CMS Expert Guide: Data Law Navigator

Data protection

1. Local data protection laws and scope

The Personal Data (Privacy) Ordinance (Cap. 486) (the "PDPO") is a comprehensive set of laws that is technology-neutral and provides a set of Data Protection Principles outlining how data users should collect, handle and use personal data.

There is no law dedicated to data protection. However, an interim regulation was issued recently with respect to personal data protection. In addition, certain general laws, sector-specific laws and other mandatory documents address data protection.

Cybersecurity Law

The Anti-Cybercrimes Law of 2017 (the “Cybersecurity Law”) is a general law that applies across the board and addresses data protection in the context of cybercrimes.

National Data Regulations

The National Data Governance Interim Regulations of 2020 (the “National Data Regulations”), issued by the National Data Management Office, deal mainly with government-related data. Part 5 of the National Data Regulations, however, deals with personal data protection and is stated to apply to all entities in KSA that process personal data in whole or in part, as well as to all entities outside KSA that process personal data relating to individuals residing in KSA. The legal status of the National Data Regulations remains slightly unclear at the time of writing, and it is not clear whether they are being actively enforced. No sanctions for breach are specified, which is unusual for a law that is intended to be enforced. Clearly the potential scope of Part 5 is very extensive and, on the face of it, would catch numerous businesses with no local presence in the Kingdom, such as cloud service providers. Businesses should remain on the lookout for updates.

Telecommunication and Internet of Things

The Implementing Regulations of the Telecom Law of 2002.

The General Principle for Personal Data Protection of 2020 (the “Telecom Data Protection Principles”) covers data protection in the telecommunications, information technology and postal sectors.

The Process of Launching Services or Products Based on Users’ Personal Data, or Sharing Personal Data of 2020 covers the launching of products in the telecommunications, information technology and postal sectors based on customers’ personal data.

The telecommunications regulator, the Communications & Information Technology Commission (the “CITC”), has also published an IoT Regulatory Framework (the “IoT RF”) regulating the provision of internet-of-things services in the Kingdom. The IoT RF is issued pursuant to the Telecommunications Law.

Cloud services

The Cloud Computing Regulatory Framework (the “Cloud Framework”) covers data protection of customers of cloud service providers.

Ecommerce

The Ecommerce Law of 2019 and its Implementing Regulations of 2020 cover data protection of customers in the ecommerce business.

Medical

The Medical Practitioners’ Law of 2005 also deals with the safeguarding of information obtained during medical practice, which would include patients’ personal data.

2. Data protection authority

The Office of the Privacy Commissioner for Personal Data (www.pcpd.org.hk)

3. Anticipated changes to local laws

The Ordinance has not been substantively amended since 2012 and is due for amendment.

The Constitutional and Mainland Affairs Bureau released LC Paper No. CB(2)512/19-20(03), a discussion paper seeking the views of the Legislative Council’s Panel on Constitutional Affairs (the “Panel”) on proposed changes to the Personal Data (Privacy) Ordinance (Cap. 486). The proposed changes follow proposals by the Privacy Commissioner for Personal Data and include six amendments:

  • inclusion of a mandatory data breach notification mechanism;
  • a requirement for a retention policy and a specified data retention period;
  • provision of sanctioning powers to the PCPD to impose administrative fines and the raising of relevant criminal fine levels;
  • regulation of data processors;
  • amending the definition of personal data to cover information relating to an "identifiable" natural person; and
  • regulation of the disclosure of personal data of other data subjects to curb doxing.

Being a new regulation, it is not yet clear how the National Data Governance Interim Regulations will be implemented.

4. Sanctions & non-compliance

Administrative sanctions:

N/A

Criminal sanctions:

A summary of various offences and penalties under the Ordinance can be found at: https://www.pcpd.org.hk/misc/files/table2_e.pdf

Others:

N/A

Administrative sanctions:

Cybersecurity Law

The Cybersecurity Law imposes a penalty of up to SAR 3m (USD 800,000) for the offence of unauthorised access to private data in order to, amongst other things, destroy, leak or redistribute it.

Telecommunication and Cloud Services

CITC may impose a fine of up to SAR 25m (USD 6.666m).

Internet of Things

No specific sanctions are set out in the IoT RF but as it is issued pursuant to powers and duties under the Telecommunications Law, the CITC may treat breach of the IoT RF as a breach of the Telecommunications Law.

