Saudi Arabia has not joined any agreement with binding commitments to open transfers of data across borders.

The Personal Data Protection Law (PDPL) establishes a comprehensive data protection regime in Saudi Arabia. The PDPL applies to any processing of personal data carried out in Saudi Arabia by companies or public entities by any means, including the processing of personal data of Saudi residents by entities located outside the Kingdom. Furthermore, the second clause of the law establishes the Saudi Data & Artificial Intelligence Authority (SDAIA) as the competent authority to supervise the implementation of the provisions of the system and its regulations. However, a transfer of supervision to the National Data Management Office (NDMO) will be considered in the future.

Art. 7 of the Internet of Things (IoT) Regulatory Framework requires that IoT service providers must provide the technical capabilities in the IoT devices and machines to save and maintain the data to make it possible to be reviewed for a duration not less than 12 months or any other duration specified by the Communications, Space & Technology Commission (CST). This requirement is not included in the in force IoT Regulatory Framework of 2024.

Pursuant to Art. 31 of the Personal Data Protection Law, the Controller must maintain records of personal data processing activities, in a manner appropriate to the nature of its operations, and make such records available to the competent authority upon request. Art. 33 of the Implementing Regulation further specifies this obligation, requiring the Controller to retain these records for the entire duration of the processing and for an additional five years following the end of any personal data processing activity.

According to Art. 5.2 of the General Principles for Personal Data Protection in the Telecommunication, IT, and Postal Services, service providers in certain sectors, including telecom and IT, are mandated to assign the role and responsibilities of customers’ personal data protection to an independent function, which can be intended as a data protection officer.

The Personal Data Protection Law mandates data privacy impact assessments whereby controllers must conduct an evaluation of the effects of processing associated with any product or service provided to the public.

Arts. 6, 10, and 15 of the Personal Data Protection Law delineate the circumstances under which a public entity may request access to data: namely, for purposes of public interest, security, implementing another law, or fulfilling judicial requirements. Notably, there is no stipulation requiring the presence of a court order or warrant. However, Art. 21 of the Implementing Regulations imposes additional obligations on public entities that process personal data obtained indirectly from data subjects for public interest purposes. These obligations include ensuring that the processing is necessary to achieve a clearly defined public interest, that such interest is related to a mandate specified by law, and that appropriate measures are taken to mitigate any potential harm resulting from the processing.

Art. 9.3 of the "Regulations for the Classification of Licences for Telecommunications Services" stipulates that telecom service providers must furnish the Communications, Space and Technology Commission (CST) with any data it requests within the prescribed timeframe. In addition, providers are required to update the CST promptly in the event of any change to their submitted information. However, the provision does not clarify whether the disclosure of such data must be supported by a judicial warrant or court order.

The E-commerce Law establishes a safe harbour regime for intermediaries for copyright infringements. Art. 12 of the law provides a safe harbour for intermediary liabilities by excluding them from penalties if the intermediary platforms delete any content that violates the provisions of the laws and regulations within one day from the date of notification by the government.

The E-commerce Law establishes a safe harbour regime for intermediaries beyond copyright infringement. Art. 12 of the law provides a safe harbour for intermediary liabilities by excluding them from penalties if the intermediary platforms delete any content that violates the provisions of the laws and regulations within one day from the date of notification by the government.

Saudi Arabia has not signed the World Intellectual Property Organization (WIPO) Performances and Phonograms Treaty.

Art. 13.8 of the Regulations for Licensing of Telecommunications and Information Technology Equipment provides a general requirement to disclose details of encryption systems contained in telecommunications and IT equipment intended to be supplied and used in the kingdom.

Trade secrets are governed by the Regulations for the Protection of Confidential Commercial Information (Trade Secrets Regulations). A commercial secret is defined under the Trade Secrets Regulations as information not known in its final form or where information is not usually easily obtainable by those engaged in this type of business, as well as where the information is of commercial value due to its confidentiality, and where the rightful owner takes reasonable measures to maintain its confidentiality. However, the Trade Secrets Regulations do not protect commercial secrets which are inconsistent with Shariah, public order and/or public morals (Art. 7). Obtaining, using or disclosing any commercial secret in a manner that is inconsistent with "honest commercial practices" and without the consent of the rightful owner is deemed an abuse of the commercial secret under the Trade Secrets Regulations.

It is reported that there is an obligation for passive infrastructure sharing in Saudi Arabia to deliver telecom services to end users. It is practised in both the mobile and fixed sectors based on commercial agreements.

Pursuant to Section 11.03 of the Ministry of Investment Services Manual, foreign ownership in the telecommunications sector is generally permitted, subject to specific restrictions depending on the nature of the activity. For telecommunications services, foreign ownership is limited to a maximum of 60%, whereas for value-added communications services, the cap is set at 70%.