
Saudi Arabia - Data Protection Overview

November 2020

INTRODUCTION

There is currently no specific national data protection legislation in the Kingdom of Saudi Arabia ('KSA') but privacy provisions and concepts can be found in specific legislation.

It has been reported that the Government of KSA is considering the introduction of personal data protection laws. However, there has been no formal confirmation or public consultation on any draft legislation in this area, so far.

It is anticipated that further developments will occur in the data protection space in the KSA with a national data privacy law widely expected to be introduced in the short to medium term. While detailed understanding of data protection concepts is generally low in the absence of specific legislation, some government Ministries and state-owned companies do maintain privacy policies and have implemented a level of internal data protection measures. The Saudi Data and Artificial Intelligence Authority ('SDAIA') is a government body established in 2019 to enhance the KSA's drive towards innovation and digital transformation. In August 2020, it was announced that SDAIA had approved the Saudi National Strategy for Data and Artificial Intelligence, established a national data bank consolidating more than 80% of government datasets, and rolled-out a G-Cloud (or Government-Cloud) aimed at building one of the largest data clouds in the region through the merger of 83 data centres owned by over 40 Saudi government bodies.

There is also a high focus on cybersecurity issues in the KSA with the National Cybersecurity Authority ('NCA') guidance for government entities stating that data should be retained within the KSA.

1. GOVERNING TEXTS

1.1. Key Acts, Regulations, Directives, Bills

Although there is no specific national data protection legislation, there are certain privacy-related concepts within legislation, including Shari'ah principles against the invasion of privacy or disclosure of secrets that are also reflected in the Basic Law of Governance of 1992 (Royal Order No. A/91 of 1992) ('the Basic Law'). The Basic Law mentions privacy as a right that is related to the dignity of an individual and guarantees the privacy of telegraphic, postal, and other types of communication. It also prohibits surveillance and eavesdropping unless permitted by law.

Sectoral laws

More specific examples of privacy-related legal provisions are found in the Anti-Cyber Crime Law of 2007 (Royal Decree No. M/17) ('the Anti-Cyber Crime Law') and the new E-commerce Law of July 2019 ('the E-Commerce Law'). In addition, sectoral regulations contain data protection obligations regarding organisations working in telecommunication, IT/cloud services, healthcare, and financial services industries (see below).

Financial sector

The Banking Control Law of 1966 (Royal Decree No. M/5 of 1966) ('the Banking Control Law') generally prohibits the disclosure of information obtained by a person in the banking sector in the performance of his duties with sanctions of imprisonment for up to two years and/or a fine not exceeding SAR 20,000 (approximately €4,560).

Telecommunications

In April 2020, the KSA's national ICT regulator, the Communications and Information Technology Commission ('CITC'), published a general guide to regulate the use of customers' personal data by ICT and postal service providers (only available in Arabic here) ('the Guide'). The purpose of the Guide is to maintain the privacy of users' personal data and protect their rights in a manner in line with globally adopted standards. The Guide applies to all service providers in the identified sectors and states that service providers must regularly monitor and ensure compliance with these standards. Any violation will be dealt with in accordance with the CITC's regulations. The service provider is expected to collect and store the user's data in a clear and transparent manner, as well as having obtained clear consent for the relevant purpose. Other requirements include only collecting data that is necessary for the service provider's needs and not retaining the data for a period longer than necessary.

A further data-related regulation was passed by the CITC in May 2020 with the publication of procedures for launching services or products that involve the use or sharing of personal data of users in the telecommunications, information technology, and postal sectors (only available in Arabic here) ('the Manual'). The Manual will regulate the sharing of personal data between the service providers and third parties, and apply to:

  • any party that launches a new service or product, or makes a change to an existing service or product, that involves the use of personal data; and
  • anything that involves the sharing or transfer of personal data.

The Manual grants an exception for the processing of a user's personal data within the systems of the service provider in order to provide services to the user (i.e. only internal processing, with no transfer or exchange of data). Service providers are expected to consider the level of risk of a breach to a user's data and provide a report to the CITC setting out the level of risk associated with their operations, in order to establish that they do not need approval from the authority to offer their product or service. Based on the risk level identified in the report, the CITC may request further information from the service provider in order to be satisfied of the position.

IT/Cloud Services

The latest version of the Cloud Computing Regulatory Framework of 2019 ('Cloud Framework') regulates cloud service providers ('CSPs') who conclude agreements for cloud services with customers resident in, or having an address in, the KSA. CSPs are required to register with the CITC if they exercise direct or effective control over data centres or other critical cloud system infrastructure hosted in the KSA. Cloud customers are explicitly responsible for ensuring that the necessary security features to protect their content are implemented. The CSP must inform customers, upon request, of the information security features it offers so that the customer can make an informed decision. Additionally, 'Level 3' and 'Level 4' content (as defined in the Cloud Framework) must not be transferred outside the KSA unless there is a specific legal exception, and should not be processed on public, community, or hybrid clouds other than those operated by registered CSPs. For these purposes, Level 3 content is defined as:

  • 'any Customer Content from private sector-regulated industries subject to a level categorization by virtue of sector-specific rules or a decision by a regulatory authority;
  • sensitive Customer Content from public authorities; and
  • Customer Content qualifying for Level 1 or Level 2 treatment, for which the Cloud Customer elects Level 3 treatment.'

