Data Protection and Privacy (DPP) issues in the Kingdom of Saudi Arabia (Saudi Arabia) are governed by a robust set of laws, regulations, policies, procedures, standards and guidelines.
The most notable of these laws, the Personal Data Protection Law (together with the Implementing Regulations, the PDPL), came into force on 14 September 2023.
Other significant laws and regulations, inter alia, related to the protection and privacy of data in Saudi Arabia include:
The PDPL covers processing of personal data (i) that takes place in Saudi Arabia and (ii) related to individuals residing in the Kingdom, by any means by any party outside the Kingdom. The TCIT Law covers communication services and protection of client and customer data and privacy. The ET Law covers electronic transactions, creating and keeping electronic records, electronic signatures and electronic authentication certificates. The ACC Law addresses cybersecurity crimes and their punishment. The EC Law covers electronic commerce.
The policies, procedures, standards and guidelines are vast; however, most relevant to DPP are:
The PDPL, and its corresponding Implementing Regulations, entered into force on 14 September 2023. Data controllers, however, have a one-year grace period (eg, 14 September 2024) to comply with the PDPL.
The Saudi Data and Artificial Intelligence Authority (SDAIA) is the regulatory body that is empowered to supervise and enforce the implementation of the PDPL in Saudi Arabia for at least the first two years following promulgation. Consideration will be given to transferring supervising regulation and the application of the PDPL to the National Data Management Office (NDMO), the regulatory subdivision of SDAIA.
The Communications, Space and Technology Commission (CSTC, or the “Commission”) is responsible for the enforcement of both the TCIT Law and ET Law. The Ministry of Commerce (MoC) is responsible for the enforcement of the EC Law. The National Cybersecurity Authority (NCA) is responsible for the enforcement of the ACC Law. Violations are reported to the Public Prosecution Office, which takes the necessary action to prosecute violators.
In respect of both the TCIT Law and ET Law, CSTC inspectors investigate, examine and collect allegations of violations of the provisions of the TCIT Law. Inspectors are tasked with inspecting sites of suspected violators of the TCIT Law and with gathering evidence in support of their investigations. Suspected violators may appeal a decision issued against them before the Administrative Court in accordance with the Law of Procedure before the Board of Grievances.
Under the ACC Law, potential penalties for the violation of any of its articles range from imprisonment of up to ten years to fines of up to SAR5 million. See 5.3 Significant Privacy and Data Protection Regulatory Enforcement or Litigation for more detail.
Under the PDPL, SDAIA is currently the competent authority and regulator in charge of administering the enforcement of the PDPL. Unless SDAIA provides exceptional approval, a data subject must submit a complaint within 90 days of an alleged incident to SDAIA. Complaints must specify:
SDAIA is tasked with taking the necessary measures regarding the processing and decisions related to any complaints and informing the complainant of the outcome.
Article 3 of the PDPL stipulates that the provisions and procedures stated in the PDPL shall be without prejudice to any provision that grants a right to personal data subjects or confers better protection on personal data subjects pursuant to any other law or any international agreement to which Saudi Arabia is a party.
The PDPL does not allow for the transfer of data outside Saudi Arabia where such transfer would compromise the national security or vital interests of Saudi Arabia. In addition, a public entity may transfer data outside Saudi Arabia where to do so would be in Saudi Arabia’s national security or for the public interest.
The PDPL has recently come into force in Saudi Arabia. As part of the process, Saudi Arabia solicited suggestions from the public, and industry, to enact “best in class” laws and implementing regulations from Day 1. From this perspective, Saudi Arabia’s proactive approach allowed the public, and industry, to “self-regulate” the laws and regulations applicable in Saudi Arabia through a lengthy and robust review and commentary period.
In addition, many statutes developed by Saudi Arabia related to data privacy are based on “best practices” promulgated by global associations. For example, the NDMO Data Management and Personal Data Protection Standards selected the Data Management Body of Knowledge (DAMA-DMBOK Guide) as a key reference.
Although there are no official NGOs or self-regulatory organisations, or NGOs, specialised in data protection and data privacy issues operating in Saudi Arabia at the time of publication, it should be noted that Saudi Arabia is set to host the 19th edition of the Internet Governance Forum (IGF) in late 2024.
The PDPL is designed with “best practices” in mind, and, after a two-year public consultation period, it was put into effect. Accordingly, it should not be surprising that the PDPL shares many of the same characteristics as other global data protection and privacy laws and regulations promulgated in other parts of the globe, most notably the EU’s GDPR.