Ecommerce

The Ecommerce Law imposes a penalty of up to SAR 1m (USD 266,630). Also, the ecommerce business may be suspended or closed, and the internet shop may be blocked, partially or completely, temporarily or permanently.

Criminal sanctions:

Cybersecurity Law

The Cybersecurity Law provides for imprisonment of up to four years for the offence of unauthorised access to private data in order to, amongst other things, destroy, leak or redistribute it.

Others:

A data subject may also make a claim to the courts for damages.

5. Registration / notification / authorisation

There is no requirement for notification, registration or authorisation for the processing of personal data (i.e. there is no mechanism similar to the UK’s notification to process personal data, see www.gov.uk).

There are no registration requirements for the processing of personal data. However, any sector-specific approvals, licences or registrations will apply to carrying out the respective economic activities in that sector.

6. Main obligations and processing requirements

Data users shall comply with the six principles set out in Schedule 1 to the Ordinance:

  • personal data shall only be collected for a lawful purpose directly related to a function or activity of the data user. The data collected should be necessary and adequate, but not excessive, for such purpose. The means of collection should be lawful and fair;
  • data users are required to take all practicable steps to ensure that personal data is accurate and is not kept longer than is necessary for the fulfilment of the purpose for which the data is used. If data users engage a data processor to handle the personal data of other persons, data users should adopt contractual or other means to ensure that the data processor complies with the retention requirement mentioned above;
  • data users shall not use personal data for any new purpose which is not, or is unrelated to, the original purpose for which the data was collected, unless with the data subject’s express and voluntary consent;
  • data users shall take all practicable steps to protect the personal data they hold against unauthorised or accidental access, processing, erasure, loss or use;
  • data users are required to take all practicable steps to ensure openness of their personal data policies and practices, the kind of personal data held and the main purposes for holding it; and
  • data users shall provide data subjects with the right to request access to, and correction of, their own personal data.

Cybersecurity Law

Unauthorised access to private data is prohibited. Accordingly, the consent of the individual to whom the personal data belongs should be sought before collection or processing.

National Data Regulations

The National Data Regulations set out principles for dealing with personal data, which include: the purpose of collecting personal data should be known; the data subject’s consent should be sought for collection and processing; collection of personal data shall be limited to what is necessary for the purpose; personal data should be used for the agreed purpose only; and data shall be protected against breach.

Telecommunication

The Implementing Regulations of the Telecom Law of 2002 require service providers to protect the personal information of their customers. Further, the Telecom Data Protection Principles require service providers to comply with the following principles:

  • process customers’ personal data in a lawful and transparent manner;
  • process customers’ personal data for specified and clear purposes;
  • collect customers’ personal data that is necessary for the purposes of the processing;
  • not keep customers’ personal data in a form that allows identification of the customer for longer than the period necessary to achieve the purposes of processing;
  • secure customers’ personal data to ensure its privacy and prevent unauthorised access, breach, tampering or misuse.

Internet of Things

The IoT RF contains some basic provisions requiring equipment to comply with mandated standards and for the IoT system to be capable of allowing interrogation of data processed over it for not less than 12 months after the date of creation.

Cloud Services

The Cloud Framework prohibits cloud service providers from (i) providing any subscriber content or subscriber data to any third party; and (ii) processing or using subscriber content or subscriber data for purposes other than those permitted by the cloud subscriber, except where (a) the same is required under KSA laws; or (b) the subscriber’s data is of a non-governmental nature and is not received from any government entity, and the relevant cloud customer has given their express prior consent (whether in an opt-in or opt-out form).

The provisions of the Telecom Data Protection Principles will apply to cloud service providers in addition to the Cloud Framework.

Ecommerce

The Ecommerce Law requires a service provider to only retain a customer's personal data or electronic communications for the period required by the nature of the electronic transaction, unless a different period is agreed upon.

A service provider is responsible for protecting customers’ electronic communications or personal data in its possession or in the possession of the entities or agents that it deals with, and is prohibited from using customers’ personal data or electronic communications for unauthorised or impermissible purposes and from disclosing the same to third parties, whether for consideration or not, unless the consumer consents to such disclosure or the same is required by law.

Financial

Financial institutions licensed by the Saudi Central Bank are required to protect their customers’ personal data.

Medical

Medical practitioners are prohibited from disclosing any personal data of their patients without the prior consent of their patients.

7. Data subject rights

Data subjects are given the right to access and correct their personal data.

