10 Legal Updates in Saudi Arabia’s Technology and Data Laws
- Legal Development, 19 February 2025
- Middle East
- Technology, Outsourcing and Data
Digital transformation remains integral to Saudi Arabia’s Vision 2030, which seeks to diversify the economy and emphasises the importance of innovation. With 66 of the 99 Vision 2030 goals relating to data and Artificial Intelligence (AI), Saudi Arabia’s legal landscape is being reformed rapidly to align with these objectives and to facilitate investment in technology. This article summarises ten key legal updates in Saudi Arabia’s technology and data space in 2024.
1. The Saudi Personal Data Protection Law (PDPL) became enforceable by the Saudi Data and AI Authority (SDAIA) in September 2024
The PDPL came into effect on 14 September 2023, and organisations were given a one-year grace period, ending 14 September 2024, to align fully with the PDPL and its accompanying regulations. Since that date SDAIA has been able to enforce the PDPL, so organisations that have not yet implemented the necessary measures must act swiftly. This is particularly important because the PDPL applies extraterritorially: non-Saudi organisations are caught if they process the personal data of Saudi residents. Our previous insight article includes more detailed information on the key requirements of the PDPL and its accompanying Regulations. Given the breadth of the PDPL’s application, businesses should map and assess their data flows thoroughly, since non-compliance can attract penalties.
2. The Regulation on Personal Data Transfer Outside the Kingdom (Data Transfer Regulations) were amended for the third time
In September 2024, SDAIA amended the Data Transfer Regulations to streamline cross-border transfer requirements and align them with international standards such as the EU GDPR. When transferring personal data to a country that SDAIA has not deemed to provide an adequate level of data protection, organisations are required to put in place appropriate safeguards in the form of standard contractual clauses (SCCs), binding common rules (BCRs), or certificates of accreditation. At the time of publication, SDAIA had not yet published a list of adequate countries.
3. SDAIA issued its Standard Contractual Clauses and Guidelines for Binding Common Rules
SDAIA issued SCCs in the form of pre-approved contractual terms that bind both the data exporter (the sender) and the data importer (the recipient) to specific privacy and security obligations, ensuring compliance with the PDPL and its Implementing Regulations. The SCCs can be incorporated into a broader agreement or used as a standalone contract.
SDAIA also issued guidelines on implementing BCRs, which are internal policies adopted by multinational organisations to govern cross-border transfers of personal data within their corporate group.
4. SDAIA issued the Generative AI Guidelines for the Government and the Public
SDAIA issued two guidelines for the adoption and use of generative AI systems, with one guideline addressed to government employees and the other to the public. These “soft laws” highlight challenges and considerations for the use of generative AI, introduce principles for responsible use, and present best practices in this context.
5. SDAIA issued the Data Protection Officer (DPO) Rules
SDAIA issued the Rules for Appointing a DPO, which outline the minimum requirements for appointing a DPO, including the criteria, responsibilities, and circumstances when a DPO is required. You can find more information about this here.
6. SDAIA issued the Rules Governing the National Registration of Controllers within the Kingdom
These rules require the following Saudi entities to register with SDAIA: (i) public entities, (ii) controllers whose main activity involves personal data processing, and (iii) controllers processing sensitive personal data that poses a high risk to data subjects’ rights (for example, criminal or genetic data). Registration must be completed and kept up to date in order to access the services of SDAIA’s registration platform, including the filing of statutory data breach notifications.
7. SDAIA issued a suite of guidelines relating to personal data protection
SDAIA proactively issued guidelines setting out the practical implications of key aspects of the PDPL. Among the guidelines issued in 2024 are the Privacy Policy Guideline, the Data Disclosure Guideline, the Destruction, Anonymisation and Pseudonymisation Guideline, the Record of Processing Activities Guideline, and the Data Minimisation Guideline. We summarised the key aspects of these publications here.
8. The National Cybersecurity Authority (NCA) issued the Regulatory Framework for Licensing Managed Security Operations Centre (MSOC) Services
This new framework regulates the provision of services that monitor cybersecurity across a technology ecosystem in order to detect cyber threats, diagnose how they occur, and recommend how to resolve them, and it sets out the obligations and responsibilities of service providers and their employees. Service providers must obtain one of two licence tiers, depending on the clients they target, and their analysts must hold a qualification certificate.
9. The NCA amended the Essential Cybersecurity Controls (ECCs)
The NCA also updated the ECCs in 2024. Key changes include amendments to the scope of the ECCs, the transfer of authority in relation to data localisation, the introduction of new Saudisation requirements, the streamlining of controls, and improved clarity. A summary of these changes and their impact can be viewed here.
10. The Regulations for Providing Digital Content Platform Services became effective and enforceable
The Communications, Space & Technology Commission (CST) published these regulations in October 2023, establishing for the first time a licensing mechanism for digital content platforms. The regulations apply extraterritorially to any digital video, audio, gaming, advertising or other platform that distributes digital content, or provides it, to users in Saudi Arabia. Video over-the-top (OTT) platforms with more than 35,000 subscribers and social media or video-sharing platforms with more than 100,000 subscribers are required to register with CST, although CST has the power to exempt certain trusted digital content platforms.
The regulations came into effect in January 2024, subject to a grace period that ended in October 2024. Now that they are fully in force, organisations falling within their scope should assess whether they require any regulatory licences, registrations or notifications, and take the measures needed to achieve compliance.
Contact us
Given the current transitional period in the Saudi technology and data regulatory landscape, and the impact of these reforms on organisations across many sectors, our technology team is ready to help your organisation navigate these regulations, offering tailored legal support to assess your current practices, implement the necessary measures, and ensure that your operations meet the regulatory requirements.
If you would like further information on how the above reforms impact your business and recommendations on next steps, please contact Lamisse Bajunaid.