Some of these characteristics include:
The PDPL introduces comprehensive legislation aimed at filling gaps not previously addressed in Saudi Arabia. SDAIA also published a set of key ethical principles related to the use and deployment of artificial intelligence (AI). This publication on AI Ethics was developed to help establish policies, guidelines, regulations and frameworks with respect to the ethical deployment, and use, of AI in Saudi Arabia.
While the coming into force of the PDPL is the most significant change in law related to DPP, the Implementing Regulations set forth more specifics as to the standards expected of companies operating under the auspices of the PDPL. Significant provisions in the PDPL include the introduction of consumer-friendly rules on the collection, storage and use of personal data, such as:
It is worth noting that the PDPL does not supersede pre-existing laws, regulations, policies, etc, provided they do not otherwise contravene the PDPL. Moreover, the PDPL provides that sectors such as banking and state security will be among the “special” cases subject to the authority of government bodies such as the Saudi Central Bank and Ministry of Interior.
In terms of AI, the AI Ethics framework was published by SDAIA and is intended to apply to all AI stakeholders designing, developing, deploying, implementing, using or being affected by AI systems within Saudi Arabia, including but not limited to public entities, private entities, non-profit entities, researchers, public services, institutions, civil society organisations, individuals, workers, and consumers.
AI is already embedded in day-to-day life, but as the focus shifts to more user-facing applications of AI, the AI Ethics framework is intended to provide guidance in the interim as regulators and governments review the application of how existing laws and regulations will be applied to issues that will inevitably arise from AI, and whether the development of new laws and regulations will be required to tackle the unique set of issues tied to the deployment of AI use in Saudi Arabia.
The PDPL and its Implementing Regulations are considered the main source of protection for data subjects in Saudi Arabia (bearing in mind the one-year grace period for controllers to fully implement all aspects of the PDPL). This law applies, together with sector-specific regulations passed by other competent authorities (eg, healthcare sector data privacy rules and regulations codified by the Ministry of Health, financial sector data privacy rules and regulations codified by the Saudi Central Bank, etc).
Appointment of Data Protection Officers
Article 32 of the Implementing Regulations states that a controller is required to appoint a data protection officer under the following circumstances:
The data protection officer may be an official, employee or external contractor of the data controller. However, further rules governing the appointment of data protection officers, which are supposed to be published and clarified by the regulator, have not yet been issued by SDAIA as of the publication date of this guide (12 March 2024). It should also be noted that sector-specific requirements from other relevant, competent authorities may require the appointment of a data protection officer and/or specify additional rules related to the data protection officer (eg, the banking sector, via the Saudi Central Bank, may issue additional rules requiring the appointment of a data protection officer or, for example, the data protection officer’s physical location and/or nationality).
Requirements for the Collection, Processing and Use of Personal Data
Article 10 of the PDPL stipulates that the controller may collect personal data only from the personal data subject. Such personal data may only be processed for the purpose for which the personal data is collected. However, the controller, on an exceptional basis, may collect personal data from a person other than the personal data subject or process personal data for a purpose other than that for which the personal data is collected.
Article 11 of the PDPL stipulates the following in relation to privacy, fairness and legitimate interest.
Article 15 of the Implementing Regulations also provides specifications related to the collection of data from third parties, while Article 16 of the Implementing Regulations addresses the processing of data, other than sensitive personal data, for legitimate interests by private entities. A legitimate interest is defined as any necessary interest of the controller that requires the processing of personal data for a specific purpose, provided it does not adversely affect the rights and interests of the data subject.
Legitimate interests include, inter alia, the disclosure of fraud operations and the protection of network and information security. The controller may process personal data to achieve a legitimate interest provided that the processing purpose is legal, but in so far as the processing of data balances the rights and interests of the data subject with the legitimate interests of the controller, and, in doing so, the controller does not adversely affect the rights and interests of the data subject. Processing shall be within the reasonable expectations of the data subject.
Internal or External Privacy Policies
Article 12 of the PDPL stipulates that the controller shall adopt a personal data privacy policy and make it available to personal data subjects for review prior to collecting personal data. The policy shall specify the purpose of collection, the personal data to be collected, the method of collection, the means of storage and processing, the manner in which the personal data shall be destroyed, and the rights of the personal data subject in relation to the personal data and how such rights shall be exercised.
Data Subject Access Rights
Article 5 of the PDPL states that a data subject has the right to access their personal data available with the controller provided that such access does not negatively impact the rights of others, such as intellectual property rights or trade secrets. Article 6 also makes it clear that, subject to certain parameters, data subjects have the right to request a copy of their personal data in a readable and clear format from the controller.
