Abstract
The Digital Personal Data Protection Act, 2023 (hereinafter referred to as the 'DPDP Act') is considered the most significant piece of legislation in India with regard to data governance. The Act provides a rights-based regime for the processing of digital personal data, which is heavily based on GDPR provisions, albeit with India's own regulatory spin. As India attempts to assert its position as a key international commercial arbitration center, the interaction of data protection law with arbitral practice becomes an issue, one that has received inadequate scholarly attention to date. Cross-border arbitration almost inevitably results in the exchange of personal data between multiple jurisdictions, including witness statements, documents, parties' correspondence, records of e-discovery, and case management databases maintained by arbitral institutions. All this information is exchanged between parties, lawyers, arbitrators, the arbitral institutions themselves, and technology providers, often without any appropriate data governance measures. This paper focuses on the application of the DPDP Act, 2023 to these transactions, as well as potential conflicts between Indian regulation and the provisions of the GDPR, the Singapore PDPA, and the Hong Kong PDPO, and the compliance challenges faced by parties to international arbitration proceedings. Moreover, this paper identifies gaps in the Act and suggests a framework for ensuring compliance in arbitral practice under Indian law.