Individual privacy in Saudi Arabia and the protection of personal data have long fallen under the general provisions of Saudi law and not under the specific provisions on „data protection“ or „data security“.
In the absence of specific laws, Islamic law generally applies in Saudi Arabia. Thus, Saudi courts dealt with data protection issues according to the general principles of Shariah – a collection of general principles which are the Qur’an and the Sunnah (the attested sayings and actions of the Prophet Muhammad). This has changed in recent years. New laws have emerged in Saudi Arabia that impose strict obligations on Saudi companies regarding how, why and when personal data may be collected, used and stored.
The latest developments adopted a comprehensive regulatory framework governing the processing of personal data.
The legal reform on data protection
The first comprehensive data protection law was passed in 2021. This law was not enforced. Instead, the Saudi Data and Artificial Intelligence Authority (SDAIA) proposed amendments after public consultations and executive regulations were added. On September 14, 2023 the Personal Data Protection Law (PDLP) was released alongside with the Implementing Regulations of the Personal Data Protection Law and the Regulation on Personal Data Transfer outside the Geographical Boundaries of the Kingdom. The law was released with a grace period until September 14, 2024 when it will enter into force.
The Personal Data Protection Law (PDPL) and its Implementing Regulations
The Personal Data Protection Act and its implementing regulations have been adapted to the European General Data Protection Regulation (GDPR) in several aspects. The definition of „consent“ (Art. 5 GDPR) and the concept of legitimate interest (Art. 6 para. 4 GDPR) are in line with the GDPR. Data breaches must be reported to the SDAIA within 72 hours and data subject requests must be answered within 30 days (Art. 24/Art. 3 Implementing Regulation). In addition, data controllers are obliged to keep a record of processing activities (ROPA) (Art. 31 PDPL) and appoint a data protection officer (Art. 32 Implementing Regulation).
Fines are also part of the law (Art. 35, 36 PDPL). Unlawful use of sensitive data can result in a prison sentence of up to two years and/or a fine of up to SAR 3,000,000 / € 760,000. Repeated offences can result in penalties of up to double the maximum amounts mentioned above, including the duration of the prison sentence and the amount of the fine.
While fines are also imposed under the GDPR, Saudi law – unlike European law – is subject to considerable uncertainty, as Saudi law refers to „the person“ and not to the „controller“ or „processor“ (as in Article 83(3) GDPR). Therefore, it is not certain who could be fined or imprisoned in the event of a data breach.
The Regulation on Personal Data Transfer
Data transfers to countries outside the Kingdom of Saudi Arabia are intended, for example, to fulfil agreements to which the country is a party, to protect national interests or for other purposes listed in the Regulation on the Transfer of Personal Data (Art. 29 PDPL).
Chapter 2 of the Regulation on the Transfer of Personal Data also introduces an adequacy system on the basis of which the transfer of data can take place.
Impact of the legal developments for business activities and on the civil society
Overall, the legal reform is a successful achievement for the Kingdom and is largely modelled on the General Data Protection Regulation. However, the Saudi Arabian data protection law has been heavily criticised in global reporting, particularly by international human rights organisations.
This is due to the fact that, despite the formal guidelines, the opinions of the competent authorities have a major influence on the interpretation of the Saudi Arabian data protection law, which sometimes run contrary to the law. It is criticised that these interpretations sometimes undermine the right to privacy. The entities that control data are allowed to pass on data to government agencies, citing vague and overly broad „security reasons“ that are not defined in the law. In this context, for example, extramarital and same-sex online relationships are prosecuted and severely penalised.
It is therefore not surprising that there was an international outcry when Microsoft announced its intention to invest in a new data centre region in Saudi Arabia at the beginning of the year. It remains to be seen how Microsoft will position itself here in the long term.