Saudi PDPL Enforcement Now Reaches AI Data | TLY

AI Regulation Tracker  /  Enforcement

Saudi Arabia steps up PDPL enforcement as SDAIA committees issue penalties of up to SAR 5 million

Saudi Arabia's data protection authority has moved from guidance to active enforcement, issuing formal penalty decisions under the Personal Data Protection Law. Any organization processing Saudi personal data, including for AI and automated processing, now faces investigations, fines, and criminal exposure for sensitive-data disclosure.

Saudi Arabia steps up PDPL enforcement as SDAIA committees issue penalties of up to SAR 5 million regulation briefing
The Leveraged Years AI Regulation Tracker

Saudi Arabia's Personal Data Protection Law has entered its enforcement phase. The Saudi Data and AI Authority (SDAIA), the regulator responsible for the law, has established specialized committees that review violations of the PDPL and its implementing regulations and impose the penalties the law prescribes. According to the International Association of Privacy Professionals (IAPP), 48 enforcement decisions had been issued as of early 2026. For any organization that processes the personal data of people in the Kingdom, the practical message is direct. The period of guidance and grace has closed, and formal penalty decisions are now being issued.

From transition to active enforcement

The PDPL came into force in September 2023, followed by a compliance grace period that ended in September 2024. That structure gave organizations time to build lawful bases, consent mechanisms, and safeguards before penalties applied. The reported wave of 48 decisions represents the first substantive body of adjudications since that grace period closed. The 48 figure comes from IAPP rather than a line item on the SDAIA site, so it should be read as a reported count, not an official tally confirmed here. The direction, however, is not in question. SDAIA's committees are reviewing violations and issuing decisions. Reported cases have included collecting and processing personal data without a legal basis, disclosing personal data without justification, failing to put appropriate organizational and technical safeguards in place, and sending marketing messages without the consent of the recipient. Those categories cover routine business activity, which is why the enforcement wave reaches ordinary commercial operators and not only large data platforms.

What the penalties actually are

The PDPL sets two distinct penalty tracks. Article 36 covers the general category. For violations not addressed by the criminal provision, it authorizes a warning or a fine of up to SAR 5 million. That fine may be doubled for a repeat violation, even where doubling exceeds the stated ceiling, provided it does not exceed twice that limit. Article 35 is the criminal provision. A person who discloses or publishes sensitive data in violation of the law, with the intention of harming the data subject or achieving personal benefit, faces imprisonment of up to two years, a fine of up to SAR 3 million, or both. Sensitive data under the PDPL includes categories such as health, genetic, biometric, and religious information, so the criminal exposure is not theoretical for organizations that handle those records.

Why AI and automated processing are in scope

The PDPL regulates the processing of personal data, and it does not exempt processing carried out by algorithms. An AI model trained on, or making decisions about, the personal data of individuals in Saudi Arabia is processing that data within the meaning of the law. The same obligations apply: a lawful basis, appropriate technical and organizational safeguards, and valid consent where consent is the basis relied on. Organizations that have deployed analytics or machine-learning systems without mapping the personal data those systems touch are the most exposed, because the requirement is to prove compliance, not to explain intent after a decision is issued.

What this does not do

Active enforcement does not change the substantive obligations that have applied since the grace period ended. It does not create new categories of covered data, and it is separate from SDAIA's AI Adoption Framework, which addresses responsible AI use rather than personal-data penalties. What has changed is the risk. Obligations that could once be treated as aspirational are now backed by committees issuing fines and, for sensitive-data disclosure, criminal referral.

The cross-border angle

The PDPL applies to the processing of the personal data of individuals in Saudi Arabia regardless of where the processing organization sits. A US firm with Saudi customers, users, or employees can fall within scope without a physical presence in the Kingdom. For compliance leaders outside Saudi Arabia, this places the PDPL alongside the GDPR as a law with extraterritorial reach that a global data map must account for. The reported enforcement activity signals that SDAIA intends to use the authority the statute gives it.

For any organization touching Saudi personal data, the operating assumption should now be that the PDPL is enforced, not merely enacted. The safeguards, legal bases, and consent records the law requires need to exist and be producible before a committee asks for them.

Frequently Asked Questions

What changed with Saudi PDPL enforcement?

SDAIA has moved the Personal Data Protection Law from its transition and guidance phase into active enforcement. Specialized committees now review violations and impose the penalties the law sets. IAPP reports that 48 enforcement decisions had been issued as of early 2026.

Who does the PDPL affect?

Any organization that processes the personal data of individuals in Saudi Arabia, across all sectors, whether or not it is based in the Kingdom. This includes compliance teams, data protection officers, and AI or analytics teams whose systems process Saudi personal data.

What are the maximum penalties under the PDPL?

Under Article 36, general violations carry a warning or a fine of up to SAR 5 million, doubling for repeat offenses. Under Article 35, disclosing or publishing sensitive data with intent to harm or for personal benefit carries up to two years imprisonment, a fine of up to SAR 3 million, or both.

Does the PDPL apply to AI and automated processing?

Yes. The law regulates the processing of personal data and does not exempt processing performed by AI or automated systems. Models that train on or make decisions about the personal data of individuals in Saudi Arabia must have a lawful basis, documented safeguards, and valid consent where consent is relied on.

Is this the same as SDAIA's AI Adoption Framework?

No. This concerns PDPL enforcement and personal-data penalties. SDAIA's AI Adoption Framework is a separate instrument addressing responsible AI use, and it is covered separately.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.