Saudi Arabia’s ‘Cloud Computing Regulatory Framework’ is no more… or is it?
Law Update: Issue 364 - Healthcare & Life Sciences Focus
Nick O’Connell, Partner, Head of Digital & Data - Saudi Arabia
Saudi Arabia’s Communications, Space and Technology Commission (CST) recently issued ‘Cloud Computing Services Provisioning Regulations’ (Cloud Regulations). The Cloud Regulations replace the third version of the Cloud Computing Regulatory Framework (the old Framework), which was most recently updated in December 2020. In this article, we look at whether the new regulatory document brings any substantive changes to the cloud regulatory landscape. In a subsequent article, we look at the implications of the introduction of a new Data Centers Services Regulation.
The Cloud Regulations, recently issued by CST (formerly known as CITC or the Communications & Information Technology Commission), do not contain wholesale changes that entirely up-end the previous regulatory regime in this space. They do, however, warrant some attention.
The changes as discussed below can be summarised broadly as follows:
Minor changes as to form
Changes to cybersecurity aspects
Breach notification obligations
“Safe harbour”
Mandatory requirements of cloud contracts
The majority of the changes in the Cloud Regulations relate to form rather than substance. Besides the change in the name of the document itself, the Cloud Regulations are very similar to what was previously known as the Cloud Computing Regulatory Framework. The Cloud Regulations also reflect that CST’s name has been changed from CITC.
The introduction at the beginning of the document reflects Saudi Arabia’s ‘new’ Telecommunications & Information Technology Law 2022 (issued under Council of Ministers Resolution No. 592 (dated 01/11/1443H; 31 May 2022) and approved by Royal Decree No. M/106 (dated 02/11/1443H; 2 June 2022)), rather than the ‘old’ Telecommunications Law 2001 that it replaced. The new introduction lists the purposes of the Cloud Regulations as to encourage digital transformation, to motivate adoption of technologies in all sectors, and to provide an attractive investment environment that appeals to leading multinationals in the sector.
There are also some adjustments (at least in the English) to the terms used to refer to levels of confidentiality of data of Saudi government agencies.
The old Framework included a number of implications related to cybersecurity and the powers of the National Cybersecurity Authority (NCA). For the most part, these cybersecurity considerations are not reflected in the Cloud Regulations. We summarise these changes briefly as follows:
The old Framework (at 3.1.2) provided a number of obligations applicable to the processing or storing of subscriber content or data, temporarily or permanently, in data centers (or in other elements of a cloud computing system) located in the Kingdom. One of these (at 3.1.2.1) was the obligation to report major cybersecurity incidents. This requirement no longer appears in the Cloud Regulations.
The old Framework (at 3.3.2) provided that the provisions were not to be understood as prejudicing any rules in the Kingdom applicable to certain activities, including (at 3.3.2.2) the obligation on cloud computing subscribers, in relation to outsourcing, transmission, processing or storage, to comply with restrictions or preventative measures in respect of cybersecurity or data protection or integrity in addition to those set out in the old Framework. (The reference to cybersecurity was couched in terms of, ‘as long as they do not conflict with what is issued by the National Cybersecurity Authority’.) Regulation 3.3.2.2 of the Cloud Regulation no longer features reference to preventative measures in respect of cybersecurity or data protection or integrity.
Under the heading ‘Subscriber Data Classification Responsibility’, the old Framework included (at 3.3.5) a requirement that cloud computing subscribers be responsible for implementing all cybersecurity requirements applicable to any part of their content. This has been removed, and the Cloud Regulations (at 3.3.4) continue to require cloud computing subscribers to choose the appropriate data classification as set out in the Cloud Regulations (or any other similar list provided for this purpose by the cloud computing service provider), which is in conformity with their security requirements, specific needs, obligations and duties.
Under the heading ‘Subscriber Content Site and Transfer’, the Cloud Regulations no longer feature wording previously found (at 3.3.7) in the old Framework and that required the cloud computing service provider to inform cloud computing subscribers of the cybersecurity requirements that the cloud computing service provider provides or that apply to the cloud computing subscriber's content.
A heading that previously referred to ‘Reporting of Cybersecurity Incidents’ now refers to ‘Reporting Subscriber's Information and Documents Breaches’. An obligation to report cybersecurity incidents or violations of cybersecurity to NCA (at 3.3.12 of the old Framework, alluded to when discussing 3.1.2, above) does not appear in the Cloud Regulations.
Under a heading related to content in violation of law or intellectual property rights, in respect of an obligation to notify CST and/or any competent authority without undue delay, the Cloud Regulations include (at 3.5.6) additional wording that carves out application of such obligation in respect of cybersecurity matters.
Under a heading relating to ‘Quality Standards’, reference (at 3.8.1.3) in the old Framework to an obligation on cloud service providers to adhere to any documentation plans and/or standards that can be defined as mandatory by virtue of a decision from CST has been amended in the Cloud Regulations to omit reference to encryption standards issued by the National Cybersecurity Authority. The Cloud Regulations remove an entire provision (3.8.3 of the old Framework) permitting CST to issue decisions – provided they do not conflict with NCA – in respect of authentication plans and standards for cloud computing that may differ according to the required level of cybersecurity, […] or other standards.
Overall, the purposes of these amendments seem to be aimed at removing references to NCA where such references are not essential - rather than to suggest that cloud services or CST’s requirements in respect of the same are not subject to NCA to the extent they touch on cybersecurity.
