Balancing Privacy and Risk: A Critical Analysis of Personal Data Use as Governed by Saudi Insurance Law

Abstract

The Kingdom of Saudi Arabia (KSA) Personal Data Protection Law (PDPL) was enacted in 2021. In its brief three-year existence, the PDPL has attracted significant academic and legal practitioner attention. This critical analysis focuses on three key questions: (1) What are the key PDPL objectives? (2) How does this legislation compare with privacy–data protection approaches adopted in other jurisdictions (notably the European Union General Data Protection Regulation 2016 (GDPR))? and (3) Does the PDPL achieve a reasonable, workable balance between personal data protection (‘data subjects’ interests) and risks associated with personal data being shared with KSA insurers? The analysis confirms that these PDPL measures appear sound, but a definitive assessment of the ‘balance’ objectives highlighted here requires ongoing attention—three years of PDPL use is an insufficient basis to reach final conclusions regarding PDPL fitness for purpose. However, a tentative ‘soundness’ conclusion has reasonable support when the relevant authorities are collectively assessed, particularly regarding the treatment of personal data by KSA insurers in the context of personal insurance policies.

1. Introduction

Human rights-based understandings of privacy and personal data protection have undergone significant reworkings across the entire international landscape in recent years. These changing notions of rights are directly linked to the modern digital communications era, one that began in earnest with the Internet’s late 20th-century emergence. These rapid technological advances have enabled governments, private insurers, law enforcement agencies, and other institutions to collect, process, store, and share vast amounts of personal data on an unprecedented scale (Scassa 2020).

These developments have also sparked serious human rights concerns—individuals’ rights to privacy and their ability to ensure that personal data are not misused by those who acquire them; they must be safeguarded wherever reasonably possible (Lu 2022). Many international community members have devoted significant law reform attention to building and implementing more robust privacy and personal data protection measures (Lu 2022, pp. 4–5).

The Kingdom of Saudi Arabia (KSA) leadership is committed to its ambitious Vision 2030 programs. These far-reaching initiatives are collectively designed to propel the nation along a pathway towards greater prosperity (Kingdom of Saudi Arabia 2024). Its authors describe Vision 2030 as a longer-term planning blueprint that will secure greater economic diversification, citizen empowerment, and a more robust investment climate and establish the KSA “as a global leader” (Kingdom of Saudi Arabia 2024).

Three broad Vision 2030 strategic objectives are outlined: ‘an ambitious nation, ‘a thriving economy’, and a ‘vibrant society’ (Kingdom of Saudi Arabia 2024). This study adopts a doctrinal–comparative method, examining statutes, executive regulations, and policy documents, primarily comparing KSA’s PDPL with the EU’s GDPR to assess the balance between data protection and insurers’ legitimate data use. The analysis also considers the influence of Sharia principles and authoritative interpretations (such as fatāwā and Council of Ministers decisions), which fundamentally shape the KSA legal and ethical landscape, including approaches to data governance and individual rights. The following critical analysis of the KSA’s Personal Data Protection Law (PDPL) is presented against this still-evolving Vision 2030 backdrop (Personal Data Protection Law 2021). Viewed from a reasonably well-informed international observer’s perspective, a ‘vibrant society’ is one where all human rights (including privacy) are valued.

Vision 2030 policy directions directly influence how the current PDPL regime must be understood. KSA leadership has clearly committed itself to a privacy–data protection legislative model that signals the Kingdom’s commitment to enact and enforce laws that mirror accepted practices in many other countries. For this reason, the European Union General Data Protection Regulation 2016 (GDPR) provisions are given detailed comparative analysis attention in the following project parts (General Data Protection Regulation 2016; Article 29 Data Protection Working Party 2017). The project also adopts the terminology employed in PDPL and GDPR contexts. Individuals whose rights are potentially impacted are ‘data subjects’; insurers, government agencies, and others who lawfully acquire personal data are ‘data controllers’ or ‘data processors’ (depending upon the data protection–rights context) (General Data Protection Regulation 2016, art. 1; Personal Data Protection Law 2021, art. 3).

The GDPR has attracted often intense judicial and scholarly scrutiny throughout its history. It is widely regarded as having promoted an attractive balance between the rights of individuals to be protected from data-related privacy intrusions and the ability of data users (such as insurers) to use personal data for their legitimate risk assessment purposes (KPMG 2024). A central research question is therefore addressed in different ways throughout this critical analysis: if the GDPR is regarded as the international personal privacy and data protection gold standard, does the PDPL offer similarly strong but balanced outcomes as its EU counterpart? The GDPR has received widespread scholarly and judicial attention and is often cited as a benchmark in global privacy law reform efforts (Voigt and von dem Bussche 2017).

