Saudi Arabia is proposing something no G20 nation has done before: let foreign governments and companies host data on Saudi soil while keeping their own legal jurisdiction over it. Think of a diplomatic embassy, but instead of a building, it is a data centre.

The Communications, Space and Technology Commission (CST) published a draft Global AI Hub Law in 2025. It has since entered consultation. If it passes in its current form, it creates a legal framework for what the law calls "data embassies" — sovereign data environments hosted within the Kingdom where the host nation's laws, not Saudi laws, govern the data.

For enterprise AI programmes operating in or targeting the GCC, this is worth understanding before the final text lands.


What a data embassy actually is

The concept is borrowed from Estonia, which pioneered the idea of virtual embassies in Luxembourg as a post-Brexit continuity measure. Saudi Arabia's version is broader and more commercially ambitious.

Under the draft law, a foreign entity — a government, a bank, a technology company — can establish a sovereign data centre within Saudi Arabia where:

The strategic intent is clear. Saudi Arabia sits geographically between Europe, Asia, and Africa. It has invested heavily in hyperscale data centre infrastructure. And it wants to become the preferred hub for organisations that need low-latency, sovereign-compliant AI infrastructure serving multiple regions simultaneously.


Why this matters for enterprise AI

Most enterprises deploying AI in the Gulf face a version of the same problem: they need to process sensitive data — customer records, health information, financial transactions — in close proximity to their users, but they are reluctant to put that data fully under the jurisdiction of a foreign regulatory regime.

The current workaround is a patchwork: data residency clauses, contractual limitations on access, local cloud regions with carefully negotiated terms. It works, imperfectly, at significant compliance cost.

The data embassy model, if it works as drafted, collapses that complexity. You physically locate data in the Gulf. You retain your home jurisdiction's legal protections. Your GDPR obligations, your sector-specific data regulations, your audit rights — all travel with the data.

For a European financial institution building AI for GCC clients, this is significant. For a healthcare provider wanting to run AI diagnostics on data that cannot leave EU legal jurisdiction, it is potentially transformative.


The sovereignty paradox

There is an obvious tension in the concept that enterprises should interrogate before building infrastructure strategies around it.

Physical control and legal control are not the same thing. When data sits on a server in Riyadh, Saudi authorities retain physical proximity to it regardless of what a legal framework says. The protections offered are contractual and jurisdictional, but the mechanisms for enforcing them if they are breached are untested.

This is not a theoretical risk. The history of data protection frameworks contains numerous examples where physical access and legal access have diverged in practice, particularly in contexts of geopolitical tension or national security demands.

Estonia's embassies in Luxembourg work partly because Luxembourg is an EU member state with a shared rule-of-law framework. Saudi Arabia's position is different: a strong rule of law for commercial matters, significant sovereign discretion on national security, and a different relationship with international arbitration.

None of this makes the framework unworkable. It means enterprises need to be precise about what data they put into a data embassy and what risks they are actually mitigating versus accepting.


What to watch as the law progresses

The draft is out for consultation. Several provisions will likely change before enactment. The questions that matter most for enterprise AI programmes are:

Access protocols

The draft is vague on what access Saudi authorities retain in national security contexts. The final text needs to be explicit about the carve-outs. If Saudi authorities can access the data under a broad national security exemption, the embassy concept is materially weakened.

Dispute resolution

If a foreign entity believes its data sovereignty has been violated, where does it go? International arbitration is specified in the draft, but the seat of arbitration, the governing law, and the enforcement mechanism matter enormously.

Certification and audit rights

Organisations subject to sector-specific regulation — banking, healthcare, defence — will need to demonstrate to their own regulators that their data remains within scope of those frameworks even when physically hosted in a third country. The audit trail needs to be independently verifiable, not just contractually guaranteed.

Reciprocity

Saudi Arabia is likely to expect something in return from countries whose entities use the framework. Understanding what that looks like in practice — market access, procurement preference, regulatory co-operation — is part of the commercial calculus.


The immediate implication for AI programmes

Do not restructure your infrastructure strategy around this law until it is enacted and tested. Data embassy frameworks of this kind have never been stress-tested in a major geopolitical dispute, and you do not want your AI programme to be the first.

What you should do now: map the data flows in your current or planned GCC AI programmes and identify which data would benefit most from this kind of framework if it works as drafted. That exercise is worth doing regardless, because it will clarify your current data sovereignty risks and the contractual gaps in your existing arrangements.

Saudi Arabia is serious about becoming the AI infrastructure hub for the region. HUMAIN, the sovereign AI company backed by the Public Investment Fund, is building the compute layer. The data embassy law is meant to provide the legal framework that makes foreign organisations comfortable putting their sensitive workloads there.

Whether the execution matches the ambition is a question that will take years to answer. But organisations planning GCC AI programmes in 2027 and beyond need to be watching the answer take shape now.