The construction sector is a cornerstone of India's economy, contributing substantially to its GDP and set to become a global construction powerhouse. However, the complex disputes within this sector have made arbitration the preferred method for dispute resolution, with the Arbitration and Conciliation Act, 1996 serving as the governing framework. While arbitration has thrived in the digital age, the advent of India's Digital Personal Data Protection Act, 2023 introduces a significant challenge, raising questions about data protection, privacy, and confidentiality within arbitration proceedings. This article explores the intricate interplay between data protection and arbitration in the Indian context. It, in its first half delves into the international landscape, highlighting the varying data protection regulations across jurisdictions and their impact on arbitration. The next half then deals with the critical dimension that the Digital Personal Data Protection Act, 2023 has added to the arbitration landscape in India and explores its positive and negative implications.
India's construction sector is a major contributor to the country's economy, representing 9% of its GDP and poised to become the world's third-largest construction market by 2025. Construction contract disputes are unique, often requiring immediate resolution and involving numerous parties. These complex disputes entail high stakes, damage assessment, data analysis, and technical expertise. Construction disputes are typically resolved through Arbitration, with parties often initially referring disagreements to dispute boards. The Arbitration and Conciliation Act, 1996, amended several times, governs Arbitration in India, covering both domestic and international cases. Arbitration is crucial in the construction sector due to the growing infrastructure projects in India. While Construction Arbitrations can be time-consuming, proper planning can expedite the process. Delays often result from parties, including lawyers and claimants, from drafting Arbitration clauses to final arguments. Arbitration has become the primary dispute resolution method in India's construction industry, particularly for infrastructure projects.
Foreign investors prefer institutional Arbitration, while Indian parties historically favoured ad hoc Arbitration, but institutional Arbitration is gaining traction, notably through the Mumbai Centre for International Arbitration (MCIA). SIAC is also increasingly chosen by Indian parties. The Act also provides for Conciliation, and settlements can be recorded as enforceable Arbitral Awards in Court.
Thus, Arbitration is indeed crucial for Infrastructure but, what is more important to note is that Arbitration is going to be significantly impacted with the new Digital Personal Data Protection Act, 2023. Thus, a discussion on the implications of the new Digital Personal Data Protection Act, 2023 over Arbitration is imperative given its importance in Project Infrastructure Disputes.
While the K.S. Puttaswamy Judgment was one of the initial steps in regard to concerns of data privacy violations as sensitive data has become more prone to misuse, these steps became only concrete when the Government introduced the ‘Personal Data Protection Bill’, 2019. The loopholes in the Bill sent the Bill back for reconsideration, and ultimately, the same was withdrawn. But recently, the Government introduced a revamped version of the Bill and re- named it as Digital Personal Data Protection Bill, 2022 (“the Bill”).
Digital Personal Data Protection Act, 2023 (“DPDP Act”)
A comparison of drafts reveals an expanding scope in the 2023 Act, covering digital personal data and overseas data fiduciaries offering services in India. Stricter breach reporting within 72 hours is introduced, but data portability, right to be forgotten, and harm regulation is omitted. The regulator transitions to the Data Protection Board of India, with Telecom Dispute Settlement and Appellate Tribunal (TDSAT) as the Appellate Tribunal. The evolving drafts showcase a changing data protection approach with strengthened and omitted provisions. The Digital Personal Data Protection Act, 2023 introduces notable changes to rights, regulations, and focus, requiring careful evaluation for balanced data protection. The DPDP Act builds upon the 2022 Act, focusing on notice, consent, legitimate data uses, children's data, and dispute resolution. It narrows the scope to safeguard digital personal data, reflecting evolution. Empowering the Board for monetary penalties and shifting the appellate process to TDSAT signifies a recalibrated, efficient approach to breach penalties and dispute resolution.
