Saudi Arabian Law Overview

The Electronic Transactions Regulation

The Electronic Transactions Regulation, Royal Decree No M/18 of 8 Rabi Awal 1428 Hejra (corresponding to 26 March 2007) and its Implementing Rules are based on the relevant documents prepared by the United Nations Commission on International Trade Law.

The legislation is aimed at establishing functional equivalence between the following electronic communications and their paper-based counterparts:

1. documents or information stored in paper with documents or information stored in the form of an electronic record;
2. documents, records or information provided in written form with documents, records or information provided in electronic form;
3. written contracts made through offer and acceptance with contracts concluded by electronic means; and
4. written signatures with electronic signatures.

The Electronic Transactions Regulation sets out the technical requirements which electronic documents have to satisfy in order to unquestionably produce presumed legal effect, validity and enforceability, which are:

1. the content of electronic documents is stored in a way that preserves these documents in their original form by keeping electronic records in the form in which they were initiated, sent or delivered, attesting a time seal recognized by the National Center for Digital Certification or any time seal expressly agreed by the parties;
   
   
2. information in electronic form can be lined to particular persons or entities for ensuring the integrity of such information, for which purpose electronic documents need to be accompanied by a digital certification certificate, issued by an authorised service provider, generating the legal presumption for courts that the electronic signature is a valid signature; and
   
   
3. authorship of information is secured, for which purpose holders of digital certificates must take necessary precautions to avoid any unlawful use of the data pertaining to the construction of signature and to personal equipment relating to their signature, to exclude unauthorised access to the digital certificate and the electronic signature documents, to apply safe technology as prescribed in the digital certificate, and to notify the certification service provider of unlawful use of the electronic signature.

Electronic documents that satisfy the above requirements must be admitted as presumptive evidence in legal proceedings. If, however, electronic transactions do not satisfy the above requirements, as may be the case for many electronic transactions, the Regulation prescribes the following methods to assess their reliability to qualify as evidence:

1. the method of creating, storing or communicating an electronic record and the possibility of tampering therewith;
   
   
2. the method of maintaining the integrity of information; and
   
   
3. the method of identifying the originator.

The E-Commerce Regulation

On 24 October 2019, the E-Commerce Regulation, Royal Decree No M/126 of 7 Dhul Qada 1440 Hejra (corresponding to 9 July 2019) came into effect. Electronic commerce is defined under Article 1 of the E-Commerce Regulation as an economic activity, conducted either wholly or partially electronically, with the goal of selling products, providing services, advertising or exchanging information in relation to the same. The E-Commerce Regulation applies to both service providers (that is to say, merchants or traders) within Saudi Arabia, and traders outside Saudi Arabia who offer their products and services in the country in a way that makes them obtainable to consumers. The E-Commerce Regulation’s provisions also apply to consumers, and govern various aspects of consumer-service provider relationships online, namely the content of advertisements, service provider disclosure obligations and consumer data protection measures.

Disclosure Obligations

Service providers must display the following information on their websites:

1. the service provider’s name and any distinctive identifier they possess;
2. the service provider’s address;
3. the service provider’s contact details;
4. the name of the register in which the service provider is registered and their number, if registered in a commercial register or other public register;
5. the privacy policy (if any);
6. systems for receiving and resolving consumer complaints; and
7. the service provider’s tax number (if any).

Service providers practicing professions subject to particular forms of regulation, and which can only be practiced upon the granting of a permit or licence, must in addition to the above disclose the following:

1. The authority that licensed the service provider, and the particulars of the licence or permit issued including the licence or permit number and the expiry date; and
2. The service provider’s professional title, and the country that granted it.

Data Protection

Consumer personal information is any data which could lead to the identification of the consumer, including names, identity information, addresses, contact numbers, licence numbers, records, personal property numbers, account numbers, and still or moving pictures. Such data is not to be retained for any purpose outside of fulfilling the service provider’s duties, unless the consumer has consented otherwise.

Service providers may not retain consumers’ personal information and electronic communications beyond the time period required by the nature of the transaction with the consumer as electronic commerce. Where the relationship between service provider and consumer is an ongoing one, and utilizes the establishment of an online account to facilitate contracts, service providers may, with consumer consent, retain consumer personal information until the consumer requests account closure. Measures must be taken to protect this information throughout the period that it is retained by the service provider from access, disclosure, alteration or processing in service of illegitimate purposes. The service provider retains the responsibility for protect this information regardless whether it is under his care, or the control of the bodies he transacts with or their agents.

In the case of a breach of consumer personal information, the service provider must notify the Ministry of Commerce within three days of the service provider learning of the breach, and must inform the Ministry of Commerce of the scope of the breach, its effects and the measures being taken in response.

Advertisements

Electronic advertisements are binding on contracting parties, and are considered supplementary documents to contracts. They must also contain the following details:

1. the name of the product or service being advertised;
2. the name of the service provider, and any distinctive identifier they possess, unless the service provider is registered with one of the website authentication authorities;
3. the contact details of the service provider;
4. a clear statement that it is an advertisement; and
5. information on the product or service that enables consumers to make informed decisions.

Penalties

Persons who violate the regulation are at risk of being subjected to one or more of the following penalties:

1. a warning;
2. a monetary fine of up to SAR 1 million;
3. a suspension of their e-commerce activity which may be either temporary or permanent;
4. the temporary or permanent taking down of their website.