DLA Piper Intelligence

Data Protection
Laws of the World

Law

Saudi Arabia
Saudi Arabia

Shari'a principles (that is, Islamic principles derived from the Holy Quran and the Sunnah, the latter being the witnesses' sayings of the Prophet Mohammed), which although not codified, are the primary source of law in the KSA. In addition to Shari'a principles, the law in the KSA consists of secular regulations passed by government, which is secondary if it conflicts with Shari'a principles.

At this time, there is no specific data protection legislation in place in the KSA (although we understand that a new freedom of information and protection of private data law is under review by the Shura Council). Shari'a principles generally protect the privacy and personal data of individuals.

That said, there are certain secular regulations passed by government, which although not dedicated as a whole to data privacy/protection, contain specific provisions governing the right to privacy and data protection in certain contexts. Examples of such regulations include:

  • the Basic Law of Governance (no: A/90 dated 27th Sha'ban 1412 H (corresponding to 1 March 1992)), which provides that telegraphic, postal, telephone and other means of communications shall be safeguarded. They cannot be confiscated, delayed, read or breached

  • the Anti-Cyber Crime Law (8 Rabi 1, 1428 (corresponding to 26 March 2007)) (as amended), which generally prohibits, amongst other things, the interception of data transmitted through an information network, the invasion of privacy through the misuse of camera-equipped mobile phones and the like, illegally accessing bank or credit data of another, unlawful access to computers for the purpose of deleting, destroying, altering or redistributing private data, or the production, preparation, transmission or storage of material impinging on public order, religious values, public morals, and privacy, through an information network or computers;

  • the Telecoms Act (approved pursuant to the Royal Decree No. (M/12) dated 12/03/1422H (corresponding to 3 June 2001), which states that the privacy and confidentiality of telephone calls and information transmitted or received through public telecommunications networks shall be maintained, and disclosure, listening or recording the same is generally prohibited

  • the Regulations for the Protection of Confidential Commercial Information (issued by Minister of Commerce and Industry Decision No. (3218) dated 25/03/1426H (corresponding to 4 May 2005), and as amended), which governs the protection of data considered to be "commercial secrets" under these regulations.

There may also be specific regulations applicable to certain industries, for example, in banking, the Saudi Arabian Monetary Agency imposes a general duty of confidentiality on banks, and requires banks to provide a safe and confidential environment to ensure confidentiality and privacy of customer data. Similarly, in the healthcare sector, confidentiality requirements will apply in terms of protecting medical data of patients.

In the absence of specific regulations which apply, the courts will apply Shari'a principles, which in essence provide that an individual has a right to be compensated for losses/harm suffered as a result of the disclosure of his/her personal information and/or breach of privacy by another party. A KSA court may also, in its absolute discretion, impose other penalties on a case by case basis (for example, imprisonment and/or fines).

Last modified 26 Jan 2017
Law
Saudi Arabia

Shari'a principles (that is, Islamic principles derived from the Holy Quran and the Sunnah, the latter being the witnesses' sayings of the Prophet Mohammed), which although not codified, are the primary source of law in the KSA. In addition to Shari'a principles, the law in the KSA consists of secular regulations passed by government, which is secondary if it conflicts with Shari'a principles.

At this time, there is no specific data protection legislation in place in the KSA (although we understand that a new freedom of information and protection of private data law is under review by the Shura Council). Shari'a principles generally protect the privacy and personal data of individuals.

That said, there are certain secular regulations passed by government, which although not dedicated as a whole to data privacy/protection, contain specific provisions governing the right to privacy and data protection in certain contexts. Examples of such regulations include:

  • the Basic Law of Governance (no: A/90 dated 27th Sha'ban 1412 H (corresponding to 1 March 1992)), which provides that telegraphic, postal, telephone and other means of communications shall be safeguarded. They cannot be confiscated, delayed, read or breached

  • the Anti-Cyber Crime Law (8 Rabi 1, 1428 (corresponding to 26 March 2007)) (as amended), which generally prohibits, amongst other things, the interception of data transmitted through an information network, the invasion of privacy through the misuse of camera-equipped mobile phones and the like, illegally accessing bank or credit data of another, unlawful access to computers for the purpose of deleting, destroying, altering or redistributing private data, or the production, preparation, transmission or storage of material impinging on public order, religious values, public morals, and privacy, through an information network or computers;

