Saudi Arabia’s law is based on Islamic Shari’ah, which generally affords protection to the privacy of persons. The Basic Law of Governance (a constitution-like document), states that the State shall protect human rights in accordance with the Islamic Shari‘ah. It also contains general protections on correspondence by telegraph and mail, telephone conversations, and other means of communication, which may not be seized, delayed, viewed, or listened to except in cases set forth in the law. The recently issued E-Commerce Law contains provisions relating to the protection of personal data in an e-commerce context, including both B2B and B2C e-commerce activities. The Cloud Computing Regulatory Framework, issued by the Communications and Information Technology Commission, contains restrictions relating to the use of cloud computing, and the transfer of customer data to recipients outside Saudi Arabia. The Labour Law contains provisions relating to the maintaining of a file for employees, although this does not go into any detail in terms of data protection principles. In general terms, these are the laws and regulations that we would consider in addressing data protection issues from a Saudi law perspective.

Local media reports indicate that a draft data protection law is currently under consideration by the Saudi legislative body. This is not yet publicly available, although it is unlikely that it has been prepared with GDPR in mind.