Article 13 of the PDPL stipulates that when collecting personal data directly from the personal data subject, the controller shall take appropriate measures to inform the personal data subject of the following prior to collection:
Use of Anonymised Data
Article 9 of the Implementing Regulations states that when personal data is anonymised by a controller, the controller must ensure the following with respect to the data that has been “converted”, in terms of classification, from personal data to anonymised data:
Article 9 also states that anonymised data shall not be considered personal data. Accordingly, data that is classified as anonymised data, even if it originally was considered personal data, can be used in any manner that is lawful under applicable law provided such data is anonymised in accordance with Article 9. Since the PDPL only applies to personal data, the PDPL would not apply to the processing of such anonymised data.
Big Data Analysis
Article 10 of the PDPL outlines potential exceptions for the use of personal data beyond the purpose for which such data was collected. This could involve big data analysis of personal data. These potential exceptions include, inter alia:
In addition, Article 27 of the PDPL stipulates that personal data may be collected or processed for scientific, research or statistical purposes without the consent of the personal data subject if:
Financial and Credit Data
Together with the PDPL, the financial data of banking, insurance and financial clients is protected by the rules of the Saudi Central Bank.
Under the PDPL, credit data is defined as any personal data related to an individual’s request for, or obtaining of, financing from a financing entity, including any data relating to that individual’s ability to obtain and repay debts, and the credit history of that person.
Article 24 of the PDPL also sets out additional controls and procedures for the processing of credit data in a manner that ensures the privacy of the data subject. These include:
In addition, the Implementing Regulations specify that consent for processing and collection of credit data must be explicit, and when decisions are made solely based on automated processing of personal data, such as automated approval or denial of credit.
Communications Data
Article 23 of the TCIT Law provides for the following with regard to voice telephony, text messaging and the content of electronic communications.
Article 6 of the ET Law addresses storing electronic records as follows.
The regulations of the ET Law stipulate in greater detail how to preserve data and electronic records.
Health Data
The PDPL defines health data as any personal data related to an individual’s health condition, whether their physical, mental or psychological conditions, or related to health services received by that individual. Article 23 of the PDLP restricts the right to access health data (including medical files) to the minimum number of employees or workers ‒ and only to the extent necessary to provide the required health services.
In addition, health data processing is restricted to the minimum procedures and operations required of employees and workers as necessary to provide health services or offer health insurance programmes.
Children’s Data
Article 13 of the Implementing Regulations discusses legal guardians and the process for obtaining consent with respect to individuals who fully or partially lack legal capacity to exercise rights and/or provide consent with respect to the collection, processing and storage of personal data, including sensitive personal data. These include duties imposed on the controller to take appropriate measures to verify validity of guardianship over the data subject and means for a data subject to take back their individual rights when full legal capacity is gained or regained (as the case may be).
The Children and Incompetents’ Privacy Protection Policy aims to protect the privacy of children and incompetent individuals in data processing activities. It mandates that the data collected must be relevant and limited, and that appropriate security measures must be implemented to protect personal data. Parental or guardian consent must be obtained before collecting, processing or transferring personal data of children and incompetent individuals. In case of a data breach, affected individuals and the NDMO must be notified. Privacy awareness must be raised among children and their guardians through education programmes and materials.
It should be noted that the PDPL makes it clear that consent to collect and process a data subject’s data can only be provided by an individual who has full legal capacity to do so.
Data Subject Rights
The fundamental rights of individual data subjects are set forth in Article 4 of the PDPL and include, inter alia, the following.
In addition, the Implementing Regulations, and in particular Article 4 (right to be informed), Article 5 (right of access to personal data), Article 6 (right to request access to personal data), Article 7 (right to request correction to personal data) and Article 8 (right to request destruction of personal data), provide further clarification of data subjects’ fundamental rights.
Article 12 of the PDPL specifies that a controller shall adopt a personal data privacy policy in line with the law and make it available to personal data subjects for review prior to collecting personal data. The policy shall specify:
In addition, Article 29 of the Implementing Regulations further specifies that controllers must provide an “opt out” available to personal data subjects that is easy, straightforward, and no more difficult than the way data subjects provide consent in the first place.
Article 26 of the PDPL specifies that personal data (excluding sensitive personal data) may be processed for marketing purposes if it is collected directly from the personal data subject and the personal data subject consents to that in accordance with applicable laws and regulations.
Article 28 of the Implementing Regulations of the PDPL sets out the general rules applicable to consent and the processing of data for advertising and awareness purposes in this regard.
Article 29 of the Implementing Regulations also requires that the entity sending materials through direct marketing clearly identify themselves without anonymity. In addition, if a data subject withdraws consent, the controller shall immediately stop sending related marketing materials without undue delay.
There are no special regulations found explicitly dealing with workplace privacy. The PDPL does not make a special distinction between the treatment of data subjects generally and that of those who are simultaneously considered employees of the controller, so, at the very least, a controller’s employees should enjoy, at a minimum, the same rights and remedies under the minimum standards that a data controller uses with data subjects generally.
