15 March 2018
DataGuidance confirmed, on 12 March 2018, with Matthew Kirkham, Associate at Dentons & Co, that the Communications and Information Technology Commission’s (‘CITC’) Cloud Computing Regulatory Framework (‘the Framework’) entered into force on 8 March 2018. The Framework, which was subject to a public consultation in its draft format in 2016 (‘the Draft’), applies to cloud services provided to natural and legal persons resident or with a customer address in Saudi Arabia. In addition, certain provisions apply to data centres or other elements of a cloud system located in Saudi Arabia, regardless of customers’ residence or address.
Kirkham and John Balouziyeh, Legal Consultant at Dentons & Co, told DataGuidance, “Numerous changes have been made to the Draft since 2016. One of the most significant changes from the Draft to the Framework is the addition of the term ‘cloud customer’ rather than simply referring to ‘cloud users.’ The distinction between these terms is that a customer uses cloud services pursuant to a contract or other business relationship with a cloud service provider (‘CSP’), while a user is any person who uses a CSP’s services. Accordingly, in the Framework, many of the provisions in the Draft that referred to users now only apply to customers.”
At the core of the Framework, customer data stored by CSPs is categorised into four levels based on its sensitivity and requires corresponding levels of data security, with the first three levels applying to content belonging to private customers. Non-sensitive customer content which is not subject to any sector-specific outsourcing restrictions is classed as level 1; sensitive customer content from private individuals or entities not subject to any sector-specific outsourcing restrictions qualifies as level 2; and customer content from private sector industries subject to a level categorisation by virtue of sector-specific rules or a decision by a regulatory authority is classed as level 3.
Kirkham and Balouziyeh continued, “The Framework gives customers the option to agree to level 1 protection for content that would otherwise be subject to level 2 or level 3 treatment and request level 2 treatment for content that would otherwise be subject to level 1 or level 3 […] The Framework requires customers to inform CSPs of the security level they believe their content qualifies as (this was previously merely optional). Reciprocally, CSPs are now obliged to inform customers upon request of which security level their content has qualified as. The Draft forbade CSPs from transferring, storing, or processing level 2 content through or in certain types of clouds, but this prohibition has been raised to level 3 content in the Framework. In addition, the protections for customer data have been relaxed in the Framework to allow for disclosure under certain circumstances, including pursuant to the laws of foreign jurisdictions and for billing purposes.”
Certain entities are required to register with the CITC, namely those engaged in the provision of cloud services in Saudi Arabia that exercise direct or effective control over data centres or other critical cloud system infrastructure hosted in Saudi Arabia used in whole or in part for the provision of cloud services, and entities that exercise control over the processing and/or storing of customer content classified as level 3. Moreover, the Framework obliges CSPs to inform affected customers of a security breach without undue delay, as well as the CITC in certain circumstances. Customers also have the right to access, verify, modify and delete their data. In order to assist compliance with the Framework, the CITC also issued the Guide for Cloud Service Providers and the Enterprises’ Guide to Cloud Computing Services.
Kirkham and Balouziyeh concluded, “While Saudi Arabia has lofty ambitions to not only become a larger participant in the field of IT, but to be an innovator as well, the numerous bureaucracies in Saudi Arabia can be a hindrance to the drafting and enacting of all-encompassing legislation in the field. That said, the CITC does have in place numerous laws and regulations relating to a variety of technological fields (as do numerous other government ministries) […] With all of this in mind, it is reasonable to speculate that further regulatory documents dealing with other areas in the field of IT will be forthcoming from the CITC and that this is simply one of many first steps.”
ELLEN O’BRIEN | Privacy Analyst