A passport substitute, but only within the Kingdom
On 4 May 2026, Saudi Arabia's General Directorate of Passports announced that Hajj pilgrims arriving in the Kingdom can travel domestically using a digital visitor ID issued through the Absher platform, in place of carrying their physical passport. The directorate confirmed the credential is recognised as an official travel document for internal movement during pilgrimage — between Jeddah, Makkah, Madinah and Mina — though not as a substitute for the passport at international borders.
The change is narrow on its face: a paper-to-screen swap for one document, in one country, during one season. But it is the first time a Gulf state has elevated a mobile digital ID to formal travel-document status at the scale of a religious gathering. The General Authority for Statistics (GASTAT) reports that Hajj 1446H/2025 drew 1,673,230 pilgrims, of whom 1,506,576 arrived from outside Saudi Arabia. The 1447H/2026 season is expected to land in a similar range.
Steelmanning the surveillance concern
Critics of state-issued digital ID in restrictive jurisdictions have a real case to make, and it deserves a fair hearing before dismissal. Saudi Arabia is enforcing the Personal Data Protection Law (PDPL), fully in force since 14 September 2024 and overseen by the Saudi Data and Artificial Intelligence Authority (SDAIA). To date, the IAPP records, enforcement has focused on private controllers — the harder test of whether SDAIA will police state agencies has not yet arrived.
In parallel, civil-society documentation is unflattering. On 20 May 2026, a coalition led by Access Now, ALQST and Democratic Diwan reported that over 100 Facebook pages and Instagram accounts had been restricted from reaching audiences in Saudi Arabia and the UAE since March 2026, at the request of the Saudi government. In an environment where the state already pressures intermediaries to silence diaspora voices, a new digital travel-document layer can plausibly be read as another checkpoint on movement and association.
That reading deserves a hearing. But it does not, on inspection, fit the change announced on 4 May.
Why this specific design is proportionate
Three features of the announcement make it a reasonable use of digital identity rather than an expansion of state visibility.
First, the identity layer already exists, mandatorily. Hajj 2026 pilgrims are already required to carry the Nusuk card, a smart credential issued by the Ministry of Hajj and Umrah that the ministry confirms "must be carried throughout the Hajj period in all transfers from arrival and within the holy sites until departure." The Nusuk card already binds the pilgrim's identity, group, accommodation and health information to a single token used by Saudi authorities at every checkpoint between the airport and the rites. Adding Absher as an accepted alternative to a physical passport for domestic transit creates no new visibility — it lets pilgrims leave the passport in a hotel safe.
Second, the underlying platform is mature. The Ministry of Interior records that Absher processed more than 448 million digital transactions in 2025, with roughly 417 million from individuals and 31 million from businesses. The platform has issued over 28 million unified digital identities since launch. Stress-testing a brand-new identity rail on more than a million heat-exposed pilgrims would be reckless; layering a new use case onto a system already serving more than a million transactions a day is not.
Third, the scope is genuinely domestic. The directorate's notice is specific: the digital ID substitutes for the passport "within Saudi Arabia." International entry and exit still go through the physical document and biometric border controls. That is the right boundary — comparable to India's DigiYatra, where a facial-recognition credential linked to Aadhaar lets passengers traverse airport e-gates while the underlying boarding pass and travel document remain in the verification chain. The general lesson of mature DPI deployments is that a digital ID works best as a convenience layer over, not a replacement for, the existing documentary infrastructure.
The harder question: PDPL enforcement against the state itself
The right critique is not that the credential exists. It is that the credential sits inside a privacy framework that has not yet been tested against the government. SDAIA has begun issuing enforcement decisions against private controllers; the harder case will come when a domestic activist, or a pilgrim from a diaspora community, asks whether Absher logs of internal travel can be queried for purposes unrelated to mobility — and whether they can be cross-referenced with the kind of content-restriction requests Access Now documented this month against Meta.
The PDPL allows fines up to SAR 5 million per violation, doubled for repeat offences. Whether that bite extends to ministries, not just merchants, will determine whether Saudi Arabia's new digital travel document is a mobility convenience or a movement-tracking instrument. Estonia's e-ID, Singapore's Singpass and DigiYatra all show that mobile identity can simplify high-throughput travel without functioning as surveillance — but only because each is paired with enforceable limits on secondary use that bind the state. Saudi Arabia has the statute on the books. It does not yet have the precedent.
Read the right lesson
Other APAC and MENA jurisdictions designing DPI for mass events — religious, sporting, or pilgrimage-adjacent — should take two lessons. The proportionate one: an opt-in, domestic-only digital credential layered on existing mandatory identity is a workable template, and forcing 1.5 million visitors to clutch a paper passport through a desert pilgrimage was never a privacy safeguard. The cautionary one: any digital travel document's credibility depends on a data-protection authority that can credibly tell its own government no. SDAIA's next enforcement cycle, more than the 4 May announcement itself, is what will decide whether Absher's new role is a model worth copying.