Under a heading related to ‘Subscriber Protection and Unfair Contract Terms’, the old Framework listed (at 3.7.2.3) ‘any cybersecurity incidents’ in a list of circumstances for which cloud computing service providers do not have the right to disclaim liability, if such loss and damage could logically, wholly or partially, be attributed to intentional acts, negligence or omission by the service provider. The reference to ‘any cybersecurity incidents’ does not appear in the Cloud Regulations, with the implication being that cloud computing service providers are able to disclaim liability in respect of such events. Additionally, the old Framework (at 3.7.5.3 and 3.7.5.4) provided further specific scenarios where cloud service providers were able to limit their liability: in circumstances where subscribers chose to self-insure (where this option was flagged to them by the cloud service provider) or opt out of back-up solutions offered by the cloud service provider, or – in respect of corporate subscribers (rather than individuals) – where the cloud service provider agreed with the subscriber that it could limit its liability. Both these scenarios alluded to the NCA, and neither of them remains in the Cloud Regulations. Our reading is that the removal of these requirements is aimed at removing provisions that were somewhat convoluted, and further clarifying the circumstances in which cloud service providers are able to limit liability.
Under a heading that now refers to, ‘Reporting Subscriber's Information and Documents Breaches’, the provisions relating to data breaches remove reference to notification to NCA, but maintain (at 3.3.9) an obligation on cloud service providers to notify the CST and cloud subscribers without undue delay of breaches of any user information or documents of which it becomes aware. (This wording is somewhat ambiguous, and would benefit from being aligned with the definition of Subscriber Data and Subscriber Content used in the Cloud Regulations.)
The provision also requires CST to notify the National Data Management Office if these breaches affect or are likely to affect government agencies (or) a large number of people in the Kingdom due to its reliance on the services of one or more cloud computing subscribers that have been affected by the breach. While the drafting would benefit from clarification, it is curious to note the suggestion that CST is responsible for notifying NDMO; presumably this is without prejudice to the personal data breach notification obligations arising under Saudi Arabia’s new Personal Data Protection Law and its Regulations.
Under a heading related to content in violation of law or IP rights, a provision that limits cloud service providers’ responsibility in respect of cloud subscribers’ content, to the extent that such content is in violation of laws or infringes the intellectual property rights of others, has been amended. Regulation 3.5.2 of the old Framework previously provided that a cloud service provider does not assume any administrative or criminal responsibility under [the old] Framework, or any law, regulation, decision or instructions, including the Anti-Cyber Crime Law, only based on the fact that the subscriber's content violates the law, or infringes the intellectual property rights of others, or has been downloaded, processed, or stored in a cloud computing system of the cloud computing service provider. This wording provided a fairly clear basis that a cloud service provider could rely on to argue that it would not be responsible under, for example, the Anti-Cyber Crime Law, in the event that it was found to be hosting subscriber content that was contrary to such law. In the Cloud Regulations, the new wording of this provision removes the specificity found in the old Framework, but still provides that a cloud service provider ‘does not assume any responsibility’; however, it also includes new wording, where it mentions that this limitation is ‘without prejudice to applicable laws’. This could be seen to pull back from the broad protection afforded by the wording of the old Framework on this point.
A key aspect of the old Framework and the Cloud Regulations is the section that provides for information about cloud computing service contracts and mandatory minimum requirements. In the Cloud Regulations, this section remains largely unchanged, with limited exceptions.
There have been some adjustments to a provision (3.6.3.7) that focuses on the law applicable to cloud contracts. The amendments seem aimed at clarifying the position previously expressed, with the Cloud Regulations now providing that the applicable law of the cloud computing contract cannot nullify any of the provisions of [the Cloud Regulations] or any other obligatory laws applied in the Kingdom that may not be nullified by choosing other international laws. This hints at the possibility that parties to a cloud contract may agree to a governing law other than the law of Saudi Arabia, provided that in doing so the choice of law does not result in the Cloud Regulations, or other Saudi mandatory requirements, being overridden by such other law. To the extent that, under general principles, were a claim to be brought before a Saudi court, such court would apply Saudi law, and to the extent that there are requirements for Saudi government entities to have their contracts subject to Saudi law and Saudi courts, the practical application of this provision may have limitations for those hoping to apply a foreign law. We also note that the provision that allows for disputes to be submitted to CST for dispute resolution remains untouched.
There have also been adjustments to a provision relating to data portability following termination of a cloud contract. Under the old Framework (at 3.6.6), there was a requirement for the cloud service provider, upon the request of the cloud subscriber, to provide the cloud subscriber with a copy of the subscriber’s content in a commonly used format – or make it available to another service provider at the subscriber’s direction. The Cloud Regulations have removed the somewhat prescriptive requirements found in the old Framework and replaced them with a simpler obligation to enable the subscriber to access its content, for a certain period of time and with the specific means and format, as agreed in the cloud computing contract. It will be important for the parties to ensure that this is reflected in the terms of their cloud computing contracts so as to avoid any disputes on this aspect.
The new Cloud Regulations warrant some attention. While they do not entirely change the previous regulatory regime, they do include some implications that may be relevant to cloud service providers, and their subscribers, particularly with regard to implications on limitations of liability and post-termination obligations.
For further information, please contact Nick O’Connell and Ali Abbas.
Published in January 2024