Robin Callender Smith looks at three important issues - data protection, cybersecurity and technology - that need to be addressed when using video conferencing for international arbitration, a route that has been given extra impetus in the context of Covid-19.
International arbitration, as it matures in a world of rapid digital and technological advances, inevitably throws up myriad novel issues and problems. Video conferencing (Vcon) is part of the technological and procedural climate change which is rapidly being processed and understood.
The definition of Vcon used here is:
‘technology which allows two or more locations to interact simultaneously by two-way video and audio transmission, facilitating communication and personal interaction between these locations.’
As Professor Maxi Scherer notes, Article 28(4) of the UNCITRAL Arbitration Rules already allows for witnesses and experts to be heard remotely but makes no provision for other remote aspects like legal argument. She observes that it would be ‘difficult to conceive why legal arguments could not be heard remotely’ under UNCITRAL Rules, suggesting that banning this in, for instance, ICC tribunals would be ‘nonsensical’.
The draft 2021 ICC Rules take this on board, reflecting the international and institutional shift across the piece. Although the procedures of major arbitral institutions have already adjusted to and accommodated many changes, Vcon is not a panacea that solves all problems. Using it – or its procedural hybrid variants – requires careful thought and planning. Tribunals cannot avoid resolving the ultimate conundrum when one party, or the Tribunal itself, wishes to use Vcon and the other party resolutely wants a live, in-person hearing.
This article focuses on three important issues that need to be addressed as early and comprehensively as possible in procedural orders (POs), given the extra impetus for Vcon in the context of Covid-19.
These are data privacy, cybersecurity and technology. The fundamental techniques of Vcon are not new in international arbitration. What makes early consideration of these three issues vital in POs now is the expanded potential for ubiquitous Vcon deployment over a significantly broader international arbitral horizon. At its best, Vcon can reach into disparate locations, bridging travel and practical difficulties like document transfers and sharing, in a way that allows a ‘green’ rationalisation of the procedures and logistics of international arbitration and less wear and tear on all the parties involved. On the other hand, inadequate preliminary consideration of this trio of issues within Vcon hearings risks potential challenges relating to party-to-party fairness, the appropriateness of the measures adopted and the ultimate enforceability of the award.
Two cautionary 2016 pre-Covid-19 examples from opposite ends of the Vcon spectrum highlight the importance of security and reliability, as both are key factors in retaining the integrity of the arbitral process.
In the first, a personal example, the problem occurred in what should have been a technologically secure, online English judicial hearing which also led to data privacy breaches when the results were posted on YouTube. In Scarth v Information Commissioner, William Scarth attracted the adverse attention of the Lord Chief Justice in 2013. As a result, he feared coming from Ireland to England for his Freedom of Information (FOI) appeal. A Ministry of Justice secure audio link was provided for him remotely to participate in his appeal. He shared this link, unlawfully, with a regular FOI litigant (Alan Dransfield) who claimed to represent Scarth before being cut off. Lesson learned: if not carefully pre-checked, apparently secure official institutional systems can be ‘gamed’ and the ‘hacked’ results then publicised.
In the second example, a party to international arbitration insisted on what became a technologically flawed Vcon hearing, and had to live with the appeal result. Sino Dragon Trading v Noble Resources International resulted from an international arbitration on an iron ore contract. Noble won and began to enforce the award. Sino unsuccessfully tried to have this set aside in Australian proceedings. Justice Beach’s analysis and his 12 findings will receive attention from future arbitral panels and national courts as an exemplar when faced with such problems, setting a high bar for future challenges based on insufficiently robust technology. In this case, Vcon flaws included ‘Chinese Skype with poor quality’, evidence being given in a ‘split’ format (a witness on screen with the audio feed via a separate telephone link) and down-the-line unsatisfactory Chinese–English interpretation problems. Lesson learned: flawed Vcon technology does not automatically invalidate a subsequent award.
While effective cybersecurity and technological reliability are obvious Vcon topics for early POs, data privacy has been a Cinderella issue in the arbitral space. However, its potential to endanger the validity of arbitral awards is as strong as the other two matters. It now has a ticket to the ball for reasons that have been magnified by Vcon hearings.
