Data Protection in Virtual Arbitration: How does it look in Asian Jurisdiction?
Samriddhi Sanga [i]
The EU’s GDPR inspired - ICCA-IBA Roadmap on Data Protection in International Arbitration, arrived in 2020 as a much-needed framework against the backdrop of the shift to virtual hearings across arbitral jurisdictions. The Task Force Co-Chairs Kathleen Paisley and Melanie van Leeuwen remarked that arbitral participants need data protection laws directly governing arbitral proceedings. Besides, burgeoning volumes of personal information in virtual arbitral hearings have made the need for such guidelines more pertinent.
Given the booming protocols on virtual hearings and increasing exchange of information, it becomes imperative for us to gain an outlook on popularly used guidelines. In this pursuit, comparative analysis, such as ‘Virtual Hearing Guidelines: A Comparative Analysis and Direction for the Future’ aids in appreciating the similarities and differences in the guidelines in order to make the arbitration community and users cognizant of various aspects that need to be considered.
However, this article particularly compares the data protection features offered in the following jurisdictions of the Asian region:
India - IAF Protocol on Virtual Hearings for Arbitrators, 2020 (“IAF Protocol”)
Singapore - SIAC Guide: Taking Your Arbitration Remote, 2020 (“SIAC Guide”)
Hong Kong - HKIAC Guidelines for Virtual Hearings, 2020 (“HKIAC Guidelines”)
South Korea - Seoul Protocol on Video Conferencing in International Arbitration, 2020 (“Seoul Protocol”)
Series of developments like increasing popularity of SIAC, expansion of institutions such as International Chamber of Commerce (ICC) and Chartered Institutes of Arbitrators (CIArb) towards Asia, and the rise of a fairly new institution - Korean Commercial Arbitration Board (KCAB), over the past decade, have cultivated a culture conducive to arbitration. Therefore, the choice of Asian jurisdictions is inevitable. Besides, the surge in arbitral institutions results from a multitude of factors like substantial increase in cross-border business activities, comparatively inexpensive hearings, easier enforcement of awards under domestic arbitration laws, and many more, seemed to have brought Asia into the spotlight.. Further, amidst internalisation of technology in every sector, data protection also saw the light of day in Asia. While seven jurisdictions engaged in the amendment of data protection laws to be at par with technological updates from 2010 to 2020, 13 more jurisdictions enacted a new framework. Thus, in the backdrop of the Covid-19 pandemic, it becomes crucial to examine data protection principles in the guidelines for virtual hearings released by arbitral institutions, across the Asian region.
A. Data Security
Data security is a comprehensive term per se and while scrutinising the framework for the same offered by the above institutions, this article looks into nuances like the choice of software/platform and document sharing and communication channels. It was observed that all the institutions give parties the opportunity to make a choice of the platform that they feel is most secure. At the same time, all of them provide for a password protected/encrypted communication channel. Besides, SIAC and HKIAC also float a list of the participants who are allowed to use the platform for communication. However, the Seoul Protocol remains silent on this front. A striking difference among all the institutions is with respect to the document sharing mechanism. IAF and SIAC ask the parties to choose a secured platform for the same. While Seoul furnishes a shared repository coupled with efforts by parties to keep it secure, HKIAC prescribes to supply the documents to an Electronic Presentation of Evidence (EPE) Manager. It is assumed that documents submitted to the manager remain safe given that the institution supervises EPE.
B. Consent of Parties
The principle of ‘consent’ in a virtual hearing is exercised on various occasions, however, it was observed that in all the given protocols, it was most importantly required for ‘recording’ the virtual hearing. It was witnessed that recording the hearing is subject to the approval of parties and the tribunal. The difference lies in the method of approval. The Seoul Protocol and HKIAC Guidelines simply leave the decision to the discretion of the tribunal and parties/tribunal, respectively. For the other two institutions, consent holds more gravitas. IAF and SIAC ask for written/explicit consent for the same. Besides, SIAC offers the feature of excluding deliberations of the tribunal from the recording and the tribunal is earnestly expected to ensure that the stakeholders abide by the mechanism. It can be deduced that tribunals in SIAC can freely deliberate on the concerned issues including sensitive business information of the parties without brooding over data security concerns.
