What laws apply to the collection and use of individuals’ personal information?
Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.
Saudi Arabia does not currently have an overarching privacy framework or data protection law. In Saudi Arabia, laws are generally based on Shari’ah principles including protecting an individual’s right to privacy, prohibiting the invasion of individuals’ private lives and, prohibiting the disclosure of secrets in most cases. Laws that relate to data protection include:
The Law of Governance (March 1, 1992), which sets the basic right that the “privacy of telegraphic and postal communications, and telephone and other means of communication, shall be inviolate.” Surveillance and eavesdropping are prohibited except when permitted by law (Art. 40).
Law No. 32 of 1421 AH concerning Printed Materials and Publication (Publications Law) criminalizes the "encroachment of people's dignity and freedom, extortion or defamation of persons.” Under this law, parties who possess personal data must consider whether the disclosure of personal data would be considered a violation of the private lives of individuals. Processing HR related data for employment purposes would generally be allowed, but processing employee personal data for other purposes that an individual may not expect or be aware would increase risk.
The Saudi Cloud Computing Regulatory Framework (CCRF) applies to cloud computing services in Saudi Arabia (where the cloud infrastructure is in Saudi Arabia or, a Saudi business is the provider) or procured by Saudi businesses and imposes security requirements on the provider.
There are other sectoral laws and regulations that apply to the collection and use of individual’s personal information, but these generally don’t apply to human resources related records.
There is no privacy authority responsible for the enforcement of data privacy laws and regulations in Saudi Arabia. Privacy related infringements of basic laws would be investigated as criminal complaints by the police, and if there is a basis for charges, would be given to the public prosecutor.