Law: The Personal Data Protection Law, implemented by Royal Decree M/19 of 17 September 2021 approving Resolution No.98 dated 14 September 2021, and amended on 21 March 2023 (available in Arabic here and in English here) ('PDPL, as amended')
Regulator: The Saudi Data & Artificial Intelligence Authority ('SDAIA').
Summary: The PDPL was published in the Official Gazette on 24 September 2021 and marks the introduction of Saudi Arabia's first data protection law. Additionally, a draft version of the executive regulations supplementing the PDPL ('the Executive Regulations') was issued for public consultation on 10 March 2022 but was then withdrawn.
The aim of the PDPL is to ensure the privacy of personal data, regulate data sharing, and prevent the abuse of personal data. Notably, the PDPL covers key principles such as purpose limitation and data minimisation, controller obligations, including registration and maintenance of data processing records, data subject rights, and penalties for breach of provisions.
The PDPL will bring Saudi Arabia into closer alignment with both its Middle East counterparts and international standards. In the meantime, the National Data Management Office has developed the National Data Governance Interim Regulations, which encompass the Personal Data Protection Interim Regulations ('the Data Protection Interim Regulations') and the Data Sharing Interim Regulations ('the Data Sharing Interim Regulations'). The Data Protection Interim Regulations cover key principles such as accountability, transparency, data disclosure, and data subject rights, while the Data Sharing Interim Regulations address data security, legal basis, and ethical data use.
At the end of November 2022, SDAIA launched a public consultation on proposed amendments to the PDPL, which were approved by the Saudi Council of Ministers on 21 March 2023 and thereafter by the Bureau of Experts at the Saudi Council of Ministers. According to Article 43 of the PDPL, as amended, the law shall enter into force 720 days from the date of publication in the Official Gazette (i.e. 24 September 2021), namely on 14 September 2023. In addition, according to the preamble of the PDPL, as amended, entities will have a one-year transition period from that date to bring their operations into compliance.
On 7 September 2023, the PDPL Implementing Regulations (only available in Arabic here) and the Regulations on personal data transfers (only available in Arabic here) were published in the Official Gazette of Saudi Arabia, after a public consultation launched by SDAIA in July 2023. Both sets of regulations will enter into force with the PDPL on 14 September 2023.