Saudi Arabia PDPL
Personal Data Protection Law (Royal Decree M/19)
Saudi Arabia's comprehensive personal data protection law with extraterritorial scope, DPO requirements for sensitive processing, and National Data Governance Platform registration.
Jurisdiction
Saudi Arabia
SA
Enacted
Sep 14, 2021
Effective
Sep 14, 2024
Enforcement
Saudi Data and Artificial Intelligence Authority (SDAIA)
Extraterritorial application; complements SDAIA Framework
What It Requires
Who Must Comply
This law applies to:
- • Data controllers and processors in Saudi Arabia
- • Entities outside Saudi Arabia processing Saudi residents' data
- • Sensitive data processing including health
Capability triggers:
Who bears obligations:
Safety Provisions
- • Extraterritorial application to data of Saudi residents
- • Data Protection Officer for sensitive data processing
- • National Data Governance Platform registration
- • Data Protection Impact Assessment for high-risk processing
- • Cross-border transfer restrictions
Enforcement
Enforced by
Saudi Data and Artificial Intelligence Authority (SDAIA)
Penalties
SAR 3M
Fines up to SAR 3 million
Quick Facts
- Binding
- Yes
- Mental Health Focus
- Yes
- Child Safety Focus
- No
- Algorithmic Scope
- Yes
Why It Matters
Saudi Arabia's PDPL with extraterritorial scope and National Data Governance Platform creates comprehensive compliance framework for AI chatbots serving Saudi users globally. Complements existing SDAIA AI Framework.
Recent Developments
Effective September 2024 after 3-year implementation period
Cite This
APA
Saudi Arabia. (2021). Personal Data Protection Law (Royal Decree M/19). Retrieved from https://nope.net/regs/sa-rd-m19
BibTeX
@misc{sa_rd_m19,
title = {Personal Data Protection Law (Royal Decree M/19)},
author = {Saudi Arabia},
year = {2021},
url = {https://nope.net/regs/sa-rd-m19}
} Related Regulations
SDAIA AI Framework
Comprehensive AI governance from Saudi Data & AI Authority: Ethics Principles (Sep 2023), Generative AI Guidelines (Jan 2024), AI Adoption Framework (Sep 2024). Combined with PDPL creates binding + guidance framework.
Israel Privacy Amendment 13
Israel's most significant privacy reform in 40 years, explicitly covering AI systems. Requires Data Protection Officers (DPOs) for entities processing sensitive data at scale, mandates Data Protection Impact Assessments (DPIAs) before AI deployment, and enhances Protection of Privacy Authority enforcement powers. One of first data protection laws to explicitly require DPIAs before AI development or deployment.
Jordan PDPL
Jordan's data protection law with medical data processing exceptions, data portability rights, and oversight including security services.
Oman PDPL
Oman's data protection law with world's strictest health data regulation: outright BAN on health data processing without Ministry of Health permit. Also requires 72-hour breach notification.
Egypt AI Strategy 2025
Ambitious national strategy positioning Egypt as regional AI hub for Africa and Middle East. Targets 7.7% ICT sector GDP contribution by 2030, training 30,000 AI specialists, establishing 250 AI companies. Built on six strategic pillars: governance, infrastructure, technology, data, ecosystem, and talent. Accompanied by Egyptian Charter for Responsible AI (April 2023) with ethics principles.
Qatar QCB AI Guidelines
Binding AI governance requirements for Qatar's financial sector. Mandates board-level accountability, risk assessments, human-in-the-loop for high-impact decisions, and prior QCB approval for high-risk AI systems.