Key Data & Cybersecurity Laws
How are data and cybersecurity laws/regulations implemented?

Last review date: 31 December 2024

☒ omnibus — all personal data

The Personal Data Protection Law in the Kingdom of Saudi Arabia, promulgated by Royal Decree No. M/19, dated 09/02/1443H, corresponding to 16 September 2021 ("PDPL"), was published in the Saudi Official Gazette (Umm AlQura) on 24 September 2021. It was developed by the Saudi Data and Artificial Intelligence Authority ("SDAIA"), a regulatory authority established in 2019 with a mandate to progress the national data and AI agenda in Saudi Arabia.

On 4 April 2023, amendments to the PDPL were published in the Kingdom of Saudi Arabia's ("KSA") Official Gazette. The amending decree also confirmed that the PDPL would come into effect 720 days from the date of its original publication in the Official Gazette, i.e. on 14 September 2023.

Controllers were afforded a further 12-month period from the effective date to bring themselves into compliance with the PDPL. Accordingly, the grace period concluded in September 2024 and the PDPL is now fully enforceable against controllers (and processors) in KSA.

The Implementing Regulations of the Personal Data Protection Law ("Implementing Regulations") and the Regulation on the Transfer of Personal Data Outside the Kingdom ("Data Transfer Regulation") were issued on 22/2/1445H (corresponding to 7 September 2023G). The original Data Transfer Regulation was subsequently replaced by a new version published by SDAIA on 1 September 2024.

☒ sector-specific

While the PDPL contains no express exemptions for sector-specific legislation, there are provisions in the Implementing Regulations on health data and credit data that refer to controllers adopting and implementing the requirements and controls established by relevant regulatory authorities, including the Ministry of Health, the Saudi Health Council, the Council of Health Insurance, and the Saudi Central Bank ("SAMA"). Several of these authorities already had sector-specific regulations on data that pre-date the PDPL.

☒ constitutional

According to the Basic Law of Governance, the constitution of Saudi Arabia is the Holy Quran and the Sunna, from which the Shari'ah is derived. As mentioned above, the Shari'ah provides for basic rights of privacy, such as principles against the invasion of privacy and disclosure of secrets. The Basic Law of Governance contains many characteristics of what may be considered a constitution in other countries, and provides that privacy is a right that is related to the dignity of an individual and guarantees the privacy of telegraphic, postal, and other types of communication. It also prohibits surveillance and eavesdropping unless permitted by law.

What are the key data privacy laws and regulations?

Last review date: 31 December 2024

  • Personal Data Protection Law
  • Implementing Regulations to the Personal Data Protection Law
  • Regulation on Personal Data Transfer outside the Kingdom
  • Data Sharing Policy
  • Data Classification Policy
  • Freedom of Information Policy
  • Open Data Policy
  • Data Management and Personal Data Protection Standards
  • Cloud First Policy
  • Islamic Law (Shari'ah)
  • E-Commerce Law
  • Law of Civil Affairs
  • Banking Control Law
  • Banking Consumer Protection Principles
  • Regulations for Consumer Credit
  • Insurance Market Code of Conduct Regulation
  • Insurance Intermediaries Regulation
  • Telecommunications Law and Regulations

What are the key cybersecurity laws and regulations?

Last review date: 31 December 2024

  • Cybersecurity Regulatory Framework for Service Providers in the ICT and Postal Sector (version 1.0) issued June 2020 by the Communications, Space and Technology Commission ("CST")
  • Regulations of Cybersecurity Operations in Communications, and Information Technology Sectors issued 1 August 2022 by CST
  • Essential Cybersecurity Controls (ECC – 2:2024) issued by the National Cybersecurity Authority ("NCA")
  • Cloud Cybersecurity Controls (CCC – 1:2020) issued by NCA
  • Saudi Arabia Cabinet Decision No. 79/1428 on the Approval of the Anti-Cyber Crime Law ("Anti-Cyber Crime Law")

What are the key laws and regulations relating to non-personal data?

Last review date: 31 December 2024

 N/A

Are new or material changes to those key data and cybersecurity laws anticipated in the near future?

Last review date: 31 December 2024

Further development of the PDPL regime is anticipated, including the release of a list of approved jurisdictions for data transfers.

Artificial intelligence is also a focus, with the Kingdom pushing to be an AI hub through Project Transcendence, an initiative targeting global AI leadership with plans to invest up to USD 100 billion in data centers, AI startups, and essential technology infrastructure. SDAIA supported this with the second iteration of its AI Ethics Principles issued in late 2023, two sets of generative AI guidelines (for government and the general public) published in early 2024, and an AI Adoption Framework published in September 2024.

Other sectoral regulators also continue to publish and update regulations that impact data protection and cybersecurity. In particular, the Communications, Space & Technology Commission ("CST") established a cloud computing special economic zone and updated its cloud computing regulations in 2023, consulted on a draft digital content safe harbor law in September 2023, and issued new regulations for data center services and digital platform services in 2024.

On 30 March 2023, Saudi Arabia's Health Sector Transformation Program ("HSTP"), a program established for the Kingdom's Vision 2030 with the aim of ensuring the continued development of healthcare services in Saudi Arabia, launched a public consultation on a new health system project law to address important health regulatory issues (including the handling of health data by private and public stakeholders in the Kingdom).