In the following project parts, the phrase ‘data protection’ includes privacy and data components unless otherwise indicated. The analysis draws largely on personal and not corporate insurance examples, as data protection issues arise less frequently when corporate insurers seek insurance coverage (Katsabian 2019). Part 1 now sets out how global and KSA insurers have sought to incorporate data protection into their various operations and product offerings.

2. Part 1: Historical Context of Insurance and Data Protection

2.1. Risk, Underwriting, Claims Processing, and Data Sharing

It is essential to appreciate the following core insurance concepts when considering the present topic and research question outlined above. The Bank for International Settlements (BIS) provides the following guidance: Insurance is a form of risk management where the chance of financial or property losses associated with any activity is spread across a group (Bank for International Settlements 2024). Insurers assess risk through their assessment of two general risk factors: (1) the activity itself and (2) the individual seeking insurance coverage. For example, operating a motor vehicle on busy Riyadh roadways will carry greater risks of possible collisions than when the same vehicle is driven in more rural eastern KSA regions. Similarly, a driver with 40 years’ experience and no collision history is logically regarded as a lower insurance risk than a newly qualified driver or an individual with multiple prior accidents on their record (Saudi Central Bank (SAMA) 2024).

Insurance involves predicting future financial risks under uncertainty. Unlike gambling, insurance is governed by structured legal and regulatory frameworks. Underwriters assess whether the premiums collected from insured parties, pooled as reserves to cover valid claims, will be sufficient to meet total costs (including risk assessment, administration, claims investigation, and settlement). Where an insurer’s internal processes result in underwriting errors, profitability can decline. Accordingly, the business side of insurance directly influences how insurers operate, including the implementation and monitoring of personal data protection safeguards (Insurance Authority 2024).

Risk assessment is the first use that insurers make of personal data collected from (or in relation to) their insured data subjects. Insurers also need these data to make effective underwriting decisions (the evaluation of their potential policyholders’ risk profiles) (Insurance Authority 2024). Claims processing will invariably involve personal or sensitive data being communicated to an insurer (these data protection terms are given further attention below). For example, if an insured is injured in a motor vehicle accident and they require medical attention, treatment details that would otherwise be handled confidentially between the doctor, any involved facility, and the patient must be disclosed to the insurer before a claim can be evaluated (and compensation paid out) (Insurance Authority 2024).

The common thread that connects these various insurance–data protection circumstances is data sharing—insurance policies and coverages cannot work unless accurate, current, and verifiable information concerning a data subject is shared in accordance with the PDPL protection frameworks outlined here (Insurance Authority 2024).

For these reasons, insurers must have access to their prospective insured parties’ personal data—otherwise insurers could not accurately assess the two risk factors identified above. No sensible insurance business can operate in a data vacuum. The research question posed above thus invites consideration from a narrower perspective: (1) Individuals’ personal data must be made available to their insurers for the system to exist (thus insurers can permissibly collect personal data); however, (2) what reasonable legal limits must be imposed on (i) what specific personal data insurers can collect, (ii) how they may use it (including where such data are stored or shared), and (iii) when must these data be destroyed? (KPMG 2024).

2.2. Data Protection as a Human Right

Data protection–human rights legislative frameworks have been steadily expanded and intensified as the digital era has moved onwards. The GDPR is one of numerous global examples where the following anchoring principles are present: Data protection is considered a human right, and like all other human rights, it is protected by various legal frameworks (national, regional, and global legal instruments) (e.g., European Convention on Human Rights 1950, art. 8). Here are some key points: Privacy has universal human rights recognition (European Data Protection Supervisor 2024); personal data protection has similar human rights status; any effective balancing of interests between data users—processors (like KSA insurers) and individuals—must align with these rights (European Data Protection Supervisor 2024).

It is interesting to contrast human nature with these human rights concepts when considering the project topic and its nuances. Individuals should embrace robust, transparent data protection as crucially important in modern societies where data can be shared with ease across multiple platforms at any time (Ervits and Maintz 2024, pp. 2–5). Conversely, contemporary consumer societies (a status that KSA Vision 2030 objectives appear to endorse) have increasingly been prepared to trade fewer personal data protection safeguards for more personal convenience (Kingdom of Saudi Arabia 2024).

