As part of our coverage of global privacy and data security issues, we thought you would be interested in a brief overview of some of the privacy and data interception laws in Saudi Arabia. This has been compiled with special thanks to Amgad T. Husein and John Balouziyeh in our Riyadh office.
Data related laws in Saudi Arabia originate from the Saudi Arabian Constitution (Basic Law of Governance), which makes mention of privacy as a right that revolves around the dignity of the individual. It guarantees, for example, the privacy of telegraphic and postal communications, as well as the privacy of telephone and other means of communication. It prohibits, among other things, surveillance or eavesdropping of such communications, except in cases provided by law (Art. 40).
Based on this framework, and elaborating on basic Shari’ah (Islamic law) principles that create a tort claim (masouliya taqsiriya) for damages caused by the wrongful disclosure of a person’s private information, Saudi legislation has focused on privacy violations relating to telecommunications and information technology.
For example, the Telecommunications Act, issued under the Council of Ministers Resolution no. 74 (2001), prohibits internet service providers and telecommunications companies from intercepting telephone calls or data carried on the public telecommunications networks (Art. 38.7) and, other than in the course of duty, intentionally disclosing the information or contents of any message intercepted in the course of its transmission (Art. 38.13). The Act imposes fines upwards of SR 5,000,000 (US $1.3 million) for violations of the Act.
In the same vein, the Anti-Cyber Crime Law (2007), enacted by Royal Decree no. M/17, imposes heavy civil and criminal sanctions on the encroachment of personal data privacy, including the interception of data transmitted through an information network without legitimate authorisation and the illegal access of bank data or computers to modify, delete, damage or redistribute private data. Penalties upwards of SR 3,000,000 and four years’ imprisonment may apply (see, e.g., Arts. 3-5).
Saudi Arabia’s data protection and interception laws and implementing regulations are still relatively new and developing. They reflect, however, the growing global recognition of the importance of control over private data in the digital age. Something every organisation possessing such data should be aware of.