Júlia Giuntini Furlan*
Abstract
This article focuses on analyzing the impact of the digitalization process on arbitral proceedings, and how the arbitration community has approached this situation through the creation of multiple guidelines, roadmaps, and protocols. In addition, attention will be given to the arbitral tribunal’s crucial role in assuring that data protection obligations are complied with by all arbitral participants.
Introduction
Indeed, many of the adaptations forced upon legal proceedings at the outbreak of the COVID-19 pandemic will become regular practice. Remodeling the previous framework to accommodate remote procedures has shown law firms, arbitral institutions, and legal advisers how the flexibility inherent to arbitration enables a proper, and indeed beneficial, adjustment to the digitalization process, since costs derived from traveling, locating adequate venues and related expenses are eliminated – hence it is safe to say that such adaptations will become standard post-pandemic practice. However, as reliance on electronic and digital means continues to rise, concerns about cybersecurity risks and data protection have become even more pressing.
Despite the considerable investment made in recent years in protection against cyberattacks, assessing data protection obligations must be an ongoing undertaking. Arbitration often involves regulated personal data[1] and business-sensitive information on high-value disputes, which makes it a target – the risks increase especially for arbitral institutions, given their position as data repositories. Also, given the cross-border nature of the process, complying with applicable legal requirements is a complex challenge that heightens the consequences of an incident.
Accordingly, the urgency of the matter motivated the international arbitration community to properly address cybersecurity, along with the impact of the General Data Protection Regulation (“GDPR”) on proceedings. Given the very close connection between data protection and information security, data protection laws and regulations typically demand, amongst other things, that individuals or legal entities processing[2] personal data implement reasonable information security measures (baseline security). An arbitration by itself cannot be subject to data protection obligations; nonetheless, the subjection of even one of the arbitral participants impacts the conduct of the proceedings as a whole. Under these circumstances, the various protocols and roadmaps formulated by arbitral institutions, in addition to providing procedural and practical guidance regarding cybersecurity, may also facilitate compliance with data protection legal regimes. It is important to emphasize, still, that these protocols do not supersede applicable legal obligations.
The importance of determining reasonable cybersecurity measures
In an increasingly digital landscape, much of the credibility of any dispute resolution system depends on whether a reasonable degree of protection of the data exchanged can be upheld. As far as arbitration is concerned, assuring the integrity of digital proceedings becomes even more imperative, considering that confidentiality stands as one of its main benefits over other processes.
The information security issue should therefore be raised from the outset of the proceedings, as recommended by the Cybersecurity Protocol[3]. Through a procedural conference, parties, arbitrators, and representatives must carefully study all factors of the dispute relevant to this decision, which include: the nature of the information being processed, the risk profile (risk analysis), existing information security practices, and the consequences of a breach. Following those considerations, limitations such as financial and technical resources must be balanced so that the measures are not so onerous as to hinder the arbitration from proceeding normally. Prior consultation with the arbitral institution involved would be wise, so that the consistency and adequacy of the proposed measures under the institution’s rules can be ensured.
Overall, much caution must be directed to this step of the arbitral proceedings. The arbitral tribunal, along with the parties and any administering institution, should make certain that anyone directly or indirectly involved is aware of and willing to comply with the measures adopted. This includes independent contractors and third parties[4] – often associated with a party through a contractual relationship or under its practical control – who are not under the tribunal’s authority and may not directly suffer the consequences of a breach.
A successful attack on one arbitral participant might have an impact on everyone involved, including third parties. Alongside damage to the integrity of the arbitral proceedings, breaches of confidentiality may result in financial losses, reputational injury, exposure of proprietary data, and risks to the authenticity of the information. Analyzing the consequences of a potential security violation is, finally, equally fundamental to a comprehensive understanding of the risk profile of a particular case.
The role of the Tribunal on data protection issues
Similar to all other aspects of arbitration, respecting party autonomy is crucial in determining what information security measures will be employed, so parties and their representatives are bound to take the lead on these considerations. The arbitral tribunal’s duty as to data protection is also important, though largely supplementary, consisting of interventions to ensure adequacy, compliance, and efficiency.
