Arbitration In IndiaArbitration in Data Privacy Sector

With the rise of technological advancements and the increasing reliance upon digital platforms, the lawmakers have recognised the need to govern personal data to protect individual rights and privacy. The world is slowly transforming into a data driven system, where organization thrive on their user’s data to advance in their fields. Hence, this calls upon closer inspection on the use, process and disposal of the same to prevent exploitation of any data.

This raises more concerns about how these disagreements may be settled amicably without sacrificing the accuracy of the data. In order to promote a quick and private process for resolving such disagreements, several organisations are therefore anticipating the implementation of alternative dispute resolution mechanisms. But in order to comprehend its relevance, we must proceed in tandem with the existing data protection framework in order to successfully resolve conflicts while safeguarding the data.

Whether such Disputes are Arbitrable?

Data Privacy disputes are governed by privacy laws and the nature of such disputes. In India, in Vidya Drolia v. Durga Trading Corporation the Supreme Court laid down the following four-fold test to determine whether a dispute is non-arbitrable:

• when the cause of action and subject matter of the dispute relates to actions in rem, that do not pertain to subordinate rights in personam that arise from rights in rem;
• when the cause of action and subject matter of the dispute affects third party rights;
• when the cause of action and subject matter of the dispute relates to inalienable sovereign and public interest functions of the State;
• when the subject-matter of the dispute is expressly or by necessary implication non-arbitrable as per mandatory statute(s).

The Data Protection Board of India (“DPB”) is established by Section 18 of the Digital Personal Data Protection Act. It is a quasi-judicial authority to receive complaints pertaining to violations of this Act and, in accordance with Section 31, to recommend them for mediation. As a result, the Act permits complaints to be referred to an alternative conflict resolution process. By their very nature, data privacy disputes involve a combination of rights in personam (enforceable against an individual) and rights in rem (enforceable against the general public), which may make arbitration seem inappropriate. Therefore, the four-prong test can be used to decide whether or not the issue will be arbitrable.

Types of Disputes

1. Data Breach and Cybersecurity Related Disputes: This can include any dispute that results from unauthorised access to or disclosure of private data, and it typically involves accusations of negligence or a failure to implement appropriate cybersecurity measures.

2. Cross Border Data Transfer: Any inconsistency with or violation of various privacy laws, including the Digital Personal Data Protection Act, the GDPR, or other data protection laws pertaining to the transfer of personal information between different jurisdictions.

3. Breach of Data Processing Agreement: Such disputes arise between data controllers and processors over contractual breaches under Data Processing Agreements (DPAs) that has failed to uphold the legal, contractual or industry standards.

4. Third-Party Vendor or Subcontractor Liability: Conflicts that arise when a third-party vendor or subcontractor mishandles personal data entrusted to them by a primary party can also be arbitrated.

5. Employee Data Privacy Conflicts: Any situations where personal information about employees is misused or unlawfully disclosed, including workplace monitoring, surveillance, or biometric data usage.

6. Consumer Privacy Violations: Such disputes can occur between businesses and consumers about the collection, use, or sale of personal data, particularly in the e-commerce, fintech, and digital advertising industries.

7. Intellectual Property Related Disputes: This includes conflicts that arise from the intersection of private or sensitive company information with personal data, which can result in ownership disputes and illegal disclosure.

8. Privacy Disputes in Mergers and Acquisitions: Such disputes can occur due to due diligence or post-merger integration, notably on the handling of customer or employee data.

Why Arbitration?

The following important viewpoints are used to evaluate why arbitration should be the proper dispute resolution procedure when the conflict has passed the initial threshold:

Compensation:

The DPDP Act lacks provisions for compensating aggrieved parties. Without a specific provision for compensation, an aggrieved party whose personal data has been breached is left with no remedy other than filing a complaint with the Data Protection Board (DPB) under the DPDP Act. However, this only results in penalties being imposed and offers no compensation to the aggrieved party.

As a result, arbitration agreed upon in a contract becomes a good substitute for pursuing damages. It is important to remember that in situations where there is a breach of personal data, Clause (a) of Section 27(1) gives the DPB the authority to order immediate corrective action. It is unclear, though, if such steps may involve compensation in the absence of further explanation.

Confidentiality:

Confidentiality is a cornerstone of arbitration which is particularly critical in data privacy disputes where sensitive information is often involved. Arbitration fosters private dispute resolution by restricting access to the details of the dispute, the proceedings, and the final decision. This secure framework allows parties to engage in open discussions without fear of reputational damage or data breach.

