NOURA LAWYERS
Speak with a partner
arbitrateAD arbitration

Cybersecurity obligations in arbitrateAD proceedings

arbitrateAD arbitration

What this guide covers

  1. Article 29: The cybersecurity framework
  2. Electronic communications and document transmission
  3. UAE data protection law intersection
  4. Consequences of cybersecurity breach
  5. Practical checklist
  6. What we'd typically advise
  7. Frequently asked questions

arbitrateAD 2024 is among the first UAE arbitration institutions to include explicit cybersecurity provisions in its rules. Article 29 imposes obligations on all participants — parties, counsel, and the tribunal — to maintain the security and confidentiality of arbitration data. Non-compliance can affect proceedings and expose counsel to professional liability.

Article 29: The cybersecurity framework

Art 29 of the arbitrateAD 2024 Rules establishes a cybersecurity protocol framework for arbitration proceedings. Key obligations: (i) the tribunal shall, in consultation with the parties, establish a cybersecurity protocol for the arbitration (Art 29.1); (ii) the protocol addresses secure communication channels, document transmission, hearing platform selection, and storage of arbitration materials (Art 29.2); (iii) parties and their representatives must comply with the agreed protocol and shall not transmit arbitration documents over unsecured channels without the parties' agreement (Art 29.3).

The cybersecurity protocol is typically agreed at or before the first case management conference. The tribunal may use arbitrateAD's recommended protocol template as a starting point. Parties may agree modifications appropriate to their sector — construction disputes involving technical drawings require different data handling from financial services disputes.

Electronic communications and document transmission

In practice, Art 29 means: (i) all communications between parties and the tribunal should use encrypted email or a dedicated arbitration management platform; (ii) document production via an insecure shared folder (e.g., unprotected Google Drive, unencrypted email attachments of sensitive documents) may be objected to; (iii) virtual hearings must use a platform agreed by the parties and approved by the tribunal (Teams, Zoom, Opus2, Relativity).

arbitrateAD recommends use of its own case management portal for document filing, which is TLS-encrypted. Large volume document production (50,000+ pages in complex disputes) should use a certified legal review platform — Relativity, Everlaw, or DISCO — with access controls logging who accessed which documents.

UAE data protection law intersection

Art 29 intersects with UAE Federal Decree Law 45/2021 on Personal Data Protection (UAE PDPL) and the DIFC Data Protection Law 2020 (if DIFC-seated). Arbitration proceedings routinely involve personal data — employee records, medical records, personal financial information. Under UAE PDPL: data controllers must implement technical and organisational measures to protect personal data; cross-border transfer of personal data outside the UAE requires adequacy determination or contractual safeguards.

In arbitrateAD proceedings, the parties are data controllers for their own evidence; the Centre is a data processor in relation to documents filed on the portal. Ensure the arbitration protocol includes: data minimisation (only produce documents relevant to issues in dispute); access controls (restrict document production platform access to counsel, tribunal, and named party representatives); retention and deletion obligations post-award.

Consequences of cybersecurity breach

If a cybersecurity breach occurs during arbitrateAD proceedings: (i) the affected party must notify the tribunal and the Centre promptly; (ii) the tribunal may issue a procedural order addressing the breach, including sanctions for non-compliance with the agreed protocol; (iii) in severe cases, the tribunal may consider the breach in its cost award; (iv) the breach may give rise to a UAE PDPL regulatory investigation if personal data was compromised.

Counsel firms face additional exposure — a data breach involving arbitration documents may constitute a breach of client confidentiality obligations under UAE Bar Association rules and UAE Federal Law 35/2022 on the Legal Profession.

Practical checklist

  • Agree cybersecurity protocol at the first CMC — use arbitrateAD's template as a starting point
  • Use encrypted email (TLS) for all tribunal and party correspondence
  • For document production exceeding 5,000 pages: use a dedicated eDiscovery platform with access logging
  • Virtual hearings: test the agreed platform 48 hours before each session; designate a tech support contact
  • Post-award: destroy or return confidential documents per the protocol — do not retain opponent's documents indefinitely
  • PDPL compliance: if personal data appears in the evidence, apply data minimisation — redact irrelevant personal data before producing to the tribunal

What we'd typically advise

The cybersecurity protocol is an opportunity, not just a compliance burden. Agreeing a protocol at the outset establishes ground rules that prevent later disputes about document handling, platform access, and confidentiality. In disputes involving commercially sensitive technical or financial data, the protocol is an important protection for our client's most sensitive information — not just a box-ticking exercise.

Frequently asked questions

Is a cybersecurity protocol mandatory under arbitrateAD 2024 Rules?

Art 29.1 requires the tribunal to establish a protocol in consultation with the parties. It is mandatory for the tribunal to consider and implement cybersecurity measures, though the specific measures are agreed with the parties. Non-agreement does not suspend proceedings — the tribunal can issue default provisions.

Can the arbitrateAD cybersecurity protocol be used in ADGM-seated proceedings?

Yes. Art 29 applies regardless of seat. An arbitrateAD arbitration with ADGM seat is still administered under arbitrateAD 2024 Rules and Art 29 applies fully.

Does Art 29 replace the duty of confidentiality in arbitration?

No. Art 29 supplements the general duty of confidentiality in Art 28 (confidentiality obligations). Art 28 provides that the proceedings and award are confidential; Art 29 provides specific technical obligations to protect the security of arbitration data. Both apply simultaneously.

What if the counterparty refuses to use an agreed secure platform?

Report the refusal to the tribunal at the earliest opportunity. The tribunal can issue a procedural order requiring compliance and may sanction continued non-compliance in its cost award under Art 38.

Are expert reports subject to the cybersecurity protocol?

Yes. Expert reports are part of the arbitration record and are subject to the same confidentiality and cybersecurity obligations as pleadings and documentary evidence. Parties should ensure experts handling documents via their own systems comply with the agreed protocol.

Related guides

Published 20 May 2026. General information only — not legal advice. Contact us for matter-specific advice.

Need this matter handled?

A partner can review the specifics and respond with a scoped engagement note within one working day.

Speak to us →