As mentioned in 1.3 Administration and Enforcement Process, to enforce both the ET Law and TCIT Law, the CSTC inspectors investigate, examine and collect evidence of violations of the provisions of the TCIT Law. Penalties can include issuance of a fine not exceeding SAR5 million and/or imprisonment for a period of up to five years.
The National Cybersecurity Authority is the competent authority regarding overseeing all cybersecurity matters in Saudi Arabia, according to Article 3 of the Statute of the National Cybersecurity Authority. Penalties of up to one year in prison and a fine of up to SAR500,000 apply to any person found to have committed one of the following cybercrimes:
Article 35 of the PDPL specifies that any individual who discloses or publishes sensitive personal data either intentionally or for personal benefit may face a penalty of up to two years of imprisonment and/or a fine of up to SAR3 million without prejudice to any other harsher penalty applicable under any other law for the same act. These penalties may be doubled in the case of repeat offenders.
Article 36 of the PDPL specifies that all violations of the PDPL, other than those covered in Article 35, face penalties that range anywhere from a warning to a fine up to SAR5 million on every person with a special nature or legal capacity who violates the PDPL. This is, again, without prejudice to any other harsher penalty applicable under any other law for the same act, and the penalty may be doubled in the case of repeat offenders.
In general, Article 15 of the PDPL specifies the exceptional basis for disclosure of an individual’s personal data in connection with serious crimes. Article 15, paragraph 3 of the PDPL allows a controller to disclose a data subject’s personal data in response to a disclosure request from a public entity (eg, law enforcement) provided that the collection or processing of the personal data is required for public interest (eg, law enforcement) or security purposes, to implement another law, and/or to fulfil judicial requirements.
Article 15, paragraph 4 of the PDPL also allows a controller to disclose a data subject’s personal data if the disclosure is necessary to protect public health, public safety, or to protect the lives or health of specific individuals.
Under the Implementing Regulations, transfer of a data subject’s personal data is permitted outside Saudi Arabia by a controller that is a public entity, where such transfer and disclosure is necessary for the protection of the Kingdom for the investigation, or detection, of crimes, or the prosecution of their perpetrators, or for the execution of penal sanctions.
As mentioned in 3.1 Laws and Standards for Access to Data for Serious Crimes, the general basis for the disclosure of a data subject’s personal data for national security purposes is set forth in Article 15 of the PDPL. In addition, Article 16 of the PDPL limits the disclosure of personal data even if such disclosure is normally allowed if the disclosure represents a threat to security.
Also, under Article 6 of the PDPL, a public entity shall not be required to obtain a data subject’s consent where the processing of such data is required for security purposes or to satisfy judicial requirements.
Under the Implementing Regulations, transfer of a data subject’s personal data is permitted outside Saudi Arabia by a controller that is a public entity, where such transfer and disclosure is necessary for national security reasons or for the public interest.
It should also be noted that, pursuant to the Law of Electronic Transfer of Private Entity Client Information to the Ministry of Interior National Information Center (2013), hotels, furnished apartments, rental cars, and gold and silver stores must provide the competent security entities with their customers’ information.
Privacy safeguards are included in High Order No 37194 (2016), which stipulates that:
The Implementing Regulations of the PDPL set forth exemptions for the transfer of personal data outside Saudi Arabia by a data controller. A controller may transfer personal data outside Saudi Arabia provided that the regulatory requirements of the country (or, in the case of world bodies, the international organisation) where such data is transferred to do not prejudice the privacy of data subjects or affect the ability of data subjects to enforce appropriate safeguards.
These safeguards may include binding common rules, standard contractual clauses, certifications of compliance with the PDPL, and/or binding codes of conduct. In all cases, the competent authority (eg, SDAIA) must certify the sufficiency of the appropriate safeguards. As of the date of publication of this guide (March 2024), the Implementing Regulations specify the minimum suitability of binding common rules, but standard contractual clauses have yet to be issued by the competent authority.
The controller may not transfer personal data outside Saudi Arabia or disclose it to a party outside Saudi Arabia unless necessary to implement an obligation under an agreement to which Saudi Arabia is a party, or to further benefit Saudi Arabia’s interest, or for other reasons as determined by the regulations, and subject to compliance with the following conditions:
Under Article 3 of the Implementing Regulations, SDAIA is tasked with assessing the sufficiency of the protection of personal data to countries, sectors or international organisations outside Saudi Arabia on a periodic basis. This assessment is based, inter alia, on previous assessments and international agreements signed between Saudi Arabia and sovereign nations and/or relevant entities.
