The Legal Framework for Privacy and Data Protection in Saudi Arabia

Vol. 41 No. 4


John M. B. Balouziyeh ( and Amgad T. Husein ( are corporate attorneys at SNR Denton in Riyadh and co-authors of the Legal Guide to Doing Business in Saudi Arabia (forthcoming). 

The cultural emphasis on privacy is one that permeates every level of Saudi Arabian society. One finds, for example, the grounds of private residences enclosed by lofty stone walls, restaurants with opaque curtains enshrouding each dinner party, and private, separate female waiting areas and building entrances. Even Saudi cultural dress reflects this emphasis on privacy: traditionally, women wear abayas (loose black robes from head to toe) and face coverings with only their eyes in public view.

As one might expect, this emphasis on privacy is strongly reflected in Saudi Arabia’s laws. The Shari’a (Islamic law), as interpreted and applied in Saudi Arabia, establishes privacy as a right based on the dignity of the individual. Moreover, the Saudi Constitution (Basic Law of Governance) repeatedly makes mention of the right to privacy. The Constitution guarantees, for example, the privacy of telegraphic and postal communications, as well as that of telephonic and other means of communication. At the same time, it prohibits surveillance or eavesdropping of such communications (art. 40), except as provided by law (e.g., in the case of a threat to national security).

The explicit mention of the right to privacy in the Saudi Constitution can be contrasted with the constitutions of many common law and civil law jurisdictions, which make no express mention of the right to privacy. In the United States, for example, the constitutional right to privacy derives from “penumbras,” or peripheral rights, stemming from those explicitly enumerated in the Bill of Rights (see Griswold v. Connecticut, 381 U.S. 479 (1965)). In Spain, the constitutional right to privacy derives from the right to personal honor and intimacy, as laid out in Article 18.1 of the Constitution (“derecho al honor, a la intimidad personal y familiar y a la propia imagen”).

Based on the Saudi Constitution, and elaborating on basic Shari’a principles that create a tort claim (masouliya taqsiriya) for damages caused by the wrongful disclosure of a person’s private information, Saudi data-related legislation has focused on privacy violations relating to telecommunications and information technology. For example, the Telecommunications Act, issued under the Council of Ministers Resolution no. 74 (2001), prohibits Internet service providers and telecommunications companies from intercepting telephone calls or data carried on public telecommunications networks (art. 37.7). It also prohibits intentionally disclosing the information or contents of any message intercepted in the course of its transmission (art. 37.13), other than in the course of duty (e.g., where law enforcement is required to investigate ongoing fraud). The Act imposes fines of up to SR 5,000,000 (US$1.3 million) for violations.

Similarly, the Anti-Cyber Crime Law (2007), enacted by Royal Decree no. M/17, imposes heavy civil and criminal sanctions for spying on or intercepting personal data, including the reception of data transmitted through an information network without legitimate authorization and the illegal access of bank data or computers to modify, delete, damage, or redistribute private data. Penalties of up to SR 3,000,000 and four years’ imprisonment may apply (see, e.g., arts. 3–5).

Saudi Arabia’s data protection laws and implementing regulations are still relatively new and developing. They reflect, however, the growing global recognition of the importance of control over private data in the digital age, as well as Saudi Arabia’s strong cultural emphasis on privacy.


Fall 2017 Spring Meeting
2017 Eurpoe Forum
2017 Fall Meeting



  • Call for Articles

  • Contact Us

  • International Law News


  • Editor-in-Chief

  • Deputy Editors

  • Sample Issues