A. Setting the Context

While technological innovations have undeniably enriched our existence by offering conveniences which were once thought unimaginable, they have also put before us certain unforeseen challenges.A spurt in innovations has led to an increase in exposure of one’s personal data, however at the same time, it has led to growing concerns about its potential misuse, thereby increasing data privacy disputes. The courts in India have time and again recognised the importance of personal data and have made protection of personal data the cornerstone of individual privacy.

In a landmark ruling, the Hon’ble Supreme Court, in the case of Justice K.S.Puttaswamy (Retd) vs Union of India[1], in 2019, recognised the right to privacy as a fundamental right for the first time. The Hon’ble Court therein also highlighted the necessity of enacting a comprehensive law on data privacy, broadened the concept of privacy to include personal spaces, and emphasised its significance as an intrinsic value. Consequently, the legislature introduced The Personal Data Protection Bill, 2019 which was, however, withdrawn due to extensive changes made in it by the Joint Parliamentary Committee[2]. Thereafter, in 2022, the draft Digital Personal Data Protection Bill, 2022 (“DPDP Bill, 2022”) was introduced by the Government and released for public consultations. The DPDP Bill, 2022 was further revised and subsequently the Ministry of Electronics and Information Technology introduced another version of the DPDP bill in 2023 which culminated in the enactment of the present legislation i.e., Digital Personal Data Protection Act, 2023 (“DPDP Act”).[3]

It is important to point out here that, with the evolution of data protection laws, arbitration as a mechanism of dispute resolution has also seen substantial growth in India. Over the past few years, India’s arbitration landscape has gone through several key developments, with an ongoing effort to refine the mechanism and align it with the international arbitration framework. According to a PwC report, 91%[4] of the Indian companies surveyed consider arbitration over traditional litigation as the preferred choice of dispute resolution. It was also found that 82%[5] of the companies with arbitration experience indicated that they would continue to use arbitration in future disputes. Therefore, it is seen that there is an increasing tendency to refer disputes to arbitration by the parties as opposed to traditional mechanism of dispute resolution through protracted litigation.

In this edition we discuss the interplay between data privacy framework in India and arbitration as a preferred mechanism for dispute resolution on data privacy matters.

B. Discussion, analysis and prevailing positions in the data privacy and arbitration laws in India

Firstly, the question that arises is whether disputes related to data privacy fall within the purview of private arbitration or are exclusively under the jurisdiction of statutory bodies under the DPDP Act. While the DPDP Act does not explicitly exclude arbitration, its provisions, read alongside established arbitration jurisprudence in India, reveal a nuanced interplay between data privacy disputes and arbitral mechanisms.

Arbitration in data privacy matters may arise from relevant terms and conditions, data-processing agreements etc. which frequently include arbitration, in matters of breach of confidentiality, non-compliance with security obligations, or data breach, as a standard practice for resolving disputes.

Section 18 of the DPDP Act, empowers the Central Government to establish the Data Protection Board of India (“DPB”), as a statutory body entrusted with quasi-judicial powers to determine contraventions of the provisions of the DPDP Act[6], receive complaints[7] and impose penalties[8]. However, the enactment does not preclude the use of Alternate Dispute Resolution (“ADR”) mechanisms, on the contrary, it actively encourages the use of the same. Section 31 of the DPDP Act provides that the DPB may refer any complaint to mediation, where it is of such opinion. While the DPDP Act explicitly bars the jurisdiction of Civil Courts, there is no express bar on reference of disputes to arbitration[9]. Furthermore, it is well settled that an arbitral tribunal cannot be considered a “court”, and arbitral proceedings are not civil proceedings.[10] Thus, there exists no bar as such on referral of disputes to arbitration under the DPDP Act.

Nextly, whether data privacy disputes are arbitrable at all or not depends upon their nature and context. Indian courts, through landmark judgments, have clarified the arbitrability of a dispute. In the recent case of Vidya Drolia v. Durga Trading Corporation[11], the Hon’ble Supreme Court laid down a four-fold test to determine arbitrability of disputes and held that disputes are non-arbitrable when – (i) the dispute involves rights that affect the public or third parties, not just private rights between the parties, (ii) the dispute requires a centralized decision, and mutual resolution between parties isn’t suitable or enforceable, (iii) the dispute relates to the state’s sovereign functions or public interest, making mutual resolution unenforceable, (iv) the dispute is explicitly or implicitly prohibited by law from being arbitrated.

Data privacy disputes by their very nature involve a mix of rights in rem (rights enforceable against public at large) and rights in personam (right enforceable against a person) and therefore may seem unsuitable for arbitration. Data privacy disputes typically involve contractual obligations and specific rights between parties, which could be considered rights in personam and therefore might be considered arbitrable in such contexts. Disputes limited to contractual obligations, such as breaches of terms and conditions, data-sharing agreements, can fall within the domain of arbitration as they pertain to rights in personam. However, there may be instances where the dispute could be argued to fall under the category of rights in rem, in light of the four-pronged test laid down in the Vidya Drolia (supra) case thus making the dispute non-arbitrable.

