Negligence and Data Breaches Under Saudi Arabian Personal Data Protection Law (PDPL): A Doctrinal Analysis Approach
DOI:
https://doi.org/10.56868/jadhur.v4i3.321Keywords:
PDPL, Data Breach, Negligence, Data Protection Law, Islamic Jurisprudence, Regulatory EnforcementAbstract
This study critically investigates the treatment of negligence under the Saudi Arabian Personal Data Protection Law (PDPL), aiming to diagnose its doctrinal weaknesses and propose evidence-based reforms. Employing a qualitative doctrinal legal research methodology to systematically investigate the treatment of negligence within the Saudi Arabian Personal Data Protection Law (PDPL). The analysis reveals the PDPL’s core deficiencies: a critically vague standard of care, an enforcement gap lacking robust deterrents, and procedural lacunae in breach notification and accountability. The findings demonstrate that the law’s undefined "appropriate measures" and reliance on a narrow deterrent model fail to effectively prevent or redress negligence-related data breaches. The study’s primary implication is the proposal of a unique hybrid reform path, strategically synthesizing the GDPR’s proactive accountability with the CCPA’s private litigation model. A key novelty of this research is its grounding of these reforms within the culturally resonant principles of Islamic jurisprudence (أمانة Amanah, ضرر Ḍarar), reframing data protection not as a foreign import but as a modern extension of the Kingdom's ethical heritage, thereby offering a coherent framework for legislative strengthening and enhanced compliance.
References
Abanumy, A., Al-Badi, A., & Mayhew, P. (2005). E Government Website Accessibility: In-Depth Evaluation of Saudi Arabia and Oman. Electronic journal of e-government, 3(3), 149-156. https://academic-publishing.org/index.php/ejeg/article/view/437/400
Abdullah, A. (2020). Consumers' personal data protection in Saudi Arabia: A comparative analytical study (Doctoral dissertation, University of Kansas). ProQuest Dissertations Publishing. https://www.proquest.com/openview/36ca660cf5d8a3728b428d64cefa780b/1?pq-origsite=gscholar&cbl=18750&diss=y
Al Harbi, I. (2025). Artificial Intelligence in Saudi Arabia: Intercultural Human Rights Perspectives on Legal Frameworks and Regulatory Protection (Doctoral dissertation, St. Thomas University).
Al Nafea, R., & Almaiah, M. A. (2021). Cybersecurity Threats in Cloud: Literature Review. International conference on information technology (ICIT) (779-786). IEEE. doi: 10.1109/ICIT52682.2021.9491638.
Alanazi, A. (2025). Assessing Clinicians’ Legal Concerns and the Need for a Regulatory Framework for AI in Healthcare: A Mixed-Methods Study. Healthcare, 13(13), 1487. https://doi.org/10.3390/healthcare13131487
Aldubayyan, A. (2023). Privacy regulation of cellular network data: A comparative study with recommendations for the Kingdom of Saudi Arabia (Doctoral dissertation, The University of Waikato). https://hdl.handle.net/10289/17061
Alfaifi, A. (2024). Lost profit damages for breaches of commercial contracts: Examining common law and civil law approaches to recovery and lessons for Saudi Arabia (Doctoral dissertation, University of Essex). https://repository.essex.ac.uk/37771/1/PhD%20Thesis.pdf
Alharbi, A. S., Halikias, G., Rajarajan, M., & Yamin, M. (2021). A Review of Effectiveness of Saudi E-Government Data Security Management. International Journal of Information Technology, 13(2), 573-579. https://doi.org/10.1007/s41870-021-00611-3
Alhashim, S. S., & Rahman, M. H. (2021). Cybersecurity Threats in Line with Awareness in Saudi Arabia. International Conference on Information Technology (ICIT), IEEE, (314-319). https://doi.org/10.1109/ICIT52682.2021.9491711.
