New Telecommunications and Information Technology Law in Saudi Arabia: Clyde & Co
Saudi Arabia has updated its telecommunications regulatory regime with the enactment of a new Telecommunications and Information Technology Law. This article examines the new features introduced by this legislation and how its broader focus on innovation and emerging technologies could support the digital transformation agenda in the Kingdom.
The Law on Telecommunications and Information Technology promulgated by Royal Decree No. M/106 of 02/11/1443H (equivalent to 1 June 2022) (the Law) was published in the Saudi Gazette on June 10, 2022 and will enter into force on December 7, 2022. The law will repeal the Telecommunications Law enacted by Royal Decree No. M/12 of 03/12/1422H (June 4, 2001) (the old law), expanding the scope and focus of telecommunications to include new forms of digital technology and services.
The law will be supplemented by additional regulations which must be published within 180 days from the date of publication of the law in the Official Gazette (the Rules). The rules will come into force at the same time as the law and we anticipate that they will have a similar function to the existing statutes under the old law, which establish the basis of the current licensing regime and the main obligations of operators. approved.
The Saudi Communications and Information Technology Commission (CITC) will remain the primary authority responsible for monitoring and enforcing the law.
The law extended the scope of purely telecommunications services under the old law to a range of ICT activities and services. The law now regulates emerging technologies with a particular focus on promoting digital transformation in Saudi Arabia and encouraging innovation, entrepreneurship, research and technical development.
The definition of telecommunications is expanded to recognize machine-to-machine communication systems and devices. The law also defines information technology in general terms to include “technologies, software, systems, networks and any related processes for creating, compiling, securing, processing, storing or analyzing data or information, including telecommunications and information technology applications.” This brings a range of digital service providers within the scope of the new regime.
Goals and objectives
The law clearly stated the objectives of developing and promoting digital transformation in Saudi Arabia and improving the services provided in the field of ICT.
A strong theme of innovation through entrepreneurship and research is intended to contribute to the development of this sector within the Kingdom. There is also specific reference to encouraging the development of emerging technologies, which are defined as technological innovations representing a progressive step in a certain field and achieving a competitive advantage over dominant technologies. This is in line with the Kingdom’s broader plans to develop a digital economy, as evidenced by the objectives expressly set out in the law to “transfer and locate» technology and develop local content sharing.
In line with the old law, the law states that service providers are responsible for setting appropriate prices for ICT services and that controlling service providers (i.e. those who hold more than 40% of the relevant market) must respond to requests for interconnection or accessibility under fair conditions and on fair terms. fair prices based on CITC approved costs.
Mergers between service providers (in the Kingdom or abroad) or the acquisition of more than 5% of the shares or shares of any approved service provider are subject to the prior approval of the CITC Board of Directors.
The law also prohibits controlling service providers from abusing their dominant position and the rules are expected to further detail prohibited anti-competitive practices.
License, registration and authorization
Licenses are now required not only for the provision of telecommunications services, but also for the use of telecommunications networks for these purposes. This suggests the possibility of over-the-top regulation of services that provide telecommunications functionality.
Other licensed activities include the provision of infrastructure services to public telecommunications networks, the use of any numbering resource or frequency spectrum and the provision of Saudi domain name registration services or the establishment of centers for its recording. Further details on licensing requirements will be set out in the rules.
Apart from the licensing regime, the law also refers to other types of approval in the form of registration or authorization. The law provides that CITC’s Board of Directors may require a license, registration or authorization for the provision of specific telecommunications or information technology services (including digital content platforms), possession or the use of ICT devices and the creation of a special telecommunications network. This allows CITC to regulate current, emerging or future technologies through subsequent rules or rulings.
Under the old law, the CITC Board of Directors has the ability to cancel, suspend or modify any license registration. However, this decision must be based on a reasoned reason or following a change in market conditions.
Finally, the law revises the provisions relating to the granting of a licence. It requires CITC approval before making any material change in ownership of a Licensee or Registered Supplier. The CITC must render its decision within 90 days of the filing of an application, failing which the application will be deemed accepted. The Act does not define what constitutes a material change and it is expected that more clarity will be provided in the Rules.
Data protection and cybersecurity
A notable addition to the law is a chapter on the protection of user data and confidential documents. This follows recent developments in Saudi Arabia, including the publication of the Kingdom’s first personal data protection law at the end of 2021. The law requires service providers to comply with the provisions of the new data protection law. personal data when using, controlling or processing any user’s personal data. .
The Act obliges service providers to take all necessary measures and precautions to ensure the protection and confidentiality of users’ personal information and documents. User data cannot be disclosed without the user’s consent. Telephone communications or information disclosed on public communication networks are expressly declared confidential and may not be consulted, viewed or recorded, except as required by law.
Service providers also have a duty to notify users and CITC in the event of a breach of user’s personal data or documents and to take appropriate steps to protect personal data.
The law specifies that the CITC will ensure the protection of cybersecurity and critical infrastructures (defined as the networks and computing devices whose equipment could totally or partially disrupt or undermine the stability or security of the sector) by complying with the decisions issued by the National Cybersecurity Authority (CNA). The law also notes that the CITC will assess each service provider’s level of cybersecurity to ensure that protection is adequate in accordance with the levels expected by the NCA.
Offenses and Penalties
The predicate offense of providing telecommunications services or establishing a public telecommunications network without a license is necessarily broadened to cover the exercise of any activity requiring a licence, registration or authorization under the new regime (see “Licensing , Registration and Authorization” above). . In addition, the law now creates a broader offense with respect to possessing, selling, leasing, making available, manufacturing, producing, or trading in any equipment, service, or software that does not meet specifications. techniques and standards required or which do not otherwise comply with the rules, controls and requirements established by the CITC.
Penalties that may be imposed include a fine of up to SAR 25,000,000 (US$6,657,500), which is in line with the old law. In addition to similar rights for the CITC to suspend the services of any operator who violates their license terms, the law also expressly refers to the total or partial blocking of digital content platforms and the CITC is empowered to provide technical support for the enforcement of final court judgments against digital platform service providers.
The Act introduces new concepts and significantly expanded CITC’s core mandate under the old Act to include providers of digital infrastructure and services in addition to telecommunications network operators. Businesses operating in this space should take steps to assess law enforcement, including licensing, registration, or authorization requirements.
Although the law emphasizes innovation and development of the local ICT sector, this will be subject to the regulatory and governance framework set out in the law and rules.
The law does not directly address specific technologies or issues such as cryptocurrency, NFTs, artificial intelligence, or the metaverse. However, the Rules or future decisions made under the Act may introduce specific regulation in these areas.