Arbitration: Saving Two Birds (Confidentiality and Personal Data) from One Stone (Cyber Attack)

Confidentiality is one of the cornerstones of arbitration and allows the parties to resolve their disputes in private. The Arbitration and Conciliation Act, 1996 (Arbitration Act) under Section 42A imposes a statutory obligation on all stakeholders, i.e., arbitrators, arbitral institutions and parties, to maintain confidentiality in the arbitration proceedings. However, the Arbitration Act misses out on ramifications for any non-compliance by the stakeholders. It may be argued that non-compliance by a party may be adjudicated by arbitrators, but there is no recourse against such non-compliance by other stakeholders.

Generally speaking, no preventive steps are taken by the arbitral tribunals or the arbitral institutions to prevent a breach of confidentiality in the arbitral proceedings, specifically in India. However, with the increasing use of technology, confidentiality has become a sensitive nerve to touch upon.

In this backdrop, we think some nudge is required for legislators and other stakeholders in India to give due weight to this critical provision and strengthen the arbitration ecosystem in India. We hope the Digital Personal Data Protection Act 2023 (DPDP Act) proves to be that nudge.

The DPDP Act provides the framework for protecting personal data [any data about an individual who is identifiable by or in relation to such data] in India and outside. Further, the DPDP Act imposes obligations on the data fiduciary [Any person who determines the purpose and means of processing personal data] to protect personal data in its possession or control, including for processing, and take all reasonable safeguards to prevent a breach of personal data. In case of default, the data fiduciary may be penalised up to Rs. 250 Crores.

It is important to mention that the DPDP Act exempts courts, tribunals or any other body in India entrusted by law with the performance of any judicial or quasi-judicial, regulatory or supervisory function where processing is necessary for carrying out the function of a data fiduciary. However, the fundamental obligation to provide reasonable safeguards to prevent breaches of personal data still applies [Section 17 (1) (b) of the DPDP Act]. While the arbitral tribunals and arbitral institutions would be exempted from most compliances as data fiduciary under the DPDP Act, the obligation to provide reasonable safeguards to prevent breach of personal data (under Section 8(5) of the DPDP Act) particularly would still be applicable. Importantly, the arbitral records containing the personal data of a party, witness, etc., trigger the applicability of the DPDP Act.

Therefore, the time is ripe even for arbitral tribunals and arbitral institutions to start mulling over measures to protect personal data forming part of arbitral records.

The lessons may also be learned from international arbitrations where data breaches have adversely impacted another party.

The infamous case of hacking of the Permanent Court of Arbitration’s website raised concerns about data protection. Additionally, in the two prominent international arbitration cases below, information was obtained through cyber-attacks, and then the data was used against a party.

• In Caratube International Oil Company and Mr Devincci Saleh Hourani v. Kazakhstan, the tribunal, while acknowledging that some emails were obtained through cyber-attack, still allowed the usage of emails against the other party in the absence of any rule or guideline prohibiting the tribunal from admitting evidence obtained through questionable means.

• Conversely, in another arbitration, namely, Libananco Holdings Co Ltd v. Republic of Turkey, the tribunal denied admission of evidence obtained through cyber-attack on the ground that the principle of confidentiality and privacy are of utmost importance in any arbitral proceeding.

Unfortunately, the Indian law aligns with the former approach. It does not delve into the source of evidence. Any evidence acquired illegally remains admissible as long as it holds relevance, subject to discretion of the court. Consequently, evidence procured through cyber-attacks can potentially be used against the opposing party in an arbitral proceeding. Nonetheless, this remains a contentious issue, and its resolution depends on the specific circumstances of each case.

Unlike the Arbitration Act, the DPDP Act provides penalties for non-compliance that are quite significant. There are, therefore, enough compelling reasons to start taking confidentiality and protection of personal data seriously. Having safeguards in the laws of a country or the institution's rules is also one of the critical considerations for contractual parties in selecting a seat of arbitration. Since institutions like the Singapore International Arbitration Centre (SIAC) and the International Chamber of Commerce (ICC) have already taken cyber security initiatives and formulated guidelines, these institutions and their home countries have an edge over the Indian arbitral institutions and India.

To stop cyber-attacks from replacing the discovery procedures provided in the Civil Procedure Code and to elevate India to the status of an arbitration hub akin to countries like Singapore, which are renowned for their robust arbitration practices, proactive measures are imperative. Both governmental and arbitral institutions must demonstrate a proactive approach to fortify the arbitration ecosystem in India. Here are some recommendations:

• Formulate Confidentiality and Virtual Hearing Protocols: The arbitral institutions must have rules and protocols for confidentiality and virtual hearings. A reference may be taken from the ICCA-NYC Bar-CPR Protocol on Cybersecurity in International Arbitration, which aims to increase cybersecurity awareness in international arbitration and provide a framework for incorporating cybersecurity measures in arbitral proceedings.

• Provide Regular cybersecurity training for Arbitrators: This initiative could be taken by the High Courts for the arbitrators empaneled with their court-annexed arbitration centers. The arbitral institutions can also bring such initiatives for the arbitrators empaneled with them.

• Incorporate Model Cybersecurity Guidelines in the Arbitration Act: A new schedule may be added in the Arbitration Act providing model cyber security guidelines which will be followed by arbitral tribunals, at least that are ad-hoc.

As arbitration remains a popular dispute resolution method, it must adapt to the rapid technological advancements to continue delivering benefits to the parties involved. The measures mentioned above are essential for protecting personal data, preserving confidentiality, and promoting the adoption of additional services, such as AI-assisted transcription, in arbitration proceedings. These advancements can save significant time and cost for arbitral tribunals, arbitral institutions, and the parties involved. Further, establishing a robust cybersecurity framework for arbitration will bolster India's arbitration landscape and play a pivotal role in reducing the backlog of nearly five crore cases pending in courts across the country.

Dinesh Pardasani is a Partner and Tanya Tikiya is an Associate at DSK Legal.