Toward a Risk-Calibrated Civil Liability Framework for Personal Data Breaches: A Comparative Study of Saudi, Jordanian, and EU Law
DOI: https://doi.org/10.48161/qaj.v6n2a2514
Keywords: Civil liability, Data breaches, General Data Protection Regulation (GDPR), Comparative data protection law, Risk-calibrated accountability model
Abstract
This study provides a theory-driven comparative analysis of civil liability for personal data breaches across three legal frameworks: Saudi law, Jordanian law, and the European Union's data protection regime, with particular emphasis on the European Union General Data Protection Regulation (GDPR) and on the interaction between civil liability rules and personal data protection regulation. It examines how these frameworks address key liability challenges arising from digital harms, including burden of proof, attribution of responsibility, non-material damages, and multi-party processing environments. Methodologically, the study adopts a functional comparative approach, complemented by a post-functional critical perspective that assesses the transferability of legal doctrines across jurisdictions. It develops a five-indicator analytical matrix to operationalize adequacy and effectiveness in civil liability systems, focusing on burden distribution, damage recognition, attribution mechanisms, preventive capacity, and judicial accessibility. Drawing on recent jurisprudence of the Court of Justice of the European Union (notably C-300/21 and C-340/21), the study identifies structural limitations in both the Saudi and Jordanian regimes, particularly their continued reliance on traditional fault-based liability and limited doctrinal clarity regarding intangible harm and causation in complex digital environments. Building on these findings, the paper proposes a Risk-Calibrated Accountability Model (RCAM), which integrates a calibrated fault standard based on objective security benchmarks, a conditional presumption of liability, a structured approach to non-material damages, and layered joint attribution for distributed data processing. The model is theoretically grounded in accountability theory and moderate strict-liability principles, while remaining aligned with the institutional and doctrinal structures of Saudi and Jordanian law.
The study concludes with targeted legislative and regulatory recommendations to enhance the effectiveness and coherence of civil liability for data breaches in both jurisdictions.
References
Manrique, J. I. T., & Mukhtar, R. (2025). Regulating Intelligent Systems in Digital Governance and Legal Transformation. Qubahan Techno Journal, 4(3), 24-40.
Alshamrani, A. (2022). Data protection and privacy law in Saudi Arabia: Emerging challenges and regulatory responses. Arab Law Quarterly, 36(2), 145–168.
Solove, D. J., & Citron, D. K. (2018). Risk and anxiety: A theory of data breach harms. Texas Law Review, 96(4), 737–786.
Abraham, M. M., Dev, S. I., & Manrique, J. I. T. (2024). Asymmetric surveillance governance: A thematic analysis of privacy, national security, and AI regulation in India. Qubahan Political Journal, 3(1), 1-11.
Court of Justice of the European Union (2023). Judgment of 4 May 2023, UI v Österreichische Post AG, Case C-300/21, ECLI:EU:C:2023:370. CJEU.
Court of Justice of the European Union (2023). Judgment of 14 December 2023, VB v Natsionalna agentsia za prihodite, Case C-340/21, ECLI:EU:C:2023:986. CJEU.
Sarabdeen, J., & Mohamed Ishak, M. M. (2025). A comparative analysis: health data protection laws in Malaysia, Saudi Arabia, and the EU GDPR. International Journal of Law and Management, 67(1), 99–119.
Alnasser, H. (2025). Negligence and data breaches under Saudi Arabian Personal Data Protection Law (PDPL): A doctrinal analysis. Journal of Advances in Humanities Research, 4(3).
Kingdom of Saudi Arabia (2023). Civil Transactions Law, Royal Decree No. M/191 of 29/11/1444H (18 June 2023), entered into force on 16 December 2023. Official Gazette of the Kingdom of Saudi Arabia.
Hashemite Kingdom of Jordan (2023). Personal Data Protection Law No. 24 of 2023, Official Gazette No. 5881, p. 4338 (17 September 2023), entered into force on 17 March 2024. Official Gazette of the Hashemite Kingdom of Jordan.
Filler, D. M., Haendler, D. M., & Fischer, J. L. (2022). Negligence at the breach: Information fiduciaries and the duty to care for data. Connecticut Law Review, 54(1), 105–162.
Tschider, C. (2024). Data governance failures and the problem of organizational negligence. Minnesota Journal of Law, Science & Technology, 25(2), 231–274.
De Hert, P., & Papakonstantinou, V. (2016). The new General Data Protection Regulation: Still a sound system for the protection of individuals?. Computer Law & Security Review, 32(2), 179–194.
