Confidentiality at Risk: Arbitration in the Age of Evolving Technology

Authored by - Purvi Singla (Law Student, Rajiv Gandhi National University of Law, Punjab)

I.              Introduction

Secrecy has always been the strongest argument in favour of arbitration. The parties involved choose arbitration, in part, because they do not wish their disputes, documents or commercial strategies to be exposed in the public view. In particular, for enterprises, confidentiality is a shield against reputational damage, effects on negotiations, and market position.

However, when arbitration went online, the retreat of confidentiality from being just a thing was evident. Email communication, cloud data, virtual hearings, AI digital transcription tools, and collaborative platforms that have made proceedings shorter and smart. They also create new risks. Most of these channels are operated by third-party service providers whose data policies allow access, storage, or incidental processing of user information which goes against arbitration’s confidentiality charm. This is not to question if technology should be integrated with arbitration, but to analyse the risks associated with it and how they can be mitigated.

II.            Understanding of Confidentiality in Arbitration

The nature of arbitration as a private process has traditionally been seen as such. Proceedings occurred in private rooms; filings were exchanged in person; and, the parties controlling access to the documents of the arbitration process. Although before the 2019 amendment to the Arbitration & Conciliation Act, which established the formal requirement for confidentiality in arbitration within the statute (section 42A), parties typically viewed arbitration as a discrete process.[1]

However, section 42A of the Arbitration & Conciliation Act (amended by the 2019 Act) represents a key point at which statutory recognition of confidentiality requirements in arbitration within India is recognized. The provision establishes the obligation of confidentiality to apply to "the arbitrator, the arbitral institution and the parties to the arbitration agreement" regarding "all arbitral proceedings", with the exception being awards, in those instances in which disclosure of the award is required for the purpose of implementation and enforcement of the award." This codification imposed the obligation of confidentiality upon all parties and entities engaged in the arbitration process (i.e., arbitrators, arbitral institutions and the parties), and further established that confidentiality should be the overriding principle applicable to all other competing obligations arising from any other provision of law.

This model assumed a physical presence. With proceedings now taking place via e-mail chains, data rooms hosted in the cloud, and hearings via Zoom, the notion that "it's just the parties and the tribunal who can see the material," has become unstable. Therefore, the possibility of exposure is no longer dependent upon who are participating in the proceeding, but upon the platforms used to conduct the proceeding. A 2021 International Arbitration Survey found that 63% of respondents reported using video conferencing technologies (such as Zoom), either always or frequently, and 56% also reported using cloud-based storage, either always or frequently.[2] These technologies have therefore fundamentally changed the landscape of confidentiality in arbitration.

III.          The New Factors of Confidentiality Risk

Email platforms like Microsoft Outlook and Gmail search for metadata info. E-mail is the traditional means of communication in arbitration although considerable risks of confidentiality are involved. Microsoft Outlook and Gmail also capture users' arbitration-related communications and have the right to use this data for the company's benefit. Customers can read the emails sent and received during the arbitration procedure, meaning that the communication lines are not entirely private.

Providers of cloud services like Dropbox, OneDrive, and Google Drive continue to have the right under their contracts to collect, use, and share customer data for the purpose of service improvements and compliance.[3] Confidential arbitration data utilized in cloud environments can also be accessed and misused by those conducting the services, even when the parties involved are under strict confidentiality agreement according to the arbitration rules.

Those attending virtual heated can record proceedings, take screenshots, and have these go undetected. According to the AAA-ICDR Model Order, the parties and their lawyers must agree to not take any recordings without authorization.[4] However, this can be difficult to enforce in a virtual world.  The video conferencing platforms themselves have the right to collect and use the content of the hearing as required for their business operations.

Cyberattacks have targeted institutions and law firms. Chinese state-affiliated hackers were behind a July 2015 cyberattack that imbedded malicious Adobe Flash files on the Permanent Court of Arbitration’s website.[5] The breach allowed access to the secret South China Sea arbitration documents. Cyberattacks often target law firms because they have a lot of sensitive information stored.[6]

IV.          Current Framework and Practical Solutions

Most arbitration rules assume confidentiality, while the most do not sufficiently permit enforcement against digital infringements. Of the ICC, SIAC, HKIAC, LCIA, and CIETAC, only the ICC does not have default confidentiality obligations,[7] the others impose broad obligations on participants. According to the ICC, participants in virtual hearings do not include video conferencing platform providers, raising concerns about access to sensitive information.

Confidentiality requirements are inadequate in a digital world. End-to-end encryption only protects messages in transit and not at rest, meaning service providers can continue reading arbitration messages in the mailbox.  The ICC 2021 Note to Parties acknowledges this shift.[8] It calls for technical and organizational measures with reasonable security levels appropriate for the arbitration.

V.            Moving Toward Systemic Solutions

Confidentiality by Design, or "CbD", is proposed by scholars such as Mark Malekela,[9] and includes technical safeguards intended to ensure confidentiality through the entire codebase to the user interface as a model of privacy by design established under the EU GDPR.[10] The features of CbD include end-to-end encryption, role-based access control, secure internal storage of data over external cloud storage, audit logs, and anonymized data. For example, Jus Mundi's Jus AI has demonstrated its adherence to these principles - ISO 27001 certification was completed in December 2024 along with stringent encryption requirements and access controls.[11]

Guidelines issued by the SVAMC were the first international guidelines for the use of artificial intelligence in arbitration; and specifically, Guideline 2 requires that all AI tools used during arbitration honour their obligation to maintain confidentiality and that users review their data use and retention policies prior to submitting any information to be reviewed using AI.[12] The CIArb 2025 Guidelines for AI[13] provides a framework for ensuring the security and transparency of the use of AI systems in arbitration; and recommend evaluating the potential confidentiality impacts of AI systems and conducting early risk assessments.

