In February 2018, Saudi Arabia’s telecoms regulator issues the Cloud Computing Regulatory Framework to regulate cloud service providers (CSPs) and cloud services in the Kingdom.

While any move to regulate any technology is often decried by tech companies as an unnecessary burden, cloud users could benefit from a Framework that offers substantial new legal protection.

Among the various administrative requirements of the new Framework (including a licensing regime for CSPs providing services into Saudi Arabia or operating cloud infrastructure from the Kingdom), the following new rights create a substantially improved legal landscape for customers:

  1. Information provision - the requirement on CSPs to make certain pre-contract information available to customers and to include mandatory information within customer contracts will help customers better understand their rights and the CSPs’ cloud service offerings.
  2. Data protection - personal and business data must be protected under the Framework with specific rules including a prohibition on dissemination to any third parties unless required by law or with the consent of the customer.
  3. Consumer protection - CSPs are restricted from limiting their liability unreasonably and certain contractual terms are deemed unfair.
  4. Breach notification - in the event of a data breach or loss of data, CSPs may be required to notify the authorities and/or customers with details of the incident.
  5. Security classification - cloud users can specify the level of security to be applied to their cloud content, allowing greater flexibility around security treatment.

As the Kingdom’s sweeping changes under Vision 2030 gather pace, technological innovation will be a key catalyst for the transformation. The Saudi government will hope that the Cloud Framework accelerates adoption of technology to support this change.