The Cloud Framework does, however, suggest that enterprise customers can agree to different treatment of their data. It also requires CSPs to inform cloud customers and the CITC without undue delay of certain security breaches or information leakages affecting customer data or the CSP's cloud service. The CITC has also published the Cybersecurity Regulatory Framework for the ICT Sector Version 1.0 of 2019 ('the CITC Cyber Framework') which sets out requirements for better management of cybersecurity risks in line with international best practices and local cybersecurity regulations. The CITC Cyber Framework mainly operates to regulate Licensed Service Providers, which are defined as 'all service providers that have requested and own licences from CITC to provide the services as specified in the respective licences.'

Cybersecurity

In June 2020, the CITC published a comprehensive Cybersecurity Regulatory Framework ('the CRF') with the objective of increasing the cybersecurity maturity of the ICT and postal sectors in KSA. The CRF mainly impacts organisations that are licensed or registered by CITC and those subject to it as the regulator of the ICT and postal sector in KSA. The CRF establishes requirements for better management of cybersecurity risks through a consistent approach that is intended to be aligned with international best practices and local cybersecurity regulations. The requirements set out under the CRF must be implemented by service providers in the ICT and postal sectors to fulfil the minimum security requirements. There are also differing levels of obligation depending on whether or not service providers are classified by the CITC and/or the NCA as critical national infrastructure.

1.2. Guidelines

In the absence of a single data protection regulator, guidelines on data-related matters are issued by a range of regulatory authorities for the public and private sector (as noted in section 1.1. above).

1.3. Case Law

Not applicable.

2. SCOPE OF APPLICATION

2.1. Personal Scope

Not applicable.

2.2. Territorial Scope

Not applicable.

2.3. Material Scope

Not applicable.

3. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY

3.1. Main regulator for data protection

In the absence of a specific data protection law, there is no dedicated privacy regulator. However, the CITC regulates the wider information and communications technology sector and the SDAIA has a mandate to drive the national data and AI agenda for transforming the KSA into a leading data-driven economy. Other regulatory authorities in the area of technology and information include the Ministry of Communications and Information Technology ('MCIT'), the Ministry of Media, the General Commission for Audiovisual Media ('GCAM'), and the National Cybersecurity Authority ('NCA').

3.2. Main powers, duties and responsibilities

Not applicable.

4. KEY DEFINITIONS

Data Controller: Not applicable.

Data Processor: Not applicable.

Personal Data: Not applicable.

Sensitive Data: Not applicable.

Health Data: Not applicable.

Biometric Data: Not applicable.

Pseudonymisation: Not applicable.

5. LEGAL BASES

5.1. Consent

Not applicable.

5.2. Contract with the Data Subject

Not applicable.

5.3. Legal Obligations

Not applicable.

5.4. Interests of the Data Subject

Not applicable.

5.5. Public Interest

Not applicable.

5.6. Legitimate Interests of the Data Controller

Not applicable.

5.7. Legal Bases in Other Instances

Not applicable.

6. PRINCIPLES

Not applicable.

7. CONTROLLER AND PROCESSOR OBLIGATIONS

7.1. Data Processing Notification

Not applicable.

7.2. Data Transfers

Not applicable.

7.3. Data Processing Records

Not applicable.

7.4. Data Protection Impact Assessment

Not applicable.

7.5. Data Protection Officer Appointment

Not applicable.

7.6. Data Breach Notification

There is no generally applicable data breach notification obligation in the absence of a national data protection law. However, when a cybersecurity incident occurs, service providers classified as critical national infrastructure under the CRF are obliged to report the incident to the NCA immediately and to notify the CITC (Article 4 of the CRF). They are also required to share security alerts, threat intelligence information, indicators of compromise, and cybersecurity incident reports with the CITC.

In addition, the Cloud Computing Regulatory Framework requires cloud service providers to inform customers and the CITC of certain types of security breach or information leakage.

7.7. Data Retention

Financial Sector

The Anti-Money Laundering Law of 2017 (Royal Decree No. M/20 of 2017) contains a requirement on certain institutions to keep company records for a minimum of 10 years and there are record-keeping obligations for various other categories of information that apply to financial institutions under other regulations.

Telecommunications Sector

As noted above, the Guide provides that ICT and postal providers should only collect data that is necessary for the service provider's needs and must not retain the data for a period longer than is necessary.

According to Article 56.4 of the ByLaw, all user-specific information, and in particular billing-related information, shall be retained by a service provider only for billing purposes and retained only for so long as it is required by the laws of KSA. According to Article 55.3, service providers shall, except in case of a billing dispute, retain accurate records of all user invoices for a period of six months from their billing date. As noted above, there is also a data retention obligation on Internet of Things ('IoT') service providers under the IoT Framework.

7.8. Children's Data

Not applicable.

7.9. Special Categories of Personal Data

Not applicable.

7.10. Controller and Processor Contracts

Not applicable.

8. DATA SUBJECT RIGHTS

8.1. Right to be informed

Not applicable.

8.2. Right to access

Not applicable.

8.3. Right to rectification

Not applicable.

8.4. Right to erasure

Not applicable.

8.5. Right to object/opt-out

Not applicable.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

Not applicable.

8.8. Other Rights

Not applicable.

9. PENALTIES

9.1 Enforcement Decisions

Not applicable.