Cyber security and data privacy law in Saudi Arabia
April 2015 | EXPERT BRIEFING | RISK MANAGEMENT
In the age of cloud computing which, according to some experts, has reached a level of maturity making it ripe for full commercial exploitation, it will come as a surprise to many that there is currently no specific data protection legislation in Saudi Arabia. While the major Cloud technology developers including Microsoft and Google continue to invest billions a year in Cloud R&D, foreign companies operating in Saudi Arabia are still grappling with legal issues to make use of this technology due to the legal vacuum.
The absence of specific provisions on data protection leave Saudi Arabian courts and adjudicatory bodies with considerable discretion to deal with data privacy violation claims under general Sharia principles. Sharia, a collection of general principles derived primarily from the Holy Qur’an and Sunnah (the witnessed sayings and actions of the Prophet Muhammad) which form the basis of the legal system in Saudi Arabia, are often expressed in general terms. In addition, the absence of a central place where adjudicator bodies’ decisions are consistently indexed and collected and made publicly available and the lack of binding precedent system only make the situation more complex.
Provisions relating to the sanctity and safety of individuals’ personal data are spread out over a number of legislative instruments. For instance, The Basic Law of Governance (commonly referred to as the Constitution of Saudi Arabia) broadly protects the privacy of individuals by stating that “Property, capital, and labour are basic constituents of the economic and social structure of the kingdom. They are private rights which fulfil a social function in accordance with Islamic Sharia”. The Anti-Cyber Crime Law of 2007 prohibits the interception of data transmitted on an information network and the Telecommunications Act of 2001 outlines sanctions for breaches of privacy in the telecommunications sector. Principles, issued by the Saudi Arabian Monetary Agency, for Financial Consumer Protection provide that consumers financial and personal information should be protected through appropriate control and protection mechanisms by financial institutions.
The recently published ‘Draft Law of E-Commerce System’ by the Ministry of Commerce and Industry in Saudi Arabia also requires a vendor to keep the personal information of the buyer, and any records of electronic communications with the client, safe whether the same are under its own custody or control, or transferred to the vendors’ agents or employees. The draft law also makes the vendor responsible for recordkeeping and requires it to take reasonable steps to ensure that such data is protected in an appropriate manner.
The term ‘personal data’ is not defined in any law or regulation. Similarly, there are no formal notification or registration requirements before the processing of data. A ‘data controller’ is not defined in any law or regulation in Saudi Arabia. The Electronic Transactions Law merely imposes certain obligations on an ISP stating that the ISP and its staff must maintain confidentiality of information obtained in the course of business.
Although Sharia law is supplemented by regulations issued by royal decrees covering modern issues such as intellectual property, corporate law and cyber law, the absence of specific data protection legislation is perplexing.
The absence of a National Data Protector means that personal data security breaches are not notified to any individual or entity in Saudi Arabia. Problems arise when a company opts for data processing by third parties. Due to the absence of a defined ‘data controller’ the company processing such data needs to comply with Sharia law, which is often couched in vague and general terms. In addition, the company providing such data continues to remain liable for the confidentiality of such data.
There is no regulation currently dealing with the transfer of data outside Saudi Arabia, though approval of the relevant regulatory authority in specific sectors might be required in areas such as the health sector.
Data transfer agreements are not governed by any laws or regulations. No standard form or precedent data transfer agreements have been approved by the national authorities or Saudi courts. However, in view of applicable Sharia principles and anticipating the enactment of a proposed data protection law in the future, employers in Saudi Arabia often include provisions in employment contracts to record employees’ consent to the use or disclosure of their data to third parties to the extent that such disclosures are required or anticipated.
The Anti-Cybercrime Law was issued through a Royal Decree in Saudi Arabia in 2007. The law aims at combating cyber crimes by identifying such crimes and determining their punishments to ensure information security, protection of rights pertaining to the legitimate use of computers and information networks, protection of public interest, morals and protection of the national economy.
Cyber crime is severely punished by the Saudi Ministry of Interior and the Communications and Information Technology Commission and penalties are imposed for identity theft, defamation, electronic piracy, email theft and other unlawful activities.
However, such punishments have had little impact on online attackers – those cyber criminals that are determined to break into computers, steal information and interfere with businesses, are generally considered to be more technologically advanced than those trying to stop them. A recent annual survey found that approximately 45 percent of IT professionals in the GCC admit that their organisations had at least one IT security incident that they were aware of in the last 12 months.
The Saudi authorities are currently reviewing the Anti-Cybercrime Law to bring social networking sites such as Twitter into the punishment regime for allowing accounts which promote adultery, homosexuality and atheism. The authorities believe that organised bodies are behind targeted attacks against Saudis promoting atheism, something which is taken very seriously in Saudi Arabia.
There are many weaknesses in traditional cyber security models, but there are also new and improved solutions entering the market. Cyber security risks are also potentially increasing with social media becoming more available within companies.
Who will be the ultimate winner in this struggle, only time will tell.
Muhammad Arif Saeed is a partner and head of the Corporate and Commercial Practice, and Muhammad Anum Saleem is a senior associate, at Eversheds (in association with Dhabaan & Partners). Mr Saeed can be contacted on +966 50 241 1166 or by email: email@example.com. Mr Saleem can be contacted on +966 50 993 6655 or by email: firstname.lastname@example.org.
© Financier Worldwide
Muhammad Arif Saeed and Muhammad Anum Saleem
Eversheds (in association with Dhabaan & Partners)