A good illustration of its relevance occurs during deliberations on cybersecurity measures, where differing opinions or conflicting legal obligations between the parties are a very real prospect. When that happens, the tribunal should be the one to determine how to harmonize obligations and preferences, and likewise to discuss the ability and willingness of participants to adopt specific security measures. In consultation with the parties and the institution (if any), it should be able to create a framework of digital protection that satisfies both sides equally.
However, proactive conduct on the tribunal’s side also implies interference with what has been decided by the parties in case the arbitrators find it improper. The Cybersecurity Protocol indicates some of the circumstances in which departing from the parties’ agreement may be justified, underlining the tribunal’s authority to determine the applicable security efforts if necessary. These include: (a) measures to protect third-party interests, including witnesses or anyone else who might participate in the arbitration; (b) the capabilities of the arbitrators and the administering institution; and (c) the tribunal’s interest in protecting the legitimacy and integrity of the proceedings, including the security of its deliberations and communications.
In addition, reference must be made to the requirement of tribunal deference. Insofar as an information security agreement between the parties impacts the arbitration process, it should be formalized only after consultation with the tribunal and, if necessary, the administering institution. This is yet another example of how much scrutiny regulations apply to data protection measures, and of the relevance of the tribunal’s role as data controller. The Cybersecurity Protocol (Principle 13) provides that, at its discretion, the tribunal may also allocate related costs among the parties and/or impose sanctions in the event of an information security incident. This provision may, however, be limited by applicable law.
Data Protection Laws and the Arbitral Tribunal
Data protection laws nowadays form a non-exhaustive list of important national and regional regulations that apply, for the most part, to arbitration. As one prime example, the General Data Protection Regulation (“GDPR”) covers all personal data processed within its scope of application, whether wholly, partly, or not at all by automated means. Even where the GDPR does not apply as a matter of law, some of its provisions may still apply as a matter of agreement.
Arbitral participants covered by a data protection regime are charged with certain obligations, which may vary depending on their status. A data controller is a natural or legal person, public authority, or any other body that determines the purposes and means of the processing of personal data [GDPR, Article 4 (7)], whereas data processors are those which process personal data on behalf of the controller [Article 4 (8)]. Accordingly, parties and arbitrators are considered data controllers; administering institutions and third parties serve as data processors.
The arbitral tribunal, as a data controller, carries the responsibility of complying with data protection law, recording the measures taken to meet those obligations, and issuing directions that apply data protection principles to the adequate extent. In addition, the GDPR obliges the tribunal to provide data subjects – in other words, the parties – with information about their data protection rights (Articles 13 and 14). That information may be presented in “a concise, transparent, intelligible and easily accessible form, using clear and plain language”[5].
Conclusion
In addition to forcing adaptations upon the framework of arbitration, ever-increasing digitalization has proved that remote proceedings are here to stay. Investing in cybersecurity should nowadays be one of the top priorities, not only to ensure that a particular arbitration is protected but also to secure the credibility of this dispute resolution method. Ultimately, attention should be directed to the stage at which applicable data protection measures are discussed. The parties and the arbitral tribunal should carefully study all risk factors, relevant national laws, and possible adherence to a well-known and structured protocol. As previously stated, assessing data protection obligations must be an ongoing undertaking, and is no longer an option.
*Regular student of PUC-SP Law.
E-mail: julia.g.furlan@hotmail.com
[1] ‘Personal Data’ can be defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” [General Data Protection Regulation, ‘GDPR’, Article 4 (1)].
[2] ‘Processing’ relates to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” [GDPR, Article 4 (2)].
[3] Refers to the “ICCA-NYC Bar-CPR Protocol on Cybersecurity in International Arbitration (2020 Edition)”.
[4] Defined by the GDPR as a “natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data”, Article 4 (10).
[5] General Data Protection Regulation ‘GDPR’, Article 12 (1).