Cybersecurity and technological regimes are, by their nature, ‘overlays’ to the international arbitral system, enhancing and protecting the integrity of the processes that exist within it. Data privacy is of a different order. It encompasses issues of national and supra-national laws and the ways in which each nation can identify and protect the sovereignty of its subjects’ privacy rights when used elsewhere. It is ‘black letter’ statute law rather than the ‘soft law’ of procedural guidance, protocols and rules. For this reason, data privacy is dealt with first.
While confidentiality is an inherent feature of international arbitration, its importance is sharpened by national data protection legislation. If an arbitral tribunal fails to recognise the nuanced span of data privacy requirements from the outset, it puts at risk the integrity of its process and the enforceability of any award. Of all the world’s data privacy regimes, the EU’s General Data Protection Regulation (GDPR) is the most expansive and intrusive in its extra-territorial reach. Its definition of data ‘processing’ catches most of those involved in disclosure or fact-finding – if the data ‘subject’ has GDPR protections or an EU locus – across the spectrum of arbitral participants from the parties and their advisors to witnesses, experts, document custodians and arbitrators themselves. For reasons that have never been satisfactorily explained, data processing and data transfers in international arbitration were not specifically or adequately addressed.
There are significant GDPR lacunae in international arbitral data transfers. Article 45 mandates transfers only if there is an ‘adequacy decision’. The recent Court of Justice of the European Union (CJEU) decision in Schrems II means that previous ‘adequacy’ and ‘safe harbour’ provisions that allowed protection for extra-EU transfers particularly to the US – save for a limited list of countries approved by the European Commission – can no longer be relied upon. The writer is not persuaded that suggested ‘work-arounds’ by repurposing standard contractual clauses (SCCs) could be effective in the shifting scenarios of international arbitration.
Article 46 only allows transfers if there are appropriate safeguards and where data subjects are given enforceable rights and effective legal remedies in situ. Those who wish to rely on the ultra-slender exceptional derogation in Article 49, where fines for breaches are up to €20m or 4 per cent of worldwide turnover, can only do so when the data subjects concerned give informed and explicit consent and where the transfer is ‘necessary for the establishment, exercise or defence of legal claims’. As Article 49(1)(e) emphasises:
‘The restrictive nature of this derogation means that it is unlikely to provide a legal basis for the transfer of personal data to respond to data requests from foreign law enforcement authorities except in a small number of cases.’
In my opinion, this cannot cover – in the international arbitrational space where the ‘authority’ was a foreign-seated tribunal outside the EU applying its own lex arbitri – the equivalent of the US v Microsoft case.
On the other hand, the blunt and barely reasoned approach taken in Tennant Energy v Canada presents a high-risk strategy. It invites both contradiction and challenge, as one of the arbitral tribunal members was a London-based QC with at least three data privacy GDPR duties as a controller, processor and transferor:
‘the Tribunal finds that an arbitration under NAFTA Chapter 11, a treaty to which neither the European Union nor its Member States are party, does not, presumptively, come within the material scope of the GDPR….This is without prejudice to the importance of ensuring a high level of data protection.’
There are obvious risk management options that are less Canute-like than the Tennant Energy response and which minimise and mitigate the risk of challenges and potential unenforceability. Whether or not an institutional or an ad hoc model is being used for the arbitration, the following data privacy points should be addressed by the parties and the appointed arbitrators at the earliest possible stage and on an on-going basis:
As always, it is important to check things in the real world rather than the theoretical. While protective and flexible data privacy procedures and protocols are vital, there are no publicly-available examples of any challenge – successful or otherwise – to any international arbitral award on any of the issues identified in this section. There is, however, one EU data privacy breach decision outside the world of international arbitration to note. The Austrian data protection authority fined Österreichische Post AG €18m in October 2019 for revealing sensitive personal data (the political affinity of the data subjects).
The UK Information Commissioner’s recent £20m penalty for a significant cybersecurity breach by British Airways is examined in the cybersecurity section below. While there are clear, inherent dangers of ‘weaponising’ data privacy issues in international arbitration at all stages of the process, none have yet revealed themselves so that their merits can be considered and scrutinised through appeals heard in national courts. One reason for this may be, quite simply, that parties and arbitrators have yet to become comfortable in the data privacy space and are over-cautious, as initially happened with English High Court Judges.
