Arbitration, Confidentiality, And Digital Data Protection
Arbitration has become a popular way to settle commercial and civil disputes without involving the courts. One of its key attractions has always been confidentiality, keeping sensitive information out of the public eye. In India, it started off as a private, behind-the-scenes approach focused on keeping matters confidential but has since evolved into a more advanced system, heavily relying on digital tools and data to streamline proceedings. With this rise in digitalization, the protection of data involved in arbitration has become a critical concern, bringing the Digital Personal Data Protection Act into the spotlight.
Digitalisation Of Arbitration And Data Processing
As arbitration has moved into the digital stage, the role of data in the process has become more significant. Arbitral institutions don’t just oversee disputes; they manage the entire process, from receiving and storing case files to coordinating hearings and communicating with all the parties involved.
This means they collect and handle a lot of personal data:
- Details about the parties
- Witnesses
- Lawyers
- Experts participating in the case
In order to manage case related data and conduct proceedings, modern arbitral institutions are depending more and more on digital platforms.
Electronic filing systems, secure communication portals, and databases for storing pleadings, witness statements, and evidentiary documents are maintained by organisations like the Singapore International Arbitration Centre, London Court of International Arbitration and the Mumbai Centre for International Arbitration.
Institutions control the submission, storage, and transmission of case materials between parties and tribunals through these systems. Given these responsibilities, they decide how and why this material is processed, making them central to data management in arbitration.
Legal Framework Governing Personal Data In Arbitration
The Digital Personal Data Protection (DPDP) Act, 2023, along with the Arbitration and Conciliation Act, 1996, sets the legal standards for handling such personal data.
Under the DPDP Act, a Data Fiduciary is the entity that determines the purpose and means of processing personal data and must ensure individuals are informed, consent is obtained when needed, and data is securely protected. This is different from a Data Processor, who acts on behalf of the Fiduciary under a contract[1].
Role Of The Right To Information Act In Confidentiality
Moreover, Section 8 of the Right To Information (RTI) Act allows authorities to withhold personal information unless there is an overriding public interest that justifies its disclosure, which supports the principle of confidentiality in arbitration.[2]
Control Over Data Processing By Arbitral Institutions
Although arbitral institutions may appear to function as mere administrative facilitators, their role in determining digital platforms, document retention policies, and communication infrastructure indicates that they exercise significant control over the means of data processing.
Because arbitral institutions control the flow and use of data throughout the arbitration process, they are strong candidates for being classified as Data Fiduciaries, carrying the legal duties that come with that role.
Classification Of Arbitral Institutions As Data Fiduciaries
This analysis suggests that arbitral institutions should be treated as Data Fiduciaries under the Digital Personal Data Protection Act, 2023, because they determine the purpose and means of processing personal data during arbitration proceedings.[3]
Summary Of Data Handling Responsibilities
| Aspect | Description |
|---|---|
| Data Collection | Collection of personal data relating to parties, witnesses, lawyers, and experts involved in arbitration. |
| Data Storage | Maintaining electronic filing systems, databases, and document repositories for arbitration materials. |
| Data Communication | Secure communication portals used to exchange pleadings, evidence, and procedural information. |
| Data Responsibility | Institutions determine the purpose and means of processing data, making them potential Data Fiduciaries. |
DPDP Act and Judicial Exemptions
The Digital Personal Data Protection Act, 2023 grants certain exemptions to courts and tribunals when they process personal data as part of their judicial functions. Section 17(1)(b) states that requirements like notice, consent, and data principal rights may not apply in these circumstances. Still, this is not an absolute exemption. Courts and tribunals must uphold reasonable security measures for personal data, as required by Section 8(5).
Scope of Exemptions for Courts and Tribunals
While arbitral tribunals are not specifically named, their quasi-judicial nature under the Arbitration and Conciliation Act, 1996 suggests they could also benefit from this exemption, provided they continue to safeguard data protection and confidentiality.
