KSA: Public consultation on Draft “AI Hub” Law

CST, Saudi Arabia’s Communications, Space & Technology Commission, has initiated a public consultation on a new “Global AI Hub Law”. While “AI” itself is only specifically mentioned in the title, the term “advanced technologies” is used in connection with data centre operations, cross-border data handling and other digital services, providing broad application, providing a more accurate context to the focus of the draft law.

One feature of the draft law is the introduction of a ‘data embassy’ type concept, allowing foreign governments or technology providers the comfort of knowing that data hosted in the Kingdom pursuant to the law will be subject to the laws of the country of origin. The draft law aims to establish Saudi Arabia as a premier destination for hosting and managing data infrastructure, providing privileges and cross-border legal recognition. It proposes a framework for different types of data centres (referred to as "Hubs"), each subject to tailored rules and oversight. 

In this note we discuss key developments and possible implications. If you would like to contribute to the discussion, the Public Consultation opened on 14 April 2025 and closes on 14 May 2025. Further details are available here and here.

Establishment of Three Distinct Hub Categories

A central pillar of the draft law is the creation of three types of Hubs - Private, Extended and Virtual - to address the varied needs of foreign governments and technology providers.

• Private Hubs are data centres operated by a foreign government (a "Guest Country") with sovereign immunities and privileges recognised in the Kingdom.
• Extended Hubs host data for a Guest Country but are managed by an approved Operator that undertakes full responsibility for compliance and operations.
• Virtual Hubs are data centres operated by local Service Providers, yet they allow foreign legal jurisdictions to govern the data stored within them.

Cross-Border Data Sovereignty and Jurisdiction

A distinctive element of the draft law is its approach to data sovereignty. Any data, applications or services hosted in a Virtual Hub are subjected to the legal regime of the “Designated Foreign State” where the Customer is domiciled. Competent courts and authorities of that foreign jurisdiction may issue binding orders for the production, disclosure or preservation of Customer Content, effectively extending their oversight into the Kingdom. Although local authorities in Saudi Arabia will cooperate in enforcing final and executable orders from those foreign courts, the local authorities can reserve the right to intervene if this activity threatens the Kingdom’s vital interests.

Diplomatic Privileges and Immunities for Private Hubs

Private Hubs are granted extensive privileges, mirroring diplomatic immunities typically afforded under international law. According to the draft, their physical premises, data and personnel can operate with reinforced protection from local interventions, except in emergencies. For instance, Saudi authorities may enter these facilities only to address critical threats such as fire or national emergencies. Through bilateral agreements, the Kingdom will pledge to safeguard connectivity and resources ensuring each continuity.

Termination and Cancellation Safeguards

Another notable feature is the mechanism allowing the Council of Ministers to terminate bilateral agreements or approvals granted pursuant to the law. This may become necessary to protect national security or when the Kingdom ceases to have diplomatic relations with a Guest Country or a Designated Foreign State. While termination ends the arrangement, the privileges conferred under the law will, in some cases, continue for a defined transition period to permit orderly wind-down or relocation of data operations.

Role of the Competent Authority

Oversight and execution of the law fall primarily to the "Competent Authority," a designated entity empowered to approve Guest Countries, Operators and Service Providers. (Whether this will be CST remains to be seen.) Among the Competent Authority's key responsibilities are:

• Maintaining a register of all Hubs, corresponding foreign states and agreements.
• Reviewing and approving each Virtual Hub and the associated Designated Foreign States.
• Monitoring compliance with international standards for data security, privacy and lawful conduct across the Hubs.

Implications

Taken together, these provisions illustrate a forward-thinking strategy by Saudi Arabia to foster international partnerships and digital infrastructure investment. Governments and businesses may benefit from streamlined access to global markets, enhanced data sovereignty arrangements and robust physical and legal protections. On the other hand, compliance with multiple jurisdictions’ laws and the Kingdom’s power to terminate agreements will require stakeholders to carefully navigate the law’s operational and diplomatic dimensions. Ultimately, the Global AI Hub Law signals the Kingdom’s determination to become a key hub for digital services - offering both new opportunities and novel regulatory responsibilities for international actors.

For any further information relating to data centre regulation in Saudi Arabia, please contact Nick O’Connell or Charlie Christie.