In arbitral proceedings under the law of England and Wales arbitrators and parties are subject to the Arbitration Act, 1996.  Curiously there is no duty in that Act to assure confidentiality.  Instead parties may provide for confidentiality in their arbitration agreements expressly, or may rely on the implied duty of confidentiality at Common Law:  Ali Shipping Corporation v Shipyard Trogir [1997] EWCA Civ. 3054 and Emmott v Michael Wilson & Partners Ltd [2008] 1 Lloyd’s Rep 616 (CA). The parties to the arbitration and the tribunal are under implied duties to maintain the confidentiality of the hearing, documents generated and disclosed during the arbitral proceedings and the award itself.

Some arbitral institutions provide rules which impose an express duty upon arbitrators to assure confidentiality; examples are found in the rules of the LCIA (Arbitration Rules 2014, Article 30), CIArb (CIArb Arbitration Rules 2015, Art. 17(2) and Appendix II, para 12) and the International Institute for Conflict Prevention and Resolution (CPR: Rules for Administered Arbitration of International Disputes 2019, rule 20).  The duty to assure confidentiality is the primary duty of the arbitrator and the administering scheme.

Relevant cases include Libananco Holdings Co. Limited v Republic of Turkey of 2013 – ICSID Treaty arbitration (hack with loss of ca 2,000 emails), the infamous South China Sea Arbitration in 2015 (hack via unpatched Adobe) and, most recently, Tennant Energy v Government of Canada in August 2019. In Tennant Energy the headline was that the GDPR was not applicable to a NAFTA dispute, but the real importance of the decision is that the arbitrator required a high degree of data protection to protect confidentiality, making an order to that effect.

Mediation in England and Wales is another successful form of ADR and is growing in numbers as the civil justice system increasingly introduces mediation as a compulsory or implied compulsory ADR mechanism within civil procedure.  According to CEDR’s 2018 Audit of Mediation, leaving aside Family mediations, there were some 12,000 civil/commercial mediations taking place every year with noticeable growth in administered schemes.

The mediation rules of schemes and the agreements that underpin mediation expressly provide for the confidentiality of these ADR proceedings.  For example: CIArb (Mediation Rules, 2018, Article 6) and CEDR (Model Mediation Procedure, 2018, para 8).

This duty of confidentiality is underpinned by the GDPR which forms part of UK law under the Data Protection Act, 2018. The GDPR imposes specific duties affecting administrative schemes, their arbitrators and mediators together with reputational and financial sanctions for breach.  The table below highlights the provisions of the GDPR which are relevant in this context.

| GDPR Article | Provision in summary |
| --- | --- |
| 2(1) | This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. |
| 3(3) | Applies in any place where Member State law applies by virtue of public international law, whether or not arbitrators and mediators are established in the EU. |
| 4(2) | Defines processing of data to include not only data processed by automated means in a computer but also data held in paper form. |
| 4(7) | ‘Controller’ is defined so as to include natural or legal persons which, alone or jointly with others, determine the purposes and means of the processing of personal data, thereby including arbitrators, mediators and their scheme administrators. |
| 32(1) | Obliges arbitrators and mediators to implement appropriate technical and organisational measures to ensure a level of security appropriate to the proceedings.  The provision then specifies the appropriate steps to achieve compliance with Art. 32. |
| 44-49 inclusive | Address international data transfers, which are particularly important under the GDPR whether the UK remains in the EU or leaves. |

There are of course a host of other requirements within the GDPR, including self-reporting obligations, but the few summarised above should be considered by arbitrators and mediators at the outset of any proceedings.

Awareness of the importance of data security when assuring parties of the confidentiality of the proceedings is of course a key USP for institutions seeking to attract work, especially in the light of the infamous hacks mentioned above.

Adopting a secure platform or introducing cyber security guidance for arbitrators and mediators are important steps toward providing comfort to parties that a hack is less likely to take place, reassuring neutrals that this important issue has been addressed, and attracting work.

Tony is the Director of DisputesEfiling.com Limited, the provider of online ADR platforms, and a Past President of the London Solicitors Litigation Association.