• PRO
  • Events
  • About Blog Popular
  • Login
  • Register
  • PRO
  • Resources
    • Latest updates
    • Q&A
    • In-depth
    • In-house view
    • Practical resources
    • FromCounsel New
    • Commentary
  • Research tools
    • Global research hub
    • Lexy
    • Primary sources
    • Scanner
    • Research reports
  • Resources
  • Research tools
  • Learn
    • All
    • Webinars
    • Videos
  • Learn
  • Experts
    • Find experts
    • Influencers
    • Client Choice New
    • Firms
    • About
    Introducing Instruct Counsel
    The next generation search tool for finding the right lawyer for you.
  • Experts
  • My newsfeed
  • Events
  • About
  • Blog
  • Popular
  • Find experts
  • Influencers
  • Client Choice New
  • Firms
  • About
Introducing Instruct Counsel
The next generation search tool for finding the right lawyer for you.
  • Compare
  • Topics
  • Interviews
  • Guides

Analytics

Review your content's performance and reach.

  • Analytics dashboard
  • Top articles
  • Top authors
  • Who's reading?

Content Development

Become your target audience’s go-to resource for today’s hottest topics.

  • Trending Topics
  • Discover Content
  • Horizons
  • Ideation

Client Intelligence

Understand your clients’ strategies and the most pressing issues they are facing.

  • Track Sectors
  • Track Clients
  • Mandates
  • Discover Companies
  • Reports Centre

Competitor Intelligence

Keep a step ahead of your key competitors and benchmark against them.

  • Benchmarking
  • Competitor Mandates
Home

Back Forward
  • Save & file
  • View original
  • Forward
  • Share
    • Facebook
    • Twitter
    • Linked In
  • Follow
    Please login to follow content.
  • Like
  • Instruct

add to folder:

  • My saved (default)
  • Read later
Folders shared with you

Register now for your free, tailored, daily legal newsfeed service.

Questions? Please contact [email protected]

Register

Saudi Arabia regulates cloud computing services

Baker McKenzie

To view this article you need a PDF viewer such as Adobe Reader. Download Adobe Acrobat Reader

If you can't read this PDF, you can view its text here. Go back to the PDF .

Saudi Arabia March 9 2018

What's changed

In a significant development for the Saudi Arabian's information technology and communications sector, the Communications and Information Technology Commission ("CITC"), Saudi Arabia's telecommunications regulator, has regulated Cloud Computing in Saudi Arabia. The CITC published on its website a Cloud Computing Regulatory Framework ("CCRF") that will enter into force after 30 days from 20 Jumada Al-Awal 1439 (corresponding to 6 February 2018).

The CCRF aims to provide clarity and certainty on the rights and obligations of Cloud Service Providers ("CSPs") and users of cloud services ("Cloud Customers"). It establishes a framework to manage the potential security risks connected with cloud and encourages improved quality of service. 

The CCRF represents one of only a few examples of cloud-specific regulatory frameworks around the world. Some of the provisions, such as security breach notification, are in line with the approach taken in other jurisdictions, i.e. the European Union; while others, such as the registration obligation and content classification are unique to the Kingdom.

What it means for you

Scope of application. The provisions of the CCRF lay down two distinct rules on the scope of application of the law.

First, the CCRF applies to any Cloud Computing service provided to Cloud Customers having a residence or Customer Address (address provided in the Cloud contract or invoicing address) in Saudi Arabia. This will also be the case even if a CSP is not the CSP who has concluded a Cloud contract with Cloud Customers, if the former CSP has datacenters or other elements of the cloud system in the Kingdom (e.g. if the CSP is providing wholesale cloud infrastructure to a retail Software-as-a-Service provider).

Second, certain provisions of the CCRF are binding on a CSP who owns, operates or offers access to the relevant datacenters or other elements of a cloud system located in the Kingdom, even if its customers are located outside the Kingdom. The applicable provisions include reporting on major information security breaches, take down of unlawful or infringing content, and notification of violations of the Anti-Cyber Crime Law.   

Registration obligation. Conducting certain cloud computing activities such as (i) the exercise of control over data centres or other critical cloud system infrastructure hosted in the Kingdom; or (ii) the processing and/or storing of Customer Content classified as "Level Three" (including Customer content from sector-regulated industries and sensitive Customer Content from public authorities), trigger a registration requirement with the CITC.  

The CSPs' obligation to register with the CITC shall enter into force one month after the CCRF's entry into force.

Reporting of security breaches. CSPs must inform Cloud Customers, without undue delay, of any security breach or information leakage that those CSPs become aware of, if such breach or leakage affects, or is likely to affect, those Cloud Customers' cloud content, customer data or cloud service. CSPs are also subject to notification requirements to the CITC with respect to security breaches or information leakage that they become aware of in certain circumstances.

Content filtering. The CITC is entitled, in accordance with a number of laws and regulations, to filter content generally. However, pursuant to the CCRF, the CITC may decide to exclude certain CSPs from applying the filtering requirements if Customer Data or Customer Content (a) is not directly accessible by any Cloud Users or Internet Users in the Kingdom; or (b) is accessible only to Cloud Users of (i) a private cloud; or (ii) a specific communications network limited to connections between a CSP and connections under the control of a single Cloud Customer. 

