Saudi Arabia: Draft PDPL regulations - what you need to know
With the Personal Data Protection Law (PDPL), in the recently amended version, set to enter into force on September 14, 2023, the Saudi Data & Artificial Intelligence Authority (SDAIA) issued for public consultation, on July 11, 2023, draft PDPL Implementing Regulations and draft Regulations on Personal Data Transfers. Both sets of regulations serve the purpose of providing further details regarding the application of the PDPL.
In this Insight article, OneTrust DataGuidance highlights some of the most significant aspects and key takeaways from the draft Implementing Regulations and the draft Data Transfer Regulations, featuring comments from Gianluca de Feo, Lawyer at AX Law.
Draft PDPL Implementing Regulations
The draft Implementing Regulations introduce new terms and further define key terms under the PDPL, such as 'anonymization,' 'pseudonymization,' or 'secondary use.'
Among other terms, the draft Implementing Regulations outline the concept of 'actual interest,' which denotes any moral or material interest of the data subject that is directly linked to the purpose of processing personal data, where the processing is necessary to achieve that interest. When a processing activity serves such an interest, certain documentation obligations fall on the controller. In this regard, Gianluca comments: "As the defined term refers to moral interest, the perimeter of what is considered an actual interest is open-ended and this might cause uncertainty that will need to be addressed on the basis of the enforcement decisions in Saudi Arabia."
In addition, 'explicit consent' is defined for the first time and signifies direct and explicit consent given by the data subject in any form that clearly indicates their acceptance of the processing of their personal data in a manner that cannot be interpreted otherwise, and which can be proven to have been obtained.
Moreover, the term 'personal data breach' captures both intentional and accidental incidents that lead to unauthorized disclosure, destruction, or access to personal data, carried out by any means, whether automated or manual.
Scope of application
The draft Implementing Regulations articulate the personal or family use exemption under Article 2 of the PDPL. In particular, certain activities are expressly identified as falling outside the exemption, and as such, the PDPL may apply to the following:
- an individual publishing personal data to the public or disclosing it to any person outside any social and family activity; and
- using personal data for professional, commercial, or non-profit purposes.
In accordance with Articles 6, 10, and 15 of the PDPL, the draft Implementing Regulations identify the following as legal bases for processing or disclosing personal data:
- the consent of the data subject;
- protecting the vital interests of the data subject or protecting them from any harm;
- if the controller is a public entity, and the processing is required by another law or is required for security purposes, to fulfill judicial requirements, or to achieve a public interest;
- to protect public health or safety, or a specific individual or individuals or their health;
- the legitimate interest of the controller or the data subject;
- processing is required under another law;
- executing an agreement in which the data subject is a party; and
- if the personal data is publicly available or collected from a publicly available source.
Regarding consent, the draft Implementing Regulations define the conditions for valid consent mentioned under Article 5 of the PDPL.
In general, consent is deemed valid when the controller obtains this in any appropriate form or means, subject to certain conditions:
- consent must be freely given, not obtained through misleading methods, and in compliance with Article 7 of the PDPL;
- the purposes of the processing must be clear and specific, and explained and clarified to the data subject before or at the time of requesting consent;
- consent must be given by a person who has full legal capacity;
- consent must be documented; and
- separate declarations of consent must be obtained for each processing operation if there are multiple purposes.
However, in three expressly defined cases, consent must be explicit (for the definition of 'explicit consent' please see the definitions section above):
- when it is the sole legal basis for processing personal data;
- when the processing involves sensitive data; and
- when the processing involves credit data.
Separately, the data subject has the right to withdraw consent at any time, by informing the controller by any available means of this intention. Once consent has been withdrawn, any processing based on the same must cease and the controller must also notify those to whom the personal data has been disclosed and request its destruction.
If the data subject fully or partially lacks legal capacity, their legal guardian may provide consent to the processing. However, the controller is required to abide by certain requirements in this regard.
On the topic of consent, Gianluca considers that "The requirement of consent being obtained through non-misleading methods seems to introduce in the regulatory framework a foothold for banning dark-pattern practices for obtaining consent, especially common on social media platforms, that would result in consent not being freely given and, therefore, in an unlawful processing of personal data. Entities processing personal data should carefully (re-)assess their procedure for obtaining consent to ensure that also this risk is properly addressed. This entails evaluating misleading factors in user interfaces, thus requiring UX designers and developer teams to be onboarded on the journey towards compliance.
