Data Privacy and Security in Online Arbitration

Introduction:

Non disclosure of crucial information without the party’s consent is the foundation of any legal process. One of the most significant reasons for disputing parties to opt for alternative modes of dispute resolution, apart from an expediated procedure, is its confidentiality. But in the post pandemic world, there has been a huge shift from the offline, i.e. conventional mode of conducting legal proceedings towards online and that has raised major privacy and security concerns, regarding data breach or theft and leaks, adversely impacting the litigating parties. The 2015 hack on the Permanent court of arbitration during a maritime border dispute between China and the Philippines is a glaring example of the importance of data protection in arbitration, wherein Malware was implanted on the PCA’s website which infected the computers of visitors, potentially exposing them to data theft.

Major concerns:

1.?????Protection of sensitive information of the parties (like personal data, financial information and trade secrets) from unauthorised access, especially in high stakes international arbitrations involving MNCs, governments or state bodies.

?2.?????Use of evidence obtained by means of cyber attacks or data breaches, especially in investment arbitration matters, for instance, Yukos?disputes and?Conoco Philips v Venezuela?the parties sought to rely on hacked E-mails obtained from WikiLeaks, as a result of which the tribunal was asked to reopen its earlier decision.

?3.?????Preservation of integrity and authenticity of data , as digital records can be easily modified or manipulated, as opposed to physical ones, which raises a concern for data tampering or falsification during transit, and is very difficult to prove or detect.

?4.?????Protection from data theft or hack, ?as?in-house lawyers, counsel, and arbitrators tend to travel extensively and work from multiple places.

?5.?????Protection from use of third-party service providers, such as videoconferencing software providers or document management systems, who may have access to sensitive information of the parties.

?Measures for Data privacy and security in online arbitration:

1.?????Use of secure communication tools and platforms, which are password protected and encrypted, free from threats.

2.?????Data protection measures should be taken by the parties involved in the arbitration such as confidentiality agreements or non-disclosure agreements.

?3.?????Ensure data security certification compliance by reviewing privacy policy and terms of service and conducting due diligence.

?4.?????Restricting physical access to the hardware containing crucial evidence. Even if accessed, making the system password protected, ensuring no unauthorised access is made to the protected information of the parties.

?5.?????Avoiding unencrypted modes of communication, so that the communication between parties and arbitrators cannot be leaked to third parties

?Indian law:

Section 42-A of the Arbitration and Conciliation Act, 1996, inserted by the 2019 amendment states that :

“Notwithstanding anything contained by any other law for the time being in force, the arbitrator, the arbitral institution and the parties to the arbitration agreement shall maintain confidentially of all arbitral proceedings except award where its disclosure is necessary for the purpose of implementation and enforcement of award”

The purpose of inserting the same is to ensure privacy and confidentiality of the proceedings, even though the Data protection bill is still not clear on the status of an arbitral institution.

?Conclusion:

Even though arbitrators try to ensure cybersecurity, they may not have the support of advanced IT systems, making them vulnerable to cyber attacks and theft of sensitive information. Unsecured communication channels make it more dangerous for them. Therefore there is a dire need of a framework governing data protection in the field of arbitration. Till then, arbitral institutions can frame their own guidelines to protect sensitive data from any breach, in the interest of justice to the parties.