As part of Saudi Arabia’s Vision 2030, the government seeks to transform the nation into a hub for technology and innovation. This transformation will have several legal implications, particularly with regard to data protection and cyber security.
In recent years, lenient cyber security implementation has made the Kingdom a global target for cyberattacks. To protect businesses and consumers, the government is implementing new laws and regulations to improve the security of the nation’s digital infrastructure.
The government is also working to create a more favourable environment for businesses and consumers by introducing new data protection laws and establishing regulatory frameworks related to cloud services and e-commerce. These efforts will help to attract foreign investment and encourage innovation within the Kingdom.
In 2020, Saudi Arabia experienced over 22 million cyberattacks, which cost the economy over $6 million. In a survey by VMware, 85% of Saudi Arabian security professionals reported an increase in cyberattacks during the pandemic, due to the increased number of employees working from their homes. Over the past few years, the government has begun to take steps to tackle the country’s long-standing cyber security vulnerabilities with the introduction of several new regulatory frameworks and governing bodies.
The National Cybersecurity Authority (NCA) was established in 2017 as the central authority for cyber security in Saudi Arabia. The NCA is responsible for developing and coordinating the Kingdom’s cyber security strategy, as well as overseeing the implementation of new laws and regulations.
In 2018, the NCA released a whitepaper outlining the minimum standards for cyber security that all organisations in Saudi Arabia must adhere to. This document includes requirements for risk management, incident response, data protection, and more. It was circulated amongst both private organisations and government bodies, to raise awareness and improve cyber security posture across the country.
In 2019, the NCA established the Computer Emergency Response Team (CERT), which is responsible for responding to cyber incidents and providing technical and forensic support. Two years later, Saudi Arabia’s Communications and Information Technology Commission (CITC) announced the implementation of a cyber security regulatory framework that aims to raise the security levels of service providers in the IT, communications, and postal services sector.
In 2020, the Saudi government enacted a new E-Commerce Law, which includes provisions on data protection. The law requires e-commerce businesses to take measures to protect the personal data of consumers and establishes penalties for companies that fail to do so. It ensures the reliability and trustworthiness of online business transactions while safeguarding consumer rights and protecting online users from fraud and deception.
In March 2022, a new standalone Personal Data Protection Law (PDPL) came into force to provide additional protection for Saudi citizens’ personal data. The law requires organisations to take steps to protect the personal data of Saudi residents, including obtaining written permission before collecting, using or sharing personal data. Data controllers will be required to register with the Saudi Data & Artificial Intelligence Authority (SDAIA) and pay an annual fee. Failure to adhere to this new law may incur criminal penalties including up to two years’ imprisonment or a fine of up to SAR 3 million. At the time of writing, the PDPL Implementing Regulations are postponed until 17 March 2023, in order to consider the public consultation responses. That said, businesses are aware of the regulations which will be enforced soon, and are therefore urged to implement operational realignment to ensure legal compliance with the law from 2023.
Cloud Computing Regulatory Framework
In 2020, the Saudi government also released a Cloud Computing Regulatory Framework (CCRF), which sets out the requirements for organisations that wish to provide cloud services in the country. Cloud Service Providers (CSPs) are required to register with the Communications and Information Technology Commission (CITC) before they can provide cloud services within Saudi Arabia. In the event of any type of security breach, the CSP must inform the CITC and any affected subscribers of its services, without delay. Additionally, the CSP is not permitted to share or use its subscribers’ data for any purpose, unless express permission is obtained from the subscriber.
As Saudi Arabia’s tech transformation continues, the legal landscape is also evolving to keep pace with these changes. By ensuring that its legal system meets the demands of the modern IT industry, the Saudi government is sending a clear message that it is committed to protecting the privacy and security of its citizens in the digital age. In the coming years, we can expect to see these laws evolve further as the Kingdom looks to stay at the forefront of the global tech landscape.