Voigt, P., & von dem Bussche, A. (2017). The EU General Data Protection Regulation (GDPR): A practical guide. Springer.
Zhao, X., Li, J., & Nguyen, H. (2023). Data protection and negligence liability: Comparative evidence from the EU and Asia-Pacific. Computer Law & Security Review, 50, 105850.
Brown, J. E., & Alothman, M. S. (2025). Balancing privacy and risk: A critical analysis of personal data use as governed by Saudi insurance law. Laws, 14(4), 47.
Citron, D. K., & Solove, D. J. (2022). Privacy harms. Boston University Law Review, 102(3), 793–863.
Schwartz, P. M., & Solove, D. J. (2014). The PII problem: Privacy and a new concept of personally identifiable information. New York University Law Review, 86(6), 1814–1894.
Li, S. (2023). Compensation for non-material damage under Article 82 GDPR: A review of Case C-300/21. Maastricht Journal of European and Comparative Law, 30(6), 612–628.
Walree, T. F. (2023). The relationship between Article 47 CFR and the concept of damages under Article 82 GDPR. International Data Privacy Law, 13(3), 169–185.
Zanfir-Fortuna, G. (2023). Article 82 GDPR: Right to compensation and liability. In C. Kuner et al. (Eds.), The EU General Data Protection Regulation (GDPR): A Commentary (pp. 1160–1179). Oxford University Press.
Alhejaili, A. (2024). Data protection and privacy in Saudi Arabia: Challenges under the PDPL. Arab Law Quarterly, 38(2), 145–170.
Alnasser, H. A. (2025). The concept of negligence in data breach: A comparative doctrinal analysis of the EU, California, and Saudi Arabia. Veredas do Direito: Direito Ambiental e Desenvolvimento Sustentável, 22(3).
Al-Tamimi, Y. (2021). Civil liability for technological harm under Jordanian law: Challenges and prospects. Jordanian Journal of Law and Jurisprudence, 13(1), 55–78.
Jabbour, M. S., & Jabbour, M. (2018). Personal data and Arab laws: Security concerns and individual rights. Arab Center for Legal and Judicial Research.
Bani Migdad, M. A. M. (2023). Publishing via social media sites and the civil liability of the publisher in the Jordanian legislation. International Journal of Membrane Science and Technology, 10(1), 1–12.
Maaytah, S., & Kobarie, H. (2024). The extent of the impact of cybersecurity rules on electronic civil transactions in Jordanian law. International Journal of Religion, 5(6), 1892–1904.
Al-Rawashdeh, A. M. (2025). Law applicable to civil liability for cyberattack from the perspective of Jordanian legislation. International Journal of Legal and Comparative Jurisprudence Studies, 6(Special Issue).
Khawaldeh, A. M. (2026). Civil liability odds in information leaks: Controversial legal debates and emerging judicial doctrines in Jordan. Laws, 15(2), Article 26.
Lynskey, O. (2016). Tortious liability and data protection under the GDPR. In O. Lynskey, The Foundations of EU Data Protection Law. Oxford University Press.
Koops, B. J. (2014). The trouble with European data protection law. International Data Privacy Law, 4(4), 250–261.
Kingdom of Saudi Arabia (2021). Personal Data Protection Law, Royal Decree No. M/19 of 09/02/1443H (as amended by Royal Decree No. M/148 of 05/09/1444H, 27 March 2023). Saudi Data and Artificial Intelligence Authority (SDAIA).
Wright, D., & De Hert, P. (2016). Privacy impact assessment. Springer.
European Data Protection Board (2021). Guidelines 01/2021 on data breach notification examples. EDPB.
Citron, D. K. (2019). Hate crimes in cyberspace. Harvard University Press.
Allakuliev, M. D. (2024). Legal regulation of liability for cyber attacks and data breaches. International Journal of Law, 10(5), 111–113.
Schlackl, F., Link, N., & Hoehle, H. (2022). Antecedents and consequences of data breaches: A systematic review. Information & Management, 59(7), 103638.
Jordanian Court of Cassation (Civil Capacity) (2019). Cassation Decision No. 1598/2019, 6 October 2019, and subsequent decisions to the same effect. Qararak Legal Publications.
Zweigert, K., & Kötz, H. (1998). An Introduction to Comparative Law (3rd ed.). Oxford University Press.
Michaels, R. (2019). The functional method of comparative law. In M. Reimann & R. Zimmermann (Eds.), The Oxford Handbook of Comparative Law (2nd ed.) (pp. 345–389). Oxford University Press.
License
Copyright (c) 2026 Qubahan Academic Journal

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.



