The journey so far
The Kingdom of Saudi Arabia's (KSA) federal data protection regime is finally emerging and is already having significant business impact.
As background, the central instrument of the KSA framework is the Personal Data Protection Law (PDPL), supplemented by the implementing regulation to the PDPL (Implementing Regulation) and the regulation on personal data transfer outside the KSA (Transfer Regulation). The KSA's data protection regime became effective on 14 September 2023, with a further one-year statutory grace period (until 14 September 2024) for organisations to comply.
The journey towards enactment has not been straightforward and, unlike other laws in the KSA, it cannot be described as having been rushed through. The data protection authority in the KSA, the Saudi Authority for Data and Artificial Intelligence (SDAIA), was established over four years before the effective date, and the body of the legislation has seen a number of seemingly ad hoc alterations and draft versions released selectively for comment and feedback. There has even been some wholesale withdrawal and replacement of certain elements of the legislation. We discussed some of these earlier developments in our previous article and this history remains relevant when trying to understand the likely policy thinking of the regulator and relevant lawmakers.
History aside, the long-anticipated 14 September 2023 effective date is now behind us, with the KSA framework now in a seemingly settled form. As we look ahead to the full enforcement date in 2024, we set out a few areas within the framework which are likely to raise questions and may need additional guidance as the regulatory landscape continues to unfold.
International data transfers
The Transfer Regulation is somewhat similar to what we have seen in other comparable data privacy regimes such as the UAE financial free zones and the UK/Europe. The relevant clauses on data transfers specifically mention familiar concepts including adequacy decisions and relevant exemptions, binding corporate rules and standard contractual clauses. There is also an obligation to conduct transfer risk assessments in certain contexts, such as when relying on safeguards or exemptions for international transfers, or when the transfer involves continuous or large-scale sensitive data.
However, organisations (particularly foreign-based service providers/processors engaging with KSA-based customers/controllers) should tread carefully at this stage in relation to any proposed transfer activities, given that SDAIA has not yet published any model standard contractual clauses or a list of jurisdictions deemed to provide an adequate level of protection for personal data (the mechanisms most commonly used globally and generally accepted as safeguarding efficient transfers). This means that, currently, there may be very few appropriate transfer mechanisms to rely on in practice.
Express data subject consent is also not a prescribed lawful basis to transfer data outside of the KSA, and many of the other exemptions come with conditions that may be problematic to comply with in practice.
Given the evolving geo-political and national security factors which underpin data transfer positions, it will be prudent for organisations to consider the range of risk mitigation steps while awaiting how the regulatory landscape will settle before pressing ahead with data transfer arrangements from the KSA.
Criminal sanctions
The PDPL imposes potential fines of up to $800,000 (3m SAR) and/or imprisonment for 2 years on individuals who "disclose or publish sensitive data in violation of the PDPL and with the intention of harming the data subject or achieving a personal benefit".
Even though this infringement is quite specific on the face of it, it has not yet been tested in practice, so there are no public case studies or guidance to demonstrate how the regulator will determine the thresholds or key drivers which may trigger breaches. For example, could infringements be interpreted on a wide basis and go as far as to include the disclosure of sensitive data in the course of business while incorrectly relying on legitimate interests as the lawful basis for processing? This adds to the myriad criminal sanctions under KSA law that can attach to certain types of activities relating to the processing of data.
The wording of the provision also fails to clearly set out the focal point for liability. Perhaps fines will be imposed at an organisational level, but it is not clear which individual(s) will be liable for the custodial element of the penalties (i.e. whether this will be board level/management, the individual employee who commits the infringement, or even the DPO, similar to the position under the Egyptian data protection regime, or perhaps a combination).
Sub-processing
The Implementing Regulation contains mandatory contractual provisions to be included in contracts between a controller and a processor which are broadly similar to what we have seen from comparable data privacy regimes globally.
However, unlike those other regimes, the KSA framework does not currently appear to contain a mechanism allowing controllers to provide "general authorisation" for a processor to appoint sub-processors. Therefore, processors may need to obtain prior acceptance from controllers on every occasion on which the processor wishes to engage a sub-processor.
This position may be particularly problematic for international service providers/processors who roll out a standard "one-to-many" service model or those in the growing XaaS economy who utilise numerous third party sub-processors as part of their customer proposition.
To ensure that the KSA maintains its wider objectives of attracting business from the international community and achieving its digital ambitions, further guidance on this issue would be widely welcomed. It is noteworthy that, in the context of cloud-related services, data transfers, data classification and regulatory licensing attract a host of additional requirements which sit outside SDAIA's jurisdiction. Therefore, the industry is reliant on some intra-state co-ordination to see more pro-business changes around this and other points of practical concern.
Data protection impact assessments (DPIAs)
The Implementing Regulation broadly aligns with the common requirement under data protection laws generally to undertake DPIAs before carrying out certain processing activities that may be deemed as high risk. However, there are a few features of the KSA DPIA regime that are particularly noteworthy.
First, unlike other comparable data privacy regimes such as the UAE financial free zones and the UK/Europe, there does not appear to be any requirement under the KSA framework to engage in "prior consultations" with SDAIA if a DPIA identifies a high risk to the rights of individuals.
In addition, the threshold to perform a DPIA under the KSA regime is materially lower in some circumstances. For example, a DPIA is required in the KSA when a controller merely processes any sensitive data, whereas under other comparable regimes DPIAs are likely to be required in this context only when "a material amount" or "large scale" sensitive data is processed. In the absence of further guidance, this is likely to mean that most KSA controller organisations processing even small amounts of sensitive data, such as ad hoc employee sickness absences or ethnicity information, will need to conduct DPIAs to ensure compliance.
The Implementing Regulation also contains a blanket requirement for controllers to provide DPIAs to any appointed processors acting on the controller's behalf for a specific processing activity. There is no requirement for the processor to request the DPIA beforehand, which is therefore likely to create significant administrative obligations for the parties.
Further guidance
This release of the Implementing Regulation is not the end of the privacy law story in the KSA. Article 9 of the Implementing Regulation expressly states that SDAIA will issue further guidance in relation to the PDPL, with a number of other provisions setting out specific areas where such guidance can be expected. These appear to include guidance and rules relating to (i) appointing a data protection officer; (ii) registration in the national register of controllers; and (iii) licensing entities that issue accreditation certificates for controllers and processors and/or undertake auditing or checking of processing activities.
The privacy law framework also brings into play other KSA government agencies. For example, compliance may also be required with the National Cybersecurity Authority's controls, standards and rules in relation to information security obligations in certain contexts, and with the Ministry of Health, the Saudi Health Council, the Saudi Central Bank, the Council of Health Insurance and other related entities in the KSA in relation to the processing of health data. While SDAIA's mandate is broad (and arguably broader than that of equivalent bodies elsewhere in the world), it is certainly not the whole universe of privacy and data regulation in the KSA.
Next steps
As we gear up towards full enforcement of the PDPL in 2024, it is clear that there remains a level of uncertainty which cannot be ignored.
We therefore recommend that organisations remain vigilant and be ready to quickly digest and incorporate any new expected guidance into their upcoming KSA data compliance programmes. We also recommend that any plans to grow business in the KSA include specific consideration of data processing and the applicability of sensible mitigation steps, which is part of the rationale for the window between now and September 2024.
If you would like to discuss in more detail the KSA data protection framework and how we can help your business in this regard, please contact us.