Saudi Arabia’s data protection authority has now issued 48 enforcement decisions in roughly twelve months, the first substantive wave of administrative actions since the Kingdom’s Personal Data Protection Law became fully enforceable in September 2024. The decisions cover unlawful collection, weak technical controls, and, most often, marketing messages sent without consent across retail, telecom, and finance. A region that for years was treated as a privacy backwater is now deciding real cases against real companies.
The shift extends well beyond Riyadh. The UAE’s federal Personal Data Protection Law sits in a strange middle state — in force, enforceable in part through adjacent statutes, but still waiting on Executive Regulations that will trigger its full operational regime. Oman’s law reaches full effect on 5 February 2026. Jordan’s came into enforcement on 16 March 2025. Bahrain has had a working law since 2019, Qatar since 2016. Companies that built a single Gulf compliance program around “we’ll deal with it when it bites” are out of room.
What’s actually live in the UAE today
The UAE federal framework is anchored by Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data — the PDPL — which entered into force on 2 January 2022. A companion statute, Federal Decree-Law No. 44 of 2021, established the Emirates Data Office (often called the UAE Data Office) as the supervisory authority. The PDPL’s territorial reach is broad: any controller or processor inside the UAE processing personal data, plus controllers and processors outside the UAE processing data of UAE residents.
The wrinkle, four years in, is that the Executive Regulations promised within six months of issuance still haven’t been published as of early 2026. Without them, key mechanisms — fine schedules, breach-notification timelines, cross-border transfer instruments, DPO appointment thresholds — remain underspecified. Once the regulations land, controllers get six months to come into compliance, with the regulator empowered to extend that window.
That uncertainty has not produced a regulatory vacuum. The Cybercrime Law (Federal Decree-Law No. 34 of 2021) criminalizes unauthorized access, collection, processing, and disclosure of personal data through information systems, with enhanced penalties for medical, banking, and payment data. Sector laws cover telecoms (Federal Law No. 3 of 2003), healthcare ICT (Federal Law No. 2 of 2019), and banking (under the Central Bank’s regulatory framework, recently consolidated under Federal Decree-Law No. 6 of 2025). And the financial free zones — the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM) — operate their own GDPR-style regimes, which have been actively enforced. The DIFC amended its Data Protection Law No. 5 of 2020 on 8 July 2025, with changes effective 15 July, tightening alignment with European standards.
A newer layer worth flagging: Federal Decree-Law No. 26 of 2025 on Child Digital Safety adds obligations on top of the PDPL for any platform serving users under 18, including age verification, content filtering, and a prohibition on behavioral profiling of children for marketing. Penalties for child-data violations are explicitly heavier.
Saudi Arabia: from grace period to active enforcement
The Kingdom of Saudi Arabia’s PDPL was issued under Royal Decree No. M/19 of 9/2/1443 H (16 September 2021) and amended by Royal Decree No. M/148 of 5/9/1444 H (27 March 2023). Its original effective date was pushed back twice; the amended law entered into force on 14 September 2023 with a one-year grace period, and became fully enforceable on 14 September 2024. The Saudi Data and Artificial Intelligence Authority (SDAIA) is the regulator.
The KSA PDPL’s reach is wider than the GDPR’s in one important respect: it applies to any processing of personal data of individuals in Saudi Arabia, without the GDPR’s narrowing requirement that the processing relate to offering goods or services or monitoring behavior. Tourists, residents, visitors — anyone physically present in the Kingdom — are covered. The law also protects personal data after death, a feature uncommon in global regimes.
Penalty exposure is real. Administrative fines reach SAR 5 million (roughly USD 1.33 million) per violation under Article 36, doubled for repeat offenses. Unlawful disclosure of sensitive data with intent to harm or for personal gain can trigger criminal liability — up to two years of imprisonment, fines up to SAR 3 million, or both. Unauthorized cross-border transfer of personal data carries the maximum SAR 5 million administrative fine.