National Data Regulations

The National Data Regulations prohibit the collection, processing or sharing of personal data with third parties without the consent of data subjects. Customers may withdraw such consent at any time unless otherwise required by law.

Telecommunication

The Telecom Data Protection Principles prohibit collecting and processing, or sharing with third parties, customers’ personal data without their explicit consent. Customers may withdraw such consent at any time except as otherwise required by law.

Customers should also be able to view, or be given access to, the privacy policy before their personal data is processed.

Customers should also be able to access, correct (amend) and obtain their personal data being processed by the service providers.

Cloud Services

Cloud service providers are required to grant subscribers the right and technical capability to access, verify, correct or delete their subscriber data in a manner that does not contradict the instructions of the National Data Management Office.

8. Processing by third parties

There is no direct regulation of data processors. However, data users are required to adopt contractual means to ensure that data processors or sub-contractors adopt measures to ensure the safety of personal data.

It is advisable to seek the consent of the data subject before processing their data. Further, the Ecommerce Law and the Telecom Data Protection Principles provide that the entity collecting data from customers will be responsible for the protection of that data, even if it is processed by third parties.

9. Transfers out of country

A data user shall not transfer personal data outside Hong Kong unless one of the following conditions is met:

  • the place is specified by the Commissioner, by notice in the Gazette, as one in which there is in force any law which is substantially similar to, or serves the same purposes as, the Ordinance (to date, no place has been so specified);
  • the data user has reasonable grounds for believing that there is in force in that place any law which is substantially similar to, or serves the same purposes as, the Ordinance;
  • the data subject has consented in writing to the transfer;
  • the data user has reasonable grounds for believing that the transfer is for the avoidance or mitigation of adverse action against the data subject, that it is not practicable to obtain the written consent of the data subject to the transfer, and that, if it were practicable, such consent would be given;
  • the data is exempt from Data Protection Principle 3 by virtue of an exemption under Part VIII of the Ordinance (such as personal data held for news activities, for domestic use or for the prevention of crime); or
  • the data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in that place, be collected, held, processed or used in any manner which, if that place were Hong Kong, would be a contravention of a requirement under the Ordinance. Note that the use of the recommended model data transfer clauses to develop an enforceable data transfer contract is one method by which data users can satisfy this due diligence requirement.

National Data Regulations

The National Data Regulations require that the prior written consent of the relevant regulatory authority is sought before transferring personal data out of KSA.

Telecommunication

The Telecom Data Protection Principles require that service providers process customers’ personal data within KSA, and prohibit them from processing customers’ personal data outside KSA.

Internet of Things

All servers, devices and network components used in providing an IoT service and all data relating to the service must be located within the Kingdom.

Cloud Services

The Cloud Framework also prohibits the transfer of government-related data out of KSA.

Financial

The Saudi Central Bank prohibits the transfer of customers’ data out of KSA.

10. Data Protection Officer

N/A

National Data Regulations

The National Data Regulations require that a data controller establish an organisational unit entrusted with personal data protection matters.

Telecommunication

The Telecom Data Protection Principles require that service providers assign the role and responsibilities of customers’ personal data protection to an independent function.

11. Security

There is no mandatory requirement. However, a data subject must be informed of the name or job title, and the address, of the individual who is to handle any data access or correction request made to the data user.

National Data Regulations

The National Data Regulations require the use of appropriate security measures.

The National Cybersecurity Authority (the “NCA”) has also issued mandatory controls (documents) that address security measures in the context of cybersecurity.

Financial

The Saudi Central Bank’s Cybersecurity Framework of 2017 sets out the security measures that need to be taken in the context of cybersecurity.

12. Breach notification

There is no mandatory requirement, but a data breach may amount to a contravention of Data Protection Principle 4(1) in Schedule 1 to the Ordinance.

The following action plan is recommended as practice to be adopted by data users:

  • immediately gather essential information relating to the breach;
  • contact the interested parties and adopt measures to contain the breach;
  • assess the risk of harm; and
  • consider giving data breach notification: notify the affected data subjects, the relevant parties, the law enforcement agencies, the Commissioner, relevant regulators and such other parties who may be able to take remedial action as soon as practicable after the detection of the data breach. For notifying the Commissioner, a “Data Breach Notification Form” can be used.

National Data Regulations

The National Data Regulations require notification of the relevant regulatory authority and the National Data Management Office (NDMO) in the event of a severe data breach.

Telecommunication

The Telecom Data Protection Principles require that service providers notify the CITC immediately when a breach of customers’ personal data occurs.