Since the DPDP Act seeks to safeguard personal information, arbitration offers a safe setting for settling these kinds of conflicts. Arbitral tribunals are excluded from some compliance obligations under Section 17(1)(b) of the DPDP Act; nevertheless, they are still required by Section 8(5) to put appropriate protections in place against data breaches. This duty is particularly pertinent when the personal information of parties, witnesses, or other participants in the proceedings is included in arbitral records.

Party Autonomy:

Another key benefit of arbitration is that it enables party autonomy, which offers the parties to choose the arbitration process and arbitrator. In the context of data privacy disputes, this allows parties to appoint arbitrators with specialized expertise in data protection laws, ensuring that the dispute is handled by professionals with the necessary knowledge.

Application of DPDP Act on Arbitration

The Arbitration Proceedings will be required to comply with their governing laws on data regulations including protecting data from any cybercrime. Compliances can include protecting personal data, data security, data transfer, sanctions and liabilities and maintaining confidentiality and transparency.

EU-U.S. Data Privacy Framework (EU-U.S. DPF)

The Department and the Commission have agreed upon specialised arbitration rules for the EU-U.S. Data Privacy Framework Panel, which consists of the following provisions:

1. Initiation: By delivering a Notice outlining previous settlement procedures, the alleged breach, and any supporting documentation or legal discussion, an individual can start binding arbitration.
2. Non-duplication: Procedures will prevent duplicative remedies for the same claim.
3. Parallel FTC Action: Federal Trade Commission (FTC) actions may proceed alongside arbitration.
4. Limited Government Involvement: While EU Data Protection Authorities (DPAs) can help with the Notice preparation, no government representatives are permitted to take part in arbitrations.
5. Location and Participation: Arbitrations will take place in the United States, and participation will be free by telephone or video. Participation in person is not necessary.
6. Language and Translation: Arbitration will be in English unless otherwise agreed. Interpretation and translation may be provided at no cost, unless deemed unjustifiably costly.
7. Confidentiality: Arbitration materials and discovery will be kept confidential and used only for arbitration purposes.
8. Discovery: Individual-specific discovery may occur if necessary and will be confidential.
9. Timeline: Arbitrations are to be completed within 90 days unless parties agree otherwise.

These rules are subject to amendment or replacement with established U.S. arbitral procedures if needed.

AMLEGALS Remarks

Arbitration and India’s data privacy laws intersect in a dynamic and evolving landscape that demands careful analysis and ongoing refinement. The following are suggestions to create a reliable arbitration mechanism for data privacy related issues:

Clarify and Harmonize Applicable Laws:

For arbitration to be used effectively in resolving data protection issues, the pertinent laws and regulations must be clarified and brought into alignment. This entails guaranteeing uniformity across jurisdictions and offering precise instructions on how data protection laws and arbitration legislation interact. The concentration should be on creating a logical structure that will provide parties the assurance that arbitration is a trustworthy method of resolving disputes.

Develop Specialized Panels of Arbitrators:

Given the technical and complex nature of data protection issues, it is highly recommended to form specialized panels of arbitrators with expertise in data privacy and protection laws. Working together with arbitral institutions, data protection authorities, and professional associations can help achieve this. These specialised panels will guarantee that arbitrators have the necessary expertise to handle the particular difficulties of data protection disputes, resulting in more efficient and knowledgeable decision-making.

Implement Training and Education Programs:

It is essential that arbitrators, solicitors, and other stakeholders in the data protection field get ongoing training and instruction. New developments in technology, best practices for resolving data protection issues, and revisions to data protection regulations should be the main topics of these sessions.

Foster a Collaborative Approach:

In order to effectively resolve data protection issues, all parties involved—including arbitral institutions, data protection authorities, the judiciary, and other pertinent entities—should work together. Regular communication and information exchange can improve the legitimacy and effectiveness of arbitration by fostering consistent procedures like decision-making uniformity.

Review and Update Arbitration Rules:

In order to handle the unique requirements and difficulties of data privacy disputes, arbitral institutions should evaluate and update their rules on a regular basis. This could include clauses that address certain procedural requirements in data protection issues, preserve confidentiality, and secure personal data during arbitration. Parties will be encouraged to choose arbitration as their preferred method of resolving disputes if arbitration rules are tailored to meet these issues.

By implementing these measures, India can build a strong system that not only supports data privacy standards, but also ensures that disputes are resolved efficiently and securely. Arbitration, when customized to the needs of the digital era, has the potential to become a cornerstone in the resolution of data privacy disputes.

Team AMLEGALS, assisted by Mahima Periwal (Intern).

Please reach out to us at rohit.lalwani@amlegals.com in case of any query.