In an era where data is a new form of currency, safeguarding sensitive information is an essential consideration in international arbitration. At the same time, data protection laws of the world have rapidly expanded in scope to the point that, according to Gonçalves and Brancher, “there is no area of law that is not impacted by these issues.”[1] This note explores key challenges and practical considerations surrounding the topic of data protection in international arbitration.
Confidentiality in International Arbitration
International arbitration is widely valued for its confidential nature. Unlike domestic suits, arbitration proceedings typically take place behind closed doors, and arbitration awards remain unpublished unless otherwise agreed.
This principle is reflected in the rules of most arbitral institutions. For example, the 2025 Arbitration Rules of the Singapore International Arbitration Centre provide that all participants to an arbitration “shall be under a continuing obligation to treat all matters relating to the proceedings as confidential.”[2]
Similarly, the 2024 HKIAC Administered Arbitration Rules of the Hong Kong International Arbitration Centre state that “[u]nless otherwise agreed by the parties, no party or party representative may publish, disclose or communicate any information relating to […] the arbitration under the arbitration agreement”.[3]
In England and Wales, the confidentiality of arbitration proceedings is even implied into the terms of arbitration agreements (with limited exceptions). In The Eastern Saga, the Commercial Court held that “parties have agreed to submit to arbitration particular disputes arising between them and only between them”, giving rise to an implied term of confidentiality.[4] In Ali Shipping, the Court of Appeal confirmed that this extends to documents that are produced by parties, pleadings, written submissions, and witness statements, among other things.[5]
Cybersecurity: Lessons from the PCA Hack
However, on rare occasions, data is extracted from arbitration proceedings without the parties’ consent.
In 2015, the Permanent Court of Arbitration (“PCA”) was hosting high-profile hearings between the Philippines and China over a maritime dispute in the South China Sea. Specifically, the Philippines initiated arbitration under Part XV of Annex VII to the United Nations Convention on the Law of the Sea (“UNCLOS”), alleging that China’s territorial claims to the region went beyond its rights under the convention and that it was aggravating the parties’ dispute by constructing a series of artificial islands (sometimes dubbed the “Great Wall of Sand”) to strengthen its hold over the region.[6]
Though China refused to participate, the arbitration proceeded in its absence. However, on day 3 of the hearing, an independent cybersecurity firm discovered an exploit on the PCA’s website that was purportedly being used by a group of Chinese state-associated hackers.[7] Specifically, the group was alleged to have abused an exploit in the now-discontinued Adobe Flash Player to gain access to and alter parts of the Court’s website to load malicious code on visitors’ computers.
Fortunately, there has not been a high-profile data breach since 2015, and the risk of a cybersecurity breach is likely higher from parties than arbitral institutions. Arbitral institutions may also have statutory requirements to take care to prevent such data breaches. For example, Article 32 of the United Kingdom’s General Data Protection Regulation provides that data controllers and processors “shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.[8]
It is clear from the above, therefore, that there are firm restrictions on the use for other purposes of data that was acquired in the course of an international arbitration. However, the proliferation of stringent data protection regimes means that arbitration participants must ensure that data is properly handled within the arbitral process as well.
Data Protection Legislation
More and more data protection laws have come to exist over the last decade, including the European Union’s well-known General Data Protection Regulation (“GDPR”). The GDPR imposes heavy fines for non-compliance of up to €20 million or 4% of a company’s turnover in the previous year, whichever is higher.[9] It is, therefore, crucial that parties with ties to the European Union comply with its provisions.
On paper, it would appear that international arbitrations are squarely subject to GDPR if any parties thereto are headquartered or operate in the European Union:
Article 3
Territorial Scope
- This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
- This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
- This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Article 3 appears to impose the GDPR onto arbitrations where any form of data processing or controlling takes place in the European Union, be it by arbitral institutions, arbitrators, counsel, witnesses, court reporters, or others. According to the GDPR’s recitals, the regulation applies “inter alia, to the activities of courts and other judicial bodies”.[10] According to Born, a plausible argument thus arises that arbitrators and arbitral institutions fall within the GDPR’s scope.[11] This raises interesting questions, such as whether overbroad document production requests in arbitration may breach the GDPR.
