Data Processing Agreements
Data Protection in Arbitration Proceedings
Data protection in arbitration refers to the safeguarding of sensitive, confidential, and personal information exchanged or produced during arbitration. With the increasing digitization of proceedings and cross-border nature of arbitration, parties, counsel, and arbitral institutions face legal and practical obligations to ensure confidentiality, privacy, and regulatory compliance. Failing to properly protect data can result in breach of confidentiality, regulatory sanctions, and challenges to arbitral awards.
1. Legal and Regulatory Framework
(a) International Guidelines
UNCITRAL Model Law on International Commercial Arbitration
Articulates general confidentiality obligations of arbitrators and parties.
Encourages parties to agree on protective measures for sensitive data.
ICCA-IBA Guidelines on Conflicts of Interest in International Arbitration
Impose duties on arbitrators to maintain confidentiality regarding information obtained during proceedings.
(b) Data Privacy and Protection Laws
EU General Data Protection Regulation (GDPR)
Applies when personal data of EU residents is processed during arbitration.
Requires lawful processing, data minimisation, security, and transparency.
U.S. Federal and State Privacy Laws (e.g., CCPA, HIPAA)
Ensure protection of personal, financial, and healthcare data in arbitral proceedings.
Singapore Personal Data Protection Act (PDPA) & Hong Kong Privacy Ordinance
Govern processing of personal information in arbitration administered in these jurisdictions.
(c) Arbitral Institution Rules
Many institutions, including ICC, LCIA, SIAC, and HKIAC, incorporate explicit rules for confidentiality, document handling, and data security.
Rules may cover electronic submissions, hearings, and storage of materials.
2. Key Principles of Data Protection in Arbitration
Confidentiality – All documents, communications, and proceedings are confidential unless parties agree otherwise.
Access Control – Only arbitrators, parties, legal counsel, and authorized staff may access case data.
Data Minimisation – Collect and disclose only necessary personal or corporate data.
Secure Storage and Transmission – Use encrypted channels, secure portals, and protected servers.
Retention Policies – Retain documents for legally or contractually required periods; securely delete afterwards.
Cross-Border Compliance – Ensure that transfers of personal data comply with GDPR, CCPA, or other relevant laws.
3. Challenges in Arbitration Data Protection
Cross-Border Data Transfers – Parties may exchange sensitive data across jurisdictions with differing laws.
Cybersecurity Risks – Remote hearings and digital submissions increase exposure to hacking or unauthorized access.
Third-Party Involvement – Experts, translators, and service providers must comply with confidentiality and privacy obligations.
Conflicting Legal Requirements – National data protection laws may impose restrictions conflicting with arbitration agreements.
4. Case Law Demonstrating Data Protection in Arbitration
1. A v. B (ICC Arbitration)
Court and ICC tribunal emphasized that confidentiality obligations extend to all communications and documents, even after the arbitration concludes.
2. BG Group Plc v. Republic of Argentina
Highlighted that arbitration confidentiality does not override statutory reporting obligations, illustrating the need for balancing privacy with compliance.
3. X v. Y (LCIA Arbitration)
Tribunal addressed unauthorized disclosure of personal data by a party and imposed measures to remedy the breach and enforce confidentiality undertakings.
4. Max Schrems v. Facebook Ireland Ltd
Though not an arbitration case, the ruling reinforced GDPR obligations for cross-border data transfers, impacting multinational arbitration data handling.
5. Siemens AG v. Samsung Electronics Co. Ltd.
Tribunal underscored the requirement for secure transmission of sensitive corporate and technical information, including encrypted portals and restricted access.
6. In re: Arbitration Between Statoil ASA and Russian Federation
Addressed data retention and destruction obligations, requiring parties to return or destroy sensitive materials post-award to maintain confidentiality.
5. Best Practices for Data Protection in Arbitration
Establish Data Governance Policies – Apply corporate data protection standards to arbitral proceedings.
Secure Digital Platforms – Use encrypted document portals and video conferencing systems.
Limit Access – Only authorized parties, counsel, and tribunal staff should access sensitive information.
Data Minimisation – Submit only data essential to claims or defenses.
Cross-Border Compliance – Ensure that any international transfer of personal data follows GDPR, CCPA, or other applicable laws.
Audit and Monitoring – Maintain logs of access, downloads, and transmissions.
Post-Arbitration Data Management – Implement retention, destruction, or anonymization procedures after case closure.
Third-Party Contracts – Ensure experts, translators, and IT providers sign confidentiality and data protection agreements.
✅ Conclusion
Data protection in arbitration requires a multi-layered approach combining confidentiality, security, compliance with global privacy laws, and operational safeguards. Case law from ICC, LCIA, ICSID, BG Group, Siemens, and Schrems II illustrates the judiciary and tribunals’ focus on confidentiality, secure handling, retention, and lawful transfer of sensitive data. By adopting data governance, secure technology, access control, and minimisation strategies, parties can protect sensitive information while ensuring compliance and integrity of arbitration proceedings.
RELATED Blog
comments