Alhejaili, M. O. M. (2024). Securing the Kingdom’s e-commerce frontier: Evaluation of Saudi Arabia’s cybersecurity legal frameworks. Journal of Governance & Regulation, 13(2), 275–286. https://doi.org/10.22495/jgrv13i2siart4
Al-Mashaqbeh, Y. A. (2025). Legislative Framework Regulating Digital Media in Jordan and Arab Countries: A Study on The Legal Dimensions. Lex localis-Journal of Local Self-Government, 23(10), 1-20. https://doi.org/10.52152/
Almulihi, A. H., Alassery, F., Khan, A. I., Shukla, S., Gupta, B. K., & Kumar, R. (2022). Analyzing the Implications of Healthcare Data Breaches through Computational Technique. Intelligent Automation & Soft Computing, 32(3). https://doi.org/10.32604/iasc.2022.023460
Almutairi, S. (2025). Kuwait’s fragmented data protection framework: Toward reform through comparative analysis with the GDPR and Saudi Arabia’s PDPL. SSRN. https://doi.org/10.2139/ssrn.5464634
Alnasser, A. (2023). Rhetorical Strategies and Ideologies in Saudi TEDx talks. International Journal of Linguistics, Literature & Translation, 6(3). https://doi.org/ 10.32996/ijllt.2023.6.3.22
Alnasser, H. A. (2025). The Concept of Negligence in Data Breach: A Comparative Doctrinal Analysis of the EU, California, and Saudi Arabia. Veredas do Direito, 22(3), e223404-e223404. https://doi.org/10.18623/rvd.v22.n3.3404
Alqahtani, F. (2024). Persuasion Strategies in Saudi Arabia Vision 2030 Document: A Critical Discourse Analysis Approach. Theory & Practice in Language Studies (TPLS), 14(4). https://doi.org/10.17507/tpls.1404.32
Alsadhan, A. A. (2025). A Survey of Security Threats and Challenges Related To 5G Networks in Saudi Arabia. Qubahan Academic Journal, 5(3), 474-501. https://doi.org/10.48161/qaj.v5n3a1849
Al-Saggaf, Y., & Weckert, J. (2011). Privacy from a Saudi Arabian Perspective: The case of students in a private university. Journal of Information Ethics, 20(1), 34. https://www.proquest.com/openview/d77227c0f1beaa8d3271d6e8a3d215d6/1?pq-origsite=gscholar&cbl=2035668
Alzahrani, R. B. (2024). An Overview of AI Data Protection in The Context of Saudi Arabia. International Journal for Scientific Research, 3(3), 199-218. https://vsrp.co.uk/wp-content/uploads/
Ams, S. (2023). Blurred Lines: The Convergence of Military and Civilian Uses of AI & Data Use and Its Impact on Liberal Democracy. International Politics, 60(4), 879-896. https://doi.org/10.1057/s41311-021-00351-y
Awwad, A., & Abdelsattar, A. (2025). Digital Evidence in Forensic Accounting-A Study in Saudi Legislation. Cogent Social Sciences, 11(1), 2522958. https://doi.org/10.1080/23311886.2025.2522958
Bouderhem, R. (2024). A review of Saudi e-commerce regulation under the scope of the GDPR. Arab Law Quarterly, 1(aop), 1-19. https://doi.org/10.1163/15730255-bja10154
Boudjemaa, Y. (2024). Ensuring Regulatory Compliance in Cloud-based Big Data Systems: A Framework for Global Operations Adhering to GDPR and CCPA. Studies in Knowledge Discovery, Intelligent Systems, and Distributed Analytics, 14(9), 15-27. https://edgescholar.com/index.php/SKDISDA/article/view/e-2024-09-07
Bygrave, L. A. (2017). Data Protection by Design and by Default: Deciphering the EU’s Legislative Requirements. Oslo Law Review, 4(2), 105-120. https://doi.org/10.18261/issn.2387-3299-2017-02-03
Corrales Compagnucci, M., Aboy, M., & Minssen, T. (2021). Cross-Border Transfers of Personal Data After Schrems II: Supplementary Measures and New Standard Contractual Clauses (Sccs). Nordic Journal of European Law, 4(2). https://doi.org/10.36969/njel.v4i2.23780
Drechsler, L., & Kamara, I. (2022). Essential equivalence as a benchmark for international data transfers after Schrems II. In E. Kosta, R. Leenes, & I. Kamara (Eds.), Research handbook on EU data protection (pp. 314-352). Edward Elgar Publishing. https://doi.org/10.4337/9781800371682.00022
