Saudi Arabia

Summary

Saudi Arabia presents high risk for crawling involving personal data and moderate risk for pure content scraping. The Anti-Cyber Crime Law (Royal Decree M/17, 2007) criminalises unauthorized access, interception, and invasion of privacy, with up to one year's imprisonment and SAR 500,000 in fines for Art. 3 violations. The Personal Data Protection Law (PDPL, in force September 2023, grace period ended September 2024) is strict: explicit consent is required for processing personal data, there is no meaningful publicly-available-data exemption, and the SDAIA's August 2024 Transfer Regulation imposes strict cross-border transfer conditions (adequacy, SCCs, or BCRs). SDAIA enforcement is active: 48 formal decisions were issued against violating organizations in 2025, with fines up to SAR 5,000,000 per violation. A new Copyright Law (Royal Decree No. M/169, 13 February 2026) was enacted and takes effect 1 August 2026; it introduces an AI training exception (Art. 26, permitting reproduction for AI/algorithm development limited to what serves the purpose) and quadruples financial penalties relative to the current 2003 law. Until 1 August 2026, the current 2003 copyright law applies, which has no TDM exception and no EU-style sui generis database right. No scraping-specific case law is available in English.