To understand the implications, it is pertinent to assert that there exists a strong relevance of Data Protection in Arbitration proceedings, stemming from the idea of ‘Confidentiality’. Confidentiality and Privacy act as counterparts in protecting the essence of Arbitration. The feature of Confidentiality, which refers to non-disclosure of materials placed during proceedings, no Award being passed unless there is express consent of the parties to arbitrate, and the feature of Privacy which makes sure that no third party has access to the Arbitration proceedings without consent of the parties, gives Arbitration an edge over traditional Litigation. However, this edge is under threat as while Arbitration continues to be dynamic in nature and embraces technology, Data Protection is also becoming a major concern. While Laws like General Data Protection Regulation (“GDPR”) exist to protect Data in the European Union, the same is not the case in every jurisdiction. This disparity of Laws protecting Data in different jurisdictions is one of the major concerns that International Institutions face. The same can be highlighted from the fact that most Respondents in the 2018 Queen Mary International Arbitration Survey listed “security of electronic communications and information” as an issue that should be addressed in Arbitration rules. This demonstrates that users of Arbitration mechanisms are concerned about Data Security. Further, incidents such as the July 2015 hacking of the Website of the Permanent Court of Arbitration (PCA) in the midst of an ongoing maritime border dispute between China and the Philippines, the reliance on evidence obtained from WikiLeaks in Yukos disputes and ConocoPhilips v Venezuela dispute, further reinforce the concerns relating to Data Protection in Arbitral proceedings.
In 2019, the ICCA and the IBA established a Joint Task Force on Data Protection in International Arbitration Proceedings and, in 2022, published a Report on the ICCA-IBA Roadmap to Data Protection in International Arbitration. Apart from this major step, international institutions have also taken individual steps for mitigation, which this Article will discuss in detail later.
Thus, through this Article, the authors attempt to explore the implications that India’s new Bill will have, considering these international developments in Arbitration for Data Protection, and to understand implications further of the same if implemented. The Article will first deal with the International and Indian positions on Data Protection and Arbitration, respectively and then move on to analysing the Bill’s implications and the potential issues arising out of it.
International Position on Data Protection and Arbitration
Data Protection mainly involves the relationship between the collection and dissemination of Data and Technology. It’s objective is to find the optimum balance between individual Privacy rights and the use of Data for business activities. However, the fact exists that Data Protection and Cybersecurity laws vary from country to country. In various jurisdictions, non-compliance with Data Protection regulations can lead to substantial risks and consequences. Thus, associations have come together to create solutions to the issue of Cyber and Data Security in International Arbitration. Initially, international regulations on Data Protection were vague, but after the digital shift in International Arbitration, institutions have updated themselves with the change in times.
General Data Protection Regulation (“GDPR”)
GDPR was drafted with the objective of ensuring the free movement of personal data of ‘identified or identifiable natural person[s]’. Its scope is not only restricted to individuals but also encompasses legal entities, agencies, government bodies, and international organizations as well.
The GDPR as aforesaid, has a broad scope of application, reaching entities in the EU as well as entities outside the EU which process Data of EU-based individuals. As soon as Data with personal content of EU-based individuals is electronically processed (e.g., in emails or in documents that are stored electronically), the application of the GDPR must be assumed, and thus, it becomes applicable to Arbitration too. It must be noted, though, that Data of legal entities (for instance, an Organization’s address or telephone number) are not protected by the GDPR. However, the personal data of those individuals acting for that legal entity are protected by the GDPR.
The information that is transacted or exchanged between the parties, the Counsels, the Arbitrators and third parties during the Arbitration proceedings qualifies as ‘Personal Data’, and these named entities qualify as “Identified or Identifiable” Data subjects. Additionally, the Arbitrators can be the data controllers, who essentially are entities responsible for compliance with Laws in place for Data Protection. Arbitrators, being the adjudicating authority in the process, would ideally be the ones responsible for such compliance.
No doubt, GDPR has significantly altered the landscape of Data Protection. However, several loopholes do exist within it. For example, although consent is necessary to enter into an Arbitration Agreement from a Civil Law perspective, consent as a legal ground for Data Processing under GDPR is not appropriate in Arbitration proceedings.
ICCA-IBA Road Map to Data Protection in International Arbitration
The roadmap identifies the Data Protection issues that may arise in the context of International Arbitration proceedings, as well as solutions that may be adopted to address them. The roadmap’s intended scope and purpose consist of identifying the types of proceedings, and Arbitral Participants (which is defined in the roadmap as, and limited to, the parties, their legal Counsel, the Arbitrators and Arbitral Institutions). Furthermore, the roadmap explores Data Protection compliance in International Arbitration with reference to general data protection principles.