The PDPL and its Implementing Regulations entered into force on 14 September 2023, but data controllers have until 14 September 2024 to update their current policies and procedures to fully align with the requirements of the law.
The PDPL does specify many “best practice” standards for controllers and public entities, including a standard for legitimate interests and fundamental rights for data subjects, which provide a legal basis for challenging the collection and processing of personal data, including when such data is collected and/or processed by public entities.
There are restrictions on the transfer of data outside Saudi Arabia; however, the transfer of data outside Saudi Arabia for processing (including storage) of personal data is possible provided such transfer is performed in compliance with the PDPL and any other applicable law in Saudi Arabia.
Part 2 of the Implementing Regulations of the PDPL addresses the transfer of personal data to jurisdictions outside Saudi Arabia. A controller may transfer personal data outside the Kingdom, provided that the transfer or disclosure does not impact national security or vital interests of Saudi Arabia or otherwise violate any applicable law in Saudi Arabia. Any transfer should be limited to the minimum necessary to achieve the purpose of the transfer.
Any transfer should not impact the privacy of data subjects, or otherwise undermine the level of protection guaranteed for personal data under the PDPL by ensuring that the transfer will not compromise, at a minimum, the following principles:
The NDMO sets out general standards for personal data transfer beyond the geographical limits of Saudi Arabia in order to specify the terms and conditions for cross-border transfer and storage of personal data for both public and private entities while pointing out the sovereignty of personal data. The standards also stipulate the rights of personal data owners, along with general guidelines and exceptions for personal data transfer beyond Saudi Arabia’s borders – thereby creating secure processing for personal data and idealising national data privacy and security (see 4.4 Data Localisation Requirements).
Article 5 of Part 2 of the Implementing Regulations sets forth certain exemptions for international data transfers where there is an absence of adequate levels of protection for personal data outside Saudi Arabia, but appropriate safeguards are in place to protect the personal data of data subjects. Provided that the regulatory requirements in the country where data is transferred to does not bring any prejudice to the privacy of personal data subjects or the ability to enforce appropriate safeguards, a controller may transfer data if one of the following safeguards is in place.
Article 6 of Part 2 of the Implementing Regulations sets forth an exemption for international data transfers where there are no adequate levels of protection for personal data outside Saudi Arabia and no appropriate safeguards in place. In such cases, the transfer or disclosure of personal data outside Saudi Arabia is permitted in any of the following circumstances:
See 4.2 Mechanisms or Derogations That Apply to International Data Transfers.
The PDPL does not stipulate that data must be localised provided the transfer and processing of personal data outside Saudi Arabia is performed in accordance with the PDPL and any other applicable law or regulation applicable to such personal data in Saudi Arabia.
When transferring personal data outside Saudi Arabia, there are special rules and regulations, however, that may apply in addition to, and exclusive of, the PDPL depending on the type of data (eg, health data) or sector (eg, financial), or if the localisation of data is in the national security, or public, interest of Saudi Arabia. Under such circumstances, the transfer and/or processing of personal data may be restricted or prohibited altogether.
The National Cryptographic Standards issued by the National Cyber Security Authority establish the minimum technical standards for cryptography for civil and commercial use and to protect the data, systems and national network.
Please see 4.4 Data Localisation Requirements.
Article 24 of the TCIT Law stipulates that after co-ordinating with the competent authorities, the Commission must:
It is prohibited to by-pass or swindle internet filtering or to provide the means to do so. In addition, the Commission shall set the regulating controls and requirements.
In September 2023, SDAIA published the first version of its AI Ethics Principles. These principles were issued and published with the aim of:
The AI Ethics Framework applies to all AI stakeholders designing, developing, deploying, implementing, using or being affected by AI systems within Saudi Arabia, including, without limitation, public entities, private entities, non-profit entities, researchers, public services, institutions, civil society organisations, individuals, workers and consumers.
Seven principles are addressed in the framework:
In addition, in November 2023, the government announced the establishment the International Centre for Artificial Intelligence Research and Ethics, which aims to advance competencies and legislative frameworks in the field of AI and other advanced technologies.
Other than SDAIA’s mandate, there is no specific fair data practice review board. The general rules for digital governance are laid out in the PDPL.
As mentioned in 1.3 Administration and Enforcement Process, to enforce the TCIT Law, CSTC inspectors must jointly or severally investigate and examine control violations of the provisions of the TCIT Law, by-laws and regulatory decisions. In addition, without prejudice to the relevant legal provisions, the inspectors must:
To enforce the ET Law, the CSTC – in co-operation and co-ordination with competent authorities – are in charge of recording and inspecting violations and making a record thereof. The Commission may seize the equipment, systems and programs used in committing the violation until such violation is decided.
