Introduction
It is generally accepted that Brexit will not affect the conduct of arbitration claims in London as much as other areas of law. The legal framework of arbitration in the UK is not governed by EU law and it has the benefit of the New York Convention ensuring ongoing enforceability of arbitral awards.
Cybersecurity is becoming increasingly prominent and, conversely, it will be impacted by Brexit. It is important to consider how the arbitration community might future-proof itself against cybersecurity problems to maintain London’s position as a leading arbitration centre after Brexit.
The publication of the Panama Papers and Paradise Papers in 2015 and 2017 highlighted the vulnerability of law firms to hacking. We only need to look to the 2015 hacking of the website of the Permanent Court of Arbitration to see that arbitral institutions are also potential targets.
Governments and institutions are acting to tackle these problems. The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 took effect on 28 May 2018. China, Australia and New Zealand have all implemented new cybersecurity rules in the last year and, on 16 November 2018, the United States enacted the Cybersecurity and Infrastructure Security Agency Act 2018, creating a new pan-US cybersecurity agency. In the arbitration world, the International Council for Commercial Arbitration (ICCA) published a Draft Protocol on the management of cybersecurity in international arbitration in April 2018. The International Bar Association also published cybersecurity guidelines in October.
How is cybersecurity being dealt with in the Brexit negotiations?
We now have the text of the latest version of the draft withdrawal agreement, which was accepted by the UK cabinet on 14 November and by EU leaders on 25 November. The Prime Minister will attempt to push it through Parliament on 11 December. The Political Declaration Setting Out the Framework for the Future Relationship between the European Union and the United Kingdom was published on 22 November.
We can now consider with a little more clarity how cybersecurity issues might impact arbitration after Brexit.
Withdrawal agreement
The withdrawal agreement contains two key provisions on data protection. If it is accepted by Parliament, these will form the basis of the UK’s ongoing data protection regulation:
- To maintain continuity during the transition period, EU law will continue to apply to the UK, although the UK Information Commissioner will not be part of the European Data Protection Board. The withdrawal agreement now provides for the transition period to be extended beyond 31 December 2020.
- Article 71 of the withdrawal agreement provides a limited safety net if the UK doesn’t achieve an adequacy decision. EU citizens’ data processed in the UK before the end of the transition period will remain protected by EU laws. Article 73 confirms that UK citizens’ data will be similarly protected in the EU.
Adequacy decision
One of the bases for future UK-EU cooperation in the political declaration is that the UK commits to a “high level of personal data protection”. Without an agreement to the contrary, on leaving the EU the UK becomes a third country under the GDPR and will have to seek an adequacy decision to maintain its current data-sharing systems with parties in the EU. The EU will begin assessing a future adequacy decision under the GDPR by the end of 2020 (at the earliest).
If successful, the UK will need to demonstrate equivalent levels of data protection to those offered under the GDPR. This will allow data exchange to continue as if the UK were regulated by the GDPR.
The adequacy process cannot begin until the transition period ends. Whether or not the UK leaves the EU under a deal (or as seems increasingly possible, at all), an interregnum between leaving and any adequacy finding is almost inevitable. Nor is an adequacy decision automatic (even though on exit, UK and EU regulation would be identical). The longer the adequacy process takes, the higher the risk of divergence between the UK and EU’s data protection laws. During this gap, the UK would be a third country, to which transfers of personal data are not permitted unless an appropriate alternative solution is in place.
The adequacy application could be complicated further by the fact that if “equivalent” regulations can be overridden by national law, they may not be deemed to provide adequate protection. The UK is also seeking an “enhanced adequacy” decision to allow it to retain membership of the European Data Protection Board. This is being met with resistance by the EU.
There is no explicit mention of cybersecurity in the withdrawal agreement. The EU is looking at a new Cybersecurity Act which will introduce a new certification regime. This will almost certainly come into force after the end of the transition period, problematising the UK’s attempt to maintain equivalency.
What problems might this cause for international arbitration in London?
The withdrawal agreement gives little comfort and the cybersecurity problems already facing arbitration will become all the more stark after Brexit. The ICCA Protocol does not supersede national cybersecurity laws and while it may provide a helpful framework, it will not plug any gaps between UK and EU cybersecurity regulation.
Risks of data breach
Risks of cybersecurity breaches in international arbitration are well documented. Law firms and arbitral institutions are large depositaries of valuable data relating to high-profile entities which are vulnerable to hacking.
Arbitrations involve the cross-border transfer of large amounts of data, potentially through insecure internet connections. Data security is managed on an ad hoc basis, often relying on the initiative and engagement of arbitrators to navigate the varying cybersecurity policies of parties and law firms.
Brexit effect
GDPR has forced entities to address their own data protection/cybersecurity policies. Whether the UK leaves the EU under the withdrawal agreement or without a deal, arbitral institutions and law firms must prepare for the gap between the transition period and, hopefully, an adequacy decision.
In relation to cybersecurity issues, Brexit (if it goes ahead) is likely to affect UK-based international arbitration in two main ways:
- The UK’s increased vulnerability to cyberattack once outside the EU (since the UK will no longer be party to as much sharing of information regarding cyber threats) will mean arbitral institutions and UK-based users of arbitration must be more vigilant to data threats. It will likely fall to arbitral institutions to implement overarching policies to regulate the handling of cybersecurity. This could take the form of procedural changes such as inter-party data-sharing platforms and institutional rule changes which require the use of secure data connections, and implementing response procedures in case of a security breach.
- UK institutions will risk being left behind by their EU counterparts if they do not actively ensure their data protection policies correspond to GDPR standards. Without an adequacy decision, the UK will lose the automatic ability to transfer data from the UK to the EU and will require secure methods of transferring data that satisfy GDPR requirements. This will likely need to be contractual, meaning that individual relationships will need to be revisited and institutional rules in arbitrations with a UK nexus will likely need to include appropriate wording.
Conclusion
One of the key selling points of arbitration is confidentiality. Being lax with cybersecurity in an arbitration could threaten this reputation and potentially lead to sanctions for EU parties or give rise to breaches of contract.
Confusion over the status of cybersecurity rules in the UK after Brexit means that if UK arbitration institutions do not implement changes like those suggested above, they risk being unable to deal with data appropriately. With Brexit nothing is certain, but this could cause EU parties to move away from using London as an arbitration centre and undermine the potential for the London arbitration community to weather the storm of Brexit.
This blog is published in conjunction with BCLP’s annual international arbitration survey, which in 2018 considers cybersecurity in international arbitration.