Saudi Arabia's ICT regulator, the Communications and Information Technology Commission (CITC), has published a public consultation document on a proposed cloud computing regulation and license regime in the KSA. The consultation aligns with CITC's goal to create a favourable environment to foster the provision and development of cloud computing services in the KSA. It forms part of a wider project being undertaken by CITC to review the existing regulations affecting computing and the need for any cloud-specific provisions.
Whilst cloud computing is not new, its regulation in the GCC is, pardon the pun, a bit "clouded". There is little to no published guidance from regulators in the region around cloud computing issues, for example whether a license is required to provide the service, or issues relating to data protection and cross border data transfer. Instead, cloud service providers and cloud service users have to navigate a maze of different legislation including telecommunications regulations and often the criminal or penal codes that might govern privacy of persons' secrets.
CITC's consultation is therefore a step in the right direction, promising a new wave of definitive regulation for the digital economy within the GCC region.
CITC proposes a three-category licensing scheme for Cloud Service Providers (CSPs):
- A "Cloud Infrastructure and Services License" (CISL). These licenses will cover CSPs with datacentres or other key cloud infrastructure in Saudi Arabia, and those processing or storing sensitive user content (i.e. ‘Level 3’ user content, as defined in Article 3.3 of the draft regulation);
- Other CSPs operating under a CSL or a simple registration process (an alternative being considered by CITC) based upon a declaration from the CSP; and
- CSPs having only a limited commercial presence in Saudi Arabia in terms of subscriber numbers or revenues, which may not require a license or registration.
A key feature of the draft regulation is the proposed restrictions regarding the cross border transfer of what the regulation categorises as "Level 3 User Data". This is data that falls into one of the following categories:
- Sensitive user content of private sector companies or organisations;
- Any user content from private sector regulated industries subject to a level categorisation by virtue of sector-specific rules or a decision by a regulatory authority;
- Public sector user content not in the public domain; and
- User content qualifying for Level 1 or Level 2 treatment, for which the customer requests Level 3 treatment.
This may be a concern for some cloud service providers or cloud service users, particularly those that want to transfer data outside of Saudi Arabia for processing or storage purposes.