A close-up of Saudi Arabia’s regulatory approach to data governance, content moderation, competition and more.
This is the eighteenth issue of the “DPA Digital Digest” series based on the Digital Policy Alert database. This series provides concise summaries of each G20 nation’s recent policy changes in data governance, content moderation, competition and further domestic focal points.
Tommaso Giardini, Jamila Issa
04 Aug 2023
Saudi Arabia, the largest economy in the Middle East, strives to diversify its economy from oil exports to become a digital leader through its Vision 2030. Saudi Arabia’s digital economy policy aims to grow the ICT sector by 50 per cent and raise the GDP share of the digital economy, currently estimated at 15.8 per cent. To facilitate digital payments under the Vision, the government has established a FinTech regulatory sandbox and experimented with an international central bank digital currency. The Vision further focuses on gaming and esports, planning investments of over SAR 140 billion (approx. USD 37.3 billion).
But what do Saudi Arabia’s domestic digital policies stand for? The eighteenth DPA Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and Saudi Arabia-specific points of emphasis.
In data governance, Saudi Arabia has adopted its comprehensive data protection law, including rules on data transfers, and established a rigorous cybersecurity regime.
In content moderation, Saudi Arabia has implemented a law regulating audiovisual media content and established a council to support local digital content.
In competition policy, Saudi Arabia has adopted a competition law and enforced it in digital markets, while deliberating competition rules for digital content platforms.
Saudi Arabia’s points of emphasis include electronic commerce, online advertising and telecommunications.
Written by Tommaso Giardini and Jamila Issa. Edited by Johannes Fritz.
Saudi Arabia’s Personal Data Protection Law is expected to come into force in September 2024, following an amendment and postponement. The law covers entities collecting or processing the data of individuals located in Saudi Arabia, including deceased people. Such entities must register, conduct a privacy impact assessment, and obtain data subjects’ consent (with exceptions). Data subjects are granted the rights to information, rectification, access, deletion, and consent withdrawal. The competent authority, currently the Saudi Authority for Data and Artificial Intelligence (SDAIA), enforces the law through binding and non-binding measures, including compliance certification. In July 2023, the SDAIA published the draft implementing regulation, detailing deadlines for complying with data subject requests (30 days) and reporting data breaches (72 hours), conditions for the validity of consent and the requirement to appoint a data protection officer.
Saudi Arabia has installed a cybersecurity regime building on the 2018 Essential Cybersecurity Controls (ECC) of the National Cybersecurity Authority (NCA). The ECC set cybersecurity requirements for private and public organisations based on confidentiality, integrity, and availability. The ECC establish obligations in five cybersecurity domains (governance, defence, resilience, third-party and cloud computing, as well as industrial control systems and devices). In February 2021, the NCA updated the Cloud Cybersecurity Controls under the ECC, which impose cybersecurity requirements for cloud service providers and require operators of critical national infrastructure to only use cloud services of licensed providers. Also in 2021, the NCA adopted the Organisation's Social Media Accounts Cybersecurity Controls under the ECC, imposing cybersecurity requirements regarding the social media accounts of private companies operating sensitive national infrastructure. In 2023, the NCA consulted on the National Policy for Managed Security Operations Centers as well as the Regulatory Framework for Licenses for Managed Cybersecurity Operations Center Services, following a consultation in 2022 on the Regulatory Framework for Licensing Cybersecurity Compliance Assessment Services.
The Cloud Cybersecurity Controls require providers of cloud computing services for government entities and operators of critical national infrastructure to establish systems for storage, processing, and disaster recovery in Saudi Arabia.
The Personal Data Protection Law creates a data transfer regime that shifts away from single transfer approval and instead allows transfers through several mechanisms, if they do not prejudice national security and uphold data subject rights. The currently deliberated regulation on data transfers specifies that transfers are allowed based on a decision by the competent authority establishing that the foreign data protection level is at least equal to Saudi Arabia’s. In the absence of such a decision, transfers are enabled by safeguards, e.g. standard contractual clauses, certification and binding codes of conduct, as well as exceptions, e.g. contractual performance and public interest.
While there has been no enforcement of data protection policy to date, Saudi Arabian authorities have published several pieces of secondary legislation. In 2023, the SDAIA consulted on a draft framework regarding the use of secondary data, outlining the principles of data quality, transparency, ethical data use, purpose and accountability, and anonymity. The SDAIA has also launched the Data and Privacy Regulatory Sandbox for entities to test their products, services, technologies and business models. Previously, the National Data Management Office (NDMO) issued the Data Management and Personal Data Protection Standards, establishing guiding data principles concerning data quality, operations and classification. In 2020, the NDMO issued the National Data Governance Policy, including specifications on the protection of minors' data and on data transfers.
Since 2018, the Audiovisual Media Law requires audiovisual media content to conform to Saudi Arabia’s cultural, social, and legal values. Content must respect Shari'ah principles as well as political leaders and allies. In turn, content shall not contain nudity or vulgar language; promote drugs, tobacco or alcohol; or disrupt public order. Providers of audiovisual content, including over-the-top streaming, video-on-demand and video games, among others, must obtain a licence from the General Commission for Audiovisual Media (GCAM). The implementing regulations provide a detailed account of illegal content and outline enforcement procedures, including investigations by the GCAM and a mechanism for the public to report violations. In addition, the regulations specify requirements for licensees, including retaining and providing data to the GCAM and preferencing Saudi nationals in hiring.
In September 2021, Saudi Arabia established the Digital Content Council to support the domestic digital content market. The support includes investments of SAR 4.2 billion (approx. USD 1.1 billion) and extends to video, audio, video games, and digital advertising content.