In this respect, while PDPL, GDPR, and other legal instruments address potential data protection rights abuse, a logically sound argument can be made that human nature and the desire for consumer convenience directly contribute to increased data protection breach risks. The PDPL framework is now considered.

3. Part 2: KSA Legal Framework

3.1. PDPL Overview

This legislation has a clearly articulated objective: protecting all individuals’ “personal data”, where such data include any information created or communicated in any form that directly or indirectly might identify an individual (Clyde & Co 2022). The PDPL data definitions include items such as a person’s names, their government identification numbers, home address, telephone numbers, photographs, and video recordings depicting them (Clyde & Co 2022).

The legislation encompasses all personal data processing undertaken by all KSA businesses (including insurers) and public agencies in KSA using any means whatsoever. Data processing for personal or family use is excluded from the law (Personal Data Protection Law 2021, art. 2). The PDPL provisions also apply to personal data processing of KSA individuals by foreign entities (Personal Data Protection Law 2021, art. 2; Clyde & Co 2022). It is noted that this KSA legislative framework also aligns with the previously published (2020) Freedom of Information policies that bind all KSA government agencies (Saudi Data & AI Authority (SDAIA) 2020a, chapter [4.1]).

The entire PDPL framework is supplemented by detailed executive regulations (Saudi Data & AI Authority (SDAIA) 2021, art. 1). When taken together, KSA law encourages the clear impression that ‘data protection matters’ to KSA policymakers. This impression now informs us how the insurance industry must operate to comply with national law.

3.2. Overarching Data Protection Principles

The KSA has crafted a data protection regime that is avowedly principles-based (a feature shared with its GDPR counterpart, as further explained below) (Privacy Engine 2024). The KSA’s commitment to principles-based data protection is commendable when viewed from an international community–human rights vantage point. Five principles provide the PDPL regulations with their structure (Saudi Data & AI Authority (SDAIA) 2020b, [1.2]). It is important for the KSA–EU comparisons presented below to consider the principles’ precise content. Personal data are deemed to be ‘open by default’ (Article 1), where the general rule regarding data accessibility is qualified where data “nature or sensitivity” requires higher security measures to be applied (Saudi Data & AI Authority (SDAIA) 2020b, Principle 1).

A ‘necessity–proportionality’ standard must apply to all PDPL data classifications (Article 2). Classifications made here must include consideration of where the data value to its controller–processor is balanced against its confidentiality (Saudi Data & AI Authority (SDAIA) 2020b, Principle 2). This Article 2 language specifically aligns with the balancing of competing interests’ tests provided in many contemporary international human rights instruments (including the European Convention on Human Rights 1950) (European Convention on Human Rights 1950; Sunday Times (I) v. UK (ECtHR 1979, para. 62). Article 2 is thus further direct evidence that PDPL data protection has many ‘mainstream’ international human rights features.

The remaining three PDPL regulation principles provide further corroboration concerning the KSA’s data protection intentions—robust, effective lawmaking (Clyde & Co 2022). All personal data must be classified in a ‘timely’ manner (Saudi Data & AI Authority (SDAIA) 2020b, art. 3). Where doubt might exist concerning what classification level is appropriate, the relevant data must receive the highest available classification—a suggested ‘pro data subject’ measure (Saudi Data & AI Authority (SDAIA) 2020b, art. 4; Gibson 2022).

Finally, the KSA principles stress the importance of sound data controller internal organization when handling personal data (Saudi Data & AI Authority (SDAIA) 2020b, art. 5). Controllers must ensure that all “data classification, access, disclosure, use, modification, or destruction” work is segregated—a useful safeguard against single controller personnel having authority to make all data protection decisions within the controller’s organizational structure. Selected PDPL measures are now considered with these principles providing guidance concerning their practical interpretation.

3.3. Selected PDPL Articles

The PDPL Articles discussed, such as Articles 3, 4, and 5–8, are selected as they directly pertain to data subject rights, consent, information provision, and data management by controllers—all of which are central to the insurance sector’s data processing activities and the core research question of balancing privacy with legitimate use. The PDPL Article 3 ‘General provisions for Data Subject Rights’ language exemplifies how KSA policymakers endeavored to achieve the balancing of interests emphasized in the project introduction (individual data subject rights protections weighed against data processing uses). Where a data subject requests that a data controller abide by the subject’s rights as protected by law, the data subject may permissibly demand that such rights are upheld “without delay” and within 30 days of their making the initial demand in any event (Personal Data Protection Law 2021, art. 3(1)(a)).

