provided this does “not adversely affect the rights or freedoms of others”. Parties are advised to restrict access to those documents, or portions thereof, specifically necessary to fulfil such a request and to redact any personal data that is not specifically relevant to the arbitration in order to limit the possibility of such requests.
Inevitably given its cross-border nature, including the likelihood that the participants themselves in an arbitration may be located around the world, an early consideration is the potential impact of differing jurisdictional data protection regimes.
GDPR will apply, broadly speaking, where a company processes personal data within the EU. However, a party processing data outside the EU may be beholden to data protection regimes equivalent to that of the GDPR, for example, the Act on Protection of Personal Information in Japan or the Personal Information Protection and Electronic Documents Act in Canada. In order to understand such jurisdictional issues, it is important to map out the potential data flows within each individual arbitration by:
1. Identifying which participants could trigger data issues. This group is a lot wider than one might appreciate and may include, for example, transcribers, hosts of document review platforms, employees of your client, experts, etc.
2. Considering the data flows between the parties identified at point 1 and assessing which data protection regimes may apply, what those regimes may require based on the data flows mapped and the nature of how the data is being handled by each participant.
Where a virtual hearing is taking place, those two steps will also now need to cover the participants involved in the hosting and supporting of that hearing, to possibly include the software platform being used (especially where documents are being ‘shared’ on screen) and any e-Bundling solution deployed in parallel.
The issues the Draft Roadmap addresses are numerous and wide-ranging. To ensure that appropriate measures are taken, it recommends that parties enter into a signed data protection protocol at an early stage of proceedings which addresses the roles and responsibilities of data controllers in relation to the processing of personal data. This would ensure that parties have set processes in place for dealing with issues, for example, the receipt of a data subject access request, and are not on the proverbial ‘back foot’. However, given that information travels across such a complex network during an arbitration, it can be questioned whether it is feasible to scope out such a protocol at the outset. It may be that the onus is better placed on the tribunal to lead the process of negotiating such a protocol as part of its early case management duties.
The importance of cybersecurity
The Draft Roadmap recognises the importance of data security, and this raises a number of issues in its own right. With the recent use of additional technology (for example, Zoom) to facilitate virtual hearings and some widely reported issues with such platforms (for instance the phenomenon of ‘Zoom bombing’), this issue gains further importance. The general transition to people temporarily working from home undoubtedly generates additional cybersecurity risks too. The arbitration community has put some thought into measures that can be taken to secure data. For instance, the “ICCA-NYC Bar-CPR Protocol on Cybersecurity in International Arbitration” and the IBA’s “Cybersecurity Guidelines” provide some helpful baseline security measures that one can adopt.
ICCA-NYC Bar-CPR Protocol on Cybersecurity in International Arbitration
In 2018, ICCA launched a working group on cybersecurity in arbitration (the “Working Group”). The aim of this Working Group was to establish “… voluntary cybersecurity protocols for use in international arbitral proceedings”. In 2020, the Working Group released their protocol – an 80-page guide which aims to provide a framework to determine reasonable information security measures for individual arbitration matters.
It is important to note that, as with the Draft Roadmap, several underlying principles form the basis of the protocol. Below we have highlighted some of those principles that provide more practical guidance:
- As with other areas of case management, the principle of ‘proportionality’ applies, ie the measures enacted on any specific matter should take into account the size of the matter and the relative resources of each party.
- Information security is an early case management issue and should be raised no later than the first case management conference.
- The arbitral tribunal has the overall authority for determining security measures and can allocate costs/sanctions against a party for breaches of such.
Schedule A of the protocol, entitled “Baseline Security Measures”, provides a helpful checklist of key considerations that parties may consider incorporating into any agreed arbitral data protection protocol (as suggested by the Draft Roadmap). Many of these points are fairly simple to implement without significant cost, for instance, the use of secured file share services instead of email. Practitioners would be well advised to consider all of the suggestions made in Schedule A and to apply its guidance to their matters.
The implementation of legislation such as the GDPR (and jurisdiction-specific equivalents) has created an economic incentive to focus on issues of data protection and cybersecurity; companies could potentially be liable for steep fines of up to €20m or 4% of the company’s global annual turnover if any infringement of GDPR is identified.
Following the recent shift in working patterns, these issues are likely to (or should) be given even higher priority. Indeed, this assertion is supported by, for example, the recent release by the International Chamber of Commerce (“ICC”) of their guidance note aimed at mitigating “adverse effects of the Covid-19 pandemic on ICC arbitrations”. This guidance note, at Annex II, provides parties with suggested clauses for cyber-protocols and virtual hearings and specifically addresses issues such as “confidentiality, privacy and security”.
It is unlikely that the shift in working patterns mentioned above is temporary. The outbreak of Covid-19 has catalysed a debate that was already underway with regard to flexible/agile working. Many see the benefits of balancing work and family priorities as well as the reduced environmental impact of having to travel to an office/hearing. We have also seen a large amount of capital investment in technology by firms, institutions and courts in an effort to keep productivity as high as possible through remote working and it is unlikely that this investment will be ignored when the crisis is over.
It will, therefore, be up to our industry as a whole to adapt to this new environment and to reassure potential clients that a pragmatic and proactive approach is being taken with regard to data protection. It will be interesting to observe how many parties go to the effort of implementing measures, for example, agreeing a data protection protocol at the outset of a hearing, and to what extent arbitral tribunals will rise to the challenge in order to assist. One might also consider whether arbitrators will be required to go through a significant amount of ‘retooling’ in order to get up to speed on the technology required to adapt to this changing environment. Could the choice of arbitrator be influenced by such concerns?
We intend to revisit this topic when the Draft Roadmap is finalised, but we hope that this article has given the reader an idea of the breadth of guidance available to them in the realm of data protection and cybersecurity in international arbitration.