SDAIA’s enforcement posture has matured visibly. The authority has issued standard contractual clauses for data transfers, a transfer regulation, binding common rules guidelines, DPO appointment rules, privacy notice guidance, and destruction/anonymization criteria. A public consultation on amendments to the Implementing Regulations ran through 27 May 2025, with proposed changes simplifying communications to data subjects, clarifying registration and oversight, and easing some marketing and complaint-handling requirements. Breach notification under the existing rules requires controllers to notify SDAIA within 72 hours of becoming aware of a breach that may harm data subjects, and to register on SDAIA’s platform before any breach can be reported.
The 48 enforcement decisions disclosed in early 2026 mark the operational turning point. The bulk involve unsolicited marketing messages, weak technical and organizational controls, and unlawful collection. SDAIA has so far prioritized warnings and corrective orders over headline fines — closer to a graduated approach than the EU’s first-fine pattern — but the committees are vested with full quasi-judicial powers under Article 36 and have begun using them.
The wider GCC and Levant patchwork
A regional compliance program in 2026 has to account for at least seven other live or imminent regimes.
Bahrain has had Law No. 30 of 2018 in force since 1 August 2019, supplemented by ten ministerial resolutions including Decisions 42, 43, 46, and 48 of 2022. Liabilities include suspension of processing, withdrawal of authorization, fines that reach roughly USD 53,000, and imprisonment of up to one year. Biometric and genetic data processing requires written authorization from the Personal Data Protection Authority. Breach notification: 72 hours.
Qatar’s Law No. 13 of 2016 was the GCC’s first general data protection statute. It sat largely dormant for years; the Compliance and Data Protection Department within the Ministry of Communications and Information Technology has more recently begun issuing guidance and signaling enforcement intent. The Qatar Financial Centre (QFC) Data Protection Regulations and Rules 2021 apply separately within the QFC and have extraterritorial reach.
Oman’s Royal Decree No. 6 of 2022 entered into force on 13 February 2023; full operational compliance was extended to 5 February 2026. Oman’s framework recognizes biometric data as sensitive and requires explicit consent.
Kuwait does not yet have a general PDPL, but the CITRA Data Privacy Protection Regulation applies to telecommunications service providers and the country is widely expected to introduce a broader law.
Jordan’s Personal Data Protection Law entered enforcement on 16 March 2025 with administrative fines that, while modest by GDPR standards (capped around USD 14,000), include controller and processor obligations and DPO requirements in defined cases. Egypt has had Law No. 151 of 2020 since 2020. Israel’s Privacy Protection Law was substantively amended in 2024 with multi-million-shekel fines and extraterritorial reach taking effect through 2025.
The fragmentation matters because the laws are similar but not interchangeable. Consent rules differ — Bahrain, KSA, and Oman each impose specific capacity requirements; KSA requires explicit consent for sensitive data, credit data, and decisions made solely by automated processing, while several neighbors permit broader bases for sensitive data. Cross-border transfer mechanisms diverge: Bahrain permits transfers to adequate jurisdictions without prior authorization; KSA has approved SCCs but has not yet published its adequacy list; the UAE awaits its own framework.
Why enforcement is accelerating now
Three forces are converging. The first is institutional capacity. SDAIA spent its grace period building registration platforms, issuing SCCs and BCR guidelines, drafting DPO appointment rules, and standing up the Article 36 review committees. By the time enforcement powers activated, the regulator had infrastructure to use them. Bahrain’s authority has had years of practice. The DIFC Commissioner has been publishing enforcement decisions since well before the 2025 amendment.
The second is policy alignment with broader national strategies. Saudi Arabia’s PDPL is an explicit pillar of Vision 2030’s digital economy plan. The UAE’s framework — both onshore and in the free zones — is positioned to attract regulated industries that demand GDPR-grade assurance. Investor and partner pressure compounds the regulatory pressure: a foreign multinational opening a UAE office or a KSA subsidiary needs to be able to point to documented compliance, not promises.