Where the request is determined as one requiring the controller’s “disproportionate effort” to satisfy it, or where the controller has received multiple requests from the same data subject, the controller may (i) extend the action period for another 30 days, so long as (ii) the controller advises the subject why the additional time is necessary (Personal Data Protection Law 2021, art. 3(1)(a)). A controller may lawfully refuse to comply with a request if the controller determines that the request “… is repetitive, manifestly unfounded, or requires disproportionate efforts” (the data subject must be notified accordingly) (Personal Data Protection Law 2021, art. 3(1)(a)).

PDPL Article 4 rights concerning all information that data subjects must receive from controllers and processors are also instructive in this context. Where data controllers receive personal data directly from any subject, the controllers are mandated to take steps that include (i) the controller’s legal basis for collecting these data and (ii) their “… specific, clear, and explicit purpose for its collection” (Personal Data Protection Law 2021, art. 4(1)(c)).

This Article 4 language is attractive for its directness and ease of understanding. In other words, KSA entities that may lawfully collect, store, and process personal data must nonetheless provide the data subject with details regarding why such activity is allowed by law (Herbert Smith Freehills 2023). Recognizing that actual data controller–processor practices may not necessarily reflect what Article 4 requires, this provision clearly promotes data protection transparency—a key element driving public trust and confidence in overall PDPL soundness (Herbert Smith Freehills 2023).

The remaining PDPL Articles that are relevant to KSA insurers are best understood as data subject rights protection measures. These rights include subjects’ access to their collected data, requesting corrections be made where the subject identifies an error in their data (such as data being old or obsolete), and (in appropriate circumstances) requiring that certain data be destroyed by the controller (Personal Data Protection Law 2021, arts. 5–8).

3.4. What Is a ‘Legitimate Interest’?

PDPL provisions include a “legitimate interest” concept. Data controllers and processors can lawfully deal with personal data (not including the processing of sensitive data, as this distinction is further explained below). A ‘legitimate interest’ is not specifically defined, but the relevant authorities confirm that interests such as assessing insurance risk, underwriting, and determining insurance claims legitimacy will all satisfy this PDPL requirement (Personal Data Protection Law 2021).

It is useful to consider how the defined ‘Data Protection Officer’ (DPO) role is linked to this concept and the broader PDPL protection schemes (Personal Data Protection Law 2021). In some circumstances (such as when the controller is a KSA public entity like a state agency or institution), data controllers must appoint a DPO. The officer is conceived as a vital safeguard where the entity is responsible for processing large volumes of personal data, and the primary data controller’s activities include “regular and continuous monitoring of individuals on a large scale, and where the core activities of the data controller consist of processing sensitive data…” (Personal Data Protection Law 2021). In this respect, the DPO is also reasonable assurance that the data controller will not arbitrarily classify personal data in ways that defeat all other PDPL transparency objectives. The following GDPR–PDPL comparison is also informed by these PDPL provisions. Table 1 shows six headline features of the GDPR that are most frequently cited in insurance-sector compliance guidance (scope, lawful bases, data–subject rights, consent standard, DPO trigger, and breach notification). The right-hand column then shows how each feature is transposed, sometimes verbatim, into the PDPL. The notes column flags the single most practical divergence practitioners should note.

Table 1. Key GDPR features and their PDPL equivalents relevant to insurers.

Feature	PDPL (KSA)	GDPR (EU)	Notes/Key Differences
Scope	Applies to the processing of personal data of KSA residents by entities inside or outside KSA.	Applies to the processing of personal data of EU data subjects by controllers/processors in the EU or targeting EU subjects.	Similar extraterritorial reach.
Lawful Bases for Processing	Consent, contract, legal obligation, vital interests, legitimate interests (explicitly defined by SDAIA).	Consent, contract, legal obligation, vital interests, public task, legitimate interests.	PDPL’s legitimate interest basis is more centrally defined by the regulator (SDAIA).
Data Subject Rights	Right to be informed, access, correction, destruction (erasure), and data portability (to be detailed in regulations).	Right to be informed, access, rectification, erasure, restrict processing, data portability, object.	Broadly similar rights. PDPL details on portability are evolving via regulations.
Consent	Must be explicit for sensitive data and for purposes beyond original collection.	Must be freely given, specific, informed, and unambiguous. Explicit consent for sensitive data.	Both require strong consent, especially for sensitive data. PDPL emphasizes consent for new purposes.
Data Protection Officer (DPO)	Mandatory for public entities performing large-scale monitoring or processing sensitive data as a core activity.	Mandatory for public authorities, large-scale systematic monitoring, or large-scale sensitive data processing.	Similar thresholds, focusing on public entities and high-risk processing.
Data Breach Notification	To competent authority (SDAIA) and data subjects under specific conditions and timelines.	To supervisory authority within 72 h if likely to result in risk; to data subjects if high risk.	Both mandate notifications. GDPR has a more specific initial timeframe for authority notification.
Cross-Border Data Transfers	Permitted if recipient jurisdiction offers adequate protection or specific derogations (e.g., consent, contract). SDAIA maintains a list of adequate countries.	Permitted to adequate countries (Commission decision), or with safeguards (SCCs and BCRs), or derogations.	Both use adequacy decisions and derogations. PDPL’s framework is still developing its list and specific mechanisms, potentially aligning with GDPR standards.
Enforcement and Penalties	Fines up to SAR 5 million and imprisonment up to 2 years for sensitive data disclosure. New SAMA regulations for the financial sector.	Fines up to EUR 20 million or 4% of global annual turnover.	Both have significant financial penalties. PDPL includes potential imprisonment.

