Introduction

As part of Saudi Arabia's ambitious Vision 2030, the Kingdom is embracing technological advancements as a means of diversifying its economy and improving the quality of life of its citizens. This includes promoting innovation and encouraging a knowledge-driven society, with artificial intelligence (AI) and data forming key pillars of Vision 2030's strategic objectives.

As with elsewhere across the globe, Saudi Arabia's digital transformation includes in a surge in growth of the GenAI market. A subset of AI, GenAI refers to a machine learning model that creates new content, including text, audio, images, and other forms of media, from existing data. While relatively new, GenAI has made significant strides in recent years and is being integrated into sectors ranging from oil and gas, construction, healthcare, education, retail, and financial services.

The opportunities GenAI has created for businesses are readily apparent. However, the development of GenAI has resulted in intense and sometimes polarizing debates at all levels of society, including in respect of the appropriate policies and regulations to be implemented to ensure GenAI is developed and used in a safe and beneficial way.

As such, with GenAI increasingly playing a pivotal role in many areas of daily life, understanding the implications, regulations, and opportunities of GenAI is crucial.

Policy and regulation - Kingdom of Saudi Arabia specific

Although the AI industry is developing on a global basis, there are regional divergences that are being driven by policy and regulatory factors, rather than technical issues. This includes Saudi Arabia, which has actively been developing laws and guidelines to address challenges posed by emerging technologies within the Kingdom. This includes in relation to GenAI.

As part of these efforts, Saudi Arabia has established a specific authority, the Saudi Data and Artificial Intelligence Authority (SDAIA), to develop a Saudi-specific response to the growing influence of AI. In particular, SDAIA was formed to 'drive the national agenda for Data & AI to elevate the Kingdom as a global leader in the elite league of data driven economies.' As it works towards its goals, it has established the National Strategy for Data & AI as well as a dedicated National Centre for Artificial Intelligence to carry out research, promote AI, and advise the government.

However, to date, there are no specific AI laws within the Kingdom, with businesses instead having to consider a range of different regulations, frameworks, and guidelines. The most relevant include:

• the SDAIA AI Ethics Principles;
• the Personal Data Protection Law (PDPL);
• National Data Governance Policies; and
• the Generative AI Guidelines.

SDAIA AI Ethics Principles

The SDAIA published its AI Ethics Principles (the Principles) in September 2023, which are designed to promote responsible AI usage. Although these Principles are not legally binding, they are currently the key regulatory framework for AI in the Kingdom and businesses will need to act in accordance with them.

The Principles include:

• Fairness - requiring actions to eliminate bias, discrimination, or stigmatization in the design, data, development, and use of AI systems;
• Privacy & Security - reinforcing the overarching values that AI systems are required to have, respecting the privacy of data collected, and emphasizing the highest levels of data security;
• Humanity - ensuring that AI systems are built using an ethical methodology;
• Social & Environmental Benefits - ensuring a benefit to individuals and the broader community;
• Reliability & Safety - ensuring that the AI system adheres to its specifications and behaves as the designers intended;
• Transparency & Explainability - requiring that the AI system is built with a high degree of clarity and explainability; and
• Accountability & Responsibility - holding designers, vendors, procurers, developers, and owners of AI systems to ethically responsible behaviors and standards, with proper mechanisms to avoid harm and misuse.

The Principles have a very broad scope. They apply to entities and individuals who are designing, developing, deploying, implementing, using, or being affected by AI systems within Saudi Arabia, in both the public and private sectors.

Although the SDAIA does not have enforcement powers in relation to the Principles, the SDAIA does monitor compliance and non-compliance could result in further investigations and potential breaches of other legislation.

Data protection

Ensuring GenAI does not infringe on individuals' privacy rights is a key concern of the legislators. As a result, although not specific to AI, Saudi data protection laws have started to evolve to address these concerns.

In September 2023, an amended version of the PDPL came into force.¹ Designed to align with global data protection standards, the PDPL applies to any processing of personal data that takes place in Saudi Arabia and extends to the processing of personal data relating to individuals residing in Saudi Arabia by entities outside Saudi Arabia.