Furthermore, although there is no express requirement for consent being an affirmative action, it could be argued that scrolling or swiping through a webpage or similar user activity will not be a valid method of obtaining consent. This is certainly true for circumstances where an 'express consent' is necessary. For example, in case of advertising purposes, data subjects should be allowed to stop receiving advertising material with a procedure 'as easy as the procedures to obtain consent.' In line with international best practices established on the basis of guidance from the European Data Protection Board (EDPB), this implies that express consent cannot be sought by means of scrolling or swiping through webpages."
When the legal basis is legitimate interest, the draft Implementing Regulations also lay down a set of conditions that must be met, namely:
- compliance with laws;
- respect for the rights and interests of data subjects or any third parties;
- no negative impact on data subjects; and
- exclusion of sensitive data.
Importantly, the disclosure of fraud operations and the protection of network and information security are expressly qualified as 'legitimate interests' under Article 17(2) of the draft Implementing Regulations.
Moreover, prior to commencing a processing operation based on legitimate interest, the controller is obligated to perform and document an assessment of the envisaged processing and its impact on the rights and interests of data subjects. The assessment must address the following elements:
- purpose identification;
- legitimacy evaluation;
- necessity verification;
- reasonable expectations;
- potential harm assessment; and
- risk mitigation measures.
If the assessment indicates any violation of laws, or infringement on the rights and interests of data subjects, or any other party, the controller must modify the envisaged processing accordingly, and conduct a new assessment afterward.
Notably, Gianluca is of the opinion that "the 'necessity' requirement seems to be placed on the interest of the data controller in Article 1 of the Draft Implementing Regulations and on the processor in Article 17(3) of the Draft Implementing Regulations. In line with the General Data Protection Regulation (GDPR), the assessment on the lawfulness of a processing based on the legitimate interest would require evaluating whether the proposed processing, rather than the interest, is necessary. Otherwise, this might expose the assessment to a risk of being subjective rather than objective.
Moreover, the Draft Implementing Regulations misleadingly refer also to the legitimate interest of the data subject as a legal basis for the processing. Arguably, this wording refers to the 'actual interest' under Article 15 of the Draft Implementing Regulations rather than to the legal basis of the legitimate interest which would be limited to that of the data controller.
Hopefully, these inconsistencies will be corrected as part of the final version of the Implementing Regulations."
Execution of an agreement
Furthermore, Gianluca explains that "Notably, the legal basis of the execution of an agreement to which the data subject is a party does not appear to refer to any 'necessity' criterion, thus seemingly enabling data controllers to rely on this legal basis without carrying out an assessment on whether or not such data processing is actually necessary for the performance of the agreement. However, data controllers should adopt a cautious approach and avoid using this legal basis where there are realistic and less intrusive alternatives to reach the same objectives."
Alternative or complementary legal basis?
Gianluca comments that "The fact that explicit consent is required when consent is the sole legal basis for processing of personal data poses a question on the alternative or complementary nature of legal bases. Reading the latter option, one could argue that legal bases are complementary, meaning that a data controller could identify more than one legal basis to validly process personal data. However, this contrasts with the requirements of consent being specific and of separate declarations in case of multiple purposes. The latter requirements are in line with the requirement of granularity of consent established in international best practice, including the GDPR.
The fact that the nature of legal bases under the PDPL is different from the GDPR would not be surprising if one were to consider that the PDPL favors consent as a legal basis over other legal bases. However, a complementary nature of legal bases is detrimental to the specificity of each legal basis to the processing of personal data and, in the end, to the protection of personal data.
Thus, it is advisable to follow the best practices and identify at the outset one specific legal basis for the processing rather than relying on multiple legal bases with the hope that the invalidity of any of them can be superseded by the validity of another. Swapping between legal bases at convenience is usually not considered compliant with the protection of personal data."
Data subjects' rights
The draft Implementing Regulations lay down the details and the procedure for the exercise of the rights granted to data subjects by the PDPL.
In this regard, the general provisions established under Article 4 of the draft Implementing Regulations only apply when the processing is based on consent, legitimate interest, or the execution of a contract to which the data subject is a party.
Regarding the timeframe for responding to a request, the controller must act within 30 business days of receiving the request; however, the timeframe may be extended, with notice to the data subject, in exceptional cases. Before responding, the controller must also verify the identity of the requestor. Requests, including oral ones, must be recorded and documented.
Controllers are required to provide appropriate means to process requests for the exercise of rights, and, in turn, the data subject has the choice to use one or more of the following means:
- text messages;
- electronic applications; or
- any other means provided by the controller.