3.5. An Initial GDPR–PDPL Comparison

Exhaustive EU–KSA data protection comparative jurisdiction analysis is beyond the present project research scope. However, the above-cited sources confirm that PDPL and GDPR similarities are more numerous than their differences, as highlighted in the table above. In his detailed 2022 report written from a legal practitioner’s perspective, Gibson observes that the two legislative frameworks are principles-based and rights-driven (Gibson 2022). Individuals must provide data controllers and processors with consent before personal data can be used. Each law has clear data protection benchmarks, and all data use must be justified; arbitrary data use of any kind is plainly unlawful.

When these comparable PDPL and GDPR measures are collectively assessed, the necessity–proportionality principles highlighted above are brought into even clearer focus. The fact that a data subject might object to how their personal information is being handled by a private commercial entity like an insurer or a state agency is not determinative of the subject’s request (Herbert Smith Freehills 2023). Any relevant controller–processor interest also must be weighed and valued. How these Articles are specifically understood in current KSA insurance contexts is now examined.

3.6. Key PDPL Provisions with Insurance Sector Relevance

As outlined above, modern insurance coverage is based on the insurer’s ability to assess risk. It is impossible to make these assessments without insurers having the ability to obtain, process, and store their insured parties’ data. Subject to the KSA motor vehicle insurance laws outlined below, all insurance contracts are commercial bargains where each party acquires legal rights and assumes specified legal obligations (Saudi Central Bank (SAMA) 2022). English common law distinguishes (i) the ordinary implied duty of good faith that colors performance of all contracts and (ii) the long-standing insurance-specific duty of utmost good faith (uberrimae fidei) codified in the Marine Insurance Act 1906. Because the Consumer Insurance (Disclosure and Representations) Act 2012 and the Insurance Act 2015 have now replaced the pre-contract utmost-good-faith disclosure rule with a duty of fair presentation of the risk, modern UK insurance law recognizes three separate but related duties. While both Saudi and UK insurance laws impose duties of good faith, the UK position now comprises three separate strands: (1) the general duty of good faith that underlies the performance of all contracts; (2) the historic duty of utmost good faith in insurance (Marine Insurance Act 1906 s 17); and (3) the duty of fair presentation of the risk introduced by the Insurance Act 2015, supplemented for consumer business by the Consumer Insurance (Disclosure and Representations) Act 2012 (Khalifa 2022; Marine Insurance Act 1906; Consumer Insurance (Disclosure and Representations) Act 2012; Insurance Act 2015). By contrast, Saudi courts continue to treat utmost good faith as a single, Sharia-derived organizing principle that governs every phase of an insurance contract, from negotiation to termination. Influenced by the Qur’an and its Sharia principles, KSA courts recognize good-faith principles applying to all contract stages commencing with contract negotiation and concluding with its termination (Khalifa 2022).

Saudi statutory materials reinforce that general principle. Article 53(1) of the Insurance Control Law and Articles 24–26 of the Market-Conduct Rules oblige insurers—before a policy is issued—to place the full terms, conditions, and exclusions before the customer and to act “honestly, transparently, and fairly” (CICCL 2003, art. 53(1); IMCCR 2019, arts. 24–26).

