Changes to technology and data laws in Saudi Arabia
Technology, Outsourcing & Data
Saudi Arabia has updated its regulatory regime for telecommunications with the issuance of a new Telecommunications and Information Technology Act. This article considers the new features introduced by this legislation and how its broader focus on innovation and emerging technologies could support the digital transformation agenda in the Kingdom.
The Telecommunications and Information Technology Act enacted by Royal Decree No. M/106 dated 02/11/1443H (equivalent to 1 June 2022) (the Act) was published in the Saudi Official Gazette on 10 June 2022 and will take effect on 7 December 2022. The Act will repeal the Telecommunications Law enacted by Royal Decree No. M/12 dated 12/03/1422H (4 June 2001) (the Old Law), broadening the scope and focus from telecommunications to include new forms of technology and digital services.
The Act will be supplemented by additional regulations that are to be issued within 180 days from the date of the publication of the Act in the Official Gazette (the Rules). The Rules will enter into force at the same time as the Act and we anticipate that they will have a similar function to the existing Bylaws under the Old Law, which establish the basis of the current licensing regime and key obligations on licensed operators.
The Saudi Communications & Information Technology Commission (CITC) will remain the primary authority responsible for overseeing and enforcing the Act.
The Act has broadened the scope of application from purely telecommunications services under the Old Law to a range of ICT activities and services. The Act now regulates emerging technologies with a specific focus on promoting digital transformation in Saudi Arabia and encouraging innovation, entrepreneurship, research and technical development.
The definition of telecommunications is broadened to recognise machine-to-machine communication systems and apparatus. The Act also defines information technology in broad terms to include “technologies, software, systems, networks and any related processes for creating, compiling, securing, processing, storing or analysing data or information, including telecommunications and information technology applications.” This brings a range of digital service providers within the scope of the new regime.
The Act has clearly stated aims to develop and promote digital transformation in Saudi Arabia and upgrade the services provided within the ICT field.
There is a strong theme of innovation through entrepreneurship and research that is intended to help develop this field within the Kingdom. There is also specific reference to encouraging the development of emerging technologies, which are defined as technological innovations representing a progressive step in a certain field and achieving a competitive benefit over the prevailing technologies. This is consistent with the Kingdom’s wider plans to develop a digital economy, which is further evidenced by expressly stated aims in the Act to “transfer and localise” technology and develop the local content share.
As per the Old Law, the Act stipulates that service providers are responsible for implementing proper prices for ICT services and that controlling service providers (i.e. those with more than 40% of the relevant market) must meet interconnection or accessibility requests on fair terms and at fair prices based on CITC-approved costs.
Mergers between service providers (in the Kingdom or abroad) or the acquisition of more than 5% of stocks or shares in any licensed service provider are subject to prior approval from the CITC Board.
The Act also prohibits controlling service providers from abusing their dominant position and the Rules are expected to detail further anti-competitive practices that are prohibited.
Licences are now required not just for the provision of telecommunications services but also for using telecommunications networks for these purposes. This suggests the potential regulation of “over-the-top” services that provide telecommunications functionality.
Other licensable activities include providing infrastructure services to public telecommunications networks, using any numbering resource or frequency spectrum and providing Saudi domain names registration services or establishing centres for its registration. Further details of the licence requirements will be set out in the Rules.
In addition to the licensing regime, the Act also references alternative types of approval in the form of registration or authorisation. The Act states that the CITC Board may require a licence, registration or authorisation for the provision of specific services relating to telecommunications or information technology (including digital content platforms), possessing or using ICT devices and creating special telecommunications network. This allows for CITC to regulate current, emerging or future technologies by way of subsequent rules or decisions.
As per the Old Law, the CITC Board has the ability to cancel, suspend or modify any licence registration. However, this decision should be based on a reasoned ground or following a change in market conditions.
Finally, the Act revises the provisions for assignment of a licence. It requires the CITC’s approval to be obtained before making any material change of ownership of a licensee or registered provider. The CITC must issue its decision within 90 days following the lodging of an application, otherwise the application will be deemed successful. The Act does not define what constitutes a material change and it is expected that further clarity will be provided in the Rules.
A notable addition to the Act is a chapter on the protection of user data and confidential documents. This follows recent developments in Saudi Arabia that included the issuance of the Kingdom’s first personal data protection law in late 2021. The Act requires service providers to comply with the provisions of the new Personal Data Protection Law when using, controlling or processing any user’s personal data.
The Act requires service providers to take all the necessary steps and precautions to ensure the protection and confidentiality of users’ personal information and documents. User data cannot be disclosed without the consent of the user. Telephone communications or information disclosed over public communication networks are expressly stated to be confidential and may not be accessed, viewed or recorded unless required by law.
Service providers also have a duty to notify users and the CITC in the case of a breach of the user’s personal data or documents and to take the appropriate measures to protect personal data.
The Act specifies that CITC will ensure the protection of cybersecurity and critical infrastructure (defined as networks and IT devices whose equipment could totally or partially disrupt or impair the stability or security of the sector) by complying with the decisions issued by the National Cybersecurity Authority (NCA). The Act also notes that the CITC will assess the cybersecurity level of each service provider to ensure that the protection is adequate in accordance with the levels expected by the NCA.
The core offence of providing telecommunications services or establishing a public telecommunications network without a licence is necessarily broadened to cover the carrying out of any of the activities requiring licensing, registration or authorisation under the new regime (see ‘Licensing, registration and authorisation’ above). In addition, the Act now creates a wider offence in relation to the possession, sale, leasing, making available, manufacturing, production or trading in any equipment, services or software that does not match the required technical specifications and standards or does not otherwise comply with the rules, controls and requirements set out by CITC.
Sanctions that may be imposed include a fine of up to SAR 25,000,000 (US$ 6,657,500), which is consistent with the Old Law. As well as similar rights for the CITC to suspend the services of any operator that violates their licensing conditions, the Act also expressly references the total or partial blocking of digital content platforms and the CITC is empowered to provide technical support with enforcing final court judgments against digital platform service providers.
The Act introduces new concepts and has substantially broadened the core mandate of CITC under the Old Law to include providers of digital infrastructure and services in addition to telecommunications network operators. Businesses operating in this space should take steps to assess the application of the Act, including any licensing, registration or authorisation requirements.
While the Act has a focus on innovation and development of the local ICT sector, this will be subject to the framework of regulation and governance set out in the Act and the Rules.
The Act does not directly address specific technologies or issues such as cryptocurrency, NFTs, artificial intelligence or the metaverse. However, the Rules or future decisions under the Act may introduce specific regulation in those areas.