Data Privacy & Digital Rights
Saudi Arabia's Personal Data Protection Law (PDPL, Royal Decree M/19 of 2021) has been fully enforced since 14 September 2024. SDAIA is the enforcing authority; administrative fines run up to SAR 5M. The Anti-Cyber Crime Law and the Anti-Harassment Law 2018 cover NCII and online harassment.
Covered in this guide:
Saudi Arabia entered a new data-rights era when the Personal Data Protection Law (PDPL) came into full enforcement on 14 September 2024, after a 1-year grace period from the initial enforcement date of 14 September 2023. The PDPL, issued by Royal Decree M/19 of 16 September 2021 and amended by Royal Decree M/148 of 2023, is the Kingdom's first comprehensive data-protection statute. The regulator is the Saudi Data and AI Authority (SDAIA), working with the National Data Management Office (NDMO). The Implementing Regulations were issued on 7 September 2023; the Regulation on the Transfer of Personal Data Outside the Kingdom was replaced by a new version on 1 September 2024.
For non-consensual intimate imagery (NCII), deepfake sexual content, and sextortion, the criminal framework is the Anti-Cyber Crime Law 2007 (Articles 3, 4, 6) and the Anti-Harassment Law 2018 (a Royal Decree that defines harassment broadly to include modern-technology channels). Investigation runs through Public Security and the Public Prosecution; victims should also use StopNCII.org (for adults 18+ at the time the image was taken) or takeitdown.ncmec.org (for content depicting under-18s). Both services are free and both work in KSA.
Key Laws
Personal Data Protection Law (PDPL) — Royal Decree M/19 of 2021 (amended M/148 of 2023)
Royal Decree M/19 of 14 Sept 2021; amended Royal Decree M/148 of 27 March 2023
KSA's first comprehensive data protection statute. Enforced 14 September 2023; full compliance from 14 September 2024 (1-year grace). Regulator: SDAIA + NDMO. Administrative fines up to SAR 5,000,000; criminal penalties up to 2 years for serious offences. Implementing Regulations 7 Sept 2023; cross-border Transfer Regulation re-issued 1 Sept 2024.
Anti-Cyber Crime Law (Royal Decree M/17 of 2007)
Royal Decree M/17 of 26 March 2007
Article 3 — defamation / harm via IT devices (up to 1 year / SAR 500,000). Article 4 — unauthorised access + blackmail / coercion (up to 5 years / SAR 3,000,000). Article 6 — offences against public morality / privacy / family values via electronic means.
Anti-Harassment Law (Royal Decree M/96 of 1439H / 2018)
Royal Decree M/96 of 2018
Article 1 defines harassment broadly as any saying, act, or sign of sexual significance directed at a person — explicitly includes 'modern technology'. Covers cyberstalking, online sexual harassment, and NCII alongside the Anti-Cyber Crime Law.
Removing Non-Consensual Intimate Imagery (NCII)
NCII — non-consensual intimate imagery — in Saudi Arabia runs on three parallel paths. The criminal path is the Public Security Department + Public Prosecution under the Anti-Cyber Crime Law 2007 Arti...
Your Rights Under the Saudi Personal Data Protection Law (PDPL)
The Saudi Personal Data Protection Law (PDPL) — Royal Decree M/19 of 14 September 2021, amended by Royal Decree M/148 of 27 March 2023 — entered enforcement on 14 September 2023 with a 1-year grace pe...
Cyberstalking and Online Harassment in Saudi Arabia
Cyberstalking and online harassment in Saudi Arabia are criminal under two layered statutes. The Anti-Cyber Crime Law 2007 (Royal Decree M/17) covers: Article 3 defamation and harm via IT devices (up...