Controllers may also refuse to act on certain requests, specifically in the case of:
- repetitive requests;
- manifestly unfounded requests; and
- requests that require a disproportionate effort.
Only data subjects with legal capacity may exercise their rights. If they fully or partially lack legal capacity, the legal guardian may exercise the rights on the data subject's behalf.
Further to the above, Articles 5 to 9 of the draft Implementing Regulations elaborate on each of the following data subjects' rights, namely:
- the right to be informed;
- the right of access to personal data;
- the right to request access to personal data;
- the right to request correction of personal data, and the right to obtain restriction of processing when the accuracy of the personal data is contested, for a period enabling the controller to verify the accuracy of the personal data; and
- the right to request the destruction of personal data.
Importantly, with the exception of the right to be informed, the above rights may be exercised solely when the legal basis for the data processing concerned is consent, the legitimate interest of the controller, or the execution of a contract to which the data subject is a party.
As mentioned in relation to consent above, when the data subject fully or partly lacks legal capacity, their legal guardian may exercise the data subject's right on their behalf.
On the topic of rights, Gianluca states that "De facto, data subjects' rights are conditioned to the chosen legal basis, relegating data subject's rights to a façade. In an economical context requiring internationalization of services and business, this element presents difficulties and risks for cross-border transfers of personal data, especially where Saudi Arabia entities act in a capacity of data importer. Consequently, in the next months, we could register a trend whereby companies with an international exposure prefer certain legal bases with the hope of easing their business partners' concerns pertaining to cross-border transfer of data and companies with a Saudi Arabia-focused market footprint opt for other legal bases that trigger lower compliance costs and procedures, with the ultimate consequence of unequal rights for data subjects."
The relationship between a controller and a processor must be governed by an agreement that includes certain mandated elements, including the processor's commitment to notify the controller in case of personal data breaches, clarifications on whether the processor is subject to the laws of other countries and the impact on its compliance with the PDPL and the draft Implementing Regulations, and the identification of any subcontractors.
Overall, the controller is responsible for periodically assessing the processor's compliance with the PDPL and the draft Implementing Regulations. In turn, the processor must abide by the controller's instructions or by the agreement governing its relationship with the controller. In case of violations, the processor may be deemed a controller and will be held directly accountable accordingly.
The processor must also comply with certain requirements before entering into any subsequent contract with a sub-processor. Gianluca warns that "It appears that a general authorization for the appointment of sub-processors is not permitted. Thus, processors should seek specific approval for each sub-processor. This could reveal to be a burdensome requirement for entities processing personal data."
Notification of data breaches
Personal data breaches must be notified to the competent authority within 72 hours of becoming aware of the incident, but only if the incident may cause harm to the personal data or to the data subjects, or conflicts with their rights or interests. The notification obligations set out above do not prejudice the obligation of the controller or processor to submit any report or notification required by the National Cybersecurity Authority or by any other laws or regulations.
The content of the notification is also specified in detail by the draft Implementing Regulations, which mandate to include elements such as a description of the personal data breach, the actual or approximate number of impacted data subjects, and a description of the actual or potential impact of the breach on personal data and data subjects. If, however, the controller is not able to provide the required information within the 72-hour timeframe, it may provide it at a later date, as soon as possible, with the reasons for the delay.
Data subjects may also need to be informed. Specifically, the controller must notify the data subjects without undue delay, and in a simple and clear manner, if the breach may cause damage to their data or to their rights and interests.
Controllers must also keep a copy of the notification submitted to the competent authority and document any corrective measures taken.
The draft Implementing Regulations provide details on various obligations imposed on controllers by the PDPL. Some of these are described below.
Data protection officers
Pursuant to Article 30(2) of the PDPL, the draft Implementing Regulations require controllers to appoint one or more individuals as data protection officers (DPOs), to be responsible for the protection of personal data in any of the following cases:
- the controller is a public entity that provides services that involve the processing of personal data on a large scale;
- the primary activity of the controller consists of processing operations that require regular and systematic monitoring of individuals on a large scale; or
- the core activities of the controller consist of processing sensitive personal data.
The draft Implementing Regulations further note that DPOs may be officials, employees, or external contractors. Apart from this, the establishment of further rules on the appointment of DPOs, as well as their duties and responsibilities, is delegated to the competent authority.
Record of Processing
The draft Implementing Regulations determine the periods of time during which controllers must keep written records of their processing activities.