The third is incident reality. SDAIA’s enforcement decisions cover real failures — missing consent for marketing, weak technical controls, unlawful collection. The Saudi Oversight and Anti-Corruption Authority separately reported the suspension of an employee for accepting payments to disclose customers’ personal data. The cases exist because the underlying behaviors are common.
What changes for compliance programs
A program built only against GDPR will be close, but not aligned. The KSA PDPL’s broader extraterritorial reach captures activities that Article 3 of the GDPR would not. Lawful bases differ — Saudi explicit-consent requirements for sensitive data, automated decision-making, and credit data are stricter than GDPR equivalents. Data localization expectations differ across the region; the UAE has sectoral localization requirements in healthcare and financial services even before the federal Executive Regulations land.
Cross-border transfer mechanisms are jurisdiction-specific. SDAIA-approved SCCs are not interchangeable with EU SCCs. A risk assessment is required for SCC-based transfers involving sensitive data on a continuous or large-scale basis. The Kingdom reserves a right to halt transfers immediately on national-interest grounds — language that is broader and less procedurally constrained than equivalent EU adequacy mechanisms. Companies operating across the GCC need a transfer matrix, not a single global instrument.
Breach notification is more uniform than other areas — 72-hour windows are common across KSA, Bahrain, ADGM, and the DIFC — but registration prerequisites differ. KSA controllers must register on SDAIA’s platform before they can submit a breach notification; a company first registering during an active incident is already behind.
Marketing practices are the single highest-risk operational area. The largest cluster of SDAIA enforcement decisions in the first wave concerned marketing without prior consent. Pre-ticked boxes, soft opt-in, and bundled consents that work elsewhere fail the explicit-consent standard. Telecom, retail, and financial services compliance teams should treat consent records as audit-ready artifacts, not internal hygiene.
FAQ
Does the UAE PDPL apply to companies in the DIFC or ADGM?
No. Both free zones operate their own regimes — the DIFC under Data Protection Law No. 5 of 2020 (as amended July 2025) and the ADGM under its Data Protection Regulations 2021. The federal PDPL expressly excludes them. Companies with operations both onshore and in a free zone may need to comply with both frameworks simultaneously.
Is GDPR compliance enough for the UAE and Saudi Arabia?
Close, but no. A GDPR program is a strong foundation, but PDPL-specific gaps remain — Saudi explicit-consent rules for sensitive and credit data, SDAIA-specific SCCs and BCR guidance, registration on SDAIA’s platform, UAE Cybercrime Law overlap, and pending UAE Executive Regulations. A documented gap analysis against each in-scope national law is the minimum.
What’s the maximum fine under the KSA PDPL?
SAR 5 million (about USD 1.33 million) per administrative violation, doubled for repeat offenses. Criminal liability for unlawful disclosure of sensitive data with intent to harm or for personal benefit reaches up to two years’ imprisonment and SAR 3 million in fines.
When will the UAE Executive Regulations be published?
Unconfirmed as of April 2026. They were originally due within six months of the PDPL’s issuance in 2021. Once published, controllers will have six months to come into full compliance, with the regulator empowered to extend that window.
The compliance posture that holds up
Treating GCC data protection as a 2027 problem is the wrong reading of the evidence. SDAIA is enforcing. The DIFC has been enforcing for years. Oman’s full compliance deadline is two months past as of this writing. Jordan is enforcing. The UAE’s federal regime sits in waiting, but the Cybercrime Law, the Child Digital Safety Law, the free-zone regimes, and the sectoral statutes are not waiting on anyone.
The work that pays off across every regime: data inventory and ROPA, mapped lawful bases per processing activity, working DPO function where required, breach response procedures pre-registered with each relevant regulator, transfer instruments tailored per jurisdiction, marketing consent records that survive an audit, and a documented gap analysis against each national law in scope. None of this is novel. What’s changed is that the regulators now have the capacity, the mandate, and — increasingly — the case files to act.