In early 2018 (following a public consultation process held during 2016), the Saudi Communications and Information Technology Commission (CITC) issued the Cloud Computing Regulatory Framework (CCRF). The CCRF entered into force 30 days from its publication on 6 February 2018 (corresponding to 20 Jumada Al-Awwal 1439 H), and thus came into effect on 8 March 2018.
In addition to the CCRF, and with a view to providing further background information on the regime and its related compliance obligations, the CITC issued the following documents:
- Guide for Cloud Service Providers;
- Individual Customers' Guide to Cloud Computing Services;
- Enterprises' Guide to Cloud Computing Services; and
- Government Agencies' Guide to Cloud Computing Services.
We discuss the CCRF in further detail below.
Scope of application
Generally speaking, the CCRF applies where "Cloud Services" are provided to customers who are Saudi residents and/or have an address in the Kingdom. Cloud Services are very broadly defined as any kind of information and communications technology services provided via a cloud-based platform (including the storage, transfer, or processing of Customer Content).
The CCRF also applies where a Cloud Service Provider (CSP) is processing or storing Customer Content within the Kingdom and to the ownership, operation, or offering of access to Datacentres or cloud systems in Saudi Arabia. The CCRF requirements will apply regardless of whether the CSP captured by the regime was the same entity that concluded the cloud contract with the Cloud Customer(s) in question.
Any person who engages in either of the following activities or services must submit a valid and complete registration with the CITC:
- the exercise of direct or effective control over Datacentres or other critical cloud system infrastructure hosted in Saudi Arabia and used, in whole or in part, for the provision of Cloud Services; or
- the exercise of direct or effective control over the processing and/or storing of Customer Content classified as "Level 3" Customer Content (see Section 5 below for security level categories).
The obligation for CSPs to register with the CITC enters into force on 7 April 2018 (one month after the CCRF came into effect) although CSPs may elect to file registration applications prior to this time.
The scope and quantum of potential penalties for a violation of the CCRF have not yet been specifically established by the CITC. Rather, the CCRF provides that any violation of its provisions shall incur such penalties as "the [CITC] may impose under [CITC] statutes", and may also incur penalties under other applicable laws in the Kingdom. Such other applicable laws include, in particular, the Anti-Cyber Crime Law and the Electronic Transactions Law, and any laws or provisions that may amend or replace them in the future.
Cloud content security
The CCRF provides that "Customer Content can be subject to different levels of information security, depending on the required level of preservation of the Customer Content's confidentiality, integrity, and availability" as set forth in the table below:
Classification of Customer Content by level of required information security
Categories of Customer Content:
- Non-sensitive Customer Content of individuals or private sector companies not subject to any sector-specific restrictions on the outsourcing of data.
- Customer Content qualifying for Level 2 or Level 3 treatment, for which the Cloud Customer agrees with Level 1 treatment.
- Sensitive Customer Content of individuals not subject to any sector-specific restrictions on the outsourcing of data.
- Sensitive Customer Content of private sector companies or organisations not subject to any sector-specific restrictions on the outsourcing of data.
- Non-sensitive Customer Content from public authorities.
- Customer Content qualifying for Level 1 or Level 3 treatment, for which the Cloud Customer requests Level 2 treatment.
- Any Customer Content from private sector-regulated industries subject to a level categorisation by virtue of sector-specific rules or a decision by a regulatory authority.
- Sensitive Customer Content from public authorities.
- Customer Content qualifying for Level 1 or Level 2 treatment, for which the Cloud Customer requests Level 3 treatment.
- Highly sensitive or secret Customer Content belonging to relevant governmental agencies or institutions.
The CCRF also sets forth a number of statutory presumptions regarding how such Customer Content should be classified from an information security standpoint (unless the relevant Cloud Customer has requested otherwise). These information security presumptions (by category of Cloud Customer) are:
- for natural persons with a residence in the Kingdom: Level 1 treatment of Customer Content;
- for private sector legal persons, such as companies, other corporate entities, associations or organisations incorporated or with a customer address in the Kingdom: Level 2 treatment of Customer Content;
- for any government or state services or agencies: Level 3 treatment of Customer Content; and
- for all other categories: Level 1 treatment of Customer Content.
Further, the CCRF provides that Cloud Customers are required to inform the CSP with whom they conclude a Cloud Contract of the level of information security required for their content, should that level of security differ from the statutory presumptions outlined above.
In terms of the information security compliance parameters, the CCRF provides that (unless expressly allowed by other laws or regulations of the Kingdom) CSPs must ensure, among other obligations, that:
- no Level 3 content is transferred outside of the Kingdom for any reason; and
- no Level 3 content is transferred, stored, or processed in any Public Cloud, Community Cloud, or Hybrid Cloud, unless and for as long as they are validly registered with the CITC.
The CCRF also establishes obligations for CSPs to report security breaches to the Cloud Customer and/or to the CITC, depending on the nature of the breach and the Customer Content that was involved.
One area of particular interest with regard to the revision of the CCRF from its original 2016 consultation draft is the numerous additions of the phrase "Infringing Content" to the CCRF takedown provisions, where previously only "Illegal Content" was addressed. This is noteworthy in that the CCRF defines "Infringing Content" as "Customer Content or Third Party Content that infringes a Person's intellectual property rights", with no territorial restriction on the ownership of the IP and no registration requirement. This addition would seem to signal an increased awareness of the importance of international intellectual property rights, even though CSPs are expressly excused under the CCRF from any legal obligation to monitor their systems or platforms for such infringing or illegal content.
While the Kingdom has lofty ambitions not only to become a larger participant in the field of ICT but to be an innovator as well, the numerous bureaucracies in place in the Kingdom can hinder the drafting and enactment of all-encompassing legislation in the field. That said, although the legislative process in Saudi Arabia has generally been slow in the past, recent overhauls in other areas of government have signalled a progression towards much quicker reforms. Further, the CITC has in place numerous laws and regulations relating to a variety of technological fields (as do numerous other government ministries). Accordingly, it is reasonable to expect that further regulatory documents dealing with other areas of ICT will be forthcoming from the CITC, and that the CCRF is simply one of many first steps toward a clearer and more transparent approach to this sector in the Kingdom.