The Scale of the Deployment
In May 2026, as approximately 1.7 million pilgrims descended on Mecca and the surrounding holy sites for the annual Hajj season, they entered the coverage zone of one of the most extensive biometric surveillance networks ever assembled around a single religious event.
The Saudi Data and Artificial Intelligence Authority (SDAIA), working in partnership with the Ministry of Interior, deployed two integrated AI platforms — Baseer and Sawaher — across more than 5,000 cameras at 80 sites along the pilgrimage route. Sawaher, the network's surveillance backbone, ran 16 AI algorithms across 31 operational dashboards, analyzing real-time feeds to track crowd density, movement patterns, and behavioral anomalies. Baseer used computer vision and large language models to process crowd flows at entrances to the Grand Mosque and adjacent holy sites, providing field commanders with analytical data precise enough to redirect pilgrims before dangerous congestion formed.
Beyond fixed cameras, SDAIA introduced mobile biometric devices capable of capturing a pilgrim's facial image, reading their passport, and verifying their permit in under 40 seconds — deployed at 17 international airports across 10 countries before pilgrims boarded, as part of the Makkah Route Initiative. SDAIA also maintained technical operations across 75 sites within the holy areas and 14 screening and security control centers throughout the season. In total, pilgrims were biometrically processed from the moment they booked travel through their departure from the kingdom.
The Safety Case Is Serious
The strongest argument for this infrastructure should be stated clearly before scrutinizing it. At the 2024 Hajj, more than 1,300 pilgrims died — most from heat exhaustion, and a significant proportion among unauthorized pilgrims who walked long distances without access to cooling facilities or logistical support. Saudi authorities face a genuinely difficult problem: concentrating 1.7 million people across a defined set of holy sites over six days in temperatures that have reached 51°C, with a religious obligation that compels attendance regardless of personal risk.
Baseer's permit verification function addresses one direct cause of those deaths. Sawaher's crowd density modeling is legitimate safety engineering. The pre-clearance biometric system reduces unauthorized pilgrim entry at the most dangerous chokepoints. These are defensible uses of AI surveillance — which is precisely why the governance framework surrounding them deserves the same rigor as the technology itself.
Where the Legal Framework Falls Short
Saudi Arabia's Personal Data Protection Law (PDPL), enacted by Royal Decree M/19 of 2021 and enforced since September 2024, classifies biometric data as sensitive personal data requiring enhanced safeguards. Violations involving the unauthorized disclosure of sensitive data carry penalties of up to 3 million Saudi Riyals or two years' imprisonment. SDAIA has demonstrated willingness to use the law: its specialized committees issued 48 enforcement decisions against non-compliant organizations over the past year, covering unlawful data collection, insufficient security controls, and unauthorized marketing communications. The institutional will to regulate data is present.
What the PDPL does not do is address facial recognition specifically. Saudi Arabia has no dedicated legal framework governing how real-time biometric identification systems at mass public events collect, retain, share, or delete the data they generate. SDAIA's AI governance stack — the PDPL, its non-binding AI ethics principles, and the 2025 AI Adoption Framework — articulates principles like transparency and human oversight but contains no binding rules specifying data retention periods for systems like Baseer and Sawaher, permitted secondary uses, inter-agency access controls, or mandatory audit requirements.
The PDPL does include a "public interest" and "security purposes" legal basis for processing data without consent — a provision broad enough to accommodate virtually any state security program. In the absence of a Hajj-specific data governance instrument, this is the legal basis under which pilgrim biometrics are processed, by default.
The Consent Asymmetry
There is a structural problem that legislation must eventually address: pilgrims cannot meaningfully opt out. Biometric registration is mandatory — those who decline cannot perform the pilgrimage. For the nationals of 180+ countries represented at Hajj 2026, this means their facial images and passport data are ingested by Saudi AI systems without any meaningful consent mechanism or established right of redress under home-country law.
The PDPL's cross-border transfer framework requires that international data flows serve "the interest of the Kingdom" but provides no mechanism for foreign governments to audit how data collected from their citizens is retained or repurposed after the Hajj season ends. Data minimization and purpose limitation — foundational in the PDPL's own framework — remain unapplied to Hajj surveillance because no instrument has applied them to this specific context.
What Proportionate Governance Would Look Like
The EU's AI Act, whose prohibitions on real-time biometric identification in publicly accessible spaces for law enforcement purposes took binding effect in February 2025, represents one regulatory reference point. Saudi Arabia's context differs — Hajj crowd management is not general law enforcement — but the analytical framework is instructive: define permitted purposes precisely, set mandatory data retention limits, require independent technical audits, and establish a right of redress for affected individuals.
Proportionate governance here would not require dismantling the surveillance infrastructure. It would require publishing a binding Hajj data governance instrument specifying: how long biometric data is retained post-season, which agencies can access it and under what authorization, whether it can be used for purposes beyond crowd safety and permit verification, and how foreign pilgrims can seek redress. Saudi Arabia's designation of 2026 as the "Year of AI," and its stated ambitions to project AI governance leadership internationally, create an obligation to ensure that its own flagship biometric deployment rests on a framework that can survive external scrutiny.
Running 5,000 cameras and 16 AI algorithms across one of the world's largest annual gatherings is technically impressive. It is not, by itself, a governance model. The safety case for Hajj surveillance is strong enough to carry binding regulation — which is exactly what it should get.