Even then, if an alleged breach is reported to a national or supra-national regulator, all will depend on whether it is a procedural ‘transfer’ breach or – more seriously – a practical ‘data privacy’ breach where sensitive personal data escapes into the public domain. The latter destroys completely the confidential nature of the arbitration itself; hence, the importance of the robustness and resilience of the following cybersecurity measures and technology issues.
A burgeoning series of official and advisory guides and checklists addressing most of the points that all concerned in international arbitration need to consider in terms of cybersecurity is now available. Given this, there is little excuse for failing to consider such issues at the earliest possible stage in the proceedings. Their key elements are considered here.
Cybersecurity means keeping electronic data and IT systems safe from unlawful access. Breaches of such systems are commonplace at all levels of society. The interlocking priorities in cybersecurity and international arbitration are twofold. Firstly, in terms of the confidentiality of the proceedings themselves and, secondly, to ensure the integrity and security of the information shared, argued about and decided upon within the arbitration itself.
For instance, the 1 October 2020 version of the LCIA Rules enjoins parties to seek reciprocal confidentiality undertakings from all those involved in the arbitration including such categories as authorised representatives, witnesses of all categories and service providers. Confidentiality extends to the tribunal itself, the tribunal secretary as well as the LCIA: ‘the LCIA does not publish any award or any part of an award without the prior written consent of all parties and the Arbitral Tribunal’.
It is surprising that it has taken until 1 October 2020 for such provisions to be enunciated. The need for clear requirements to address such risks has been evident for at least the last ten years. It appears that Covid-19 has usefully spurred forward a clearer definition of what might otherwise have seemed to be the obvious.
When and if breaches occur, the effect can be profound and reputationally indelible (in this age of the eternal digital footprint) for the parties within the arbitral process and the institution itself. One of the most blatant hacking examples this decade relates to a longstanding dispute in the Permanent Court of Arbitration (PCA) in the Hague. In July 2015, on the third day of the hearing on the territorial dispute in the South China Sea between the Philippines and China, the PCA’s website was taken offline. It seems the attack was made by Chinese hackers who infected the page with malware, ‘leaving anyone interested in the landmark legal case at risk of data theft’.
Rather than reviewing the strengths and weaknesses of the plethora of model protocols, most of the positive elements that need to be considered in this area can be found in the 2020 Protocol on Cybersecurity in International Arbitration issued by the International Council for Commercial Arbitration (ICCA), the New York City Bar Association (NYCBA) and the International Institute for Conflict Prevention & Resolution (CPR).
The Protocol provides a framework that allows for the assessment and determination of cyber risks and for the reasonable security measures to address these. It is divided into 14 Principles. It is straightforward to incorporate into any arbitration agreement. Principle 2 (the baseline information security practices) and Principle 6 (the factors parties should assess when implementing cybersecurity measures) are the most important. Breach consequences – like the loss of confidentiality in the information, the continued viability of the arbitration itself and the financial on-costs that inevitably occur from damage and destruction of personal privacy as well as damage to confidential and proprietorial data – need to be considered in assessing the risk profile of the arbitration.
Principle 2 directs the relevant parties to consider imposing the obligations listed in the Protocol’s Schedule A, including:
Again, checking reality against theory, there are no current examples of regulatory penalties of cyber breaches in international arbitration. There is, however, one recent worked example from 16 October 2020 of a national regulator fining an international commercial entity for poor cybersecurity under the GDPR.
In this matter, the UK’s Information Commissioner originally threatened to fine British Airways (BA) £183.39m for a 2018 cybersecurity breach that resulted in theft of the personal data and credit card information of over 400,000 customers worldwide. In her final decision, the Commissioner set a general fine of £30m, reduced by 20 per cent because of mitigating circumstances to £24m, and then by a further £4m to reflect the general difficulties caused by Covid-19, to arrive at a final total of £20m. This was because:
Two features about this example are notable. Firstly, this penalty notice was not issued until it had been circulated and agreed on by all the EU data protection authorities. Secondly, the Covid-19 discount of £4m is interesting because the breach itself came from a pre-Covid-19 event. The ongoing economic circumstances of BA since the Covid-19 outbreak and its ability to pay any regulatory penalty became a separate head of consideration.