Good faith recognition and enforcement is given enhanced status under KSA insurance law, as the following source confirms (General Secretariat of Committees for Resolution of Insurance Disputes and Violations 2024). The General Secretariat of Committees for Resolution of Insurance Disputes and Violations underscores this core good faith–insurance coverage proposition: all insurance contract parties are bound by the principle of “utmost good faith”, where they must fully and clearly disclose all material facts and matters within their knowledge that might influence the other party to accept all contract terms (General Secretariat of Committees for Resolution of Insurance Disputes and Violations 2024, pp. 3–6).

This principle is universally adopted across the international commercial world—another clear indication of KSA law being well-aligned with prevailing global insurance coverage practices (Mdala 2022, pp. 2–3). The specific ways that PDPL provisions govern personal data collection and use are now analyzed.

4. Part 3: Collection and Use of Personal Data in Insurance

4.1. Key Definitions

These selected definitions expand upon the general PDPL concepts introduced above. Personal data are any data that might contribute to an individual being specifically identified. Sensitive data are personal data subsets. They might reference an individual’s racial or ethnic origins; their religious, intellectual, or political beliefs; personal criminal or national security data; and their biometrics, genetics, creditworthiness, or parentage–adoption records where such data exist (Saudi Data & AI Authority (SDAIA) 2020a).

One might reasonably conclude that any personal data might conceivably have sensitive data status—depending on the circumstances associated with its collection, use, and intended processing purposes. Further, it is obvious that if sensitive data were not subject to enhanced protections, insurer data collection and processing transparency would be more difficult to ensure (Saudi Data & AI Authority (SDAIA) 2020a). The fact that anyone violating PDPL sensitive data protection rules faces a two-year prison term upon conviction is a further testament to the seriousness attached to these PDPL safeguards (PwC 2023).

4.2. What Personal Data Sources Do Insurers Use?

It is important to appreciate that the human nature–consumer convenience points outlined above have another dimension in these insurance contract–coverage contexts. It is doubted that modern societies could function without insurance. For example, a business owner might choose to have limited or no insurance coverage. The reasons for making this decision are likely part of their broader cost–benefit-based analysis, one captured by the rhetorical question—What is the minimum (lowest cost) insurance that I can purchase and still have sufficient protection against possible future losses? (PwC 2023).

However, in some KSA consumer law areas, insurance is mandatory. Notable examples include the following: (1) motor vehicles (all vehicles operated on KSA public roads must be insured), and (2) all KSA resident foreign nationals must have health insurance (KSA citizens have the benefit of national healthcare access) (Saudi Central Bank (SAMA) 2024; Council of Health Insurance 2024). In these insurance spheres, the PDPL and its regulations’ emphasis placed on data subjects always providing their prior consent to personal data collection acquires a new meaning. Mandatory insurance means that prospective KSA insureds must provide any requested information to their insurers—or they will not have insurance coverage (Saudi Central Bank (SAMA) 2024; Council of Health Insurance 2024). In the technical sense, these individuals are consenting to their data being used by insurers for risk assessment purposes, but they have no option but to consent (Saudi Central Bank (SAMA) 2024; Council of Health Insurance 2024).

Insurers thus gather personal information about their insureds by consent. They also can search across existing public databases, online platforms, media sources, and through private investigation (Saudi Central Bank (SAMA) 2024; Council of Health Insurance 2024). All KSA insurers are bound by the PDPL Articles and its supporting regulations (including the five enumerated principles). Of all the various KSA insurance–data protection concepts identified above, transparency is arguably the most important. Where insurers are required to make full disclosure of their data controller-processing activities, KSA regulators like SAMA and insurance consumers can trust the risk, underwriting, and claims-handling processes.

4.3. Risk Assessment and Ethical Considerations

It is equally apparent that when insurers collect personal or sensitive data through the three processes highlighted above, ethical issues acquire greater prominence. ‘Trust’ is again the operative concept. Insurers cannot function without data, but they will only maintain their consumers’ trust if personal privacy rights are respected. Two well-known risk assessment concepts now merit additional consideration here: adverse selection and moral hazard.

Adverse selection results where service providers (insurers) and consumers (their insureds) have asymmetrical (differing) information that benefits one party more than the other (Akerlof 1970, p. 500). Given that in most commercial contract dealings, businesses have more research and data-gathering resources than individual consumers, adverse selection in insurance contracts often means the insurer has a negotiating advantage over their insureds. For example, where insurer X knows that its competitors Y and Z will often offer similar insurance packages for less than what X will charge an insured, it is in X’s interest to keep this information from its insureds. X thus benefits from this information asymmetry.

