Kelly Tymburski, Senior Legal Consultant and Principal of SPR Advisors, co-authored this alert.

The Kingdom of Saudi Arabia (KSA or Kingdom) is a sovereign state located in the Middle East between the Red Sea and the Arabian Gulf (sometimes referred to as the Persian Gulf) and is one of the member states of the Gulf Cooperation Council (the GCC), a political and economic alliance formed in 1981 of six Arab states, namely the United Arab Emirates, Qatar, Bahrain, Kuwait, Oman and KSA, which is similar in structure to the European Union. 

With its immense oil and gas reserves, KSA is deemed to be the largest (and arguably the most powerful) economy in the Middle East.  Beginning in 2016, the KSA government has announced a series of development initiatives under its Vision 2030 program, with the goal to diversify its economy and attract foreign investment in numerous fields beyond the Oil and Gas sector. These include a number of major development projects, such as NEOM, a project aimed at developing a number of futuristic cities including the Line, Octagon, Trojena and Sindalah, as well as the Al-Ula Project, which aims to develop and rebrand the Kingdom’s tourism sector. 

The economic shift in KSA and its growing business appetite over the past few years has been noticeable on a global scale. Growth has prompted the Kingdom to modernize its laws across key sectors to remain competitive and align with global market standards and expectations. Among the most notable recent changes have been updates to the KSA’s Telecommunications and Data Protection laws and regulations, with a clear objective to develop and expand its digital economy at a competitive level.  

This Alert provides an overview of these recent legislative and regulatory developments.  

KSA Telecommunications & Information Technology Act  

The Communications, Space, & Technology Commission (CST), previously known until 2022 as the Communications & Information Technology Commission (CITC), is the authority responsible for regulating activities within the telecommunication and information technology sectors in KSA.  

Until recently, the telecommunications sector in KSA was governed by the Telecommunications Law issued by Royal Decree No. (M/12) of 12/03/1422H (3 June 2001) and its By-Laws, which generally prohibited the provision of telecommunications services or operating (or connecting to) a public telecommunications network without first obtaining a license from the CST.  The licensing framework was in flux in recent years, with the CST taking several different approaches and offering a variety of “Class” licenses authorizing specific types of activity.  To date, the number of fixed and mobile service providers in KSA that have been issued with an “Individual” license remains very limited; however, the CST has issued class licenses to various service providers offering IoT, ISP, VoIP, VSAT, SMS and other specialized services.

The new Telecommunication and Information Technology Act, issued by Royal Decree No. M/106 of 02/11/1443H in June 2022, came into effect on 4 December 2022 (the Telecommunications Act), replacing the previous Telecommunications Law.  Implementing regulations for the Telecommunications Act were subsequently issued in November 2022 (the Telecommunications ByLaws).

The express goal of the Telecommunications Act is to promote digital transformation in the Kingdom and enhance the services provided within the ICT sector, particularly in light of recent exponential growth.  At the same time, the new Telecommunications Act and ByLaws continue to require a license or authorization to provide certain communications or technology services in KSA and, in fact, they have effectively widened the scope of the CST’s regulatory jurisdiction to include additional technology and digital services.  Whether these changes advance or hinder these policy goals, therefore, may ultimately depend on the burden created by the CST’s implementation practices.

The most notable changes introduced in the Telecommunications Act include the following: 

  1. ‘Telecommunications’ and ‘Information Technology’ have been given broad definitions to bring a range of new telecommunication and digital services under the scope of the new framework and the CST.  While the stated aim of the regulators in this regard is clear, until further guidance is issued by the regulators, the change is likely to leave many service providers operating or looking to operate in KSA uncertain as to whether they would be obligated to obtain licensing and/or authorization from the CST.  Regulatory counsel experienced with the views of the CST can assist in clarifying these matters or can seek guidance directly from the CST concerning more complex scenarios.  
  2. In addition to service providers requiring a license for the provision of telecommunication services, service providers that use telecommunication networks to provide telecommunication functionalities are now also required to obtain an appropriate license from the CST.
  3. Service providers may now obtain a ‘General Class License’ to provide services captured under the Telecommunications Act, provided they also obtain a separate ‘Service Permit’ for each of the captured services.  Pursuant to the latest version of the Classification Regulations and the General Class License Regulations issued by the CST in 2024, there are currently 11 categories of services for which service providers may be granted permits by CST; however, this list continues to be updated regularly.
  4. The CST Board has now been given the authority to require a license, registration or authorization for the provision of any other services related to the telecommunication or information technology sector, above and beyond the activities which may be captured under the current framework.  This change is likely to perpetuate regulatory uncertainty as the CST has effectively been granted the power to regulate future technologies in unspecified ways as and when they may emerge into the KSA market.  
  5. The Telecommunications Act now includes specific provisions relating to the processing and protection of user information and confidential documents and places an obligation on service providers to abide by applicable KSA laws and regulations in this regard.  These include the data protection regulations and policies issued by CST and the National Cybersecurity Authority, as well as the new KSA Personal Data Protection Law, discussed below. 