From the example above, it will be clear that all those embarking on international arbitration now should be considering not just issues of cybersecurity but also of insurance in an attempt, at least, to minimise financial exposure if things go wrong.
Parties and institutions also need to consider ‘hiding in plain sight’ by using the best institutional systems and arrangements that can be crafted in terms of cybersecurity. The alternative is to purpose-build tailor-made facilities, over and above the ‘off-the-peg’ proprietary or institutional solutions, that makes them even less visible and potentially more secure. This may prove a practical problem for parties who are not well-resourced or whose on-going commercial and financial viability is inextricably entwined in the matter to be arbitrated.
Third-party funding may provide part of the solution, but associated insurance and success fees may so erode matters that mediated settlements (which also require stringent cybersecurity measures) should be considered more often – and undertaken more seriously – than at present. Whatever is chosen, opting for cost-cutting measures in framing and providing these security measures is likely to be a false economy and could be reputationally disastrous both to institutions and parties involved in the process.
In addition to all the cybersecurity issues already discussed, at the heart of the technology component of Vcon is its accessibility, availability, integrity, reliability and robustness when deployed in current international arbitration and future agreements to arbitrate. It is vital that the parties, witnesses, experts – and the arbitrators themselves – can communicate clearly and appropriately in the context of such proceedings.
The pull and tug of the disparate Vcon styles, preferences and predilections of advocates should not dazzle arbitral panels into accepting a one-size-fits-all solution. The two watchwords now and for the future are flexibility and pragmatism, underpinned by concise, proportionate reasoning.
In terms of Vcon technology modelling options, there is a danger that any disparity between parties’ resources can create challengeable imbalances in terms of the final award. The Seoul Protocol forms part of institutional moves to address this. The model within the Stockholm Chamber of Commerce (SCC)’s ad hoc digital platform provides an option for beginning things. Another is the ICDR-AAA facility. Major international law firms, via the reach of their national offices, are offering unified technology protocols. Such firms and international arbitral institutions now vie with each other to provide bespoke, secure high-quality Vcon hubs. Parties, their advocates and perhaps arbitrators will either base themselves there or feed securely into such facilities via special Vcon ports. It will then be for the parties and the arbitrators to determine the locations, systems and the fairest and most appropriate methods for the delivery of documentary and witness evidence and cross-examination.
Testing reality against theory, pragmatic solutions are likely to lead to slimmed-down and more tightly focused hearings, albeit ones that may have shorter daily sessions, and therefore take longer, to avoid the now-pervasive ‘Zoom fatigue’. Opening statements, witnesses’ evidence in chief and expert testimony can be pre-recorded and served ahead of hearings, as can all skeleton arguments – allowing everyone, including the arbitral tribunal, asynchronous space to absorb these ahead of the middle and closing stages of the proceedings. Concerns about witness coaching and prompting with evidence in chief can be addressed in cross examination. Making reasoned decisions on witnesses’ veracity is always fraught with difficulty, whether the evidence is live or in Vcon, and that will never change until technology develops a ‘truth’ chip or algorithms take over the arbitral process. Neither of these suggestions is being advocated here.
Two complex and almost insurmountable problems remain, however: secure storage – the near-indelible digital footprint of the proceedings – and mobile phones. Vcon evidence and the record of the arbitral proceedings is critical, but this also raises the following questions that are likely to need preliminary resolution:
Material recorded and stored on innocent mobile phones with ever-higher audio and camera/video specifications can unravel everything. The earlier example of Scarth is a reminder of what is now much easier to achieve when parties and witnesses in separated locations are allowed a degree of Vcon autonomy. It takes but a fractional effort to record what is being seen and said on screen, and to post that via anonymous intermediaries online. A recent real-world litigation example close to such conduct is Barclay v Barclay, the bugging battle that arose between members of the families of the reclusive Barclay twins (owners of The Ritz in London) and The Telegraph media publishing empire.
Given the sensitivity of the confidential, reputational and commercial issues that are a prime reason for using arbitration rather than in-court litigation, the ubiquitous mobile phone and subsequent postings to platforms like YouTube are a real and continuing threat that should never be underestimated.
To summarise, carefully crafted Protocols, informed and driven by the dynamic use of issues explored above in POs, are vital. Such Protocols must address the national/supra-national data protection regimes, even on the margins, that are in play in the arbitration itself and in terms of the enforceability of any award.