Arbitral institutions maintain confidentiality by obviating any unauthorised access. Barring the Seoul Protocol, all the guidelines ask to pre-approve a list of participants that have the access to the hearing. While IAF prepares it for merely identification purposes, HKIAC also records the location of the participants that brings associated data protection laws in the limelight. Interestingly, SIAC comparatively increases the scrutiny by mentioning the duration and the level of access given to the participant along with other basic information. For instance, a witness will not be permitted to access Tribunal’s breakout room once specified.
D. Legal Backing by Domestic Laws
Hong Kong has one of the oldest data security frameworks in the form of the Personal Data (Privacy) Ordinance, 1996 and the Data Protection Principles (DPP) that show its enhanced awareness on this front. In Singapore, Personal Data Protection Act, 2012 (PDPA) brings into ambit the protection of data disclosed, used and collected in Singapore. Thus, PDPA extends a shield for the aggrieved party in case of a data breach. Similarly, the Personal Information Protection Act, 2011 (PIPA) protects the data processed within South Korea. Like other jurisdictions given above, it also provides a robust framework.
However, while the Personal Data Protection Bill, 2019 (‘PDP Bill’) provides detailed provisions with respect to ‘Confidentiality,’ ‘Explicit Consent,’ and ‘Data Protection by design’ among many others, they are unable to give any legal backing to the Protocol since it has not been passed by both the houses, yet. Thus, India still longs for a data protection framework.
E. Responsibility of the Institution to Ensure Compliance
Data protection is an integral adjunct of a virtual hearing. Thus, it becomes imperative for an arbitral institution to ensure that data of the concerned stakeholders remain secured. Having discussed the concept of legal backing, it can be easily understood that among all the above jurisdictions, only India to date remains bereft of a data protection framework. Therefore, the applicability and the compliance of the IAF Protocol is left at the mercy of the contractual obligations between the parties. It does not take responsibility for the same. Similarly, the institutional support provided by Seoul Protocol to the participants in the virtual arbitral hearing is also comparatively less. In general, only parties are expected to ensure that all the requirements for the hearing are met. Perhaps, the reason for this inadequacy is an early release (5-6 November 2018) as compared to its counterparts. It must be highlighted that even GDPR was in its nascent stage then.
The guidelines by SIAC and HKIAC take things a step further. It is the responsibility of both the parties and tribunals to ensure compliance with the SIAC Guide. Besides, the institution provides a comprehensive checklist (Appendix B) inclusive of data protection measures to assist the Tribunal in preparing procedural orders for the hearing. At the same time, HKIAC involves itself in every process to ensure safe virtual hearing. For instance, the guidelines provide for a back-up system after consulting with the participants instead of waiting for them to find an alternative that may be unintentionally unsafe to use.
What needs to be appreciated is that all the above institutions promptly responded to changing dynamics in arbitration. Releasing guidelines on virtual hearings was indeed a welcome step. However, this cannot take away from the fact that these guidelines suffer from certain lacunae. For instance, the accountability of the arbitral institution in case of a potential security breach cannot be determined in any of the protocols given. Besides, they also remain silent on reprimanding the responsible party.
Nevertheless, the ICCA-IBA Roadmap to Data Protection in International Arbitration fills the gaps. It provides that even the slightest data breach should be informed and accompanied by a discussion on ethical obligations associated with it. It also asks the data controller i.e. the arbitral institution to expressly demonstrate compliance efforts in order to establish accountability. The roadmap elaborates at length on inter-alia confidentiality measures, right to erasure, encryption and consent mechanism. Most importantly, the document addresses ‘how’ data protection laws need to be applied in an arbitral proceeding.
At last, it is essential to highlight that barring the participants subject to IAF Protocol, i.e., in the Indian jurisdiction, most Asian seated arbitral participants can successfully exercise the right of access, correction, deletion, or data minimisation under their existing data protection laws. Thus, for jurisdictions bereft of the same, the significance of the ICCA-IBA Roadmap to Data Protection in International Arbitration and its adoption is worth emphasising.
Samriddhi Sanga is a Penultimate year law student at Vivekananda Institute of Professional Studies, New Delhi. Her interests lie in International Arbitration, Maritime Law and Technology Law. She can be contacted at email@example.com .