There are no public, official sources on single cases of content moderation enforcement in Saudi Arabia. Rather, in April 2023, the GCAM issued a statement mentioning over 4000 violations of the audiovisual media law in 2023. 15% of the violations were detected by public reporting. The GCAM stated that it reacted by issuing warnings, requesting public apologies and retracting licences.
The 2019 Competition Law prohibits a variety of actions by domestic and foreign commercial entities that have an adverse effect on fair competition within Saudi Arabia. To enforce the rules, the law established the General Authority for Competition (GAC) (replacing the Competition Council), an independent regulatory body with powers to impose corrective orders and fines, temporarily suspend operations and initiate criminal proceedings. Regarding unilateral conduct, entities considered to have a dominant position in a market are prohibited from refusing to trade with companies without a specific reason, discriminating between businesses or making the sale of goods/services conditional on excessive obligations. The implementing regulations specified that "dominance in a relevant market" is determined by a market share of over 40 per cent, while other factors considered include ease of market entry, competition and diversity level, economies of scale, user rights and purchasing power. The law further prohibits vertical or horizontal agreements that fix prices, restrict market entry and the free flow of goods, or collude on government bids.
Regarding merger control, the competition law requires GAC approval for transactions that constitute "economic concentration", determined by three criteria: 1) transactions resulting in a change of control over the target entity, 2) transactions by parties with a combined worldwide annual turnover exceeding SAR 100 million (approx. USD 26.7 million), or 3) transactions with a potential “effect in Saudi Arabia”. In April 2023, the GAC amended the turnover threshold to SAR 200 million (approx. USD 53.3 million).
In September 2022, the Communications, Space and Technology Commission (CITC) consulted on competition regulations for digital content platforms, including over-the-top streaming, user-generated content, online advertising, and gaming platforms, among others. Platforms must disclose their revenue as well as the number of business users and monthly active users in Saudi Arabia. The CITC assesses whether a platform has "significant and entrenched market power", considering size, user numbers, entry barriers, fixed costs and economies of scale, among others. Platforms with market power are prohibited from engaging in unfavourable contracts with business users, imposing differing conditions on business users, making services dependent on other services, and favouring their own services.
The GAC has started enforcing unilateral conduct and merger rules. In January 2021, the GAC fined Saudi Telecom Company (STC) SAR 10 million (approx. USD 2.7 million) for abusing its dominant market position. Namely, STC imposed specific obligations on other companies, weakening their position in the market, and refused to do business without justification. In September 2020, the GAC fined Oracle SAR 1 million (approx. USD 270,000) for violating reporting requirements, by withholding information and preventing judicial officers from inspecting records.
Regarding mergers, in December 2021, the GAC issued its first merger blocking, concerning the proposed acquisition of The Chefz by Delivery Hero. The GAC explained that the two food delivery companies failed to submit the required documents. Previously, the GAC approved the Microsoft/Activision Blizzard acquisition in August 2022 and the Uber/Careem acquisition in February 2021.
Regarding customer data protection, the law requires providers to limit the types of processed data and the time frame for storage, both determined by the necessity for the transaction (except with explicit consent). In addition, e-commerce providers must protect customer data, specified by the implementing regulations to include data subjects’ names, addresses, phone numbers, financial details, and images, among others. Finally, providers must notify data breaches to the Ministry of Commerce and the individual within 3 days with a detailed explanation.
Saudi Arabia imposes specific rules on online content. The Audiovisual Media Law (see above) requires advertising providers to obtain a licence, "balance" advertising and non-advertising content and obtain pre-approval for advertisements regarding pharmaceuticals, nutrition or investments. In 2022, the GCAM issued two orders establishing requirements for individuals and non-residents posting advertised content on online platforms to obtain a licence. Platforms can only host advertised content by licensed creators. Licensed creators must follow rules regarding illegal content and age classification, provide data on their posts and delete content flagged by the GCAM. Non-compliance can be punished with fines and imprisonment of up to 5 years.
In addition, advertisements on e-commerce platforms are considered legally binding statements, cannot mislead consumers and must clearly state the name of the product or service and the provider.
In terms of enforcement, in July 2022, the GCAM and the Communications and Information Technology Commission issued a removal order to YouTube concerning advertisements that contradicted Islamic and societal values. In October 2022, the GCAM issued a statement on enforcement regarding online advertisements, stating that 94 unlicensed entities posted advertisements on social media, calling for the public to report violations.
In December 2022, the Telecommunications and Information Technology Law was implemented, establishing a regulatory framework with a focus on licensing and competition. The licensing requirement applies to providers of public telecommunication services and infrastructure that supports such services, as well as providers using the frequency spectrum or offering domestic domain name registration. The Communications and Information Technology Commission (CITC), which issues licences, can further demand applications from private telecommunication service providers, digital content platforms, and firms that make use of relevant technologies. The implementing regulations specify the CITC’s criteria when rejecting licence applications, e.g. behaviours that endanger public security and health.
Regarding competition, the law regulates both unilateral conduct and mergers. Dominant providers, with a market share above 40 per cent, cannot abuse their dominance. The implementing regulations specify obligations, e.g. to grant interconnection and access on "fair terms". Regarding mergers, the law requires mergers or acquisitions of over 5 per cent of shares of covered providers to be notified to the CITC. The implementing regulations specify the merger approval procedure, which requires information sharing, can last up to 90 days and can end in approval, conditional approval, extended review or rejection.
The law covers several other policy areas. Regarding content moderation, the CITC can restrict specific online services and block online content. Regarding data protection, providers must prevent unauthorised access, retain data and cannot externally share customer data without consent. Regarding consumer protection, providers must treat users fairly and without discrimination, establish complaint channels, and implement protocols for the handling of service deficiencies.