THE CONCEPT OF NEGLIGENCE IN DATA BREACH: A COMPARATIVE DOCTRINAL ANALYSIS OF THE EU, CALIFORNIA, AND SAUDI ARABIA

Authors

  • Hanan Ali Alnasser, Faculty of Law, Universiti Malaya

DOI:

https://doi.org/10.18623/rvd.v22.n3.3404

Keywords:

Data Protection Governance, Negligence Standard, Saudi Arabia, GDPR, CCPA

Abstract

Data privacy and its safeguarding have become a critical concern for individuals, corporations, and governments worldwide in the swiftly advancing digital era. The concept of negligence has emerged as an important determinant of liability in data breach cases, yet it is defined inconsistently across jurisdictions. This paper undertakes a comparative doctrinal analysis of negligence under the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and Saudi Arabia's Personal Data Protection Law (PDPL). By examining statutory texts and legal commentary, the study explores how each regime frames the core elements of negligence in tort law (duty of care, accountability, and foreseeability). The research finds that while the GDPR and CCPA incorporate implicit negligence standards through accountability obligations, reasonable security measures, and private rights of action, the PDPL remains underdeveloped both procedurally and doctrinally; it lacks key mechanisms such as a private right of action, an enforcement mechanism, and interpretive guidance. The study uniquely contextualises Saudi Arabia's PDPL within its Sharia-based legal tradition, arguing for a culturally rooted reconstruction of negligence grounded in the moral principles of amanah (trust) and la darar wa la dirar (no harm, no reciprocation of harm). The paper recommends statutory amendments, the formation of an autonomous supervisory body, and the incorporation of culturally resonant standards of care to enhance legal accountability and data governance in the Kingdom.

Published

2025-10-28

How to Cite

Alnasser, H. A. (2025). THE CONCEPT OF NEGLIGENCE IN DATA BREACH: A COMPARATIVE DOCTRINAL ANALYSIS OF THE EU, CALIFORNIA, AND SAUDI ARABIA. Veredas Do Direito, 22, e223404. https://doi.org/10.18623/rvd.v22.n3.3404