Ecommerce

The Implementing Regulations of the Ecommerce Law require notifying the Ministry of Commerce in the event of a breach of customers’ personal data.

Financial

The Saudi Central Bank should be notified in the event of a data breach.

13. Direct marketing

The data user must:

  • inform the data subject (i) that the data user intends to so use the personal data; and (ii) that the data user may not so use the data unless the data user has received the data subject’s consent to the intended use – this “consent” needs to be “an indication of no objection to the use or provision” and hence, silence or lack of response will not be deemed to be consent;
  • provide the data subject with the following information in relation to the intended use (i) the kinds of personal data to be used; and (ii) the classes of marketing subjects in relation to which the data is to be used –  the description of such classes should be specific, making reference to the distinctive features of the goods, facilities or services so that it is practicable for the customers to ascertain the goods, facilities or services to be marketed with a reasonable degree of certainty; and
  • provide the data subject with a channel through which the data subject may, without charge by the data user, communicate the data subject’s consent to the intended use – a data user can only elect a response channel that enables the data subject’s consent to be made in writing.

There is no general legislation in relation to direct marketing in KSA, although the Ecommerce Law appears to require ecommerce store operators to obtain express consent in order to carry out direct marketing to their customers.

14. Cookies and adtech

There are no specific requirements in relation to the use of cookies.

However, the use of cookies to collect personal data needs to be in compliance with Data Protection Principle 1(3) in Schedule 1 to the Ordinance that requires: 

  • the data subject is explicitly or implicitly informed, on or before collecting the data, of (i) whether it is obligatory or voluntary for him or her to supply the data; and (ii) where it is obligatory for him or her to supply the data, the consequences for him or her of failing to supply the data; and
  • he or she is explicitly informed: (i) on or before collecting the data, of (A) the purpose (in general or specific terms) for which the data is to be used; and (B) the classes of persons to whom the data may be transferred; and (ii) on or before the first use of the data for the purpose for which it was collected, of (A) his or her rights to request access to, and to request the correction of, the data; and (B) the name or job title, and the address, of the individual who is to handle any such request made to the data user.

There is no specific legislation in relation to cookies in KSA.

15. Risk scale

Moderate

Severe

Cybersecurity

1. Local cybersecurity laws and scope

The most significant laws that cover cybersecurity matters include provisions under:

  • the Crimes Ordinance (Cap. 200): (1) s.161, access to computer with criminal or dishonest intent; and (2) s.60, destroying or damaging property;
  • s.27A (unauthorised access to computer by telecommunications) of the Telecommunications Ordinance (Cap. 106);
  • the Control of Obscene and Indecent Articles Ordinance (Cap. 390);
  • the Prevention of Child Pornography Ordinance (Cap. 579); and
  • the Unsolicited Electronic Messages Ordinance (Cap. 593).

Cybersecurity

The Anti-cybercrimes Law of 2007 (the “Cybersecurity Law”) is a general law that addresses cybersecurity.

The National Cybersecurity Authority (the “NCA”) issued certain guidelines and mandatory documents to regulate cybersecurity. These mandatory documents include (i) Essential Cybersecurity Controls of 2018 (the “ECC”); (ii) Cloud Cybersecurity Controls of 2020; (iii) Critical Systems Cybersecurity Controls of 2019; and (iv) Remote Work Cybersecurity Controls (English version not available).

There are also other sector-specific laws and other mandatory documents that address cybersecurity.

Telecommunication

The CITC issued the Cybersecurity Regulatory Framework in June 2020 to address cybersecurity risks in the information and communications technology and the postal sector.

Ecommerce

The NCA issued the Cybersecurity Guidelines for ECommerce Service Providers of 2019 (“CGESP”) and the Cybersecurity Guidelines for ECommerce Consumers of 2019 (“CGEC”) to address cybersecurity in ecommerce activities.

Financial

The Saudi Central Bank (formerly the Saudi Arabian Monetary Authority) issued the Cybersecurity Framework of 2017 (the “Cybersecurity Framework”) to regulate cybersecurity in the financial institutions regulated by the Saudi Central Bank. These financial institutions include banks, insurance and reinsurance companies, financing companies, and credit bureaus.

2. Anticipated changes to local laws

There are no anticipated changes to local laws, although there has been increasing pressure to introduce laws against doxing.

There are no anticipated changes to local laws.

