Data Protection in International Arbitration — A TRW Law Firm Guide (Dhaka • London • Dubai)
Executive Summary
Arbitration has always promised privacy, but “private” is not the same as “data-protected.” Today’s cross-border disputes move massive volumes of personally identifiable information (PII), special category data, trade secrets, chats, cloud workspaces, mobile extractions, and third-party datasets across multiple jurisdictions. Add in remote hearings, e-bundles, AI review, and sanctions screening, and you have a perfect storm of regulatory overlap + cyber exposure.
This TRW Law Firm guide translates the fast-moving law-and-tech terrain into a practical playbook you can adopt at the first case management conference (CMC)—and ideally before a dispute is filed. We draw on our cross-border practice in Bangladesh (Dhaka), the UK (London), and the UAE (Dubai) to help you design defensible and efficient protocols that withstand tribunal scrutiny and regulator oversight.
Bottom line for counsel and case teams: treat data protection as a front-end design problem, not a back-end scramble. Build your information security, transfer, and minimisation architecture into Procedural Order No. 1 (PO1) and your Terms of Reference.
For an overview of how we run complex cross-border cases end to end, see International Arbitration.
1) Confidentiality vs. Data Protection: Same Family, Different Rules

- Confidentiality is an arbitral feature (often by rule, contract, or implied term). It restrains disclosure to the outside world and controls publicity.
- Data protection is a regulatory regime (public law + private obligations) that governs collection, purpose, processing, transfer, storage, retention, and rights of data subjects. It applies regardless of whether your arbitration is “confidential.”
Practical implication: Even when your arbitration is fully confidential, you can still breach data protection laws by over-collecting, over-retaining, transferring unlawfully, failing to secure, or ignoring data-subject rights. Confidentiality ≠ compliance.
2) The Five Pillars of Arbitration Data Protection
Think of your case architecture around five pillars. If you can answer these before PO1, you’re ahead of 90% of case teams.
- Roles & Responsibilities
  - Who is controller vs. processor for each flow? (Parties, counsel, tribunal, institution, service providers, hearing tech, transcription, translation, e-bundling, hosting, forensics.)
  - Record this in PO1 and vendor DPAs (data processing agreements).
- Lawful Basis & Purpose Limitation
  - What is your lawful basis for processing (e.g., establishment/defense of legal claims, contractual necessity, legitimate interests)?
  - Limit usage to arbitration purposes; ban “data creep.”
- Data Minimisation & Redaction
  - Collect only what you need; tier production requests; use redaction and pseudonymisation for sensitive fields (health, bank, minor data).
  - Designate a confidential annex for the most sensitive items.
- Security by Design
  - End-to-end: protected file exchange, MFA, least-privilege access, encryption at rest/in transit, device policies, patching, incident response, immutable logging.
  - Don’t rely on email for evidence transfer—use a secure evidence portal.
- Cross-Border Transfers & Localisation
  - Map where data will reside and travel (Dhaka, London, Dubai, hearing seat, host providers).
  - Pre-bake transfer tools (e.g., SCCs/adequacy equivalents where needed), and track local blocking statutes or secrecy laws.
3) Who Are the “Data Actors” in Your Case?
- Parties & Affiliates: Typically controllers for their own datasets; may act as joint controllers when jointly determining purposes.
- Counsel Teams & Experts: Usually processors vis-à-vis clients’ data; may become controllers for their internal admin data.
- Tribunal Members: Often independent controllers for the data they hold (notes, drafts) with purpose limitation to the arbitration.
- Institutions: Controllers for the data they collect to administer the case; may impose security standards on all participants.
- Vendors (ediscovery, hosting, transcripts, real-time, interpretation, hearing rooms): Processors—need DPAs, security annexes, breach notice windows, sub-processor controls.
Action: Spell this out in PO1 + annex of approved processors. Require change-control if a new vendor is added.
4) First CMC: What to Ask for (and Get) in PO1
Use the first CMC to lock in a dispute-specific data framework. Here’s a checklist we deploy:
A. Information Security (InfoSec) Core
- Approved platforms (evidence portal, e-bundles, chat capture, audio/video).
- Access control: named users, MFA mandatory, device hygiene (no shared credentials).
- Encryption (in transit/at rest), key management, audit logs (immutable).
- Breach response: 24-hour notification to tribunal and parties; contain, assess, inform where law requires; forensic preservation.
- Prohibition on personal email/cloud drives for case data.
B. Data Minimisation & Redaction
- Phased disclosure: start with key custodians/timebands; small pilots; scale only if necessary.
- Automatic masking for national IDs, account numbers, birthdays, minors’ data; release unmasked only on good cause.
- Clawback protocol (inadvertent production of privileged/special category data).
C. Cross-Border Transfers
- Data residency map (which country hosts what).
- Standardised transfer terms (e.g., SCC-style obligations or local equivalents) where applicable; seat-neutral language that works across regimes.
- Clarify localisation constraints (banking secrecy, telecoms, health data). Build workarounds (on-prem review, tokenisation, field-level redaction).
D. Data-Subject Rights (DSRs)
- Route any DSR requests (access/erasure/rectification) to a single channel; presumptive deferral where incompatible with legal-claims exception; tribunal gatekeeping to avoid tactical misuse.
E. Hearing Protocols
- No auto-record by participants; only the official service provider records; define storage period and deletion schedule.
- Screen-share hygiene; physical clean desk; watermarked bundles to discourage onward sharing.
F. Retention & Deletion
- Define retention periods and destruction triggers (award finality + X months/years; ongoing enforcement exceptions).
- Require certificate of deletion from all processors.
G. Sanctions & Export Controls
- If a party or custodian is designated or the data contains export-controlled tech, map out a licensing path and a restricted-access model. (This frequently intersects with InfoSec.)
H. AI and Automated Tools
- Document review tools may use machine learning; ensure no external model training on your data and no vendor re-use.
- Ban public generative tools for case content. Permit only whitelisted AI features constrained within your secure environment.
5) Cybersecurity: What “Good” Looks Like (and What Fails in Practice)
The good stack (lean and effective):
- SSO + MFA for all endpoints; MDM on mobiles; data loss prevention (DLP).
- Zero-trust networking for your review platform; IP allow-lists for hearing tools.
- Immutable logging and tamper-evident export trails for exhibits.
- Vendor SOC 2 / ISO 27001 (or equivalent controls) and an annex listing technical safeguards (cipher suites; patch cadence; physical security).
- Tabletop incident drill with counsel + tribunal secretariat before disclosure begins.
Common failure modes we remediate:
- Evidence traded by email or consumer cloud.
- Shared credentials among co-counsel teams.
- No redaction discipline; full bank/health records dumped into the bundle.
- Unmanaged BYOD laptops at hearings.
- No plan for local data blockers (e.g., health, telecom, banking secrecy), leading to last-minute crises.
6) Cross-Border Transfer Playbook (Dhaka ↔ London ↔ Dubai)
Scenario A: Bangladesh data → UK-hosted review
- Use a secure transfer gateway; document lawful basis (defence of claims).
- If local law restricts export of specific data types, pivot to on-premise review in Dhaka or tokenise sensitive fields before export.
- Keep a transfer register (what moved, when, why, who).
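The field-level masking and tokenisation that the Data Minimisation pillar, checklist item B and Scenario A call for, shown as an added Python example that is not TRW's own tooling: the sample record, the account-number pattern and the case key are constructed for the illustration, and keyed HMAC pseudonyms are one way to keep tokens consistent between a structured field and the same value mentioned in free text.

```python
import hashlib
import hmac
import re

# Constructed sample export row (custodian, ID and account number are made up).
SAMPLE_RECORDS = [
    {"custodian": "A. Rahman", "national_id": "1234567890123",
     "account": "BD12 3456 7890 1234", "dob": "1987-04-12",
     "text": "Payment sent from account BD12 3456 7890 1234 on 12/04/2021."},
]

# Per-case tokenisation key (assumption): held by the exporting party in Dhaka and
# never shipped with the data, so only that party can re-link tokens to values.
CASE_KEY = b"constructed-case-key-do-not-reuse"

def tokenise(value: str, field: str, key: bytes = CASE_KEY) -> str:
    """Deterministic pseudonym: same value -> same token; not reversible without key.
    The field name is mixed in so an ID and an account with the same digits
    never share a token."""
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{field.upper()}-{mac[:12]}"

def mask_dob(dob: str) -> str:
    """Keep the year only: enough for age-based arguments, no full birthday."""
    return dob[:4] + "-XX-XX"

# Constructed account-number pattern (IBAN-like: 2 letters, 2 digits, 3 x 4 digits).
ACCOUNT_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?\d{4}){3}\b")

def redact_free_text(text: str, key: bytes = CASE_KEY) -> str:
    """Replace account numbers in free text with the same token used for the
    structured field, so reviewers can still link mentions to the record."""
    return ACCOUNT_RE.sub(lambda m: tokenise(m.group(0), "account", key), text)

def prepare_for_export(record: dict, key: bytes = CASE_KEY) -> dict:
    """Apply field-level pseudonymisation/masking before the row leaves the country."""
    out = dict(record)
    out["national_id"] = tokenise(record["national_id"], "national_id", key)
    out["account"] = tokenise(record["account"], "account", key)
    out["dob"] = mask_dob(record["dob"])
    out["text"] = redact_free_text(record["text"], key)
    return out

if __name__ == "__main__":
    for row in SAMPLE_RECORDS:
        print(prepare_for_export(row))
```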
Scenario B: EU/UK counsel ↔ UAE hearing
- Pre-approve a hearing server situated in the UAE with encrypted replication to the document platform; ban personal recording devices; define post-hearing purge.
Scenario C: Third-party datasets (banks, telcos, hospitals)
- Expect statutory secrecy overlays. Obtain appropriate consents, court letters of request (if needed), or de-identification workflows supervised by experts.
7) Evidence Strategy: “Less Is More” (and More Defensible)
- Proportionality first: articulate how wider discovery burdens data risks (breach exposure, DSR conflicts, local secrecy laws).
- Sampling: agree pilot custodians/dates; expand only with tribunal permission.
- Structured data: prefer aggregated or anonymised extracts to raw dumps; let experts work on sandboxed copies.
- Sensitive categories: separate medical, juvenile, union, religious, biometric, criminal data; compile a sensitivity index and request special handling or exclusion.
8) Vendor Management & Papering
- DPA essentials: processing purpose, data types, security standards, sub-processor approval, breach window, audit rights, deletion.
- Information security annex: controls at the level of technical specificity (not high-level marketing).
- Geo-fencing: commit to data locality where required; disclose sub-processor jurisdictions.
- No training use: bar vendors from training models on your case data.
- Change control: vendors must notify and seek approval before adding sub-processors or changing hosting locations.
9) Data-Subject Rights (DSRs): Avoid Tactical Abuse
- Build a single intake channel (not to the tribunal’s inbox).
- Use the legal claims exception where relevant and narrowly; balance transparency with case integrity.
- If a DSR targets material already in evidence, propose a stay or redacted access; seek tribunal direction to prevent gamesmanship.
10) Incidents & Breach Response—How to Be Ready
Golden hour plan (pre-agreed in PO1):
- Detect → automated alerts + human monitoring on all review/hearing platforms.
- Contain → revoke access; rotate keys; isolate compromised nodes.
- Preserve → forensic images, logs, chain-of-custody.
- Notify → tribunal + counterparties within 24 hours; regulators/data subjects only if law requires (coordinated, accurate, minimal).
- Remediate → patch, harden, re-issue bundles if integrity is in doubt.
- Lessons learned → update controls; certify remediation to tribunal.
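A transfer register with the tamper-evident export trail that Section 5, Scenario A and the Preserve step above call for, as an added Python example that is not part of the original guide: exhibit contents, actors and locations used to exercise it are constructed, and a SHA-256 hash chain over canonical JSON entries is one common way to make later edits or deletions detectable.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain value before the first entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _chain_hash(body: dict) -> str:
    # Canonical JSON (sorted keys) so the hash is independent of key order.
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

class TransferRegister:
    """Append-only register of what moved, when, why, who, and from where to where.
    Each entry stores the SHA-256 of the exhibit content plus a chain hash that
    commits to every earlier entry, so an altered or deleted entry breaks the chain."""

    def __init__(self):
        self.entries = []

    def record(self, exhibit_id, content: bytes, actor, purpose,
               origin, destination, when=None) -> dict:
        prev = self.entries[-1]["chain"] if self.entries else GENESIS
        when = when or datetime.now(timezone.utc)
        body = {"exhibit_id": exhibit_id, "sha256": sha256_hex(content),
                "actor": actor, "purpose": purpose, "origin": origin,
                "destination": destination, "when": when.isoformat(), "prev": prev}
        entry = dict(body, chain=_chain_hash(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every link; False if any entry was altered or removed."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "chain"}
            if e["prev"] != prev or _chain_hash(body) != e["chain"]:
                return False
            prev = e["chain"]
        return True

    def matches(self, exhibit_id, content: bytes) -> bool:
        """Does a received file match the hash logged for it at export time?"""
        digest = sha256_hex(content)
        return any(e["exhibit_id"] == exhibit_id and e["sha256"] == digest
                   for e in self.entries)
```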
11) Model Clauses You Can Drop into PO1 (Short-Form)
Note: Illustrative only; tailor to seat, rules, and governing law.
11.1 Roles & Purpose
“Each Party acts as a controller for data it contributes. The Tribunal and [Institution] act as independent controllers for data they process to conduct/administer this arbitration. Approved vendors act as processors. All processing is limited to establishing, exercising, or defending legal claims in this arbitration.”
11.2 Security
“Case data shall be processed exclusively on the Approved Platforms (Annex A) with MFA, encryption in transit and at rest, least-privilege access, and immutable audit logs. Email transmission of exhibits is prohibited.”
11.3 Minimisation & Redaction
“Disclosure shall be phased. Parties shall redact or mask special category data unless strictly necessary, with a confidential annex used for unavoidable items.”
11.4 Transfers
“Cross-border transfers are permitted solely for case purposes under transfer safeguards in Annex B. Parties shall maintain a transfer register.”
11.5 DSRs
“Any data-subject request shall be routed to the Parties’ designated contacts; the Tribunal will balance such requests against the needs of these proceedings and applicable legal-claims exceptions.”
11.6 Breach
“Security incidents shall be notified to the other Party and the Tribunal within 24 hours of discovery with details per Annex C; forensic artefacts shall be preserved.”
11.7 Retention/Deletion
“Within 90 days after final award or conclusion of set-aside/enforcement proceedings (whichever is later), Parties and processors shall delete or return case data and provide certificates of deletion, unless retention is mandated by law.”
12) How Seats and Institutions Differ (What Changes, What Doesn’t)
- London (UK): Tribunal and English courts are experienced with proportionate disclosure and tech-heavy cases; strong support for privacy-by-design orders.
- Dubai (DIFC/ADGM): Common-law courts and modern procedural flexibility; excellent for hybrid in-person/remote hearings with regional data localisation considerations.
- Dhaka (Bangladesh-sourced data): Expect local sensitivities around export of financial, telecom, and health data—prepare on-prem or tokenised review options.
Across major institutions (LCIA, ICC, SIAC, HKIAC), recent rule updates encourage tribunals to address information security and personal data explicitly. Use those hooks in PO1 to formalise the framework above.
13) Governance for In-House Teams (6 Moves to Make This Quarter)
- Adopt a standard Arbitration DP Addendum you can hand to outside counsel on day one.
- Vendor panel for e-bundling, hosting, transcription, interpretation—pre-papered DPAs and security annexes.
- DSR protocol with a single intake channel and playbooks for legal-claims exceptions.
- Secure evidence portal (SSO/MFA) and a ban on email for exhibits.
- Incident tabletop with your disputes team; integrate with corporate incident response.
- Retention calendar mapped to case lifecycle and regulatory duties.
14) TRW’s Tri-Hub Execution Model
- Dhaka: Data mapping, local law overlays, on-prem review options, secure collection from factories, banks, and regulators.
- London: PO1 drafting, hearing protocol design, proportionate disclosure strategy, UK privacy/regulatory interface.
- Dubai: Hybrid hearing tech, GCC data transfer planning, ADGM/DIFC support, vendor coordination and audits.
We integrate counsel, digital forensics, ediscovery, and hearing operations into a single workflow—so your case stays lean, fast, and compliant.
For end-to-end arbitration support, visit International Arbitration.
15) One-Page Checklist (Print This for Your War Room)
- Map data actors, roles, systems.
- Lock PO1 with security, minimisation, transfers, DSRs, breach, retention.
- Stand up a secure portal; ban email for exhibits.
- Phase disclosure; build redaction rules; keep a sensitivity index.
- Test your hearing stack; pre-issue credentials; watermark bundles.
- Drill incident response; keep forensic logging on.
- Schedule deletion and get certificates post-award.
Contact TRW Law Firm
Tahmidur Remura Wahid (TRW) Law Firm
Dhaka (Head Office): House 410, Road 29, Mohakhali DOHS
Dubai: Rolex Building, L-12, Sheikh Zayed Road
London: 330 High Holborn, London WC1V 7QH, United Kingdom
Phone: +8801708000660 · +8801847220062 · +8801708080817
Email: [email protected] · [email protected] · [email protected]
TRW designs and runs data-secure, regulation-aware arbitrations across industries and seats—so your team can focus on winning the case, not firefighting the systems.