The Swedish government has introduced a bill in parliament concerning data storage for telecommunications companies, mandating applications like WhatsApp and Signal to retain a record of messages. This proposal has encountered strong opposition from various stakeholders, including tech companies such as Signal and Meta (the owner of WhatsApp), as well as the Swedish Defense Forces. The latter has advised its personnel to use the Signal app to avoid surveillance. Critics have cautioned that the proposed legislation would create security vulnerabilities that external entities could exploit, facilitating breaches that could compromise encryption and expose communications to unauthorized access.

Signal is a U.S.-based application established in 2010 by Whisper Systems. It serves as an encrypted messaging platform, facilitating the exchange of text and voice messages, photos, videos, and enabling voice and video calls. The app is distinguished by its robust features, particularly its high standards of privacy and security. It ensures the protection of users’ conversations by encrypting every message sent or received, making Signal a preferred choice for numerous users globally. Furthermore, the app does not store user data on its servers, which significantly enhances users’ sense of security and trust in the platform.

In this context, Meredith Whittaker, the CEO of Signal, categorically rejected the proposal, stating that introducing “backdoors” would force Signal to compromise its encryption standards, which are essential to the app’s operation. She emphasized that the requirement to store user data would jeopardize the entire structure of the app, and Signal would be unable to comply with such requirements. Whittaker added that implementing this law would intentionally create vulnerabilities in software, which could be exploited, ultimately threatening user privacy. She also announced that the company would withdraw from the Swedish market if the law were to pass.

On the other hand, Swedish Justice Minister Gunnar Strömmer emphasized the importance of this proposal in enhancing the ability of security authorities to uncover serious crimes more quickly, by accessing the message records of suspects when a crime is suspected. He considered stored data to be a crucial tool in criminal investigations and noted that the proposed law aims to align with European Union directives on data retention.

Signal’s stance has sparked widespread concern about privacy and human rights in the digital age. Whittaker pointed out that privacy violations have become a global issue as governments and companies increasingly use mass surveillance technologies, making it essential to have tools like Signal that provide secure communication spaces away from prying eyes, especially as digital rights violations escalate globally.

Amidst the global tension between digital privacy and security, Saudi Arabia’s personal data protection system serves as a model aiming to strike a balance between protecting individuals’ rights over their personal data and the needs of public entities. In this framework, the Kingdom has implemented a personal data protection system governing access to data by public and governmental bodies, balancing the safeguarding of individual rights against the requirements of public entities to achieve their goals, particularly security, health, and public safety.

The Saudi Data and Artificial Intelligence Authority is responsible for raising awareness among entities covered by the Personal Data Protection Regulations (the Regulations) and their implementing regulations, and for enabling them to understand their obligations as outlined in Articles 15 and 16 of the Regulations, as well as the provisions mentioned in Article 20 of the Implementing Regulations. In that role, the Authority has issued a guidance document to assist entities in identifying situations where personal data disclosure is permissible and the restrictions that apply to it.

This guidance document aims to:

  • Empower entities to effectively apply the provisions of the Personal Data Protection Regulations.

  • Enhance the adoption of best practices concerning the disclosure of personal data, ensuring adherence to the Regulations.

  • Offer clear directives to assist entities subject to the Regulations in understanding and implementing the disclosure provisions, as outlined in the Regulations and their Implementing Regulations.

  • Safeguard the privacy of personal data owners and preserve the confidentiality of their information.

In the context of this topic, we outline below the disclosure obligations of both controllers and public entities:

Obligations of the Controller when Responding to a Disclosure Request:

  1. Document the disclosure request.

  2. Precisely identify the type of personal data required for disclosure.

  3. Include personal data disclosure processes in the records of personal data processing activities and document their dates, methods, and purposes.

  4. Comply with the requirements for transferring personal data outside the Kingdom when disclosing personal data, in accordance with the conditions and requirements specified in the Regulations and their Implementing Regulations.

  5. When disclosing personal data linked to another individual’s data, the controller must exercise due care and provide adequate safeguards to maintain the privacy of the other individual and ensure it is not violated, including encrypting personal data that identifies the other individual whenever possible.

Obligations of Public Entities when Requesting Access to Personal Data from any Controller to Achieve a Public Interest, for Security Purposes, to Implement Another Regulation, or to Fulfill Judicial Requirements:

  1. Verify that such access is essential for achieving a clearly defined public interest.

  2. Ensure that the public interest aligns with their legally mandated competencies.

  3. Implement appropriate measures to mitigate potential harm, including establishing necessary administrative and technical controls to ensure that their personnel adhere to Article 41 of the Regulations, which requires maintaining confidentiality of data-related secrets even after the termination of employment or contractual relationships.

  4. Document these processes in the records of personal data processing activities.

  5. Collect and process only the minimum amount of personal data necessary to fulfill the purpose.

