Cloud Computing Regulatory Framework (CCRF) in Saudi Arabia
Saudi Arabia’s third version of the Cloud Regulatory Framework - what should businesses know about it?
1. What's its scope?
The CCRF is intended to apply to cloud service providers ("CSPs") who conclude agreements for cloud computing services ("Cloud Services") with customers (referred to as "Subscribers") based in the Kingdom of Saudi Arabia ("KSA"). Certain provisions also apply to CSPs involved in the provision of Cloud Services to Subscribers in the KSA even where the Subscriber's residence or address is not in the KSA, or where there is no contract between the CSP and the Subscriber.
2. What does "Cloud Services" mean?
Cloud Services has a broad meaning, being defined as "information and communications technology (ICT) services provided through cloud computing, which include, but are not limited to, the storage, transfer or processing of customer content in a cloud system".
3. Are there registration requirements?
Yes. Before providing Cloud Services, the CSP must first register with the Communications & Information Technology Commission ("CITC") and may only use communications infrastructure licensed by the CITC. CSPs must also follow the registration requirements and procedures laid out in the "Guide for Cloud Service Providers in the Kingdom of Saudi Arabia".
4. What's the data classification landscape?
The CCRF distinguishes between "Saudi Government Data" and "Non-Government Data". Within these two categories, Subscriber data that is uploaded into a CSP's cloud system may then be subject to additional levels of classification, depending on the level of protection required to preserve the confidentiality, integrity and availability of the data in question. In particular, Saudi Government Data may be classified as "Top Secret", "Secret", "Confidential" or "Public", whereas Non-Government Data is divided between "Data Received from Saudi Government Entities" and "Other Data". Importantly, the primary responsibility for data classification rests with the Subscriber; earlier versions of the CCRF differed on this point.
5. How are security incidents addressed?
In the event of any cybersecurity or data breach, CSPs must, without undue delay, inform: (a) the CITC; and (b) Subscribers where the cybersecurity or data breach affects, or is likely to affect, the Subscriber's data or the services they receive from the CSP. CSPs must also inform Subscribers of any insurance coverage held in respect of any civil liability to those Subscribers.
6. What are the data location and transfer restrictions?
Subscribers must be informed in advance if their data will be transferred, stored or processed outside of the KSA, whether permanently or temporarily. More importantly, neither CSPs nor Subscribers may transfer any Saudi Government Data outside the KSA for any purpose, whether permanently or temporarily, unless such transfer is expressly permitted by law. Similarly, the CCRF prohibits Subscribers from transferring any Saudi Government Data to any CSP, unless that CSP is properly registered with the CITC.
7. Is there any CSP liability for content?
The CCRF makes it clear that CSPs are not under a legal obligation to monitor their cloud computing systems for illegal content or for Subscriber content that infringes third party intellectual property rights. Additionally, the CCRF confirms that a CSP shall not incur liability in respect of such content which has been uploaded, processed or stored on the CSP's cloud system. That being said, CSPs are still under a duty to remove content where instructed to do so by the CITC.
8. How is Subscriber data protection addressed?
The CCRF draws upon features of personal data protection laws in other jurisdictions to protect Subscriber data. However, it applies these principles more widely to all forms of electronic Subscriber data, not just personal data. For instance, CSPs are not allowed to provide, nor authorise another party to provide, any Subscriber data to any third party, except where the CSP is required to disclose or process that data under the laws of the KSA. Equally, CSPs may not process or use Subscriber data for any purposes other than those allowed under the terms of the cloud computing service agreement with the Subscriber, unless: (a) the data in question has been classified as 'Other Data'; and (b) the Subscriber has given express prior consent. On termination of the cloud contract, CSPs must also, upon request, return Subscriber data in a commonly used format.
9. Are contractual terms left entirely to the parties?
No. The CCRF sets out various minimum requirements for contracts between a CSP and a Subscriber. In addition, the CCRF protects Subscribers by prohibiting certain "unfair" contract terms. For example, a CSP may not exclude its liability for any loss of, or damage to, Subscriber data caused by the intentional or negligent acts or omissions of the CSP.
10. What are the CITC's enforcement powers?
For any violation of the CCRF, the CITC may: (a) impose a fine; (b) suspend or revoke the registration/licence of the CSP; (c) require the CSP to hand over any reports or information that the CITC requests; and/or (d) take any other legal action in accordance with its mandate.
For further detail regarding the information above or the Cloud Computing Regulatory Framework in the Kingdom of Saudi Arabia, please contact Raza Rizvi.