
Cybersecurity on International Arbitration and the role of the Arbitral Tribunal

Júlia Giuntini Furlan*



            This article focuses on analyzing the impact of the digitalization process on arbitral proceedings, and how the arbitration community has approached this situation through the creation of multiple guidelines, roadmaps, and protocols. In addition, attention will be given to the arbitral tribunal’s crucial role in assuring data protection obligations are complied with by all arbitral participants.



            Indeed, many of the adaptations forced upon legal proceedings at the outbreak of the COVID-19 pandemic will become regular practice. Remodeling the previous framework to accommodate remote procedures has shown law firms, arbitral institutions, and legal advisers how the flexibility inherent to arbitration enables a proper adjustment to the digitalization process, and a beneficial one, since costs derived from traveling, locating adequate venues, and related expenses are eliminated. Hence it is safe to say that such adaptations will become post-pandemic standard practice. However, as the reliance on electronic and digital means continues to rise, concerns about cybersecurity risks and data protection have become even more pressing.

            Despite the considerable investment made in recent years to ensure greater protection against cyberattacks, assessing data protection obligations must be an ongoing undertaking. Arbitration often involves regulated personal data[1] and business-sensitive information in high-value disputes, which makes it a target; the risk is especially high for arbitral institutions, given their position as data repositories. Also, given the cross-border nature of the process, complying with the applicable legal requirements is a complex challenge that heightens the consequences of an incident.

            Accordingly, the urgency of the matter motivated the international arbitration community to properly address cybersecurity, along with the impact of the General Data Protection Regulation (“GDPR”) on proceedings. Given the very close connection between data protection and information security, data protection laws and regulations typically demand, amongst other things, that individuals or legal entities processing[2] personal data implement reasonable information security measures (baseline security). An arbitration as such cannot be subject to data protection obligations; nonetheless, the subjection of even one of the arbitral participants impacts the conduct of the proceedings as a whole. Under these circumstances, the various protocols and roadmaps formulated by arbitral institutions, in addition to providing procedural and practical guidance on cybersecurity, may also facilitate compliance with data protection legal regimes. It is important to emphasize, still, that these protocols do not supersede applicable legal obligations.


The importance of determining reasonable Cybersecurity measures

            In an increasingly digital landscape, much of the credibility of any dispute resolution system depends on whether a reasonable degree of protection of the data exchanged can be upheld. In arbitration, assuring the integrity of digital proceedings is even more imperative, considering that confidentiality stands as one of its main advantages over other processes.

            The information security issue should therefore be raised from the outset of the proceedings, as recommended by the Cybersecurity Protocol[3]. Through a procedural conference, the parties, arbitrators, and representatives must carefully study all factors of the dispute relevant to this decision, which include: the nature of the information being processed, the risk profile (risk analysis), existing information security practices, and the consequences of a breach. Following those considerations, limitations such as financial and technical resources must be balanced so that the measures are not so onerous as to hinder the arbitration from proceeding normally. Prior consultation with the arbitral institution involved would be wise, so that the consistency and adequacy of the proposed measures with the institution’s rules can be ensured.

            Overall, much caution must be directed to this step of the arbitral proceedings. The arbitral tribunal, along with the parties and any administering institution, should confirm that anyone directly or indirectly involved is aware of and willing to comply with the measures adopted. This includes independent contractors and third parties[4], who are often associated with a party through a contractual relationship or are under its practical control, yet are not under the tribunal’s authority and may not directly suffer the consequences of a breach.

            A successful attack on one arbitral participant might have an impact on everyone involved, including third parties. Alongside damage to the integrity of the arbitral proceedings, breaches of confidentiality may result in financial losses, reputational harm, exposure of proprietary data, and risks to the authenticity of the information. Analyzing the consequences of a potential security violation is, finally, equally fundamental to a comprehensive understanding of the risk profile of a particular case.