National data privacy restrictions, constraints, and data localisation laws must be addressed, while ‘due process’ and ‘fairness’ issues must be addressed in a reasoned and proportionate manner – Article 6 ECHR ‘access to justice’ principles are also relevant.
The physical presence v Vcon balance needs to be reasoned and addressed on a rolling basis throughout the hearing; having established its internal standards, the arbitral tribunal should remain steadfast in refusing to dilute them by repetitive and erosive applications, and parties who choose to stand outside the arbitral process need to have the consequences of doing so spelled out in full.
Finally, it is indisputable that Vcon has radically advanced the utility and potential of international arbitration.
Robin Callender Smith is an Arbitrator, Mediator and Adjudicator at ARBITA, specialising in determining and resolving data privacy and technology issues domestically and internationally. He is also Honorary Professor of Media Law at QMUL's Centre for Commercial Law Studies, a founder member of its TMT Institute and belongs to SCL's Tech Adjudication Panel.
 Hague Conference on Private International Law, Guide to Good Practice on the Use of Video-Link under the 1970 Evidence Convention, para 10 (2020).
 ‘Remote Hearings in International Arbitration: An Analytical Framework’, Journal of International Arbitration 2020, 37(4): previewed in Queen Mary University of London, School of Law Legal Studies Research Paper No. 333/2020.
 Ibid, para 3.1, p 4.
 ICC Draft Article 26.1 (Hearings).
 Notably, the 12 international institutional signatories of the Covid-19 Joint Statement, ‘Arbitration and COVID19’
 The ‘Consultation Draft February 2020: ICCA/IBA Road Map to Data Protection in International Arbitration’ and its appendices – currently a work in progress and consequently not referenced in detail here – is a useful entry point for an overview of the complexity of the issues in play.
  UKFTT 2014_0042 (GRC)
 Attorney General v Scarth  EWHC 994:
 The judge originally assigned to this fell ill the day before the hearing and it was assigned overnight to me.
  UKFTT 2014_0042, paras 34–39 and 51–64.
 Both Mr Scarth and Mr Dransfield made separate judicial complaints about the handling of the hearing. Both were rejected by the General Regulatory Chamber (GRC) President, Justice Peter Lane.
 The SIAC has championed pre-testing of any proposed Vcon technology.
  FCA 1131, Federal Court of Australia.
 Ibid, paras 136 – 149
 Ibid, paras 160 - 179
 Ibid, para 149, quoting  of original arbitral tribunal’s observations.
 One of the first reported cases to explore the data privacy issues inherent in the extra-territorial reach of the EU’s General Data Protection Regulation (GDPR) is Tennant Energy LLC v Canada, PCA Case No 2018-54, an UNCITRAL Rules (1976) and NAFTA matter.
 Particularly to enforcement challenges under the New York Arbitration Convention 1958 Article V (1)(c) tangentially and, more specifically, under 2(b) that recognition or enforcement of the award ‘would be contrary to the public policy of that country’.
 See endnote 8: ‘The Consultation Draft February 2020 ICCA-IBA Road Map to Data Protection in International Arbitration’
 See Data Protection and Cybersecurity Questions 26, 27 and 28 in White & Case/QMUL 2020 International Arbitration Survey, ‘Adapting Arbitration to a Changing World’, which opened for responses on 12 October 2020.
 For instance, the UK’s Data Protection Act 2018, which – on 28 May 2018 and ahead of Brexit – incorporated all the provisions and key Articles of the EU’s General Data Protection Regulation (GDPR).
 Institutions now recognise this and are amending their Rules accordingly. The LCIA’s new Article 30A Data Protection Rule came into force on 1 October 2020.
 The GDPR came into force on 28 May 2018 and contains 11 Chapters and a total of 99 Articles.
 In trading (and therefore potential contract dispute/international arbitration dispute) terms, the (then) 28 Member States in 2018 had global exports of 15.2 per cent of world trade (compared to China: 16.4 per cent, the US: 10.9 per cent and the rest of the world: 52.6 per cent) and global imports of 15.1 per cent (compared with China: 13.8 per cent, the US: 16.4 per cent and the rest of the world: 49.7 per cent).
 Article 4 is the definition section of the Regulation.