- Section 17(1)(b) allows exemptions from requirements such as notice, consent, and certain data principal rights.
- The exemption is limited and does not remove the obligation to protect personal data.
- Section 8(5) still requires reasonable security safeguards for personal data.
Judicial Recognition of Quasi-Judicial Role of Arbitrators
The Supreme Court in Associated Engineering Co. v. Government of Andhra Pradesh has clarified that an arbitrator acts in a quasi-judicial capacity and is required to decide disputes within the framework of the contract and law, similar to a tribunal.[4] This understanding further supports the idea that arbitral tribunals may be covered by these exemptions.
Additionally, in Naresh Shridhar Mirajkar v. State of Maharashtra, the Supreme Court recognized that courts possess inherent powers necessary for the administration of justice, and their functioning cannot be controlled by general statutory restrictions that interfere with judicial duties.[5] This supports the legislative rationale for allowing courts and tribunals limited exemptions from general statutory requirements, as reflected in Section 17(1)(b) of the DPDP Act.[6]
Comparison with GDPR Data Controllers
A useful comparison can be drawn with the General Data Protection Regulation. Under this law, organisations that determine the purpose and means of processing personal data are classified as “Data Controllers”. This concept is similar to the idea of a “Data Fiduciary” under the DPDP Act, 2023, suggesting that institutions exercising control over data processing may also bear corresponding responsibilities.[7]
| Framework | Term Used | Meaning |
|---|---|---|
| General Data Protection Regulation (GDPR) | Data Controller | Entity that determines the purpose and means of processing personal data |
| Digital Personal Data Protection Act, 2023 | Data Fiduciary | Entity that determines the purpose and means of processing personal data under Indian law |
Can Arbitral Institutions Be Data Fiduciaries?
Arbitral institutions can be considered Data Fiduciaries under the Digital Personal Data Protection Act, 2023. As highlighted in Vidya Drolia v. Durga Trading Corporation, arbitration is a private process grounded in confidentiality, making the protection of sensitive data essential.[8]
The Supreme Court’s decision in Justice K.S. Puttaswamy v. Union of India affirmed informational privacy as a fundamental right, reinforcing this duty.[9]
Role of Arbitral Institutions in Data Processing
By managing digital case records and controlling access to personal data, arbitral bodies like ICA and MCIA fit the statutory definition of a Data Fiduciary, and already undertake similar responsibilities to ensure data security and confidentiality in practice.
Doctrinal Grounds for Classifying Arbitral Institutions as Data Fiduciaries
There are strong doctrinal grounds for treating arbitral institutions as Data Fiduciaries under the DPDP Act. These bodies determine how personal data is collected, stored, and shared, directly shaping the purpose and means of processing. Arbitration often involves handling sensitive information, giving institutions effective custodial control over personal data.
- Arbitral institutions determine the purpose and means of data processing.
- They handle sensitive personal and commercial information.
- They exercise custodial control over case-related digital records.
- They manage access to confidential arbitration proceedings.
Confidentiality Under the Arbitration Act
Section 42A of the Arbitration Act also imposes a legal duty of confidentiality, mirroring the fiduciary responsibility under data protection law. With the rise of digital case management and virtual hearings, arbitral institutions now process even larger volumes of personal data, further supporting their classification as Data Fiduciaries.[10]
Compliance Challenges
If arbitral institutions are treated as Data Fiduciaries under the DPDP Act, they should meet strict compliance standards, ensuring transparency, notifying parties about data collection, maintaining clear privacy policies, and adopting strong security measures. Non-compliance could result in civil penalties and reputational harm, threatening the trust arbitration depends on.
These obligations may also require appointing Data Protection Officers, regular audits, staff training, and tech upgrades, increasing operational costs. Ultimately, institutions will need to balance traditional confidentiality with the transparency and accountability demanded by modern data protection laws.