The role of the Tribunal on data protection issues

            As in all other aspects of arbitration, respecting party autonomy is crucial in determining what information security measures will be employed, so the parties and their representatives are expected to take the lead on these considerations. The arbitral tribunal’s duty as to data protection is also important, though largely supplementary, consisting of interventions to ensure adequacy, compliance, and efficiency.

            A good illustration of its relevance occurs during deliberations on cybersecurity measures, where differing opinions or conflicting legal obligations between the parties are a real possibility. When this happens, the tribunal should be the one to determine how to harmonize obligations and preferences, and likewise to discuss the ability and willingness of the participants to adopt specific security measures. In consultation with the parties and the institution (if any), it should be able to create a framework of digital protection that satisfies both sides equally.

            However, proactive conduct on the tribunal’s side also implies interference with what has been decided by the parties, in case the arbitrators find it improper. The Cybersecurity Protocol indicates some of the circumstances in which departing from the parties’ agreement may be justified, underlining the tribunal’s authority to determine the applicable security efforts if necessary. The possibilities involve: (a) measures to protect third-party interests, including witnesses or anyone else who might participate in the arbitration; (b) the capabilities of the arbitrators and the administering institution; and (c) the tribunal’s interest in protecting the legitimacy and integrity of the proceedings, including the security of its deliberations and communications.

            In addition, reference must be made to the requirement of tribunal deference. Insofar as an information security agreement between the parties impacts the arbitration process, it should be formalized only after consultation with the tribunal and, if necessary, the administering institution. This is yet another example of how much scrutiny regulations apply to data protection measures, along with the relevance of the tribunal’s role as data controller. The Cybersecurity Protocol (Principle 13) determines that, at its discretion, the tribunal may also allocate related costs among the parties and/or impose sanctions in the event of an information security incident. This provision may, however, be limited by applicable law.


Data Protection Laws and the Arbitral Tribunal

            Data protection laws nowadays form a non-exhaustive list of important national and regional regulations that apply, for the most part, to arbitration. As one prime example, the General Data Protection Regulation (‘GDPR’) covers all personal data processed within its scope of application, whether wholly, partly, or not at all by automated means. Even where the GDPR does not apply as a matter of law, some of its provisions may still apply as a matter of agreement.

            Arbitral participants covered by a data protection regime are charged with certain obligations, which may vary depending on their status. A data controller is a natural or legal person, public authority, or any other body that determines the purposes and means of the processing of personal data [GDPR, Article 4 (7)], whereas data processors are those which process personal data on behalf of the controller [Article 4 (8)]. Accordingly, parties and arbitrators are considered data controllers; administering institutions and third parties serve as data processors.

            The arbitral tribunal, as a data controller, carries the responsibility of complying with data protection law, recording the measures taken to meet those obligations, and issuing directions applying data protection principles to the appropriate extent. In addition, the GDPR obliges the tribunal to provide data subjects – in other words, the parties – with information about their data protection rights (Articles 13 and 14). That information must be presented in “a concise, transparent, intelligible and easily accessible form, using clear and plain language”[5].



            In addition to forcing adaptations upon the arbitration framework, the ever-increasing digitalization has proved that remote proceedings are here to stay. Investing in cybersecurity should nowadays be one of the top priorities, not only to ensure that a particular arbitration is protected but also to secure the credibility of this dispute resolution method. Ultimately, attention should be directed to the stage at which the applicable data protection measures are discussed. The parties and the arbitral tribunal should carefully study all risk factors, the relevant national laws, and possible adherence to a well-known and structured protocol. As previously stated, assessing data protection obligations must be an ongoing undertaking, and is no longer optional.


*Regular student of PUC-SP Law. E-mail:


[1] ‘Personal Data’ can be defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” [General Data Protection Regulation, ‘GDPR’, Article 4 (1)].

[2] ‘Processing’ relates to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” [GDPR, Article 4 (2)].

[3] Refers to the “ICCA-NYC Bar-CPR Protocol on Cybersecurity in International Arbitration (2020 Edition)”.

[4] Defined by the GDPR as a “natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data”, Article 4 (10).

[5] General Data Protection Regulation ‘GDPR’, Article 12 (1).
