Data Protection & Online Dispute Resolution

Avineet Singh Chawla
Published in CADRE ODR
Dec 19, 2023

Introduction

There has been a perceptible uptick in the adoption and acceptance of Online Dispute Resolution (ODR) in India during the last two years. A necessary corollary of this development, as with any digital platform, is concern around data security & privacy.

The 2015 cyber attack on the Permanent Court of Arbitration (PCA) during a maritime border dispute between China and the Philippines serves as a stark example, highlighting the critical need for data protection in arbitration, especially online arbitration. In this case, malware was introduced to the PCA’s website, infecting the computers of visitors and posing a threat to data security.

In this short piece (with more to follow) we talk about concerns around data security & privacy and some potential solutions.

Risks

The most important risks around online proceedings relate to disclosure of information, theft/leakage of information, and authenticity of the information being submitted. All of these adversely affect the parties involved and must be addressed at a fundamental level. These risks broadly arise as below:

  1. Disclosure of Data: During the course of proceedings, a broad range of data, including personal information, financial information, trade secrets etc., is disclosed to the tribunal and the opposing party. The information submitted is subject to clarifications and questioning by the tribunal and the opposing party over a digital audio/video meeting link. While such disclosure is essential for conducting the proceedings and is unavoidable, in the online space it poses additional risks like unverified parties being present in a video/audio call, unauthorised recordings, etc.
  2. Storage & Access to Data: The different kinds of data disclosed by the parties (as above) are stored on the online platform and are accessible to the arbitrators, the parties, the legal or other representatives of the parties, employees of the ODR platform or employees of service providers whose services are essential for the functioning of the ODR platform. This poses challenges like unauthorised access & download, impersonation and tampering.
  3. Evaluation of Digital Evidence: Establishing the integrity and authenticity of data offered as evidence in a digital environment is not an easy task, especially in a country like India where awareness of digital documentation is low. This raises issues about data tampering and falsification. This is a severe risk and requires arbitrators and platforms to exercise diligence and caution.

Potential Solutions

The management of these risks requires proactive measures from arbitrators, parties, as well as the ODR platforms. A list of potential solutions is below:

  1. Utilisation of secure communication tools and platforms: The ODR Platforms must provide a secure communication platform that is both password-protected and encrypted, ensuring freedom from potential threats. The parties and the tribunal must refrain from using unencrypted communication methods to prevent the leakage of information. Platforms must have stringent rules around password sharing, reset and expiry.
  2. Implementation of Digital Personal Data Protection Act, 2023 (DPDP Act): ODR Platforms must implement the provisions of the DPDP Act, including the establishment of confidentiality agreements or non-disclosure agreements among the involved parties. The Tribunal is in any case bound by Section 42-A of the Arbitration and Conciliation Act, 1996, which ensures privacy and confidentiality of the proceedings. In addition, in the Indian context, ODR platforms must also ensure compliance with data residency rules. Arbitrators, employees and sub-contractors should also undergo training on privacy laws and appropriate handling of data.
  3. Verification of compliance with data security certifications: The ODR Platforms must thoroughly examine their privacy policies and terms of service, and conduct due diligence of their compliance with data security accreditation/certification. It will not be out of place to implement a BIS or ISO standard for ODR platforms as well.
  4. Offer cybersecurity training for Arbitrators: ODR Platforms must introduce training programs on cybersecurity for arbitrators within their panels and include topics like digital forensics, understanding digital signature certificates, verifying digital signatures etc.
  5. Development of Protocols for Confidentiality of Virtual Hearings and Document Sharing: ODR Platforms should establish specific rules and protocols addressing confidentiality and virtual hearings. Consideration can be given to the ICCA-NYC Bar-CPR Protocol on Cybersecurity in International Arbitration, designed to enhance awareness of cybersecurity in international arbitration and offer a framework for integrating cybersecurity measures into arbitral proceedings.

Conclusion

As online arbitration through ODR Platforms continues to become a favoured method for resolving disputes, it is crucial for ODR Platforms to work on security, as they are fundamental in safeguarding personal data and upholding confidentiality.

(with inputs from Rajneesh Jaswal, Co-Founder, CADRE ODR)
