A New Legal Basis for Cybersecurity in the Middle East

Saudi Arabia’s Anti-Cybercrime Law is a cybersecurity law that was passed in 2007. While Saudi Arabia has yet to pass a national comprehensive data protection law, the country does have a robust legal framework as it relates to cybersecurity. To this end, the Anti-Cybercrime Law was passed to help both combat and identify cybersecurity threats within Saudi Arabia, as well as impose penalties and punishments for individuals who are found to have violated the law. As such, the Anti-Cybercrime Law ensured that information security within Saudi Arabia was enhanced, the rights of Saudi Arabian citizens were protected as it pertains to the legitimate use of information and computer networks, the public interests, morals, and common values of the Saudi Arabian populace were protected, and the national economy of Saudi Arabia was protected.

How does the Anti-Cybercrime Law define information systems and networks?

Under the Anti-Cybercrime Law, an information system is defined as “a set of programs and devices designed for managing and processing data, including computers”. Alternatively, the law defines an information network as “an interconnection of more than one computer or information system to obtain and exchange data, e.g. Local Area Network (LAN), Wide Area Network (WAN), and World Wide Web (Internet)”. Moreover, the law defines cybercrime as “any action which involves the use of computers or computer networks, in violation of the provisions of the law”. Additionally, the law defines a person as “any natural or corporate person, whether public or private”.

Conversely, the law defines data to mean “information, commands, messages, voices, or images which are prepared or have been prepared for use in computers. This includes data that can be saved, processed, transmitted, or constructed by computers, such as numbers, letters, codes, etc.”. What’s more, the law defines a computer as “any electronic device whether movable or fixed, wired or wireless, which is equipped with a system to process, store, transmit, receive or browse data and perform specific functions according to programs and commands”, while unauthorized access is defined as the “the deliberate, unauthorized access by any person to computers, websites, information systems, or computers networks”.

What are the provisions of the Anti-Cybercrime Law?

Saudi Arabia’s Anti-Cybercrime Law established several regulations and provisions as it relates to cybersecurity in the country. Some of these regulations and provisions include:

• Article 3– Any person who is found to have committed one of the following cybercrimes is subject to a term of imprisonment not exceeding one year, as well as a fine of five hundred thousand riyals ($133,274): Spying on, intercepting, or receipting data transmitted through a computer or information network without proper and legitimate authorization, unlawfully accessing computers for the purposes of blackmailing a person to compel them to either refrain from or take an action, be it unlawful or lawful, unlawfully accessing a website or hacking a website with the purposes of changing its design, destroying or modifying it, or occupying its URL, the invasion of privacy through the misuse of “camera-equipped mobile phones and the like”, and defaming or inflicting damage upon others through the use or implementation of information technology devices.
• Article 4– Any person who is found to have committed one of the following cybercrimes subject to a term of imprisonment not exceeding three years, as well as a fine of two million riyals ($533,278): Acquiring bonds or movable property for oneself or others through the use of a false name, identify, or others means of fraud, the illegal access of credit or bank data, pertaining to the “ownership of securities with the intention of obtaining data, information, funds, or services offered”.
• Article 7– Any individual who commits any of the following cybercrimes will be subject to a term of imprisonment not exceeding ten years, as well as a monetary fine not exceeding five million riyals ($1,133,132): Constructing or publicizing a website on a computer or information network for terrorist organizations for the purposes of facilitating communication with members or leaders of such organizations, financing them, promoting their ideologies, publicizing methods for manufacturing incendiary devices or other explosives, or any other methods or means used to further terrorist activities, or, unlawfully accessing a website or information system directly, or through an information network or computer for the purposes of obtaining information or data that would jeopardize the internal or external security of Saudi Arabia or its national economy.
• Article 9– Any individual who assists or collaborates with others for the purposes of committing any of the crimes stipulated in the law shall be “subject to a punishment not exceeding the maximum punishment designated for such crimes”.

What are the penalties for violating the Anti-Cybercrime Law?

As stated above, individuals who are found to be in violation of the Anti-Cybercrime Law are subject to a range of monetary penalties, as well as criminal liability. However, article 8 of the law also stipulates that the term of imprisonment or monetary fine imposed may not be less than half of the maximum should the violation of the law be coupled with one of the following circumstances:

• The crime was conducted or perpetrated through the use of organized crime.
• The offender in question holds a public office in Saudi Arabia, and the crime that was committed is related to said public office, or the crime was committed as a result of the power and influence of holding said public office.
• The crime involved the luring or exploitation of minors.
• The offender in question has been previously convicted of similar crimes in the past, be they within or outside of the country of Saudi Arabia.

Much like the Chinese Cybersecurity Law, Saudi Arabia’s Anti-Cybercrime Law was passed specifically for the purpose of tackling cybercrimes within Saudi Arabia. As China has also passed other legislation in recent years that pertain to data protection and privacy, including the Personal Information Security Specification, Saudi Arabia could seek to take a similar approach in the future. However, despite the fact that Saudi Arabia does not have a national data protection law, the Anti-Cybercrime Law does stand as a major deterrent to individuals who look to misuse the personal data of Saudi Arabian citizens for nefarious purposes or means, as the punishments that can be imposed as a result of failing to comply with the law can be extremely steep.