KSA Personal Data Protection Law

Data Protection in KSA is currently regulated by the Saudi Authority for Data and Artificial Intelligence (SDAIA) as well as the National Data Management Office (NDMO) which is responsible for assisting SDAIA in establishing data policies and standards and developing the same while monitoring compliance with the applicable laws and regulations.  It is expected that NDMO will ultimately oversee all aspects related to data protection in KSA and will become the sole regulatory authority; however, there is currently no timetable for this transfer of jurisdiction.

Over the past few years, KSA regulators have been in a back-and-forth process of issuing the Personal Data Protection Law (the PDPL).  This was initially issued in 2021 but was heavily criticized, primarily for its restrictive provisions on data transfers, and was subsequently opened to a series of consultations to develop a more workable approach suitable for the current KSA market.  Ultimately, the final draft of the PDPL was issued pursuant to Royal Decree No. (M/148) of 09/02/1443H (27/03/2023G) and came into effect on 14 September 2023.  Companies falling within the scope of the PDPL, however, were granted 12 months (i.e. until 14 September 2024) to comply with the new law.

Subsequently, SDAIA issued the implementing regulations for the PDPL in two parts, (i) the Implementing Regulations of the PDPL, and (ii) the Regulations on Personal Data Transfers outside KSA, which are intended to supplement each other in the interpretation and implementation of the PDPL.  

The primary changes brought about by the PDPL and its implementing regulations include the following: 

  1. The PDPL has extra-territorial effect in that it applies to the processing of any personal data related to individuals residing in KSA, even by entities based outside KSA.  While the regulators may face limited options for assessing penalties on such foreign entities from a jurisdictional standpoint, they may and are likely to take steps to report such entities to their local regulators.  In addition, they may seek to implement sanctions against noncompliant entities or to restrict/block access to their digital platforms and services in KSA.
  2. Notwithstanding the revisions to the PDPL with respect to data transfers, the PDPL continues to include explicit rules and restrictions regarding the transfer of personal data outside of KSA.   Specifically, the PDPL permits such transfers only for specific purposes set out in the Regulations on Personal Data Transfer outside KSA.  Further, even in cases where such transfers are permitted, they are generally limited to countries that are deemed to have appropriate levels of protection as assessed and issued by SDAIA.  Cross-border transfers of data may also be permitted (depending on the classification of the data in question) to countries not deemed to have adequate levels of protection, provided appropriate safeguards are implemented prior to doing so and a transfer risk assessment is conducted by the data controllers.
  3. The PDPL now recognizes ‘legitimate interest’ as a basis for collecting and processing personal data, although legitimate interest cannot be used as a basis for collecting data categorized as ‘sensitive data’ under the PDPL and its implementing regulations.
  4. Certain data controllers, including data controllers that process personal data (including ‘sensitive data’) on a large scale so as to require regular monitoring, are now required to appoint a data protection officer (DPO).  This role may be outsourced to specialist DPO service providers.
  5. In the event of a data breach and subject to the circumstances, the PDPL now imposes requirements to notify both SDAIA and the relevant data subjects according to prescribed timelines.
  6. The PDPL also imposes criminal penalties (including imprisonment for up to 2 years and/or a fine of SAR 3 million (approximately USD 800,000)) in the event of a breach of the PDPL.  Further, SDAIA has been granted authority to issue additional fines of up to SAR 5 million (approximately USD 1.33 million), which may be doubled in the event of repetitive violations, where it deems a violation of the PDPL and its implementing regulations and related decisions and policies has occurred.  

It should be noted that companies operating in KSA and processing, controlling, or storing personal data can be subject to additional restrictions and obligations, subject to the type of regulated activities they practice, pursuant to the data protection laws and regulations issued by other regulatory bodies, such as the National Cybersecurity Authority and CST. 

As is the case in any jurisdiction, an understanding of legislative and regulatory frameworks is crucial to ensure compliance with the applicable laws and regulations and to minimize the risks of penalties and sanctions when operating in a new jurisdiction.  That said, while KSA and other GCC member states have made significant efforts over the past few years to bring their legislative and regulatory frameworks in line with international standards, it is equally important to understand that the interpretation and application of such laws and regulations in practice may differ significantly among these jurisdictions.  As such, it is highly recommended that foreign companies looking to enter or expand their operations in this region seek advice from specialized regulatory counsel in order to understand applicable compliance requirements. 

If you or your client are looking to expand your operations in KSA (or any other member state in the GCC) and would like further advice on the relevant legislative and/or regulatory framework in such jurisdiction(s), please do not hesitate to contact us.  We also expect to issue further periodic updates and overviews to facilitate a better understanding of the region and any significant legislative and regulatory updates.