Once the dispute passes the muster, the next question revolves around the feasibility of opting for arbitration, looked at from three key perspectives of, (i) compensation, (ii) confidentiality, and (iii) party autonomy, which are discussed below:

 

  1. Compensation: A significant limitation of the DPDP Act is the absence of provisions for awarding compensation to aggrieved parties. While the earlier draft bills provided for compensation, the DPDP Act focuses exclusively on penalties for contravention. In the absence of any such specific provision providing for compensation, the aggrieved party whose personal data has been breached has no other remedy but to file a complaint with the DPB under the DPDP Act which only provides for imposition of penalties and does not provide for compensation to the aggrieved party. As a result, contractually induced arbitration becomes a viable alternative for the parties to seek compensation. Having said that, it is important to mention that Clause (a) of Section 27 (1) deals with power of DPB to direct urgent remedial measures in the event of personal data breach, which in the absence of necessary clarification or rules framed, does not clarify whether such urgent remedial measures may be in the nature of compensation.

 

  1. Confidentiality: Confidentiality in arbitration encourages resolution of disputes privately by limiting access to the details of the dispute, the proceedings and the final decision. By safeguarding such critical information, arbitration provides a secure framework that encourages parties to engage in open discussions without the fear of reputational harm or competitive disadvantage. Section 42A of the Arbitration and Conciliation Act 1996 (A&C Act), establishes a binding obligation on the arbitrator, the arbitral institution, and the parties to the proceedings to refrain from disclosing or utilizing any documents submitted or utilized during the arbitration, in stark contrast to judicial proceedings, where records and hearings are generally accessible to the public, thereby exposing sensitive information to a broader audience. Confidentiality being one of the cornerstones of arbitration, it provides for a crucial avenue to the parties to keep the proceedings private, especially in cases of data privacy disputes where often sensitive information is involved. Since the DPDP Act is all about protection of personal data, arbitration appears to be a secure environment for such sensitive matters. The DPDP Act establishes data fiduciaries as entities that determine the purpose and means of processing personal data, who are obligated to ensure the protection of personal data in their possession or control. However, by virtue of section 17(1)(b) of the DPDP Act of arbitral tribunals enjoy benefit from exemptions from a number of compliance requirements. Nevertheless, they remain bound by the obligation to provide reasonable safeguards against data breaches, as stipulated under Section 8(5) of the DPDP Act. This is particularly relevant where arbitral records contain personal data related to parties, witnesses, or other individuals involved in arbitration proceedings.

 

  1. Party Autonomy: Another advantage of arbitration is party autonomy which allows the party to choose the arbitration process and the arbitrator. In the context of data privacy disputes, this would enable the parties to select experts with specialized knowledge in data protection laws ensuring that disputes are handled by arbitrators with the requisite expertise.

 

C. Conclusion

The intersection of data privacy and arbitration presents both challenges and opportunities for India’s dispute resolution landscape. The growing complexity of digital data usage alongside the enactment of the DPDP Act underscores the importance of a robust mechanism that not only protects individual’s privacy but also ensures efficient and effective redressal of grievances. Arbitration with its inherent advantages of confidentiality, expertise, faster resolution, emerges as a promising mechanism for resolving such data privacy disputes. While the DPDP Act provides for a centralized watchdog through the DPB, the absence of provisions for compensation on one hand, and the growing preference for arbitration on the other present compelling reasons for preferring arbitration as a viable alternative. However, a significant challenge in this context arises with regard to the high costs associated with arbitration. These types of disputes often come with intricate technical details and legal complexities, driving up arbitration costs significantly. This financial burden can discourage individuals from enforcing their rights, highlighting the importance of making the arbitration mechanism more affordable and accessible in these contexts.

The evolving jurisprudence around arbitrability of disputes highlights the need for a balanced approach, one that respects the statutory framework of data protection laws, while also embracing arbitration’s potential to offer private, quick and effective resolution. The focus on confidentiality within the arbitration framework aligns seamlessly with the protection of sensitive data as envisaged under DPDP Act and it becomes necessary to explicitly incorporate data privacy considerations within the arbitration framework.

It is incumbent to implement an ecosystem where parties can trust that their data is protected and any disputes arising out of it can be resolved fairly and privately. However, it will be interesting to observe how the jurisprudence around arbitrability of data privacy disputes evolves in the Indian legal context where parallel arbitral proceedings may take place alongside the traditional DPB route, albeit on separate grounds. Nevertheless, the ever-evolving arbitration framework holds a cautiously optimistic future in the data disputes landscape.


Authors: Swarajit Dey, Ronodeep Dutta and Kushagra Sharma


Footnotes

[1]      (2019) 1 SCC 1

[2] Explained: Why the Govt has withdrawn the Personal Data Protection Bill, and what happens now: https://indianexpress.com/article/explained/explained-sci-tech/personal-data-protection-bill-withdrawal-reason-impact-explained-8070495/

[3]      It is important to note that although the DPDP Act has received the President’s assent, the provisions of the DPDP Act are not yet in force as on the date of publishing this article and shall come into force on such date as the Central Government may appoint by notification in the Official Gazette.

[4]      Corporate Attitudes & Practices towards Arbitration in India: https://www.pwc.in/assets/pdfs/publications/2013/corporate-attributes-and-practices-towards-arbitration-in-india.pdf

[5]     Ibid.

[6] The Digital Personal Data Protection Act, s. 27.

[7] The Digital Personal Data Protection Act, s. 27.

[8] The Digital Personal Data Protection Act, s. 34.

[9] The Digital Personal Data Protection Act, s. 39.

[10] Union of India v. Vedanta Limited, (2020) 10 SCC 1

[11] (2021) 2 SCC 1

More from AQUILAW