By contrast, moral hazard occurs when a particular ‘economic actor’ (such as an insured party) lacks any meaningful incentive to guard against a particular risk because they believe that they enjoy full protection from any consequences associated with the risk occurrence (Ben-David 2020, pp. 2–3). Moral hazards have received significant scholarly attention during recent financial crises. Many commentators suggested that financial institutions took excessive commercial risks because they assumed that no matter what happened, governments would ultimately bail them out (Ben-David 2020, pp. 2–3).

By its nature, all insurance coverage carries moral hazard potential. Motor vehicle operators might be more inclined to drive recklessly (thus risking greater personal injuries and property damage) if they believe their insurer will provide claims compensation. Individuals might live less healthy lives (including poor dietary practices) if they have full health insurance coverage. It is doubted that the PDPL provisions extracted for analysis here can be improved upon regarding better avoidance or mitigation of adverse selection and moral hazard possibilities. The law and its regulations properly emphasize insurer transparency and data collection consent—key counterweights to adverse selection. Moral hazard is a natural part of any insurance scheme; it cannot be eliminated given the important purposes that insurance is designed to achieve (Çil 2024).

However, the universality of the KSA healthcare system invites a brief comment on potential moral hazard dynamics. Access to free public health services may encourage positive health-seeking behaviors, such as routine check-ups that enable early detection of chronic conditions (e.g., hypertension, cholesterol, and diabetes). Early detection can reduce long-term treatment costs and contribute to a more productive population. Nevertheless, the broader impact of free healthcare on moral hazard must be understood in the context of Saudi Arabia’s Vision 2030, which seeks to transform the health system by enhancing private sector participation and introducing more insurance-based models (Ministry of Health 2022).

4.4. A KSA Health Insurance Case Study

Vision 2030 makes extensive reference to KSA public health objectives (Vision 2030 2024a). Among other commentaries, the KSA healthcare sector and its Healthcare Sector Transformation Program (HSTP) are self-described as “… more comprehensive, effective, and integrated than ever before” (Vision 2030 2024a). HSTP is now an “enhanced system [where] innovation, financial sustainability … disease prevention [and improved] access to healthcare” are prioritized (Vision 2030 2024a).

Vision 2030 also sets out an ambitious healthcare system reform program that reflects how the Kingdom leadership seeks to build out high-technology healthcare services (including expanded e-health services and digital solutions) that also ensure international treatment standards adherence (Vision 2030 2024a). When the full sweep of Vision 2030 healthcare system objectives is understood, improved health insurance will contribute to positive KSA economic growth and lower government healthcare costs (AlJohani and Bugis 2024, p. 9).

KSA health insurance is a useful case study for present critical analysis purposes because the healthcare system arguably has more wide-ranging data protection issues than any other single KSA sector. It is recalled that health insurance data protection might include personal or sensitive information pertaining to the insured (patient), any involved family members, their treatment professionals and team, caregivers, or banking or financial arrangements; the possibilities seem endless (Vision 2030 2024a).

4.5. Points of Intersection—Personal Genetic Data

It is equally apparent from the PDPL overviews outlined above that there are numerous potential points of intersection between the legislative–regulatory measures and health insurance-related data protection (Vision 2030 2024a). A specific area is highlighted here: whether, or to what extent, KSA insurers can gather, store, process, or distribute genetic data pertaining to the individual insureds.

Vision 2030 also influences this narrower data protection analysis. The KSA leadership has prioritized the Saudi Genome Project (SGP), where this cutting-edge scientific research is expected to position the KSA healthcare sector as a global hub for collaborations concerning “prevalent genetic diseases”, leading the Middle East–North African region in genetics and genomics studies, and using this research to deliver high-quality healthcare to all KSA citizens (Vision 2030 2024b).

As seen in Vision 2030, genomics research emphasizes that KSA insurers might reasonably approach genetic data gathering from two data protection perspectives. The first concerns the sensitive personal data definition explained above. Genetic data are sensitive data; they include markers that reliably identify the individual involved. Insurers have a positive PDPL obligation to use enhanced data protection wherever such information is gathered (Vision 2030 2024b).

Conversely, given that KSA policy is prioritizing genomic research, it seems possible that insurers might be expected to share their gathered sensitive data in the national interest (the Vision 2030 objectives highlighted above). There is not yet sufficient information to determine whether this possibility might become a KSA reality. A brief hypothetical scenario illustrates this problem. Twenty-five-year-old P applies for private health insurance from company H. P undergoes testing, and it is determined that P is at very high risk of cardiac arrest and sudden death. H advises P that it will not insure them. P seeks insurance from another insurer (Q). P does not disclose her earlier testing results, and Q does not require the test. Should KSA data protection law require all insurers to share information such as P’s test results on necessity and proportionality grounds, notwithstanding its otherwise clear sensitive personal data status?