3. Application 

These Ordinances mainly criminalise conduct involving unauthorised access to computers and the dissemination of obscene articles, child pornography and unsolicited electronic messages.

Cybersecurity

While the Cybersecurity Law applies across the board and penalises cybercrimes, the NCA’s mandatory documents referred to above apply to government organisations in the KSA, including ministries, authorities and establishments, government-owned companies and entities, and private sector organisations owning, operating or hosting Critical National Infrastructures (“CNIs”). The NCA defines CNIs as assets, such as facilities, systems, networks, processes, and the key operators that operate and process them, whose loss or vulnerability to security breaches may lead to certain significant impacts. Further, applicability will also depend on the technology being used by, or the business of, the organisations concerned.

Telecommunication

The Cybersecurity Regulatory Framework of the CITC applies to service providers in the information and communications technology and the postal sector.

Ecommerce

CGESP and CGEC are both non-binding documents setting out best practices for the protection of ecommerce data and systems. Whilst these are specifically ecommerce related, the banking and transactional aspects of cybersecurity are regulated differently.

Financial

The Saudi Central Bank’s Cybersecurity Framework regulates cybersecurity in the financial institutions regulated by the Saudi Central Bank. Said financial institutions include banks, insurance and reinsurance companies, financing companies, and credit bureaus.

4. Authority

Information Commissioner’s Office www.ico.org.uk

The Cyber Security and Technology Crime Bureau (Hong Kong Police)
https://www.police.gov.hk/ppp_en/04_crime_matters/tcd/tcd.html

The Communications Authority (for reporting spam) (www.coms-auth.hk)

5. Key obligations 

N/A – there is no prescribed obligation on cyber users or operators to adopt security measures, except those involving the handling of personal data as specified in the Personal Data (Privacy) Ordinance (Cap. 486) (the “Ordinance”).

Cybersecurity

The ECC requires notifying the NCA of any cybersecurity incidents, as well as sharing incident notifications, threat intelligence, breach indicators and reports with the NCA.

Telecommunication

The Cybersecurity Regulatory Framework of the CITC requires all service providers licensed by the CITC that are classified as CNIs to comply with the NCA’s ECC and to report to the CITC in addition to the NCA.

Financial

A financial institution regulated by the Saudi Central Bank should notify it when a medium or high-classified security incident occurs, and should submit a formal incident report after the incident.

6. Sanctions & non-compliance 

Administrative sanctions:

N/A

Criminal sanctions:

The Hong Kong Police will enforce the provisions of the relevant Ordinances. Penalties range from a level 4 fine (HKD 25,000) to imprisonment for five years.

Others:

N/A

Administrative sanctions:

The Cybersecurity Law imposes fines of up to SAR 5m (USD 1.33m) for cybercrimes.

Criminal sanctions:

The Cybersecurity Law provides for imprisonment of up to ten years for cybersecurity crimes, depending on the severity of the cybercrime.

Others:

Any equipment used in committing a cybercrime can also be confiscated.

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

No 

Saudi CERT is the national computer emergency response team, which falls under the NCA.

8. National cybersecurity incident management structure

N/A

The NCA is the main national authority for managing cybersecurity incidents. However, other regulators such as the CITC and the Saudi Central Bank have their own mechanisms for receiving cybersecurity incident reports.

9. Other cybersecurity initiatives 

  • The Hong Kong Monetary Authority has issued various non-binding cybersecurity guidelines for authorised institutions, such as the Cyber Resilience Assessment Framework and cybersecurity guidelines on the use of stored value facilities, e-banking systems and artificial intelligence.
  • The Securities and Futures Commission has published guidelines and circulars such as the Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading and specific guidelines on the use of external electronic data storage.
  • The Insurance Authority has issued the Guideline on Cybersecurity, laying down the minimum cybersecurity standards that authorised insurers must observe.
  • The Commissioner for the Electronic Health Record has issued codes of practice on the use of the electronic health record sharing system by healthcare providers to access and share patients’ electronic health records.
  • The Office of the Government Chief Information Officer has issued guidelines on cybersecurity controls and measures applicable to various government offices and departments.

The Saudi Federation for Cyber Security and Programming (SAFCSP) is a national institution under the umbrella of the Saudi Arabian Olympic Committee, which seeks to build national and professional capabilities in the fields of cybersecurity and programming.

Jonathan Chu
Partner
Hong Kong (CMS CMNO - Lau, Horton & Wise LLP)

Ben Gibson
Legal Director
Dubai