Elgujja, A. A. M. (2020). Adequacy of the legal safeguards of the patients’ confidentiality right under the Saudi Arabian laws (Doctoral dissertation, University of Salford). University of Salford Repository. https://salford-repository.worktribe.com/preview/1486896/Thesis%2000343621.pdf
Hoofnagle, C. J., Van Der Sloot, B., & Borgesius, F. Z. (2019). The European Union General Data Protection Regulation: What It Is and What It Means. Information & Communications Technology Law, 28(1), 65-98. https://doi.org/10.1080/13600834.2019.1573501
Hutchinson, C. S., & Treščáková, D. (2022). The Challenges of Personalized Pricing to Competition and Personal Data Protection Law. European Competition Journal, 18(1), 105-128. https://doi.org/10.1080/17441056.2021.1936400
Johri, A., & Kumar, S. (2023). Exploring Customer Awareness Towards Their Cyber Security in The Kingdom of Saudi Arabia: A Study in The Era of Banking Digital Transformation. Human Behavior and Emerging Technologies, 2023(1), 2103442. https://doi.org/10.1155/2023/2103442
Kanojia, S. (2023). Ensuring Privacy of Personal Data: A Panoramic View of Legal Developments In Personal Data Protection Law In Saudi Arabia. J. Int'l L. Islamic L., 19(3), 270-276. https://heinonline.org/HOL/LandingPage?handle=hein.journals/jispil19&div=51&id=&page=
Kärner, M. (2022). Interplay Between European Union Criminal Law and Administrative Sanctions: Constituent Elements of Transposing Punitive Administrative Sanctions Into National Law. New Journal of European Criminal Law, 13(1), 42-68. https://doi.org/10.1177/20322844221085918
Kilovaty, I. (2021). Psychological data breach harms. North Carolina Journal of Law & Technology, 23(1), 1–66. https://doi.org/10.2139/ssrn.3785734
Mashaabi, M., Al-Yahya, G., Alnashwan, R., & Al-Khalifa, H. (2023). Arabic privacy policy corpus and classification. In A. Gal, M. Jarrar, & Y. Kanza (Eds.), Applications of Natural Language to Information Systems (pp. 94–108). Springer Nature Switzerland. https://doi.org/10.1007/978-3-031-35320-8_7
Memeti, N. (2024). From Legislation to Enforcement: Tackling Digital Acquisitions in the Gulf Region. Digital Society, 3(3), 67. https://doi.org/10.1007/s44206-024-00152-9
Nusairat, W. M. (2024). Legal Protection of Personal Data Privacy in the Kingdom of Saudi Arabia. Manchester Journal of Transnational Islamic Law & Practice, 20(1). https://heinonline.org/HOL/LandingPage?handle=hein.journals/jispil20&div=19&id=&page=
Sarabdeen, J., & Moonesar, I. A. (2018). Privacy protection laws and public perception of data privacy: the case of Dubai e-health care services. Benchmarking: An International Journal, 25(6), 1883-1902. https://doi.org/10.1108/BIJ-06-2017-0133
Schmitz-Berndt, S., & Schiffner, S. (2021). Don’t tell them now (or at all)–responsible disclosure of security incidents under NIS Directive and GDPR. International Review of Law, Computers & Technology, 35(2), 101-115. https://doi.org/10.1080/13600869.2021.1885103
Suliman, H. O. H. (2025). Evaluating the effectiveness of Saudi Arabia’s PDPL in the global digital economy. Journal of Data Protection & Privacy, 8(1), 97-111. https://doi.org/10.69554/ELUX6976
Voigt, P., & Von dem Bussche, A. (2017). The EU General Data Protection Regulation (GDPR): A practical guide. Springer International Publishing.
Westin, A. F. (1967). Special report: legal safeguards to insure privacy in a computer society. Communications of the ACM, 10(9), 533-537. https://dl.acm.org/doi/pdf/10.1145/363566.363579
Zuboff, S. (2019). Surveillance capitalism and the challenge of collective action. In New labor forum. Sage CA: Los Angeles, CA: Sage Publications, 28(1), 10-29. https://doi.org/10.1177/1095796018819461
Downloads
Published
How to Cite
Issue
Section
License
Copyright (c) 2025 Hanan Alnasse
This work is licensed under a Creative Commons Attribution 4.0 International License.
