Article by Abdulaziz Al Bosaily and Donovan Rinker-Morris

This is the fifth update published by Clyde & Co's Commercial Group relating to data protection and privacy in the Middle East

Data protection and privacy are important considerations for all businesses. Failing to treat personal information in accordance with legislative requirements and best practice can have an adverse effect on a company's reputation, its employees and its customers.

Specific data protection regimes are now in place in many jurisdictions. Awareness of the implications of data protection and privacy issues is increasing around the globe, including in the Middle East, where there have been a number of developments in recent months.

This article provides a brief overview of data protection and privacy in the Kingdom of Saudi Arabia (KSA).

Background

The KSA does not have data protection laws which are comparable with the data protection regimes in place in many other jurisdictions. There are, however, a number of provisions of various different KSA laws which relate to the protection of personal information. Where no specific or relevant data protection provisions are set out in KSA legislation, the KSA courts will apply concepts of Shari'ah or Islamic law.

Shari'ah Law Framework

Broadly speaking, Shari'ah law establishes a framework pursuant to which an individual will be compensated if he or she suffers a loss or harm as a result of the disclosure of his or her personal information by another party. Liability for disclosure will pass to any third party who improperly discloses personal information that he or she has obtained unlawfully. The extent of liability and penalties for breaching Shari'ah principles in relation to the protection of personal information will be determined on a case by case basis. Severe penalties may be imposed by the authorities in the KSA if an individual does not comply with the Shari'ah principles relating to the protection of personal information.

Legislative Provisions

The principle that correspondence and communications should be kept confidential is enshrined in the KSA Basic Law of Governance. This principle is reinforced by the KSA Telecommunications Act, which restricts the disclosure of information or content that is intercepted in the course of its transmission. A fine of up to SAR 5,000,000 (approximately USD 1,300,000) may be imposed in the event of a breach of the KSA Telecommunications Act. Telecommunications and internet service providers in the KSA are also restricted from disclosing subscriber information to third parties, and from allowing private individuals to monitor subscribers' communications.

The KSA Anti-Cyber Crime Law imposes a number of penalties which relate to data protection and privacy, including those set out below:

  • a fine of SAR 500,000 (approximately USD 130,000) and/or up to one year's imprisonment for individuals who interrupt data that is transmitted through an information network, without authorisation;
  • a fine of SAR 2,000,000 (approximately USD 530,000) and/or up to three years' imprisonment for individuals who illegally access bank or credit information or information pertaining to the ownership of securities; and
  • a fine of SAR 3,000,000 (approximately USD 800,000) and/or up to four years' imprisonment for individuals who unlawfully access computers to delete, erase, destroy, leak, damage, alter or redistribute personal information.

Specific laws and regulations in the KSA impose data protection restrictions on certain types of entities, including hospitals, insurance companies, and financial institutions, and set out specific instructions in relation to confidential information. Most government entities in the KSA are also restricted from disclosing personal information that they possess.

Clyde & Co's Commercial Group, operating across the Middle East, advises some of the world's leading companies on their data protection and privacy policies, their compliance with data protection legislation, their approaches to collecting, storing, processing and transferring personal information and what to do when things go wrong.

The authors would like to thank Chris Moxon and Nouf Al-Joaid, for their contributions to this update.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.