Saudi Arabia's data protection authority steps up enforcement

Saudi Arabia's data protection authority, the Saudi Data and Artificial Intelligence Authority, has entered a new phase of regulatory maturity, marking 2025 as a turning point in its oversight of data privacy practices.

Contributors:
Basmah Alsubaie
CEO
Privacy Professionals, LLC
Saudi Arabia's data protection authority, the Saudi Data and Artificial Intelligence Authority, has entered a new phase of regulatory maturity, marking 2025 as a turning point in its oversight of data privacy practices. The authority announced that its specialized committees issued 48 decisions over the past year against organizations found in violation of the Personal Data Protection Law and its implementing regulations. This heightened enforcement activity underscores the government's determination to entrench data privacy as a cornerstone of the Kingdom's digital transformation agenda.
A structured phase of enforcement
The 48 decisions represent the first substantive wave of adjudications since the PDPL became enforceable in September 2023 following its initial transition period. These committees are vested with quasi‑judicial powers to investigate suspected infringements, review evidence, and impose administrative sanctions, including warnings, fines and orders to remedy noncompliant practices. Their growing caseload signals that enforcement mechanisms are now fully operational and that compliance with the PDPL is no longer optional.
According to the SDAIA's official announcement, the cases covered a diverse set of issues, ranging from unlawful collection and processing of personal data to insufficient technical and organizational security controls. A notable number of cases involved the sending of marketing and promotional messages without obtaining prior consent, a violation that remains widespread across sectors such as retail, telecommunications and financial services. The authority emphasized that such violations undermine individuals' confidence in digital communication channels and contravene the PDPL's principles of fairness, transparency and lawful processing.
Key areas of noncompliance
The authority's enforcement notice highlighted recurring themes among noncompliant organizations. Common violations included:
Processing without a lawful basis. Organizations collected personal data beyond what was necessary for the stated purpose or without a clear legal justification.