According to Article 20 of the EC Law, any person may appeal a decision issued against them pursuant to the EC Law before the administrative court in accordance with the Law of Procedures before the Board of Grievances.
For the ACC Law, penalties to the violation of any of its articles may range between imprisonment for a period not exceeding one year and a fine not exceeding SAR500,000 to imprisonment for more than 10 years and a fine not exceeding SAR5 million.
Article 35 of the PDPL specifies that any individual that discloses or publishes sensitive personal data either intentionally or for personal benefit may incur a penalty of up to two years of imprisonment and/or a fine of up to SAR3 million without prejudice to any other harsher penalty applicable under any other law for the same act. These penalties may be doubled in the case of repeat offenders.
Article 36 of the PDPL specifies that all violations of the PDPL, other than those covered in Article 35, face penalties that range anywhere from a warning to a fine up to SAR5 million on every person with a special nature or legal capacity who violates the PDPL. This is, again, without prejudice to any other harsher penalty applicable under any other law for the same act, and the penalty may be doubled in the case of repeat offenders.
The PDPL lays out the standards for transferring data outside Saudi Arabia. These standards are evaluated by the regulator, SDAIA, working with the various concerned authorities in each sector. The criteria used to evaluate the sufficiency of transfer of personal data outside Saudi Arabia to a third country include:
The evaluation of these standards may be conducted by SDAIA on the basis of a specific country, sector or international organisation.
The procedures for launching services or products based on customers’ personal data or sharing personal data now include the “Privacy Impact Assessment”. Before launching a service or product that involves personal data or sharing personal data, the service provider conducts a study to evaluate the impact of the service or product on the privacy of new or existing customers. This study involves identifying and assessing privacy risks, specifying required data, explaining the purpose of data processing, and developing treatment plans. Moreover, the CSTC justifies the need for the Privacy Impact Assessment in each case and has the right to intervene based on the results of said assessment.
Article 20 of the PDPL does specify that a controller must notify the regulator, and individuals affected, of any breach, damage or illegal access to personal data. Although the Implementing Regulations specify what information should be communicated in the case of a breach, there is no specific obligation of disclosure to publicise the breach.
Subject to data qualifying as anonymised data under the PDPL, public disclosure of anonymised data is permitted because the PDPL does not apply to anonymised data.
As of March 2024, Saudi Arabia has not yet implemented any laws or policies specifically addressing the convergence of privacy, competition and consumer protection in connection with the regulation of tech companies, digital technology or data practices.
SDAIA is the competent authority to enforce the PDPL for at least the first two years after coming into effect; after this preliminary two-year period, an overview will be conducted to decide if the task of overseeing the enforcement of the PDPL will remain with SDAIA or be transferred to the NDMO.
The National Cybersecurity Authority shall remain the competent authority when it comes to overseeing all cybersecurity matters in Saudi Arabia.
SDAIA and various public entities still need to finalise all applicable rules and regulations that will apply from sector to sector in addition to, and exclusive of, the PDPL. This is particularly true of sectors where sensitive personal data, such as credit data and health data, are collected.
The non-exhaustive list of public entities includes the Ministry of Communications and Information Technology, Ministry of Foreign Affairs, CSTC, Digital Government Authority, NCA, Saudi Health Council, Saudi Central Bank, etc. While some of these have already been concluded with SDAIA, as of March 2024, others in key sectors are pending.
Sector-specific rules and regulations, together with the PDPL and its Implementing Regulations, are required so that industry players are aware of all unique and specific rules and regulations related to data privacy for data subjects in their sector and adapt accordingly.
In addition, SDAIA, as of March 2024, has yet to set forth the standard contractual clauses (Implementing Regulations, Part 2, Chapter 3, Article 5, paragraph 1(b)) or the specifics on the nationality/residency status of a data protection officer, particularly in sectors where big volumes of data are collected and processed or in sectors where high volumes of sensitive personal data are handled.
Alex Saleh
Managing Partner
Kuwait +(965) 669 55516 / UAE +(971) 54 997 4040
alex.saleh@glaco.com www.glaco.com/attorneys/alex-saleh/Digital Transformation in Saudi Arabia
As part of Saudi Arabia Vision 2030 (“Vision 2030”), Saudi Arabia has fully embraced the digital age, and the country’s digital transformation is leaving a lasting impression on its citizens, residents, visitors and outside observers globally.
At the heart of Saudi Arabia’s digital transformation is a multifaceted approach that spans various sectors. The government’s commitment to incorporating technology into its operations has been a driving force behind this evolution. From implementing smart city initiatives to digitising public services, Saudi Arabia has demonstrated a vision beyond mere modernisation. The digital revolution seeks to create a more efficient, responsive and interconnected administrative framework.
