Al Madani & Co. Law Firm & Legal Consultants

Ensuring Security and Reliability in E-Commerce: Requirements of the Saudi E-Commerce Law

Amid rapid technological advancement and the increasing spread of the internet and smart devices, the Saudi market has witnessed significant growth in e-commerce in recent years. To ensure this vital sector’s regulation and protect consumers and businesses, the Kingdom of Saudi Arabia enacted the E-Commerce Law in 2019. This law serves as a roadmap for businesses operating in this field to understand the legal requirements and obligations.
E-commerce refers to any economic activity undertaken by a service provider and a consumer, either wholly or partially, by electronic means to sell products, offer services, advertise, or exchange data related to such activities.
The Saudi E-Commerce Law is a comprehensive legal framework that regulates all commercial activities conducted via the internet or other electronic means. The law aims to enhance trust in the digital environment, encourage innovation and fair competition, and protect the rights of both consumers and merchants.

What is the scope of application of the E-Commerce Law?

The E-Commerce Law applies to all commercial activities conducted via the internet or other electronic means, including the sale of goods and services, electronic payments, digital marketing, delivery, and shipping. It covers business-to-consumer (B2C) transactions as well as business-to-business (B2B) transactions.
The law applies to service providers within the Kingdom. It also covers foreign entities offering products or services within the Kingdom in a manner that allows consumers to access them. The provisions also apply to consumers of these services.

Are the registration procedures for e-commerce different from other commercial registrations?

There are some differences in the registration procedures for companies operating in the field of e-commerce compared to traditional commercial registration in Saudi Arabia. According to the E-Commerce Law, these differences include:

1. E-Commerce Licenses:

- Companies wishing to engage in e-commerce activities must obtain a special license from the Saudi Data and Artificial Intelligence Authority (SDAIA).
- Obtaining the license requires meeting specific requirements related to cybersecurity and data protection.

2. Electronic Security Requirements:

- Companies applying for registration must submit a detailed plan outlining the cybersecurity measures they will implement.
- These measures include protection against breaches, encryption of transactions, and identity and access management.

3. Reliance on Digital Infrastructure:

- Registration and licensing processes for e-commerce are conducted electronically through approved digital platforms.
- This requires certain technical and technological capabilities from the applying companies.

4. Ongoing Supervision and Oversight:

- After obtaining the license, companies are subject to continuous monitoring and oversight by the regulatory authority.
- This ensures their ongoing compliance with the prescribed security and legal requirements.

Overall, these differences aim to ensure the security and safety of the e-commerce environment in Saudi Arabia and protect consumers.

What ongoing supervision and oversight does the regulatory authority impose?

The E-Commerce Law provides continuous supervisory and oversight mechanisms enforced by the regulatory authority (SDAIA) on companies operating in the e-commerce field. These mechanisms aim to ensure the ongoing protection of data and transactions in Saudi Arabia’s e-commerce environment. They include the following:

1. Periodic Reporting:

- Companies must submit regular reports to the authority regarding their compliance with specific security requirements.
- These reports should include information on the security measures implemented and any potential violations or breaches.

2. Audits and Inspections:

- The regulatory authority has the right to conduct audits and inspections of licensed companies’ systems and data.
- This includes reviewing records and documents and conducting penetration tests to verify actual compliance.

3. Ongoing Risk Assessment:

- The authority conducts ongoing assessments of cybersecurity risks facing licensed companies.
- Based on these assessments, it may require companies to implement improvements or additional measures.

4. Response to Security Incidents:

- In the event of a security breach or incident, companies must immediately notify the authority.
- The authority will investigate the incident and issue necessary directives to address it.

5. Compliance Evaluation and Enforcement:

- The authority regularly evaluates the compliance of licensed companies with security requirements.
- In cases of non-compliance, the authority may impose penalties such as fines or suspension of licenses.

Has the E-Commerce Law imposed specific requirements regarding electronic security?

There are several key obligations placed on companies operating in the field of e-commerce in the Kingdom, including:

1. Protection of Customers’ Personal Data:

- Safeguarding customers’ personal data (such as names, addresses, and payment information) in a secure manner.
- Obtaining customers’ consent before collecting or using their personal data.
- Providing clear privacy policies and making them available to customers.
- Implementing appropriate security measures to protect personal data from leaks or breaches.

2. Encryption and Protection of Financial Transactions:

- Using modern encryption technologies to protect all electronic financial transactions.
- Ensuring that payment processes are conducted through secure and approved platforms.
- Providing backup mechanisms and business continuity plans for service interruptions.

3. Identity and Access Management:

- Implementing strong procedures for verifying users’ identities before granting access.
- Utilizing multi-factor authentication methods such as passwords and verification codes sent via messages.
- Establishing a system for authorization and permissions to regulate users’ access to information.

4. Monitoring and Detecting Activities:

- Implementing monitoring and audit systems to track and log all activities on the system.
- Conducting periodic penetration tests to detect any potential security vulnerabilities.
- Promptly addressing any security threats and reporting them to the relevant authorities.

5. Compliance with Security Standards and Guidelines:

- Adhering to relevant international security standards such as PCI-DSS and ISO 27001.
- Following the guidelines and recommendations of the Saudi Data and Artificial Intelligence Authority (SDAIA).
- Collaborating with regulatory authorities and implementing any additional requirements.

What penalties are imposed if companies fail to comply with security requirements?

The law provides for legal penalties and sanctions against companies that fail to comply with the security requirements outlined in the law. These penalties include:

1. Financial Fines:

- Companies may be subject to fines for violating the cybersecurity provisions of the law.
- Fines range from SAR 100,000 to SAR 5 million, depending on the nature and severity of the violation.

2. Business Suspension:

- In cases of repeated or serious non-compliance, the regulatory authority (SDAIA) may suspend the offending company’s business operations.
- This includes the suspension of the commercial license and a ban on conducting e-commerce activities.

3. Criminal Liability:

- In cases of serious and intentional violations, company officials may face criminal penalties, including imprisonment and fines.
- This includes crimes related to privacy breaches or tampering with electronic transactions.

4. Compensation for Damages:

- Consumers who suffer damages as a result of security violations have the right to seek compensation from the violating company.
- Compensation may cover both material and moral damages suffered by consumers.

These strict penalties are designed to ensure companies’ compliance with security requirements and to protect consumers in Saudi Arabia’s e-commerce environment.

Does the law include specific obligations regarding electronic marketing?

The law outlines specific obligations that apply to companies and establishments engaged in electronic marketing activities. Key obligations include:

1. Transparency and Disclosure:

- Companies must clearly disclose their identity and contact information in all electronic marketing materials.
- They must also disclose the nature of the products or services being marketed, along with the terms and conditions of sale.

2. User Consent:

- Companies must obtain the user’s consent before sending any marketing or promotional messages via email or SMS.
- Users must be allowed to opt out of marketing lists at any time.

3. Protection of Personal Data:

- Companies must comply with personal data protection rules regarding the use of customers’ data in electronic marketing activities.
- They must not disclose customers’ data or use it for commercial purposes without their consent.

4. Lawful Marketing Practices:

- Companies must refrain from engaging in deceptive or misleading marketing practices, such as false or exaggerated claims.
- They should avoid targeting vulnerable groups such as children or the elderly in inappropriate marketing efforts.

5. Compliance with Ethical Standards:

- Companies must adhere to ethical principles and standards in their electronic marketing activities.
- They must not infringe upon the social and cultural values of Saudi society.

By adhering to these regulations, companies can ensure responsible and transparent electronic marketing practices that gain consumers’ trust.