Key Compliance Requirements
- Ensuring transparency in data handling practices
- Notifying parties about the collection of personal data
- Maintaining clear and accessible privacy policies
- Adopting strong cybersecurity and data protection measures
- Appointing Data Protection Officers
- Conducting regular compliance and cybersecurity audits
- Providing staff training on data protection obligations
- Upgrading technological infrastructure to safeguard data
Potential Risks of Non-Compliance
| Risk | Description |
|---|---|
| Civil Penalties | Failure to comply with the DPDP Act may result in financial penalties imposed by regulatory authorities. |
| Reputational Harm | Loss of trust among parties and stakeholders could undermine the credibility of arbitral institutions. |
| Operational Burden | Additional compliance obligations may increase administrative and technological costs. |
Strengthening Data Protection In Arbitration
To keep arbitration effective while complying with new data protection standards, arbitral institutions must adopt practical reforms and best practices. First, institutions should craft detailed privacy policies specifically for arbitration, clearly outlining how personal data will be collected, processed, stored, and safeguarded.
These policies should be transparent and accessible, with clear notices to all parties about data handling practices from the outset of proceedings.
Strengthening Data Governance Frameworks
Institutions should also strengthen their data governance frameworks. This can include appointing a dedicated Data Protection Officer to oversee compliance with the DPDP Act, conducting periodic risk assessments, and running regular cybersecurity audits. Such proactive measures help identify and address any weaknesses, ensuring that personal data remains protected through every stage of arbitration.
Updating Arbitration Rules
Additionally, it is essential for institutions to update their arbitration rules to reflect evolving data protection obligations. This could involve including explicit clauses on secure document management, digital communication protocols, and confidentiality requirements that align with contemporary standards.
By embedding these safeguards into their institutional framework, arbitral bodies can reassure parties that both their privacy and the integrity of the arbitration process will be maintained.
Recommended Institutional Practices
- Develop arbitration-specific privacy policies
- Provide clear data collection and processing notices to parties
- Appoint a dedicated Data Protection Officer
- Conduct periodic risk assessments
- Perform regular cybersecurity audits
- Integrate data protection clauses into arbitration rules
- Establish secure digital communication and document management protocols
Conclusion
Recognising arbitral institutions as Data Fiduciaries may bring certain practical and compliance challenges. Institutions may need to adopt stronger privacy policies, improve cybersecurity measures, and adjust their internal procedures to meet the requirements of the Digital Personal Data Protection Act, 2023.
However, the benefits of such recognition outweigh these difficulties. As arbitration increasingly relies on digital systems to manage documents and communications, institutions play a crucial role in handling sensitive personal data.
Treating them as Data Fiduciaries would promote greater accountability and strengthen data protection standards, helping ensure that the confidentiality traditionally associated with arbitration is preserved in the digital age.
End Notes:
1. Aquilaw, ‘Scope of Arbitration in Data Privacy Disputes: Growing Need for Alternate Dispute Resolution in Digital Data Landscape in India’ (Legal 500, 10 December 2024) URL: https://www.legal500.com
2. Right to Information Act 2005, s 8
3. Digital Personal Data Protection Act 2023 and Digital Personal Data Protection Rules 2025
4. Associated Engineering Co v Government of Andhra Pradesh (1991) 4 SCC 93 (SC)
5. Naresh Shridhar Mirajkar v State of Maharashtra AIR 1967 SC 1
6. Dinesh Pardasani and Tanya Tikiya, ‘Arbitration: Saving Two Birds (Confidentiality and Personal Data) from One Stone (Cyber Attack)’ (Bar & Bench, 28 September 2023) URL: https://www.barandbench.com
7. General Data Protection Regulation (Regulation (EU) 2016/679)
8. Vidya Drolia v Durga Trading Corporation (2021) 2 SCC 1 (SC)
9. Justice K S Puttaswamy (Retd) v Union of India (2017) 10 SCC 1 (SC)
10. Arbitration and Conciliation Act 1996, s 42A


