The PDPL and data sovereignty

The PDPL applies to the processing of the personal data of individuals in the Kingdom and to processing by any entity outside the Kingdom in respect of data subjects inside the Kingdom. There are several familiar data protection principles and obligations present. These include elements of accountability, purpose limitation, transparency, accuracy, the appointment of a data protection officer ('DPO'), a requirement for records of processing activities ('ROPAs'), and Data Protection Impact Assessments ('DPIAs').

A topic which has demanded the ongoing attention of both local and multi-national organisations in recent times, particularly after the accelerated adoption of a hyper-scale public cloud, has been the evolving data sovereignty landscape in Saudi Arabia.

In keeping with this trend, Article 29 of the PDPL provides that a controlling entity may only transfer personal data outside the Kingdom, or disclose it to a party outside the Kingdom, in specific circumstances and after certain conditions are met.

Article 29 of the PDPL

This excerpt is from an unofficial translation of Article 29 of the PDPL from Arabic into English. It is important to appreciate that there are often certain subtleties in context or meaning that may be lost in translation.

'Except when it is strictly necessary to protect the life of the owner of personal data outside the Kingdom or his vital interests or to prevent, examine, or treat an infection, the controlling entity may not transfer the personal data outside the Kingdom or disclose it to an entity outside the Kingdom, unless for the purpose of fulfilling an obligation under an agreement to which the Kingdom is a party, or of serving the Kingdom's interests, or for other purposes as determined by the regulations, and provided that the following conditions are met:

1. the transfer or disclosure of personal data does not prejudice national security or the Kingdom's vital interests;
2. sufficient guarantees for maintaining the confidentiality of the personal data that will be transferred or disclosed are guaranteed, such that the data protection standards are not less than the standards stipulated in the Law and Regulations;
3. the transfer or disclosure is restricted to the minimum personal data that is needed; and
4. the competent entity approves the transfer or disclosure as determined by the Regulations.

Except for the requirement outlined in paragraph (1) of this Article, the competent authority may exempt the controlling entity, on a case-by-case basis, from adhering to one of the above conditions, if the competent authority believes, individually or in association with other entities, that the personal data will enjoy an acceptable level of protection outside the Kingdom, provided that such data is not sensitive'.

Initial observations

Other purposes as determined by the Regulations

The 'other purposes as determined by the Regulations' would likely be similar in nature to the Article 49 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') derogations for specific purposes. Many readers will be familiar with these derogations. Vital interests and public interests have already been called out in Article 29 of the PDPL, but in addition to these, we may see derogations such as transfers made with explicit consent (the PDPL already mandates that with very few exceptions, personal data cannot be processed, or the purpose of the processing be changed, without the consent of the data subject), transfers necessary for the conclusion or performance of a contract, and transfers necessary for the establishment, exercise, or defence of legal claims.

The transfer must not prejudice national security

One of the conditions that needs to be met before a transfer of personal data outside the Kingdom may occur is that the transfer (or disclosure) should 'not prejudice national security'. Concerns with government surveillance are currently top of mind in global privacy circles and the Kingdom will possibly face some additional scrutiny. However, it is fair to call out that the rationale behind the inclusion of national security is not at odds with the position in many other jurisdictions. For example, Article 23 of the GDPR allows for the GDPR's principles and data subject rights to be restricted when it is deemed proportionate and necessary to safeguard national security and Section 26 of the UK's Data Protection Act 2018 grants a broad exemption in relation to national security and defence.

National security is not defined in the PDPL, but this is again not unusual either. The conventional approach has been not to define national security in legislation too precisely because of the argument that threats to national security are, by their very nature, constantly evolving. Legislators have therefore tended to recognise that security and intelligence agencies should not be constrained from effectively protecting the public from emerging threats by defining applicable circumstances too specifically.

The competent authority approves the transfer or disclosure

A transfer of personal data outside the Kingdom may not occur unless the 'competent authority approves the transfer or disclosure'. Noting the caveat that we await the publication of Executive Regulations, the obvious concern will be that this requirement may cause considerable practical challenges for both the competent authority and the organisations seeking approval. I base this initial reaction on my experience with the requirement imposed on financial institutions who currently need to seek case-by-case permission from the Saudi Central Bank ('SAMA') for data transfers to cloud computing data centers outside the Kingdom's borders. This has generally proved to be a complicated and protracted process for most banking institutions, even though they have mature compliance processes and experienced resources for regularity engagement.

The scale at which cross-border transfer approvals would need to be granted in the PDPL context leads me to form the opinion that the competent authority, namely the Saudi Data and Artificial Intelligence Authority ('SDAIA'), with the support of the National Data Management Office ('NDMO'), will likely seek to create some sort of mechanism that will enable approval through a method of appropriate self-assessment based on clear requirements set forth by the Executive Regulations. As a personal opinion only, I can envisage this taking the form of an assessment by the controller based on the Executive Regulations and the categories of personal data in question, with either:

• notification of a transfer beyond the borders of the Kingdom to the competent authority for certain lower risk categories of data; or
• a request to the competent authority for a case-by-case approval for agreed high risk categories of personal data. Data classification will likely be central to decision-making.

The requirement for approval does, on the face of it, represent a significant departure away from the principle of accountability introduced by the GDPR and other global regulations. This accountability principle requires organisations to take responsibility for the manner in which they process personal data and includes an obligation to demonstrate that compliance. Without wanting to make too lengthy a point about this, modern data protection regimes seem to recognise that mechanisms like licences or permits tend to reduce accountability and increase risk to personal data because they can create an environment where internal proactive monitoring and regular compliance health checks are reduced. However, if a self-assessment and notification mechanism is implemented then that may go some way towards reducing the apparent departure from the principle of accountability. As a side bar, it is worth mentioning that - unlike under the GDPR – controlling entities will be required to upload their ROPAs to an electronic portal maintained by the competent authority.

If we accept that the Executive Regulations will be published within the prescribed 180-day period and therefore before the PDPL is due to come into effect on 23 March 2022, then I am personally tentatively optimistic that we may have some form of public consultation in relation to the Executive Regulations in early 2022. Public consultation is certainly not the norm in the Kingdom, but the developing trend with data protection seems to be to align new laws in the Gulf Cooperation Council with global best practices. Part of that equation involves demonstrating a positive level of interaction with relevant stakeholders and increasing transparency. Public consultation is an important element of that process, and it would offer some additional insight in advance of March 2023 deadline.

Conclusion

In Part 2 of this Insight article, I will offer newly appointed compliance stakeholders a few suggestions of how they might consider beginning their preparation to manage future data sovereignty obligations in the Kingdom while they await the release of the Executive Regulations and the launch of the PDPL.

Dale Waterman Managing Director, Middle East & North Africa
[email protected]
Breakwater Solutions, Dubai

1. Available at: https://laws.boe.gov.sa/BoeLaws/Laws/LawDetails/b7cfae89-828e-4994-b167-adaa00e37188/1(only available in Arabic)
2. Available at: https://www.dataguidance.com/opinion/saudi-arabia-data-residency-under-pdpl-part-2-key