The PDPL contains a number of requirements that will affect AI systems where these involve the processing of personal data. Key aspects include:

• consent: Organizations must obtain explicit consent from individuals before collecting or processing their personal data;
• data minimization: Only the necessary data should be collected for the specific purpose;
• data subject rights: Individuals have the right to access, correct, and delete their personal data; and
• cross-border data transfer: Restrictions are placed on transferring personal data outside Saudi Arabia unless certain conditions are met.

Businesses will need to be mindful of the PDPL's requirements as they relate to the collection, processing, storing, and use of personal data by GenAI technology. This includes ensuring that GenAI models are trained on secure and reliable data sources.

National Data Governance Policies

The National Data Management Office (NDMO) has issued policies and guidelines designed to standardize data management practices across various sectors, in order to ensure data security and proper usage.

Key guidelines include:

• data classification and handling: Proper classification of data based on sensitivity and implementing corresponding protection measures;
• data governance: Establishing clear policies and procedures for data governance, including roles and responsibilities; and
• data sharing and access: Rules for sharing data within and outside the organization while ensuring privacy and security.

As with the SDAIA Principles, these guidelines are not legally binding. However, they are crucial for organizations involved in GenAI and other data projects.

SDAIA's Generative Artificial Intelligence Guidelines

In response to the attention GenAI has gathered in recent times, the SDAIA has proactively sought to develop specific guidelines for the use of GenAI in the Kingdom. In publishing the Generative Artificial Intelligence Guidelines (GenAI Guidelines), the SDAIA has expressly recognized that GenAI tools can improve efficiency and create new products for the benefit of the Kingdom and its citizens, while at the same time acknowledging the risks associated with the technology.

The GenAI Guidelines focus specifically on the use of generative AI technologies, both within the government and the general public. They apply to 'all stakeholders designing, developing, deploying, implementing, using, or being affected by GenAI systems within KSA.'

The GenAI Guidelines aim to ensure that when interacting with GenAI models and systems, developers and users adhere to certain guidelines throughout the model or the system's lifecycle. The starting point is a set of directives for the responsible use of GenAI technologies. This includes:

• responsible use: Ensuring that GenAI is used ethically, avoiding the creation and dissemination of harmful or misleading content;
• transparency: Clearly disclosing when content is generated by AI to maintain transparency with users and stakeholders;
• security and privacy: Incorporating robust security measures to protect data used in generative AI applications and ensure compliance with privacy laws; and
• monitoring and evaluation: Regularly monitoring and evaluating AI systems to ensure they operate within ethical and legal boundaries, making necessary adjustments to address emerging risks

In doing so, the GenAI Guidelines adopt the Principles that have already been published by the SDAIA (referred to above). The GenAI Guidelines repeat those Principles, with some specific commentary and observations specific to developers and users of GenAI tools.

Helpfully, the SDAIA has then set out some specific risks associated with GenAI, with accompanying mitigation strategies. These have been based on emerging trends in the use of GenAI, and include:

• deepfakes and misrepresentation: The GenAI Guidelines recognize the threat posed by scams, financial fraud, blackmail, and identity threats. Mitigation measures to counter this threat include: watermark implementation, KYC protocols, output verification, and enhanced digital literacy and online safety;
• safety threats: GenAI can be manipulated with malicious intent, which can compromise public safety and security. Mitigation strategies include content moderation and filtering, training dataset filtering, and limiting open access;
• misinformation and 'hallucination:' Some information provided by GenAI might be incorrect, and models can even over-generate 'facts' that are fiction (referred to as 'AI hallucination'). This information must be critically reviewed;
• classified data breaches: The unintentional exposure of sensitive information to third parties is a risk, which is compounded because GenAI models cannot ‘unlearn' the information. This can be mitigated by the use of protocols, data control, and employee awareness and training;
• certification fraud: Human certification processes such as evaluations are facing novel threats from GenAI, which can be used to provide model answers, essays, and research. Mitigation measures include enhancing the assessment, education, and training, and clear policies for the use of GenAI.;
• intellectual property (IP) infringement and protection: The rising use of GenAI can lead to the unauthorized use or replication of copyrighted material, which in turn can result in legal liabilities of IP. Mitigation measures include IP licensing and due diligence, and obtaining creator permission and compensation.; and
• variability of outputs: Users need to be vigilant when relying on outputs generated by GenAI, as GenAI services operate differently from traditional programmed services.

