Changes to technology and data laws in Saudi Arabia

As digital transformation of businesses and economies moves ahead at speed, the Kingdom of Saudi Arabia has been particularly active with a number of related legislative developments during the first half of 2022. In this article, we highlight some of those initiatives and consider the implications for businesses operating in the Kingdom.

Saudi Personal Data Protection Law implementation delayed

As we reported in a previous update, a new Personal Data Protection Law (PDPL) was issued in September 2021 and scheduled to take effect in March 2022 with an additional grace period of one year for organisations to become fully compliant. A number of the controls, mechanisms and requirements in the PDPL were expected to be clarified in the executive regulations that were also due to be issued before March 2022. Draft regulations were published for consultation in March, but the consultation was subsequently withdrawn and the Saudi Data & Artificial Intelligence Authority (SDAIA) announced that it was postponing full enforcement until 17 March 2023 based on views and responses received from various stakeholders.

Registration of cybersecurity service providers

The National Cybersecurity Authority (NCA) of Saudi Arabia has called on all entities that provide cybersecurity solutions, services or products to register through its website. The stated objectives of the registration are to create a suitable ecosystem to attract and stimulate local and international investments, enhance the level of services provided in the Kingdom, support small to medium-sized enterprises and encourage innovation in the cybersecurity sector.

Optional registrations were accepted from April 2022 and registration will become mandatory from 1 August 2022 for any entities providing cybersecurity solutions, services or products in the Kingdom. Applicants are required to complete a registration request form, which will be reviewed by the NCA (who may request additional information before determining their approval of the application).

Separately, the NCA announced the launch of a new national portal, HASEEN, that will be used by national authorities to enhance their cyber resilience. The platform will include information sharing, compliance management and email authentication tools.

Consultation on new IoT regulation

The Communications & Information Technology Commission (CITC) published an updated Internet of Things (IoT) Regulatory Framework for public consultation with several edits to the existing version that was published in 2020.

Among the changes are slight amendments to the definition of IoT and a new focus on the regulation of devices, connectivity and connectivity service providers. The proposed new Framework takes a more principles-based approach than the current regulations, which focus more on technical specifications. The proposed Framework references out to international standards and encourages both the use of IPv6 and interoperability between IoT devices and platforms.

It is clear that the CITC wishes to retain oversight over this space with potential reporting and registration requirements on IoT market players included in the new Framework. However, the publication of the new regulations for public consultation will allow IoT service providers and other interested stakeholders an opportunity to provide comment on the proposed approach.

Emerging technology regulatory sandbox

In May 2022, CITC launched a regulatory sandbox initiative for emerging technologies with the aim of increasing investments, fostering innovation and encouraging the introduction of new emerging technology products and services into the Saudi markets, as well as maintaining effective consumer protection.

The sandbox targets investors and companies that propose to provide innovative business models, solutions, and services via emerging technologies such as IoT, cloud computing, artificial intelligence, blockchain and robotics. Applications to join the sandbox are open until July 2022 and the CITC has published a number of criteria for acceptance on the programme, including:

• Readiness of an innovative business model, solution or service
• Reliance of the business model, solution or service on emerging technologies
• Demonstration of clear benefits to end customers
• A clear plan for participation and testing of the business model, solution or service
• Plans to commercially launch or scale the business in Saudi Arabia

Companies in the sandbox will benefit from regulatory waivers, guidance and support from CITC’s partner network. The listed exit scenarios for companies that successfully complete the programme could range include a grant of full regulatory approvals, limited approvals or proposals for further testing.

The CITC sandbox is not the first of its type in the Kingdom with the Saudi Central Bank (SAMA) having issued a regulatory sandbox framework for fintech companies in 2019.

Net neutrality consultation

CITC published a public consultation on the regulation of network neutrality as part of its initiatives under the Digital Content Council, which aims to support a thriving digital economy in the Kingdom by protecting consumers, safeguarding competition, ensuring reliable services, fostering digital innovation and promoting transparency.

Net neutrality is the principle that internet service providers should treat all content equally and not charge different rates, intentionally block or slow down certain types of content or traffic. Proponents of the concept argue that net neutrality is essential to ensuring the freedom to exchange information and that a free and open internet encourages competition and innovation.

The draft Network Neutrality Regulations Document would create a regulatory basis for net neutrality for the first time in Saudi Arabia with provisions to protect consumers’ rights to access lawfully permissible content, safeguard local content providers’ non-discriminatory access to the market, promote healthy competition, foster digital innovation and ensure the continuity of the service providers’ control over their operations.

The public consultation is open to all stakeholders – whether local or international – until 24 June 2022.

For more information, please contact Dino Wilkinson.