 See generally, Christopher Kuner & Daniel Cooper, ‘Data Protection Law and International Dispute Resolution’, Vol 382 Recueil Des Cours de L’Academie de Droit International de la Haye, Hague Academy of International Law (Brill/Nijhoff) 9 – 174 (2017).
 Case C 311/18: Data Protection Commissioner v Facebook Ireland and Maximillian Schrems
 Under Article 45 these are Andorra, Argentina, Canada (for commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay with ongoing adequacy talks with South Korea.
 United States v Microsoft Corp., 584 U.S. ___, 138 S. Ct. 1186 (2018).
 Tennant Energy v Canada, Procedural Order 2, Para 2.8, 29 July 2019, see www.italaw.com/sites/default/files/case-documents/italaw11017.pdf
 For instance, China and Russia – along with many other nations - have restrictive data privacy and data location and storage laws, breaches of which impinge on the integrity of the arbitral proceedings and awards. For the EU’s data localisation requirements, and the problems of lawfully transferring data required to be kept within a nation, see Dr W Kuan Hon, Data Localisation Laws and Policy: the EU’s Data Protection International Transfers Restriction through a Cloud Computing Lens (her ‘Frankenrules’), Edward Elgar 2017 at pp.170 – 74.
 See para 6 of Philip Coppell QC’s 17-page Opinion dated 28 June 2012 to the Leveson Inquiry into The Press, HC 780-III Vol 3 Part H [2.5] at 1069: ‘Data protection law is technical and unfamiliar to most judges … applications for judgment on such claims are, for the moment at least, unlikely to find favour’.
 Article 30(1), LCIA Rules 2020
 Ibid, Article 30(2)
 Ibid, Article 30(3)
 The hackers were understood to have exploited a flaw in Adobe Flash, creating a malicious web address that PCA site visitors unwittingly uploaded, allowing the hackers remote access to the visitors’ networks, computers and data.
 Ibid, Schedule D: ‘The Parties shall take reasonable measures to protect the security of the information processed in relation to the arbitration, taking into consideration, as appropriate, the ICCA-NYC Bar-CPR Cybersecurity Protocol for International Arbitration.’
 See generally, S Wheatley & ors, Addressing Insurance of Data Breach Cyber Risks in the Catastrophe Framework, Geneva Papers on Risk and Insurance – Issues and Practice, Springer 2020. They found that the median predicted number of IDs breached in the US by hacking in the last six months of 2018 was 0.5 billion, with a 5 per cent chance that the figure exceeded 7 billion.
 The ICO’s Penalty Notice 2020 against British Airways, COM0783542, was issued under s.155 of the Data Protection Act 2018, in line with the factors set out in Article 83 (2) and (3) GDPR. Its 112 pages of closely reasoned assessment and penalty setting are instructive. It is an example of the depth of detail applied when considering how such issues should be assessed and concluded.
 Ibid, Paras 7.52 – 7.53.
 Ibid, para 7.7
 Ibid, para 7.9 – 7.16
 Ibid, para 7.18
 Ibid, para 7.30
 Ibid, para 7.31
 Such formal consultation with the remaining 27 EU States post-1 January 2021 remains optional. The UK’s Information Commissioner (Elizabeth Denham is a Canadian citizen) is highly regarded internationally. Her term ends in October 2021 but the intellectual rigour she has encouraged within her office will take some time to diminish.
 Such as DLA Piper, Herbert Smith Freehills, Ashurst, CMS, Hogan Lovells and Latham & Watkins.
 However, the use of virtual reality (VR) and augmented reality (AR) applications at the ‘luxury’ end of the ‘international hearings’ market could open a Pandora’s Box of technology for parties and arbitrators. Initially, party/arbitrator access could be more secure. But impregnable ‘vaults’ have been illusory since the time of the Pharaohs.
  EWHC 424 (QB)
 An Austrian Supreme Court decision in Case no ONc 13/20s, involving a Vcon arbitral challenge on several points, emphasised this. The arbitral proceedings had been pending since 2017. The arbitral tribunal set a Vcon evidential hearing lasting for a day and spanning time zones on 15 April 2020 because of Covid-19 restrictions. One party objected to the process. The appeal failed because, inter alia, both parties were treated fairly, they had access to justice and their rights to be heard were respected.