In the private sector, Saudi Arabia has been equally proactive in leveraging technology to drive innovation and economic growth. Initiatives that incentivise and nurture the development of tech start-ups and foster an ecosystem conducive to digital entrepreneurship have positioned Saudi Arabia as a regional leader in the digital landscape, from fintech to the automotive industry.
However, Saudi Arabia’s digital transformation is not solely about technological advancements; it is fundamentally about improving the quality of life for its citizens. Technology integration aims to simplify processes, reduce bureaucratic hurdles, and enhance overall efficiency.
Saudi Arabia’s digital transformation is also about the establishment of bodies within the country that specialise in developing the rules and regulations required to integrate technological advancements into society in a responsible manner. Initiatives like the establishment of the Saudi Data and Artificial Intelligence Authority (SDAIA) and the National Transformation Programme (NTP) have laid the groundwork for a comprehensive and strategic approach to digital evolution.
This chapter of the guide will explore some key legal and regulatory milestones that have played a pivotal role in shaping Saudi Arabia’s digital landscape, including personal data and the development and deployment of artificial intelligence (AI) in Saudi Arabia. It will also explore what Saudi Arabia is doing to ensure that the legal regime and the regulators tasked with monitoring further developments stay ahead of and in line with the advancement and use of technology in Saudi Arabia.
Significant developments in the regulatory landscape in Saudi Arabia
On 14 September 2023, the Personal Data Protection Law (PDPL) came into effect. In addition, SDAIA issued the Implementing Regulations of the Personal Data Protection Law (the “Regulations”) and the Regulations on Personal Data Transfer outside the Geographical Boundaries, which came into effect concurrently with the PDPL. Companies have a one-year grace period from the effective date to align their existing privacy policies with the PDPL and the Regulations.
The PDPL and the Regulations govern all aspects of processing personal data, including sensitive personal data. The law also addresses the processing of special types of data such as health data, genetic data, credit data, and data of minors. Much like the GDPR, it provides companies with rules related to the requirement for consent and circumstances for offshore data transfer.
The responsibilities outlined in the PDPL apply to all entities operating in Saudi Arabia or those processing the personal data of Saudi citizens, residents and visitors, excluding individual and non-commercial entities. Under the PDPL and the Regulations, data controllers must adhere to the provisions of the PDPL. Data controllers are permitted to collect personal data only in compliance with the PDPL, and they must ensure that all personal data processing, whether conducted internally or through a third-party processor, aligns with the PDPL regulations.
The concept of processing under the PDPL is comprehensive, covering any action applied to personal data, whether manual or automated. As a result, the PDPL applies to all personal data processing activities within Saudi Arabia and the processing of personal data related to individuals accessing data in Saudi Arabia by foreign entities.
The primary beneficiaries of the PDPL are the individuals from whom the personal data is derived. The law is designed to protect the privacy rights of Saudi residents, ensuring that their personal data is handled responsibly and in accordance with established regulations.
SDAIA AI Ethics Framework
SDAIA has been instrumental in setting guidelines and policies to govern the ethical use of artificial intelligence (AI). This reflects Saudi Arabia’s awareness of the need for responsible development and deployment of advanced technologies.
Before 2023, Saudi Arabia had yet to have a comprehensive national AI-specific regulatory framework, but there were discussions about developing guidelines and policies to govern the ethical use of AI.
On 14 September 2023, SDAIA published its AI Ethics Framework version 2.0 (the “Framework”), which focused on helping entities develop responsible AI-based solutions that limit the negative implications of AI systems while encouraging innovation. AI is defined under the Framework as “a collection of technologies that can enable a machine or system to sense, comprehend, act, and learn”.
AI has rapidly become an integral part of various sectors and industries. Society’s rapid deployment and adoption of AI are influencing decision-making processes and helping to reshape both existing and future interactions between technology and society. As AI systems continue to advance, it is crucial to prioritise the principle of fairness to prevent bias, discrimination and stigmatisation in their design, development, deployment and use. This commitment to fairness is essential to avoid perpetuating historical disadvantages and to ensure that AI benefits all segments of society.
The Framework developed by SDAIA is, in part, issued to ensure fairness in AI systems as these systems are developed and deployed in Saudi Arabia. The Framework’s evolution, as AI is used more in day-to-day life in Saudi Arabia, revolves around the following key principles and axes.
One of the key ethics and standards stated in the Framework and the list above, and worthy of discussion, is algorithm auditing development.
As algorithms increasingly influence decision-making processes in various domains, the need for transparency, accountability and fairness has given rise to algorithm auditing.