By including these risks and mitigations in the GenAI Guidelines, the SDAIA is providing more tools for the developers and users of GenAI to ensure the services conform with the ethical and legal requirements. However, as the use of GenAI becomes more widespread, the potential that these risks will evolve and become greater is significant.

Broader challenges

The impact of GenAI on data privacy considerations is an obvious area where users of GenAI need to be particularly mindful. However, the impact of GenAI is likely to be particularly broad. This may include:

• cybersecurity : GenAI poses significant risks for cybersecurity that have been recognized in the GenAI Guidelines and the AI Ethics Principles. Saudi Arabia has taken steps to strengthen its cybersecurity framework in recognition of these challenges. For example, the National Cybersecurity Agency (NCA) has developed a comprehensive cybersecurity strategy that includes guidelines for the protection of critical infrastructure, data privacy, and incident response. This includes the Essential Cybersecurity Controls (which is a framework outlining the necessary cybersecurity measures organizations must implement to protect data and systems) and the Cloud Computing Security Controls (which contain specific requirements for securing cloud environments, often used in AI projects).  Businesses will need to proactively adopt the relevant regulations, implement stringent cybersecurity measures, and remain vigilant against emerging threats to ensure safe and ethical deployment of GenAI technologies;
• IP: The intersection between AI and IP can lead to unique challenges. As GenAI systems generate innovative solutions and creative works, determining ownership and protection of these IP assets becomes crucial. For example, questions around AI-generated inventions, authorship, and patentability will inevitably arise. The IP regime in the Kingdom does not have separate rules regarding AI (at least, at present). However, currently, it only recognizes persons and not machines or algorithms as authors; and
• consumer protection: Saudi Arabia is working on its consumer protection laws. This will likely include protections in relation to GenAI. For example, and as set out in the AI Ethics Principles, entities developing the use of GenAI will need to adhere to certain principles concerning interacting with end users and ensure that end users are provided with full information about the AI system in question.

Practical guidance for businesses

Technology continues to advance rapidly, and GenAI is no exception. It is inevitable that GenAI will be transformative across a range of industries and sectors, but this also comes with significant challenges and risks. As a result, businesses will need to carefully navigate a range of regulatory, legal, and ethical considerations which, although there is a drive towards a uniformed global approach, could nevertheless vary depending on jurisdiction (including within the Middle East and the Gulf Cooperation Council (GCC)). This is particularly true as the relevant legislation struggles to keep pace with technological advancements.

Saudi Arabia is striving to be at the forefront of this digital transformation and is dealing proactively with issues arising from GenAI in the Kingdom. Businesses across all industries that are using GenAI and working within the Kingdom will, however, need to ensure compliance with the specific legislative and regulatory framework within Saudi Arabia that applies to GenAI. In particular, as well as abiding by the Principles, as further clarified in the GenAI Guidelines, businesses must ensure they understand, and comply with, various other laws and regulations such as the PDPL and those relating to cybersecurity, IP rights, consumer protection, and copyright.  

In addition, the integration of GenAI into various industries has practical implications for the workforce. While GenAI can enhance productivity and create new job opportunities, it may also create the risk of job displacement and -at worst- redundancies. Businesses must ensure they understand the relevant employment and labor laws to ensure the protection of workers' rights and fair HR practices.

Finally, the growth and widespread use of GenAI may also lead to a new wave of disputes and claims between businesses. From fraud claims, wrongful disclosure of personal information, cross-border supply disputes, regulatory breaches, copyright and IP infringements, and general breach of contract claims - a variety of disputes may give rise to novel and untested issues, in which determining liability within the GenAI context becomes more complex. Having a comprehensive set of internal guidelines and procedures, as well as regular and transparent interaction with the regulators, will put businesses in a stronger position to protect themselves against these inherent challenges.

Conclusion

Navigating the regulatory landscape for GenAI in Saudi Arabia requires businesses to adopt a comprehensive and proactive approach. By integrating the Principles, complying with the PDPL, adhering to GenAI guidelines, and aligning with national data governance policies, businesses can leverage AI technology responsibly and ethically. This not only ensures regulatory compliance but also builds trust with stakeholders and contributes to the sustainable development of AI in the Kingdom.

Randall Walker Partner
[email protected]
Hogan Lovells, Saudi Arabia