  • the Telecoms Act (approved pursuant to the Royal Decree No. (M/12) dated 12/03/1422H (corresponding to 3 June 2001), which states that the privacy and confidentiality of telephone calls and information transmitted or received through public telecommunications networks shall be maintained, and disclosure, listening or recording the same is generally prohibited

  • the Regulations for the Protection of Confidential Commercial Information (issued by Minister of Commerce and Industry Decision No. (3218) dated 25/03/1426H (corresponding to 4 May 2005), and as amended), which governs the protection of data considered to be "commercial secrets" under these regulations.

There may also be specific regulations applicable to certain industries, for example, in banking, the Saudi Arabian Monetary Agency imposes a general duty of confidentiality on banks, and requires banks to provide a safe and confidential environment to ensure confidentiality and privacy of customer data. Similarly, in the healthcare sector, confidentiality requirements will apply in terms of protecting medical data of patients.

In the absence of specific regulations which apply, the courts will apply Shari'a principles, which in essence provide that an individual has a right to be compensated for losses/harm suffered as a result of the disclosure of his/her personal information and/or breach of privacy by another party. A KSA court may also, in its absolute discretion, impose other penalties on a case by case basis (for example, imprisonment and/or fines).

Last modified 26 Jan 2017
Definitions

Definition of personal data

In the absence of specific data protection legislation, there is no definition of "personal data".

Definition of sensitive personal data

In the absence of specific data protection legislation, there is no definition of "sensitive personal data".

Last modified 26 Jan 2017
Authority

There is no national data protection authority in the KSA. In respect of telecommunications services, the Communications and Information Technology Commission ('CITC') is responsible for overseeing the relevant telecoms laws and policies. The Saudi Arabian Monetary Agency is responsible for, amongst other things, overseeing commercial banks in the KSA.

Last modified 26 Jan 2017
Registration

In the absence of a national data protection authority, there are no data protection registration requirements in the KSA.

Last modified 26 Jan 2017
Data Protection Officers

There is no requirement in the KSA for organisations to appoint a data protection officer.

Last modified 26 Jan 2017
Collection & Processing

There is no concept of "data controller" or "data processor" in the KSA. To ensure compliance with Shari'a, it is advisable to obtain data subjects' consent before processing their data.

Last modified 26 Jan 2017
Transfer

There are generally no specific data protection regulations regarding transfer of data outside of the KSA, although in certain sectors, the approval of a regulatory authority may be required. We do generally recommend that consent is sought from data subjects for any processing or transfer of personal data outside of the KSA.

Last modified 26 Jan 2017
Security

There are no specific security measures that must adopted and implemented by commercial organisations, although as a matter of best practice and to avoid unauthorised processing, disclosure, loss or theft of personal data (and therefore potential liability under Shari'a), it is recommended that appropriate measures (technical and organisational) are put in place to protect the personal data held.

Last modified 26 Jan 2017
Breach Notification

There are no data protection regulations imposing a mandatory requirement to report data security breaches.

Last modified 26 Jan 2017
Enforcement

At this time, there is no clear designated authority responsible for the enforcement of data protection and privacy equivalent to, say, the Information Commissioner in the United Kingdom. That said, specific authorities are tasked with enforcing breaches of other legislation that is in place (for examples of such legislation, please see the section above entitled 'LAW'). For example, under the Anti-Cyber Crime Law (as amended), the Bureau of Investigation and Public Prosecution is tasked with carrying out investigations, with the CITC providing any technical support required, and the matter potentially being referred to the courts.

Last modified 26 Jan 2017
Electronic Marketing

Electronic marketing is regulated by Spam Regulations issued by the CITC, which require, amongst other things, opt-in consent from the date subject to receive electronic messages.

Last modified 26 Jan 2017
Online Privacy

There is no specific legislation in the KSA that expressly regulates the use of cookies. We generally recommend that the use of cookies should be carefully and fully disclosed in a website privacy policy (which should be compliant with KSA law).

Last modified 26 Jan 2017
Contacts
Mohamed Moussallati
Mohamed Moussallati
Legal Consultant
T +966 11 201 8900
Last modified 26 Jan 2017