Changes to the Technology and Data Laws in Saudi Arabia

For quite some time, data privacy has been a contentious regulatory issue, particularly for US and European businesses. In the past two years, we have seen a number of new data privacy laws and regulatory guidelines introduced in the Middle East region, including by the United Arab Emirates (UAE), Bahrain, Lebanon, Egypt, and the Kingdom of Saudi Arabia (Saudi Arabia), halting the enactment of inclusive regulatory frameworks on data privacy is no longer an option in the global economic landscape. As part of its ambitious Vision 2030 strategy, Saudi Arabia has experienced significant transformation, modernizing its regulatory environment to establish rules that are more investor-and company-friendly. The country has also increased the ease of doing business. Saudi Arabia has enacted the Personal Data Protection Law, which is the first ever inclusive data protection regulation under Decree Number M/19 dated 16 September 2021.  


European Union (EU) General Data Protection Regulation (GDPR)

In line with the adoption of a new Personal Data Protection (PDPL), Saudi Arabia is more in line with the regional standards for the Middle East and with global rules like the (EU) (GDPR). The Saudi Arabia Cabinet Decision Number 98/1443 which took effect on March 23 2022, aims to safeguard the privacy of sensitive personal data, control business data exchange, prohibit the misuse of personal data, and unite all current data regulations under the Saudi Data & Artificial Intelligence Authority (SDAIA). The gathering and processing of personal information in Saudi Arabia are now governed under the country’s first comprehensive national data protection law. In this piece, we examine how this significant event may affect organizations that operate in the Kingdom. There are significant similarities between the PDPL and the GDPR, particularly in the language used to describe the principles for processing personal data and data subject rights. Thus, comparing the PDPL with the GDPR reveals that while both laws’ fundamental principles are substantially the same, there are a number of significant changes that should be taken into account.

The recently established government agency SDAIA, which is a recent amendment of directing the nation’s national data and artificial intelligence (AI) strategy in line with Vision 2030’s objective for digital transformation, will be in charge of overseeing the PDPL. The Saudi government is being transformed under the direction of SDAIA into a data-driven, AI-enabled organization that can direct the expanding and shifting economy through data-informed decisions and digital solutions. The National Data Management Office, the SDAIA’s regulatory branch, will then be regarded as the competent data authority.

SDAIA recently announced that the relevant authorities have delayed the process of implementing the PDPL law until March 17, 2023. The justification for this unexpected delay is the requirement to take preventive measures, in light of SDAIA recommendations following the public comment period on the draft implementing regulations to the above-mentioned law. 


Who Does The PDPL Apply To?

Controllers are obligated under the PDPL to determine the purpose and manner of the procession of personal data. In addition to the international data protection principles, the terms processing and personal data encompass almost any action involving information about an identifiable individual, the personal data owner. This rule also applies to all controllers who are located outside of Saudi Arabia, controlling the personal data of Saudi residents. The PDPL also adds processing requirements similar to those under the GDPR. Personal data processing must be done on a legal basis specified under the law, such as permission or contract performance. Parallel to the GDPR, there are also accountability requirements for controllers, there is no legitimate interest’s justification that exists for such processing. The PDPL stipulates that the punishment for exposing or publishing sensitive personal data may entail up to two years in prison and/or a fine of SAR 3 million, as a result, both the organization and individuals may suffer consequences.

According to Article 33 of the PDL, the authority is in charge of granting licenses to commercial, professional, or nonprofit organizations in accordance with the PDPL. However, it has not been clearly states under the above-mentioned article, if any, additional licenses an organization will require to obtain in order to process personal data.


Controller’s Obligations Under The PDPL  

Personal date may only be processed with the approval of the personal date owner, with certain restricted exceptions. The terms of consent, including when it must be in writing, shall be outlined in the Executive Regulations, However, at any given moment, the owner of the personal data may revoke the consent. In order to ensure compliance with the Executive Regulations, controllers will need to carefully review their consent mechanisms. There are certain rights the personal data owners have been granted, along with definite rights in respect to their personal data, there must be valid reasoning or justification for collecting such data, the reason for collecting their personal data, whether doing so is required or optional, and that their data will not be processed later in a way that is contrary to the reason for collection or in circumstances other than those listed under the PDPL. Before processing personal data, controllers must ensure its accuracy, completeness, and relevance. Additionally, they must keep a record of that processing from the time period specified by the executive regulations and make sure that their staff has received the appropriate training in the PDPL and data protection principles.

In any case, any companies doing business in Saudi Arabia or handling data regarding the citizens of the country, will now need to evaluate their operations and make adjustments to conform to the PDPL. Moreover, controllers must give employees training on the PDPL’s terms and principles, and they must allow enough time for the organization to develop a suitable data protection culture. The law goes into effect, requiring data controllers and processors inside and outside the Kingdom to implement a number of steps. To reduce future risks, it is crucial for businesses and other entities to start evaluating their compliance framework. However, the controller must be aware of the requirements involved in any transfer of personal data outside of Saudi Arabia.


