March 10, 2019

Saudi Arabia updates Cloud Computing Regulatory Framework

After introducing its innovative regulatory framework for cloud computing in 2018, Saudi Arabia's Communications and Information Technology Commission (CITC) has issued an update that contains some notable changes for cloud service providers and customers alike.

The updated Framework reduces a number of the obligations on cloud service providers while maintaining strong protection for consumer rights

Background

A second version of the Cloud Computing Regulatory Framework (the Framework) was published on CITC's website on 12 February 2019. It will replace the previous version with effect from 14 March 2019 to govern the provision of cloud-based IT services in the Kingdom of Saudi Arabia (KSA).

Summary of changes

Key changes introduced by the update include:

  • Reduced scope of application: The Framework is only intended to bind cloud service providers (CSPs) who conclude agreements for cloud services with customers resident or having an address in KSA. In the previous version, the Framework was also binding on CSPs owning, operating or offering access to data centres or any other elements of a cloud system located in KSA even where that party did not contract with a Saudi end user.
  • Limited registration requirements: Only CSPs that exercise direct or effective control over data centres or other critical cloud system infrastructure hosted in KSA are now required to register with CITC. Under the original system, CSPs processing 'Level 3' customer content were also required to register (for the purposes of the Framework, 'Level 3' means customer content from regulated industries in the private sector, sensitive content of public authorities or other content for which a customer requested a Level 3 classification).
  • Responsibility for security: Cloud customers are now explicitly responsible for implementing the necessary security features to protect their content. The previous version of the Framework was ambiguous in terms of passing this responsibility to CSPs. The CSP must inform customers upon request of the information security features they offer.
  • Transfers outside KSA: It is now the responsibility of cloud customers (and not CSPs) to ensure that 'Level 3' content is not transferred outside KSA unless permitted by law or regulation and that it is not transferred to a public, community or hybrid cloud other than those operated by registered CSPs.
  • Clarification of CSP's safe harbour defences: There is no obligation on CSPs to monitor their cloud systems for unlawful or infringing content and any official take-down notice will be satisfied for the purposes of the Framework if the content is removed from cloud equipment located in KSA.
  • Customer protection and unfair contract terms: The updated Framework clarifies that the customer protection provisions (including restrictions on excluding liability) extend only to individual consumers. Accordingly, CSPs will have greater scope to negotiate terms with enterprise customers.

Comment

The updated Framework reduces a number of the obligations on CSPs while maintaining strong protection for consumer rights. The lower compliance burden should be beneficial for CSPs operating in KSA with the intention of supporting the country's overall development strategy, which is underpinned by technological innovation and e-services.

Customers or CSPs that have executed contracts for cloud services in KSA during the last 12 months should be reviewing those arrangements to ensure compliance with the new regime.