Saudi Arabia: Implemented Telecommunications and Information Technology Law including data protection regulation

On 7 December 2022, the Telecommunications and Information Technology Law was implemented. The law contains data protection provisions for service providers. Service providers are defined as any "licensee, registrant, or permittee" that provides services relating to telecommunication or IT. This definition includes content platforms as well. User data may not be externally shared unless consent has been requested. Service providers bear the legal responsibility to protect users' data and prevent any unauthorised access. Protocols for data protection need to be drafted and submitted to the Communications and Information Technology Commission (CITC). Documents may be retained for as long as the CITC determines.