The Saudi National Cybersecurity Authority (NCA)

The NCA signed a Memorandum of Understanding for cybersecurity cooperation with the US department of homeland security (DHS) and the cybersecurity and infrastructure security agency (CISA) in July 2022. To protect and enhance the cyberspace and important interests in the United States and the Kingdom, this initiative aims to promote and strengthen bilateral cooperation in the cybersecurity sector. The MoU is an addition to the ongoing cooperation between the two countries, which focuses on several areas including sharing cyber threats information and exchanging best practices and expertise in the fields in both the countries. Furthermore, under all aspects of space exploration, including human spacelight, earth observation, commercial and regulatory development, and responsible space behavior, the US and Saudi Arabia are increasing their cooperation.  Before transferring personal data outside of KSA, it is necessary to obtain the prior written authorization of the relevant regulatory authority, according to the NCA Regulations. Thus, the NCA is the primary federal agency in charge of handling cybersecurity emergencies. The Saudi Central Bank and the CITC, however, have their own systems for receiving reports of cybersecurity incidents.

One of the key enablers of the National Cybersecurity Strategy, NCA has created the CyberIC program for the growth of the cybersecurity industry. The program intends to expand the domestic cybersecurity industry while also enhancing national cybersecurity capabilities, local cybersecurity technology, and training materials. Moreover, CyberIC will aid more than 60 local organizations (providing services and solutions), and also hope to expand the number of cybersecurity start-ups in the industry. Through the cybersecurity accelerator and the cybersecurity challenge, the program will develop more than 20 start-ups and support more than 40 start-ups.


Internet of Things (IoT)

The IoT incorporates several fundamental requirements, such as that equipment must follow set standards and that the IoT system must be able to support the interrogation of data processed via it for at least 12 monthly following the date of formation. The term IoT refers to a network of physical objects, or “things”, that have sensors, software, and other technologies built in. These “things” can link to other systems and devices over the internet to exchange data. Today, there are more than seven billion connected IoT devices, and according to analysts, there will be ten billion by 2020 and 22 billion by 2025.


How IoT is changing the world?

By enabling connected cars, IoT is completely redefining the automotive. With IoT, automobile owners can remotely control their vehicles, for instance, by preheating the vehicle before the driver gets in or by remotely calling for a vehicle through the phone. Cars will even be able to schedule their own servicing appointments, when necessary, with the help of IoT, which facilitates device-device connectivity. Businesses are using IoT’s enormous business value as it becomes more common in the market. These advantages consist of:


Saudi Arabia’s CITC to Launch Evolving Technologies Sandbox

In addition to attracting more and more local and foreign investment and maximizing the benefits of emerging technologies, such an environment will allow evolving technology service providers to offer work models, solutions, and services that would help to accelerate the digital transformation of all sectors. The communications and Information Technology Commission (CITC), has declared its plan to build evolving technologies sandbox, which aims to provide a flexible and exciting environment for emerging the rules and enablers required to expand the emerging technology industry. The CITC invites all evolving technology service providers to register on the commission’s website in order to discuss their business strategies, solutions or, services with the emerging technologies sandbox through

In the Two Holy Cities, CITC has made sure that more than 5,900 towers and 11,000 Wi-Fi access points are operating without any delays. Additionally, it oversaw a 41% growth in 5G towers, bringing the total to more than 2,600. By defining and refining the rules and enablers that are crucial to developing the emerging technology market, the sandbox aims to create a flexible and exciting environment for service providers of emerging technologies. Furthermore, increased investment, innovation, proper consumer protection, and the introduction of new goods and services into the Saudi market, are concise of the objectives of the Regulatory Sandbox. In light of this, it appears that the PDPL would not be completely enforceable against local entities for at least 18 months. With regards to the Resolution approved by the Council of Ministers also states, that SDAIA will work in conjunction with the Saudi Central Bank and the (CITC).


How Should We Prepare for These New Changes?

Early preparation is essential, in order to meet some of the stringent requirements outlined in the PDPL, in particular. Organizations should prioritize implementing these six strategies:

To conclude, with the government’s significant investment in STEM fields, big tech, and smart technologies, the most recent of which was launched technology initiatives this year, which were worth more than USD 1,200,000 (US Dollars one billion and two hundred million). Along with this, the Kingdom has a thriving digital economy that will only continue to expand in size and significance. The amount of data acquired will drastically expand as the government will execute its digital and smart economy initiatives, making data regulation even more crucial. Additionally, the new law gives people more control over their data ownership by preventing the collection of critical information including financial records, social security numbers, and personal information without their consent. As a result, the law shall safeguard individuals’ privacy and ensure the public that the data they give to companies would not be misused by outsiders for fraudulent purposes. To know more about the latest TMT legal amendments reach out to well-qualified TMT  lawyers.