The Kingdom of Saudi Arabia (KSA) has invested heavily in state-of-the-art digital infrastructure to support its ambitious Vision 2030 plans. Data processing on an unprecedented scale sits at the core of each of the Vision Realization Programs, each of which is set to be transformative for the economy and to bring lucrative opportunities for participants. KSA lawmakers have long recognised that the controls and rights around personal data need to be framed in a way that helps propel the economy consistently with that vision. The legislative route to a privacy law in KSA has shown that this is not straightforward.
In the latest development, on 27 March 2023, a number of amendments (the Amendments) to the KSA Personal Data Protection Law (PDPL) were approved pursuant to Royal Decree No. M148 of 05/09/1444H.
The Amendments include some (but not all) of the proposed amendments to the PDPL contained in the consultation paper previously released by the Saudi Data and Artificial Intelligence Authority (SDAIA) on 22 November 2022.
Nevertheless, the Amendments contain material deviations from the original version of the PDPL which was released in 2021 - and those who have commenced or are considering compliance projects relating to the KSA personal data regime should take note of the points below.
1. Legitimate interests
Controllers can now rely on "legitimate interests" as a lawful basis when processing personal data in the KSA. This is encouraging for businesses as it introduces more flexibility for certain data processing operations and brings the PDPL conceptually closer to more mature data protection legislation seen around the world. However, businesses are prohibited from relying on legitimate interests in the KSA (i) if doing so violates the rights or interests of the applicable data subjects, or (ii) when processing statutorily defined Sensitive Data.
2. Data transfers
The original position, which placed uncomfortable restrictions on transfers of personal data out of the KSA, has been softened. Controllers can now generally engage in transfers where they are necessary to satisfy certain obligations in respect of: (i) treaties to which the KSA is a party; (ii) serving national interests; or (iii) obligations to which the data subject is a party. Transfers may also be permitted for any other purposes determined by the Executive Regulations, once published.
In any case, any proposed transfer outside the KSA will be subject to additional conditions (such as national security and data minimisation obligations) and may only be made to locations that the SDAIA deems to provide an adequate level of protection for personal data.
The Executive Regulations are expected to set out further detail on this important topic. It will be interesting to see how lawmakers strike a balance that supports KSA's pro-business ambition while maintaining control over KSA data (beyond personal data), particularly in the context of deploying software applications that rely on public cloud services. We have seen increased controls on outsourcing arrangements and call centre localisation in recent years, so this tension will continue to play out across various domains and sectors.
3. Data breach notifications
The initial onerous requirement to notify SDAIA of personal data breaches "as soon as becoming aware" has now been removed. There is also a new obligation to notify data subjects where a breach would cause harm to their personal data or where it violates their rights or interests. The Executive Regulations are expected to include more detail in this regard, with issues such as breach notification deadlines, procedures and reporting formats likely to be addressed.
This is an area where emerging-market privacy regimes have been known to diverge from more mature privacy legislation, but we expect KSA to retain a heightened awareness of information security concerns, with bodies such as the National Cybersecurity Authority pushing their agenda on this point.
4. No more electronic registration requirement
SDAIA will no longer (at least for the time being) create a national electronic portal to monitor the compliance of KSA controllers. However, other new provisions in the Amendments grant the SDAIA certain powers to track and monitor controllers' compliance (as detailed below), with specific reference to the establishment of a national registry, so it is likely that a registry of some form will be implemented in the near future.
5. SDAIA powers
The SDAIA has been granted the authority to establish requirements for practising commercial, professional and non-profit activities related to the protection of personal data in the KSA, in cooperation with any other relevant authorities. These powers include the ability to appoint auditing and inspection agencies (together with the option to adopt a national registry, as noted above).
Interestingly, beyond the power to monitor the compliance of controllers in the KSA, there appear to be extraterritorial powers to monitor the compliance of entities outside the KSA "by any means whatsoever". Given that distributed architectures host applications and data across borders, this sort of power is logical, but the practical realities of exercising it are neither legally nor politically straightforward.
6. Amendment to the definitions of "Sensitive Data" and "Personal Data Owner"
The definition of "Sensitive Data" has been narrowed, with "credit data" and "location data" removed from its remit. Organisations should now be able to process these categories of personal data in the KSA without needing to satisfy the additional compliance obligations and restrictions tied to Sensitive Data under the PDPL.
The "Personal Data Owner" definition has also been stripped down to refer only to the individual to whom the personal data relates (rather than, as previously, also including the individual's legal representative or guardian). This adds a level of simplicity for controllers but leaves some questions about the role of third parties who may have an interest in the relevant personal data.
7. Consent
The Amendments now require (in certain contexts) for consent to be "explicit". The Executive Regulations are expected to provide further clarity on the requirements for valid consent.
8. Data portability
Individuals have been granted a new right to "request obtaining their personal data available to the controller in a readable and clear format...". This has similarities to the right of 'data portability' seen in international regimes such as the GDPR. The specific controls and procedures for this right should be set out in more detail in the Executive Regulations. However, it will be interesting to see whether the Executive Regulations expand this right in line with international standards, for example by also allowing data subjects to request that the controller transmit their personal data to another controller. This right will become increasingly relevant as various sectors in KSA (especially financial services) move towards a more open economy.
9. Fewer criminal penalties
To the relief of many international businesses, the custodial sanctions for breaching the international data transfer rules have been removed from the PDPL. However, the criminal offence relating to the unlawful disclosure or publication of Sensitive Data remains, and the possibility of imprisonment for up to 2 years and/or a fine of up to SAR 3 million is unaffected.
The enforcement style around PDPL breaches will be interesting to observe, given the thematic crackdowns seen in the KSA in previous years. It is also worth noting that there is statutory provision for monetary fines to be doubled in the event of repeat violations, and we have seen ancillary measures taken by the authorities in the KSA where unacceptable behaviour has been reported, so a worst-case analysis for PDPL breaches is not always straightforward.
10. Effective date
The Amendments have pushed back the effective date of the PDPL to 720 days after the publication of the original PDPL in the KSA Official Gazette. The PDPL should therefore now come into force on 14 September 2023, regardless of whether the Executive Regulations have been issued by then.
Notwithstanding this effective date, controllers have a one-year grace period to comply with the PDPL before enforcement may commence, so the hard deadline for prudent businesses to become compliant is 14 September 2024.