However, an arbitral tribunal constituted under the North American Free Trade Agreement (“NAFTA”) in the case of Tennant v. Canada determined that the GDPR did not apply despite one of its arbitrators being in the United Kingdom (then a member of the European Union) and despite his own data privacy notice on his website indicating that he was covered by it.[12] The tribunal reasoned that “a treaty to which neither the European Union nor its Member States are party, does not, presumptively, come within the material scope of the GDPR.”[13]
This renders the applicability of the GDPR to international arbitrations rather unclear. As Huang and Xie argue, later Court of Justice of the European Union jurisprudence indicates that this may have been an incorrect decision based on an incorrect interpretation of Article 2.[14]
Nevertheless, only time will tell how arbitral tribunals will treat data protection laws such as GDPR that appear to have an extraterritorial effect.
Procedural Orders and Protective Measures
For now, concerns about data protection should generally be raised early on in proceedings, ideally around the time of the first case management conference. This way, parties can state their case and ensure that adequate data protection measures are provided for.
The London Court of International Arbitration’s Arbitration Rules 2020, for example, provide the following:
30.5 In accordance with its duties under Article 14.1, at an early stage of the arbitration the Arbitral Tribunal shall, in consultation with the parties and where appropriate the LCIA, consider whether it is appropriate to adopt:
(i) any specific information security measures to protect the physical and electronic information shared in the arbitration; and
(ii) any means to address the processing of personal data produced or exchanged in the arbitration in light of applicable data protection of equivalent legislation.
30.6 The LCIA and Arbitral Tribunal may issue directions addressing information security or data protection, which shall be binding on the parties, and in the case of those issued by the LCIA, also on members of the Arbitral Tribunal, subject to the mandatory provisions of any applicable law or rules of law.
The International Chamber of Commerce publishes a default data protection clause which, among other things, provides that “[i]f sensitive/special category data is submitted during the arbitration, it shall be processed to the extent necessary to establish, exercise, or defend legal claims in the arbitration.”[15]
Another option is to request a confidentiality order to legally bind participants to certain non-disclosure obligations.
Conclusion
It is apparent that, as international arbitration evolves in an increasingly digital and data-centric world, data protection can no longer be treated as an afterthought. At the same time, there is precious little guidance from jurisprudence and legislators on the matter. In order to ensure data protection in international arbitration parties must ensure that they use secure platforms that are safe from cybersecurity threats. They must also take care to consider data protection laws that might affect any party to the arbitration. Finally, they must bear in mind their ability to request specific provisions in procedural orders to ensure a higher level of data protection.
[1] E. Gonçalves and P. Brancher, Data Protection Issues in International Arbitration in G. Fessas et al. (eds.) Leadership, Legitimacy, Legacy: A Tribute to Alexis Mourre (2022), p. 199.
[2] Arbitration Rules of the Singapore International Arbitration Centre 2025, Rule 59.1.
[3] 2024 HKIAC Administered Arbitration Rules, Article 45.1.
[4] Oxford Shipping v Nippon Yusen Kaisha [1984] 2 Lloyd’s Rep 373, 379, as cited in Ali Shipping Corporation v Shipyard Trogir [1997] EWCA Civ 3054, p. 3.
[5] Ali Shipping Corporation v Shipyard Trogic [1997] EWCA Civ 3054, pp. 18-21 (“it is clear (and indeed the parties do not dispute) that the principle covers also pleadings, written submissions, and the proofs of witnesses as well as transcripts and notes of the evidence given in the arbitration”).
[6] Republic of the Philippines v. People’s Republic of China, PCA Case No. 2013-19, Award, 12 July 2016, paras. 7-10.
[7] ThreatConnect, Camerashy: Closing the Aperture on China’s Unit 78020 (2019), p. 15.
[8] Regulation (EU) 2016/679 of the European Parliament and of the Council, Article 32(1).
[9] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC [2016] OJ L 119/1, Art. 83.5.
[10] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC [2016] OJ L 119/1, Recitals, para. 20.
[11] G. Born, Chapter 13: Rights and Duties of International Arbitrators (Updated February 2024) in International Commercial Arbitration (Third Edition) (2024).
[12] Tennant Energy LLC v. Government of Canada, PCA Case No. 2018-54, Questions and Investor’s Response to Tribunal GDPR Questions and Data Privacy Questions, 4 June 2019.
[13] Tennant Energy LLC v. Government of Canada, PCA Case No. 2018-54, Tribunal’s Communication to the Parties, 24 June 2019.
[14] J. Huand and D. Xie, Data Protection Law in Investment Arbitration: Applicable or Not?, in W. Park (ed.), Arbitration International (2021).
[15] International Chamber of Commerce, Model Data Protection Clause for Procedural Order One, https://iccwbo.org/wp-content/uploads/sites/3/2021/01/icc-model-po1-data-protection-english.pdf (last accessed 23 May 2025).