It is noted EU policymakers have endeavored to address this issue directly, yet there is no clearly defined policy (Mitchell 2020). It seems likely that GDPR compliance regarding genomic–genetic data protection will be pursued through mandatory anonymizing of all such data. It is unclear how this approach will adequately address the scenario issues outlined above (Mitchell 2020). It is noted that under GDPR Article 40, it is possible that EU policymakers can devise codes of conduct that will both contribute to a crystallized data protection best practice and encourage creating a consensus concerning “key safeguards and legal interpretations in the genomic context” (Mitchell 2020). The project conclusions are presented accordingly.

5. Conclusions

The various points developed in the preceding sections bring the entire project full circle—the research question posed in the Introduction Section can now be effectively resolved. The research question asked whether PDPL provisions were well aligned with the EU’s GDPR, also the presumptive international personal privacy–data protection gold standard. The answer is clear. The analyses undertaken above confirm that, as a general proposition, the PDPL provides similarly strong but balanced data protection outcomes as its EU counterpart.

The sources cited throughout the analysis confirm that KSA policymakers have succeeded in devising and implementing data protection frameworks that are based on accepted principles. The KSA appears to have deliberately used the same terminology as that employed in the GDPR—a sensible building block for anyone seeking to craft legislation that advances the same desired data protection objectives. It is noted that while the KSA does not have a specialist court devoted to its PDPL interpretation in the same way that EU leaders can rely upon the European Court of Human Rights (all EU member states being Council of Europe contracting states), it seems likely that if the KSA modeled its data protection laws on the GDPR provisions, its KSA interpretations will also be similar.

As the KSA’s commitments to advancing its Vision 2030 objectives intensify, it seems likely that the KSA insurance sector is now governed by sound regulations that have brought the KSA’s laws into the international community mainstream. The emphasis KSA laws place on the necessity–proportionality requirements that are fundamental to overall GDPR strength and utility are also likely its most important comparative features. If the PDPL functions in the same way as its EU counterpart, as KSA policymakers clearly intend, KSA citizens and all KSA insurance industry stakeholders can safely trust the law as one that will likely advance the ambitious insurance sector directions that have been declared in Vision 2030.

It is not suggested that the PDPL regime is perfect. Given that PDPL enforcement only effectively commenced in 2023, there is a lack of long-term empirical data on breaches, complaints, or enforcement actions, which limits a comprehensive assessment of its practical efficacy at this stage. It is impossible to reach definitive conclusions regarding its legislative fitness for purpose when the PDPL track record is less than three years long. The points made regarding Vision 2030 and genomics–genetic data reinforce this view—the opinions expressed here regarding overall PDPL legislative soundness must be qualified accordingly. It is anticipated that after perhaps another five years of existence, the new law could be reevaluated and targeted law reforms could be proposed. For example, it will take more time to determine how well PDPL provisions deal with genetic personal data and its distribution. These comments aside, it appears certain that at this moment, KSA data protection law is taking a positive trajectory.

Looking beyond genetic information, all compulsory insurance classes in the Kingdom engage PDPL-defined “sensitive personal data”. Motor insurers, for instance, already harvest telematics and facial-recognition footage to price compulsory third-party liability policies, while expatriate health insurers routinely process biometric passports, SIMAH credit scores, and cross-border medical files. Because these data flows arise from mandatory coverage, policyholders cannot opt out, so robust safeguards are essential. Three recommendations follow. First, data minimization and strong pseudonymization should be built into sector-specific codes of conduct for every compulsory line (motor, expatriate, professional, and public health). Second, insurers that share sensitive data across the market—whether via SAMA’s motor database or CHI’s unified health-policy portal—should do so only through end-to-end encrypted APIs and auditable access logs. Third, the Data Authority’s forthcoming implementing regulations should oblige all insurers to carry out line-by-line legitimate-interest assessments, with an explicit balancing test between underwriting efficiency and individual privacy. These wider safeguards will place motor, health, and any future compulsory products on the same compliant footing as the genetic-data scenario analyzed above, thus ensuring that PDPL continues to mirror GDPR standards and Vision 2030s ambition for a trustworthy, data-driven insurance market.