Changes brought in by Individual International Institutions
Principle 10 of the ICC-NYC Bar-CPR Protocol, is an example of recent changes added for Data Protection. It states that the initial case management meeting must include discussions on data security matters where “reasonable informational security measures, issues about the willingness of the parties to engage in specific security measures, and disputes concerning reasonable information security measures” should be addressed.
The London Court of International Arbitration, in its 2020 Arbitration Rules, empowered the Tribunals to determine the situation when it would be suitable to adopt specific information security measures and methods for addressing the processing of personal data procured from or during arbitral proceedings. Again, while institutions like the Indian Arbitration Forum (IAF) and the Singapore International Arbitration Centre (SIAC) leave it to the parties to choose a secured sharing platform, the Honk Kong International Arbitration Centre (HKIAC) offers a process where electronic evidence managers are designated to receive and safeguard the documents during proceedings. In the context of the method of giving consent, the method varies with changes in jurisdictions. Under the Seoul Protocol, the discretion lies with the tribunal, whereas in the case of HKIAC, the parties, as well as the tribunal, exercise their right to decide. SIAC and IAF have more stringent requirements regarding the issue of obtaining consent.
Indian Position on Dealing with Data Protection and Arbitration
Confidentiality, as a principle, has been a part of The Arbitration and Conciliation Act, 1996, since its inception in terms of Section 75 of the Arbitration. However, in 2019 after the recommendation of Justice B. N. Srikrishna Committee, the Arbitration and Conciliation (Amendment) Act, 2019 was enacted, which introduced Section 42A wherein the principle of Confidentiality was extended to Arbitration proceedings as well.
The initial draft of the Personal Data Protection Bill, 2018, was put forward by the Justice Srikrishna Committee established by the Ministry of Electronics and Information Technology (“MeitY”) with the mandate of setting out a Data Protection Law for India. The Government revised this draft and introduced it as the Personal Data Protection Bill 2019 (PDP Bill, 2019) in the Lok Sabha in 2019. Due to delays caused by the pandemic, the Joint Committee on the PDP Bill, 2019 (“JPC”) submitted its Report on the Bill after two years in December 2021 and in August 2022, in response to the Report of the JPC and the “extensive changes” that the JPC had made to the 2019 Bill, the Government withdrew the Bill. Finally, the latest draft of the Digital Personal Data Protection Bill, 2022 (DPDP Bill, 2022) was released.
Although the new draft does not deal directly with Arbitration proceedings, it still carries importance for it as Data Protection Laws would apply to any platform dealing with data online. The Bill seeks to regulate the processing of ‘Digital Personal Data’, i.e., personal data, which is either collected online or which, where collected offline, is digitised. The bill does not cover processing through manual means or by individuals for ‘personal or domestic purposes’. The Bill additionally aims to exempt personal data “contained in a record that has been in existence for at least 100 years”.
The bill ,when viewed in its entirety represents a more lenient framework for Compliance, and proposes several positive improvements (such as the deletion of Non-Personal Data), also puts forward several concepts which have wide-reaching consequences.
Implications of the Act Over Arbitration
● Data Privacy Compliance in Arbitration:
Arbitration often involves the exchange of sensitive personal data, especially in commercial disputes. The Digital Personal Data Protection Act would likely require parties involved in arbitration to comply with its provisions, ensuring the protection of individuals' personal data.
● Consent and Data Processing:
The act may require parties to obtain explicit consent from individuals when processing their personal data in arbitration proceedings. This may involve obtaining consent from all parties involved in the dispute.
● Data Minimization:
Data protection laws often emphasize the principle of data minimization, which means that only the necessary data should be collected and processed. In arbitration, this could mean limiting the collection of personal data to what is directly relevant to the dispute.
● Data Security:
The act may impose stricter data security requirements on parties involved in arbitration to protect personal data from breaches or unauthorized access. This could entail implementing encryption, access controls, and other security measures.
● Data Transfer:
If arbitration involves cross-border data transfers, the act may require parties to ensure that data transfers comply with its provisions. This could involve using specific safeguards, such as Standard Contractual Clauses or Binding Corporate Rules.
