In line with global trends Saudi Arabia has taken decisive steps toward building a comprehensive framework for personal data protection. As Saudi Arabia's data protection regime takes shape, the intersection between data privacy and competition law becomes apparent. The overlap between these two regulatory regimes—each enforced by separate authorities—poses new compliance and operational risks for companies active in the Kingdom. This client brief considers the increasingly overlapping landscape of data protection and competition law in Saudi Arabia.
Saudi Arabia's Personal Data Protection Law, first introduced in 2021 and revised in 2023, introduced a significant shift in how personal data is governed in the Kingdom. The law is enforced by the National Data Management Office, a department of the Saudi Data and Artificial Intelligence Authority (SDAIA). At its core, the Data Protection Law seeks to ensure that personal data is collected, stored, processed, and transferred in a lawful, transparent, and secure manner. The Saudi legislator took substantial inspiration from the EU's General Data Protection Regulation (GDPR) when drafting the Kingdoms Data Protection Law. Still, some differences remain. Notably, the Saudi Data Protection Law adopts a more consent-heavy approach to data collection and processing—meaning that in most cases, organizations must obtain explicit permission before processing personal data. This creates a high bar for compliance, especially in digital sectors where user data flows constantly and often invisibly.
The law also places significant restrictions on cross-border data transfers, with a default requirement that personal data of Saudi residents be stored in Saudi Arabia. Data may only be transferred aboard with the prior approval of the SDAIA.
The overlap between data protection and competition law remains largely uncharted in Saudi legal discourse. However, as the General Authority for Competition (GAC) becomes increasingly interested in digital markets—such as fintech, e-commerce, logistics, and AI—the relevance of data in competition regulations processes is becoming more relevant and intersections of Saudi data protection and competition regulations become more frequent. In some cases the goals pursued through data protection and competition law will overlap, in other cases these goals may conflict. Both requiring alignment at the legislative level and management at the enforcer level. To date the SDAIA and the GAC cooperate rarely. This poses challenges in several areas.
Data as a competitive asset
In the digital age, access to user data is a key driver of market power. Amassing and processing vast amounts of personal data allows companies to build superior algorithms, target users more effectively, and develop network effects that establish or entrench their market dominance.
The Data Protection Law constraints the ability of companies to gather data by consent requirements to increase protection of individuals. While positive from a data protection perspective, this protection has negative effects for competition. Larger companies are better positioned to meet the demands of the Data Protection Law. They have more touchpoints with users, more resources to build consent flows, and greater brand trust. Smaller players may struggle to compete, leading to an environment where data protection mechanisms inadvertently reinforces market dominance of large tach companies. This exacerbation of market power discrepancy caused by data privacy provisions is currently not addressed by Saudi law.
Data portability: a missed opportunity
Unlike the GDPR, the Saudi Data Protection Law does not include a strong right to data portability; the right of customers to take their data from one service and move it to another. In the absence of such a mechanism, customers face difficulties when switching services, causing customers to more frequently stay with current providers. This provides barriers for market entry. Hence, data portability rights that serve to empower individuals by allowing them broader capacity to take ownership of their data also serve a function in competition regulations. From a competition regulations perspective data portability rights enable fair market entry conditions and consumer choice. The lack of robust data portability rights in Saudi Arabia, therefore, not only impacts data protection but also competition in the Kingdom.
Cross-border data flows as an economic lever
By requiring approval for cross-border transfers, the Data Protection Law grants SDAIA considerable authority to regulate cross-border data flows. This may serve national security interests and strengthen data privacy rights. On the other hand, these data localization rules disadvantage Saudi businesses and make investment in the Kingdom more costly. Saudi businesses and international businesses engaged in Saudi Arabia will have to set up separate facilities and processes to store and process data of Saudi residents where they cannot procure approval to transfer data aboard. This increases costs for investments in Saudi Arabia as well as costs of business operations in the Kingdom. Thus, it raises barriers for market entry and trade with Saudi Arabia; in particular, in data intensive sectors.
Merger control and data concentration
Aside from intersections of data privacy and competition regulations, the growing importance of data as an economic good requires competition enforcers to adjust. Currently, the Saudi merger control regime focuses on traditional indicators like revenue and value of sales. This system is less equipped to catch transactions where data-driven business models are involved. Customers pay for products or services of some tech companies not with cash but with data. These companies may not appear dominant when considering their monetary turnover alone. Hence, considering different modes of remuneration or considering different metrics such as active user figures may be necessary to adequately evaluate their market power. Furthermore, the combined datasets of parties to an economic concentration could significantly reduce competition. For example, by enabling the parties to conduct predictive analytics that rivals cannot match. In its current state the Saudi merger control regime is not equipped to address these issues.
This deficiency is not unique to Saudi Arabia. Many merger control regime around the world struggle with adequately addressing digital markets. Different approaches are being developed and refined in several jurisdictions. One tool the Saudi merger control regime offers the GAC in this respect is the GAC's authority to call in transactions that while not meeting the (Saudi) turnover notification threshold potentially affect competition in the Kingdom due to other factors. Still, this authority is only rudimentarily established in the Saudi Merger Guidelines. It primarily serves to catch transactions that generate cross-border effects of business activities in geographical markets outside of Saudi Arabia or trickle down effects of shifts in the competitive landscape globally. The Guidelines do not contemplate the GAC considering different matric such as active user data or effects of concentration of data stocks when assessing whether a transaction requires notification under the Saudi merger control regime. Including these may allow the GAC to more effectively address concentrations in digital markets or data focused sectors.
Way forward
Data privacy and competition intersect in several ways. In some cases the goals pursued with the different regulations align. In other cases they conflict. Either way alignment on the legislative and cooperation on the enforcer level are necessary to address these intersections. Furthermore, companies should be aware of the increasing interest the GAC takes in digital markets. This may cause the GAC to actively address conflicts between the Saudi data privacy and competition regimes and seek closer cooperation with the SDAIA. Furthermore, the GAC may expand their competitive assessments to include data specific metrics in an afford to more effectively expand their jurisdiction over digital markets and other data-heavy businesses.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