Tiered obligations are established within the EU Artificial Intelligence Act for high-risk AI systems which require effective data governance and cybersecurity; and thus present a potential for arbitration to implement CbD as a clear expectation of arbitration practice and not simply as a theoretical concept.[14]

Parties and tribunals should prioritize secure and institutional instead of relying on email or consumer file-sharing tools. The ICCA-NYC Bar-CPR Protocol advises against unencrypted attachments and recommends sending passwords separately when needed.[15] Access and recording must be controlled: participant lists should be pre-approved, virtual rooms password-protected, cameras kept on, and recording permissions agreed upon in advance, as emphasized in the ICC Virtual Hearings Checklist. Law firms, meanwhile, should strengthen internal security by adding cybersecurity breach clauses to contracts and enabling protective measures like waiting rooms, host controls, and restricted chats.

VI.          Conclusion

Confidentiality is no longer automatic. By adopting digital technologies provided by internet giants, arbitration stakeholders have lost control over confidentiality without properly preventing third party access. The breaches that were noted at the Permanent Court of Arbitration and India’s National Company Law Tribunal show that existing systems are flawed.

Technology is neutral and safeguards must matter. The procedural rules of arbitration will need to become modern. Institutions need to invest in purpose-built technology. Cybersecurity protocols will need to be adopted proactively. Finally, confidentiality by design must be embraced where technology architecture has protections built into them.

Confidentiality is not a guarantee but a hope without structural reform. The dilemma is not if technology is to be used but whether arbitration will build the safeguards to protect its core promise.

[1]Arbitration & Conciliation Act, 1996, § 42A (India) (amended 2019).

[2]Queen Mary University of London & White & Case LLP, 2021 International Arbitration Survey: Adapting Arbitration to a Changing World (2021), https://arbitration.qmul.ac.uk/media/arbitration/docs/LON0320037-QMUL-International-Arbitration-Survey-2021_19_WEB.pdf.

[3] Thomson Reuters Insights, Understanding Data Privacy and Cloud Computing, https://legal.thomsonreuters.com/en/insights/articles/understanding-data-privacy-and-cloud-computing.

[4]American Arbitration Association & International Centre for Dispute Resolution, Model Order and Procedures for a Virtual Hearing via Videoconference, https://go.adr.org/rs/294-SFS-516/images/AAA270_AAA-ICDR%20Model%20Order%20and%20Procedures%20for%20a%20Virtual%20Hearing%20via%20Videoconference.pdf.

[5]Int'l Arb. Reporter, Permanent Court of Arbitration Goes Offline with Cyber Security Firm Contending that Security Flaw was Exploited in Lead-up to China-Philippines Arbitration, https://www.iareporter.com/articles/permanent-court-of-arbitration-goes-offline-with-cyber-security-firm-contending-that-security-flaw-was-exploited-in-lead-up-to-china-philippines-arbitration/.

[6]CyberProof, Why Law Firms are Prime Targets for Cyber Attacks and How to Stay Secure, https://www.cyberproof.com/blog/why-law-firms-are-prime-targets-for-cyber-attacks-and-how-to-stay-secure/.

[7]Nobumichi Teramura & Leon Trakman, Confidentiality and Privacy of Arbitration in the Digital Era: Pies in the Sky?, 40 Oxford J. Arb. 277 (2022), https://academic.oup.com/arbitration/article/40/3/277/7716003.

[8]Int'l Chamber of Commerce, Note to Parties and Arbitral Tribunals on the Conduct of Arbitration Under the ICC Rules of Arbitration (2021), https://iccwbo.org/wp-content/uploads/sites/3/2020/12/icc-note-to-parties-and-arbitral-tribunals-on-the-conduct-of-arbitration-english-2021.pdf.

[9]AI and Confidentiality Protection in International Commercial Arbitration: Analysis of the Existing Legal Framework, 2 Springer (Jan. 2025), https://link.springer.com/article/10.1007/s44163-025-00316-7.

[10]Privacy by Design, GDPR Info, https://gdpr-info.eu/issues/privacy-by-design/.

[11]Jus Mundi Achieves ISO 27001 Certification, https://dailyjus.com/news/2024/12/jus-mundi-achieves-iso-27001-certification.

[12]SVAMC, Guidelines on the Use of Artificial Intelligence in Arbitration (1st ed.), https://svamc.org/wp-content/uploads/SVAMC-AI-Guidelines-First-Edition.pdf.

[13]CHARTERED INST. OF ARB., Guideline on the Use of AI in Arbitration (Sept. 2025), https://www.ciarb.org/media/bpndtcgu/guideline-on-the-use-of-ai-in-arbitration_updated-sept-2025.pdf.

[14]Artificial Intelligence Act, https://artificialintelligenceact.eu/.

[15]Int'l Ct. for Commercial Arbitration, New York City Bar Ass'n & Collaborative Problem Solving, Cybersecurity Protocol for International Arbitration (2022), https://documents.nycbar.org/files/ICCA-NYC-Bar-CPR-Cybersecurity-Protocol-for-International-Arbitration-Electronic-Version.pdf.