Customer Content classification. Customer Content can be subject to different levels of required information security. All content processed using cloud services must be identified as falling into one of four security levels; from non-sensitive content at Level 1 to highly sensitive public sector content belonging to governmental agencies or institutions at Level 4. Information classified under certain levels is subject to transfer restrictions outside the Kingdom.

CSPs disclosure obligations. CSPs are subject to a set of disclosure obligations including:

  • CSPs must disclose to the CITC the location and main features of any of their datacentres located in the Kingdom and the foreign country or countries where any of their datacentres used for the processing, storage, transit or transfer of Customer Data or Customer Content of Cloud Customers that have a residence or customer address in the Kingdom are located.
  • CSPs must inform their Cloud Customers in advance whether their Customer Content will be transferred, stored, processed outside the Kingdom, permanently or temporarily.

Protection of Customers Data. A number of Customer Data protections are contemplated in the CCRF and vary depending on the level of classification of the data. Except in certain limited circumstances, CSPs are not permitted to disclose Customer Content or Customer Data or process or use Customer Content or Customer Data for purposes other than those authorised by the Customer.

CSPs must adopt internal rules and policies on business continuity, disaster recovery and risk management and comply with certification schemes and/or standards (including encryption standards) that may be defined as mandatory by the CITC.

Cloud Customer protections. Prior to the conclusion of a Cloud Contract with a Cloud Customer, CSPs must provide clear and transparent information to that Cloud Customer on the object of the service, the conditions of use, Cloud Service levels and applicable payment terms. The CCRF provides for certain mandatory provisions that aim to protect the interests of the Cloud Customers that must be included in Cloud Computing contracts.

Actions to take

Consider if the services that you provide fall under the scope of application of the CCRF and comply with the new requirements imposed by the CITC.

Please feel free to contact our team for any assistance.

 

 

 

Zahi Younes Partner, Saudi Arabia / UAE [email protected] bakermckenzie.com

Ian Walden Of Counsel, London [email protected] bakermckenzie.com

 

www.bakermckenzie.com

Legal Advisors Abdulaziz AlAjlan & Partners

in association with

Baker & McKenzie Limited

Olayan Complex, Tower II,

3rd Floor, Al Ahsa Street, Malaz

P.O. Box 69103, Riyadh 11547

Saudi Arabia

Tel: +966 11 265 8900

Fax: +966 11 265 8999

 

Baker & McKenzie LLP

100 New Bridge Street

London EC4V 6JA

United Kingdom

Tel: +4420 7919 1000

Fax: +4420 7919 1999

©2018 Baker & McKenzie. All rights reserved. Baker & McKenzie International is a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “partner” means a person who is a partner or equivalent in such a law firm. Similarly, reference to an “office” means an office of any such law firm.

This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

 

 

Content is provided for educational and informational purposes only and is not intended and should not be construed as legal advice. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee similar outcomes. For more information, please visit: www.bakermckenzie.com/en/client-resource-disclaimer.

Baker McKenzie - Zahi Y. Younes and Ian Walden

Back Forward
  • Save & file
  • View original
  • Forward
  • Share
    • Facebook
    • Twitter
    • Linked In
  • Follow
    Please login to follow content.
  • Like
  • Instruct

add to folder:

  • My saved (default)
  • Read later
Folders shared with you

Filed under

  • Saudi Arabia
  • Internet & Social Media
  • Baker McKenzie

Topics

  • Cloud computing

Popular articles from this firm

  1. Saudi Arabia: CITC Issues Public Consultation on Digital Content Platform Regulations *
  2. Private Equity (Fund Formation) in Saudi Arabia *
  3. Q&A: tax issues for private equity funds in Saudi Arabia *
  4. Saudi Arabia: Labor Update - Labor reforms for foreign national private sector workers (2) - Conditions for each of the Initiatives *
  5. Private Equity (Transactions) in Saudi Arabia *

If you would like to learn how Lexology can drive your content marketing strategy forward, please email [email protected].

Powered by Lexology

Related practical resources PRO

  • Checklist Checklist: Reducing the risk of Coronavirus (COVID-19) - guidance for employers (UK)
  • Checklist Checklist: Meeting with a competitor (UK)
  • How-to guide How-to guide: How to identify and prioritise competition law risk in your organisation (non-dominant and dominant organisations) (UK)

Related research hubs

  • Saudi Arabia
  • Internet & Social Media
Back to Top
Resources
  • Daily newsfeed
  • Commentary
  • Q&A
  • Research hubs
  • Learn
  • In-depth
  • Lexy: AI search
Experts
  • Find experts
  • Legal Influencers
  • Firms
  • About Instruct Counsel
More
  • About us
  • Blog
  • Events
  • Popular
Legal
  • Terms of use
  • Cookies
  • Disclaimer
  • Privacy policy
Contact
  • Contact
  • RSS feeds
  • Submissions
 
  • Login
  • Register
  • Follow on Twitter
  • Follow on LinkedIn

© Copyright 2006 - 2022 Law Business Research

Law Business Research