Out-Law Analysis 3 min. read
14 Jun 2023, 11:16 am
Businesses engaged in the provision of emerging ICT services could find themselves subject to telecoms legislation in Saudi Arabia.
The Telecommunications and Information Technology Act was published on 10 June last year and came into effect on 8 December 2022. The new Act replaced previous Saudi telecoms legislation that had been in place since 2001 and, among other things, aims to support the development of the Saudi telecoms and IT sector and encourage digital transformation in the country.
Under the new Act, a greater range of services are potentially subject to telecoms licensing and regulatory requirements than was the case before.
For example, while the Act lists certain services that were already subject to licensing – like providing telecoms services to the public, providing infrastructure service for public telecommunications networks, using numbering resources or radio frequency spectrum, – it also requires obtaining a licence for providing Saudi domain name registration services. Further, it gives the board of the Communications, Space & Technology Commission (the CST) discretion to require businesses to obtain a licence or register with it in some circumstances. This includes if the business:
At a time of increased digital connectivity across the economy, this power could potentially be used to bring businesses across sectors into scope of telecoms regulation in Saudi – the CST board is empowered to set the necessary controls for obtaining a licence, registration or permit, and implementing regulations that supplement the Act provide the board with further scope to cap the number of licences, registrations or permits issued for various activities.
Telecoms licences in Saudi obtained prior to the new Act taking effect remain valid, although such licensees must ensure compliance with any new requirements and bridge any regulatory gaps by 8 December 2023. Significantly, many of the core telecoms aspects remain the same. Issues such as frequencies, numbering, interconnection, use of real estate, competition and M&A, as well as violations and penalties are dealt with in a manner similar under the Act to the old law.
However, in addition to the expanded scope of the Act referenced above, there are a few other important changes.
For example, fixed and mobile telecommunication services no longer need to be provided through joint stock companies that place their stock for public subscription. This may be welcomed as a positive development by businesses interested in offering fixed and mobile services in Saudi as it reduces market entry barriers.
In addition, service providers are now required to obtain the CST’s approval before making any “substantial change” in ownership. This is without prejudice to notification duties under the competition and merger telecoms regime. The implementing regulations provide further detail on what constitutes a “substantial change” – examples include where the provider wishes to amend “any of the essential clauses in the memorandum of association or the articles of association” or where there is “any legal action resulting in another person owning a stake equal to 5% or more of the licensee’s capital”.
Similarly, service providers are now also required to obtain a non-objection certificate from the CST for making any substantial changes in its senior management. The implementing regulations provide further detail on this aspect.
Another notable issue dealt with by the new Act pertains to internet filtering. While historically and in practice, the CST has been responsible for internet filtering in the Kingdom, this was never expressly set out in the old telecoms law. The new Act specifically empowers the CST, after coordinating with other competent authorities, to filter the internet and limit access to specific content online, and to prevent or restrict access to internet services on the gateways. By-passing or circumventing the Kingdom’s internet filtering system is also prohibited.
The new Act has also introduced new obligations in relation to user data confidentiality and protection, supplementing the new Saudi Personal Data Protection Law that will take effect in September. Allied to this, the royal decision approving the Act stressed the importance of the National Cybersecurity Authority (NCA) and compliance with its cybersecurity considerations – for service providers considered as critical national infrastructure, in particular.
The NCA is empowered to require service providers subject to the new Act to conclude mutual agreements to realise cybersecurity objectives, in accordance with NCA’s controls and guidelines, for example. The NCA can also follow up and verify the cybersecurity compliance level of service providers, in accordance with those controls and guidelines, and impose the cost of that follow-up on the providers if they are found negligent. Perhaps most notably, the NCA can also impose penalties provided for in the Act on service providers for violating cybersecurity obligations. Once the NCA coordinates with the CST on a compliance program, such powers may be revoked.
Against the backdrop of new data protection and cybersecurity obligations, it is as yet unclear how potentially overlapping obligations under the Act to communicate details of data breach incidents to the CST, and to affected users, immediately, will interplay in practice.
Co-written by Zil Rehman of Pinsent Masons.
12 Apr 2023