Data protection and cyber risk issues
Dealing with regulation, cyber-attacks
and hacked evidence
Global | Publication | September 2019
Data protection and cyber security are hot topics in international arbitration. A majority of respondents in the 2018 Queen Mary International Arbitration Survey listed “security of electronic communications and information” as an issue which should be addressed in arbitration rules. This demonstrates that users of arbitration are concerned about data security.
While there are signs that the market is listening, users seem to think that institutions, counsel and tribunals could do more to address cybersecurity.
This article examines three areas of data protection and cyber security in arbitration:
- The European Union’s General Data Protection Regulation (GDPR) and how it bears on international arbitration.
- Data breaches in arbitral proceedings and cyberattacks on institutions, and how institutions are responding.
- How hacked evidence might appear in arbitration, and how tribunals have dealt with this issue.
GDPR and arbitration
The GDPR has significantly altered the landscape of data protection. Its broad scope and potentially severe penalties have forced those who hold and process data to take note of its provisions. The international arbitration community must be aware of the terms of the GDPR and how it impacts the arbitral process.
The GDPR applies to “personal data”. This concept is defined extremely broadly to include any information relating to an identified or identifiable natural person, and would include things such as an individual’s name, address and any online identifier (such as an email address). The GDPR also has a broad scope of application, reaching entities in the EU as well as entities outside the EU processing data of EU based individuals in some contexts. For example, a witness based in the EU may in some circumstances import GDPR obligations into an arbitration, even if the arbitration is otherwise completely independent of the EU.
This wide scope of application is coupled with potentially severe penalties of up to €20 million or 4 per cent of an entity’s total worldwide annual turnover of the preceding financial year (whichever is higher) for certain contraventions of the GDPR. It is important to note that these penalties can be imposed per breach – meaning that penalties potentially could quickly reach a significant level.
If the GDPR is engaged, entities which process personal data will be subject to a number of obligations. If an entity is deemed to be a data controller for the purposes of the GDPR, these obligations would include the need to identify a lawful basis to process data, a requirement to ensure appropriate technical and organizational measures are in place in order to safeguard the security of processing (including to prevent data breaches to the extent possible), and a requirement that data is not transferred outside the EU other than in certain specified circumstances. If an entity is deemed to be a data processor rather than a controller, the GDPR contains detailed provisions as to how the processor should only process data on the basis of documented instructions from the controller.
The detail of how the GDPR operates is complex. The key point for international arbitration practitioners is to be aware that the GDPR may be relevant to their arbitration, regardless of whether they are, or the arbitration is seated, in Europe.
Cyber-attacks and institutional responses
In July 2015, the website of the Permanent Court of Arbitration (PCA) was hacked in the midst of an ongoing maritime border dispute between China and the Philippines. Malware was implanted on the PCA’s website which infected the computers of visitors, potentially exposing them to data theft.
The attack on the PCA illustrates the risk faced by arbitral institutions. Parties in arbitration can be called upon to disclose sensitive material to prove their case. While in many jurisdictions it is assumed that the arbitration will be cloaked in confidentiality, cyber-attacks have the potential to seriously undermine the confidentiality of the arbitral process.
The arbitral community is responding to this risk. The most prominent example is the draft Cybersecurity Protocol for International Arbitration published by the ICCA, the New York City Bar Association and the CPR Institute last year. The Protocol is intended to apply in particular cases, either by agreement of the parties or order of the tribunal. Once adopted, the Protocol gives the tribunal the power to determine what security measures are reasonable for the case, taking into account the views of the parties. Such measures should account for, among other things, the transmission of materials, communication between arbitrators, storage of information and security of data. Importantly, the Protocol makes clear that cybersecurity is the shared responsibility of all participants in the arbitration, who must ensure all personnel involved in the arbitration are aware of, and follow, any cybersecurity measures adopted.
ICCA and the IBA have also established a Joint Task Force on Data Protection in International Arbitration with a view to producing a guide offering practical guidance on the potential impact of data protection principles, including the GDPR.
At an institutional level, arbitral institutions are also addressing the risk posed by cyberattacks. The Hong Kong International Arbitration Centre (HKIAC) Rules, which entered into force on 1 November 2018, specifically include as a recognized means of communication “any secured online repository that the parties have agreed to use”. The London Court of International Arbitration (LCIA) is also aiming to revise its 2014 Arbitration Rules this year, and is considering adding new provisions on data protection and cybersecurity.
Data protection is an area ripe for reform in the arbitration context and users expect arbitral institutions to be at the centre of the effort.
Hacked evidence in arbitration
A related issue which is appearing more regularly in arbitration is the attempted use of evidence obtained through cyberattacks or data breaches. This issue has arisen predominantly in investment arbitration. For example, in both the Yukos disputes and ConocoPhillips v Venezuela the parties sought to rely on evidence obtained from WikiLeaks.
Arbitration rules typically afford broad discretion to the tribunal to decide evidentiary issues. For example, Article 27(4) of the UNCITRAL Rules provides that the “arbitral tribunal shall determine the admissibility, relevance, materiality and weight of the evidence offered”. Article 9(2) of the IBA Rules on the Taking of Evidence in International Arbitration permits the tribunal to exclude evidence on grounds of either “legal impediment or privilege under … legal or ethical rules” or “special political or institutional sensitivity”.
In ConocoPhillips, the tribunal was asked to reopen its earlier decision on jurisdiction in light of information contained in hacked emails published by WikiLeaks. The majority did not expressly address whether that evidence was admissible, finding instead that it simply did not have the power to reopen its earlier findings. A dissenting opinion in that case relied on the emails’ contents as a basis for reopening the decision, without expressly addressing whether the emails were admissible in the first place. However, in Caratube International v Kazakhstan, the tribunal expressly admitted emails which had been published on WikiLeaks to the extent such material was not covered by legal professional privilege.
Given the paucity of authority, there is little evidence as yet that a consistent approach to dealing with these issues is emerging. As data breaches become more common, tribunals will be called on more frequently to rule on the admissibility of such evidence. It is hoped that as tribunals engage with this issue, some guidance will be available to parties as to how it might be dealt with.
Data protection and cyber risk are emerging as important considerations in arbitration. The arbitral community, and the arbitral institutions, are taking steps to address this concern, but more needs to be done. As these issues are experienced more frequently, it is to be hoped that consistent practices will emerge, which will offer users comfort that their data will be secure.