ABSTRACT Artificial intelligence is transforming healthcare, but it creates a fundamental regulatory tension. AI systems derive their clinical value from large-scale, multipurpose, and longitudinal use of health data, precisely the processing that robust data protection law is designed to constrain. This article argues that Saudi Arabia's Personal Data Protection Law (PDPL) creates a protective-but-underspecified environment for healthcare AI. Its consent-first architecture, broad definition of sensitive health data, and accountability mechanisms provide a strong privacy foundation that, in several respects, exceeds the European Union's General Data Protection Regulation (GDPR). Yet the PDPL lacks the research derogations, standardised transfer instruments, and AI-specific interpretive guidance needed to enable data-intensive AI development. Using doctrinal and comparative legal methods, the article examines four dimensions—consent, data minimisation and retention, cross-border transfers, and accountability for automated decision-making—against the GDPR, the EU AI Act (Regulation (EU) 2024/1689), and the European Health Data Space Regulation. It finds a normative asymmetry: the PDPL is formally more protective but structurally less enabling of the data uses on which clinical AI depends. The article proposes four reforms: research derogations via amended Implementing Regulations; standardised transfer instruments; sector-specific guidance on automated clinical decisions; and an integrated governance framework grounded in Islamic bioethical principles and Vision 2030.
Dhali et al. (Mon,) studied this question.