Saudi Arabia’s Vision 2030 focuses on digital transformation to boost innovation and diversify the economy. A significant part of this vision involves data and AI, with 66 of its 99 goals centered on these areas. As a result, Saudi Arabia is updating its legal framework to encourage tech investment and ensure compliance. Here, we look at ten important legal developments in Saudi Arabia’s tech and data landscape for 2024.
1. The Saudi Personal Data Protection Law (PDPL) is now enforceable as of September 2024
The PDPL took effect on 14 September 2023, with a one-year grace period giving organizations until 14 September 2024 to comply. Organizations must act quickly to comply with this law and its regulations. Notably, the PDPL applies not just to local firms but also to foreign ones that handle the personal data of Saudi residents. Companies need to examine their data practices carefully, as non-compliance can lead to serious penalties.
2. Data Transfer Regulations updated for the third time
In September 2024, SDAIA amended the Data Transfer Regulations to align them with global standards like the EU’s GDPR. Organizations must now use safeguards such as standard contractual clauses when sending personal data to countries that have not been recognized as providing adequate data protection.
3. New Standard Contractual Clauses and Guidelines issued by SDAIA
SDAIA has introduced pre-approved agreements that create specific privacy and security obligations for data senders and recipients. These clauses can be added to other agreements or used alone. Additionally, guidelines for Binding Common Rules have been released to help multinational companies manage their data transfers.
4. Generative AI Guidelines released by SDAIA
SDAIA published two sets of guidelines about generative AI — one for government employees and another for the public. These guidelines address challenges and best practices, promoting responsible use of generative AI technologies.
5. Data Protection Officer (DPO) Rules issued
The Rules for Appointing a DPO set out the criteria and responsibilities that apply when an organization appoints a DPO. These rules clarify when a DPO is needed to ensure compliance with data protection norms.
6. National Registration of Controllers Rules introduced
SDAIA has set rules requiring certain organizations to register. Public entities and businesses that process sensitive personal data, like health or legal information, must register to access essential services, including filing data breach reports.
7. Helpful guidelines from SDAIA on data protection
SDAIA has released several practical guidelines related to the PDPL. These cover topics like privacy policies, data disclosure, data destruction, and minimization, aimed at helping organizations navigate their responsibilities.
8. New licensing framework for Managed Security Operations Centre (MSOC) services from the National Cybersecurity Authority (NCA)
This framework regulates cybersecurity services, requiring providers to monitor and respond to threats effectively. It outlines licensing obligations based on the type of clients they serve, ensuring quality standards in cybersecurity operations.
9. Essential Cybersecurity Controls (ECCs) updated by the NCA
The NCA revised the ECCs in 2024, covering new data localization requirements, Saudization policies, and clearer guidelines for businesses. These updates aim to strengthen cybersecurity practices across the country.
10. Regulations for Digital Content Platform Services enacted
The Communications, Space & Technology Commission (CST) introduced licensing regulations for digital content platforms in October 2023. These regulations apply to various service providers, including streaming and gaming platforms, requiring larger platforms to register to ensure compliance and maintain a standard in content distribution.