● Data Subject Rights:
The act may grant data subjects (individuals whose data is processed) certain rights, such as the right to access their data, the right to rectify inaccuracies, and the right to erasure. Parties in arbitration may need to accommodate these rights in their proceedings.
● Data Protection Officers:
Depending on the scale and nature of data processing in arbitration, parties may be required to appoint a Data Protection Officer (DPO) to oversee compliance with data protection regulations.
● Sanctions and Liabilities:
The act might stipulate penalties for non-compliance with data protection provisions. Parties involved in arbitration could face legal consequences if they fail to adhere to data protection requirements.
● Confidentiality and Transparency:
Balancing the confidentiality requirements of arbitration with transparency obligations under data protection laws can be challenging. Parties may need to find ways to protect personal data while still ensuring a fair and transparent arbitration process.
The Act operates on a triad—data principal, data fiduciary, and grievance resolver. Though prima facie, it looks similar to the General Data Protection Regulation (GDPR), and the Bill has welcome changes and grey shades being doubts and/or necessary considerations. Unlike the GDPR, the Bill boldly defines “harm”, “loss”, and “public interest” in small lists. A first in India’s legislative history, the Bill uses “her” and “she” for an individual, irrespective of gender.
It is to be noted that in the context of online Arbitration proceedings, the Bill, if implemented, would bring these proceedings under its purview as the elements of a Data Principal, Data Fiduciary, and Grievance Resolver would come into play. Furthermore, the classification of data into critical, sensitive and general further finds the relevance of the Bill in reinforcing the principle of Confidentiality. But one of the biggest concerns that arise from the Bill is that it restricts itself to personal data, which is either collected online or which, where collected offline, is digitised. The exclusion of offline data might lead to great concerns as the recognition of sensitive data will only be restricted to online Arbitration proceedings, which only form a very small portion of the total Arbitration proceedings, which, in the opinion of the Authors, is highly pertinent to note. Thus, offline Arbitration proceedings will be excluded from Data Protection Laws. Since the underlying principles of establishing legal safeguards to check unfair harvesting of personal data are the same regardless of the medium, there’s a case to extend the scope of the draft Digital Personal Data Protection Bill.
Also, it is interesting to note that the new Bill seeks to adopt Alternate Dispute Resolution in clause 23 of the Bill for companies arising before the board. It speaks of “Mediation and other dispute resolution process”. This implies that the Government is seeking to encourage Alternate Dispute Resolution as a viable mechanism for resolving disputes in matters as sensitive as Data Protection. However, the Bill is not comprehensive when it comes to deriving its effect over Dispute Resolution proceedings or any legal proceeding that uses online or a digital platform for conducting proceedings. For example, Commercial Arbitration Proceedings specifically carry a lot of sensitive data, and the probability of misuse of such data is extremely high. Thus, some guideline is required to directly address such sensitive data and the need to keep their Confidentiality under the purview of the Bill.
The 2022 Bill is definitely a positive step towards ensuring data privacy for Indian citizens. However, the Bill still needs to be refined and tweaked to make it more comprehensive and further increase its scope of application. While the Laws placed under the Bill will become applicable to Arbitration if implemented, its uneven application of data protection might lead to the creation of several grey areas in Law. Also, considering that access to technology remains a privilege in India, the new Bill will be only able to protect data for those who have the privilege of accessing digital platforms for Arbitration proceedings.
The views and opinions expressed by the Authors are personal.
About the Authors
Mr. Yazad Maneck Udwadia is a Counsel practising primarily at the Bombay High Court. After graduating with a B.B.A., LL.B. (Hons.) Degree, he has also completed a Post Graduate Diploma in Business Management (PGDBM, 2022) and a Post Graduate Diploma in Arbitration and Mediation (PGDAM, 2022) while pursuing Litigation and Dispute Resolution before joining Counsel practice.
Kaushiki Singh is a 3rd year BALLB Law student in Jindal Global law School.
Managing Editor: Naman Anand
Editors-in-Chief: Abeer Tiwari & Muskaan Singh
Senior Editor: Abeer Tiwari
Associate Editor: Kaushiki Singh