Algorithm auditing involves a systematic evaluation of algorithms to ensure they meet predefined ethical and performance standards. This process is essential for uncovering biases, discrimination and unintended consequences that may arise from algorithmic decision-making. With algorithms influencing areas ranging from finance and hiring to criminal justice, the significance of algorithm auditing cannot be overstated.
One of the primary motivations behind algorithm auditing is identifying and mitigating biases present in algorithms. Bias can inadvertently be introduced during the development process or be learned from historical data, leading to discriminatory outcomes. By conducting thorough audits, organisations can uncover and rectify biased decision-making, promoting fairness and equity in algorithmic systems.
Algorithm auditing contributes to transparency, allowing stakeholders and the public to understand how algorithms function and make decisions. Transparency is crucial for building trust, especially when algorithms impact individuals’ lives. Moreover, auditing enhances accountability by holding developers and organisations responsible for the consequences of algorithmic decisions.
As AI applications become more sophisticated, the ethical implications of algorithmic decision-making become more pronounced. Algorithm auditing plays a pivotal role in ensuring that AI systems adhere to ethical standards and do not compromise privacy, security or human rights. By scrutinising algorithms, auditors can identify and rectify ethical lapses before they result in adverse outcomes.
In response to the growing importance of algorithmic transparency and accountability, regulatory bodies in the country, such as SDAIA, are beginning to enact laws requiring organisations to audit their algorithms. Compliance with these regulations is not only a legal requirement but also a demonstration of commitment to responsible AI practices.
Algorithm auditing is not without its challenges. The dynamic and evolving nature of algorithms and sheer complexity of AI systems makes auditing a demanding task. The lack of standardised auditing procedures and tools further complicates the process. However, ongoing research and collaboration within the industry are working towards establishing best practices for algorithm auditing.
Development of AI recruitment tools
AI tools are increasingly being used for automated screening of resumes and applications. These tools can analyse and match candidate profiles with job requirements, streamlining the initial stages of the recruitment process.
Chatbots powered by AI are utilised for initial candidate interaction. They can engage with applicants, answer queries, and collect preliminary information, providing a more efficient and responsive recruitment experience.
Nonetheless, AI tools are incorporating predictive analytics to assess the likelihood of a candidate’s success in a particular role. This involves analysing historical data to predict future job performance and cultural fit. Further, AI tools are being developed with a focus on mitigating biases in the recruitment process. This includes addressing gender, ethnic and other biases to promote diversity and inclusivity.
Given the rise of remote work, AI tools are facilitating remote hiring processes. This includes virtual interviews, online assessments and collaborative tools for remote team evaluation.
AI Trust, Risk and Security Management (TRiSM)
In the swiftly digitising landscape of Saudi Arabia’s economy, AI TRiSM emerges as a safeguard for trust and security within AI systems. As the Vision 2030 initiative propels the nation towards technological leadership, the imperative of ensuring transparency, fairness and security in AI becomes crucial. With generative AI anticipated to revolutionise 70% of new web and mobile app development by 2026, the role of AI TRiSM becomes indispensable in steering this transformative journey.
Metaverse-related projects
The Saudi Central Bank was involved in Project Aber, which concentrated on assessing the viability of digital currencies for facilitating cross-border payments with the United Arab Emirates. It is likely that the Saudi Central Bank will continue to be involved as the United Arab Emirates introduces its digital currency. Reports indicate that Saudi Arabia has allocated a substantial investment of USD1 billion in projects associated with the metaverse. This underscores the jurisdiction’s evident comprehension of the pivotal role the digital economy is poised to play within the framework of Vision 2030.
Conclusion
Saudi Arabia is actively navigating the evolving landscape of data protection and AI with a keen eye on rapidly satisfying, and perhaps exceeding, international trends and developments. Saudi Arabia recognises the critical importance of safeguarding personal data and fostering responsible AI practices, and it is putting together a regulatory and legal scheme that is nimble enough to pivot at the pace of business while simultaneously safeguarding the balance between individual and commercial interests. The implementation of comprehensive data protection laws aligns with global efforts to empower individuals with greater control over their personal information.
The active participation of Saudi institutions, such as the Saudi Central Bank, in initiatives like Project Aber and investments in metaverse-related projects, underscores Saudi Arabia’s strategic goals for being at the forefront of technological innovation. As Saudi Arabia progresses on its transformative journey as outlined in Vision 2030, the harmonisation of AI advancements with robust data protection measures plays a pivotal role in shaping a digitally resilient, and ethically grounded, future for the nation.
Alex Saleh
Managing Partner
Kuwait +(965) 669 55516 / UAE +(971) 54 997 4040
alex.saleh@glaco.com www.glaco.com/attorneys/alex-saleh/