Among other things, the controller must keep a record of processing activities during the period of its activity related to personal data processing, in addition to the following periods:
- three years, starting from the date of termination of the controller's activity, for controllers whose activities involve: processing personal data on a large scale or on a regular basis for individuals that fully or partially lack legal capacity, or for processing activities that require continuous monitoring of data subjects, or for processing personal data using new technologies, or for making decisions based on automated processing of personal data; or
- one year for controllers not concerned by cases stated above.
According to Gianluca "These provisions will require an organized and segregated data storing procedure which adds a layer of complexity to the compliance exercise for data controllers."
Data Protection Impact Assessment
Pursuant to Article 22 of the PDPL, the draft Implementing Regulations lay down the rules governing the controller's obligation to conduct and document an assessment of the potential impacts and risks of certain processing activities. The assessment is mandated in the following cases:
- the controller processes sensitive personal data;
- the controller collects, compares, or links two or more sets of personal data obtained from different sources;
- the activity of the controller includes systematic large-scale processing of personal data of those who fully or partially lack legal capacity, processing operations that by their nature require continuous monitoring of data subjects, processing personal data using new technologies, or making decisions based on automated processing of personal data; or
- the controller provides a product or service that involves processing personal data that is likely to cause serious harm to the rights and privacy of data subjects.
In addition, the assessment must include a set list of elements, such as the impact of the processing, based on its severity, materially and morally, and the likelihood of any negative impact on data subjects, including any psychological, social, physical, or financial impact, and the likelihood of their occurrence.
Requirements related to specific purposes or data
The draft Implementing Regulations also establish rules for certain processing activities or for processing involving specific types of personal data.
Among others, in the case of 'secondary use' of personal data, that is, processing for purposes other than those for which the data was initially collected, the draft Implementing Regulations set out the related provisions, controls, and procedures.
Similarly, in relation to health data as well as credit data, the draft Implementing Regulations indicate the controls and procedures that should be put in place, which include the adoption and implementation of the requirements and controls issued by relevant authorities.
Regarding direct marketing, controllers, among other things, need to obtain consent from data subjects, which must comply with the conditions set out under Article 12 of the draft Implementing Regulations (please see the subsection on consent above). Notably, Gianluca considers that "as the processing for direct marketing will be permitted under the legal basis of consent, entities will have to implement burdensome procedures to manage their advertising strategies, considering that legitimate interest, a much more business-friendly legal basis, is not available. This has a material implication for those companies with a strong presence in other jurisdictions that have been more open with respect to the legal basis for direct marketing. Notably, big techs that have been relying on legitimate interest and even performance of an agreement for targeted advertising will have to adapt their procedures to the local market."
National register of controllers
The draft Implementing Regulations assign to the competent authority the responsibility to establish the National Register of Controllers, including the identification of the rules for its functioning and the controllers that would be required to register therein.
Draft Data Transfers Regulations
On the other hand, the draft Data Transfers Regulations set out the rules for the transfer of personal data outside Saudi Arabia, which is permitted, under certain conditions, pursuant to Article 29 of the PDPL.
General data transfer provisions
Some rules of general application to all data transfers include ensuring that the transfer does not impact national security or the vital interests of Saudi Arabia, and is kept to the minimum necessary to achieve the purpose of the transfer or disclosure. This is to be determined using data maps that indicate the need to transfer or disclose each item of transferred data and link it to each processing purpose outside Saudi Arabia. In addition, the transfer must not impact the privacy of data subjects or the level of protection of personal data guaranteed under the PDPL and its regulations. This assessment is made by ensuring that the transfer, at a minimum, does not compromise certain elements laid down in Article 2(5) of the draft Data Transfers Regulations.
Provisions applicable to transfer based on an adequate level of protection for personal data
Transfers of personal data may be carried out to countries that present an adequate level of protection for personal data. Such evaluation must be made by the competent authority, in coordination with the Ministry of Foreign Affairs, the Ministry of Communications and Information Technology, the Ministry of Investment, the National Cybersecurity Authority, the Presidency of State Security, the Saudi Central Bank, and any other relevant authorities.
The evaluation is to be made considering various criteria, set out by Article 3(3) of the draft Data Transfers Regulations, which encompass the existence of data protection law, the rule of law, and the ability for data subjects to obtain redress.
The results of the evaluation should be submitted by the competent authority and may have three outcomes, namely the evaluation may recommend:
- the issuance of an adequacy decision;
- the performance of an international agreement; or
- not to issue an adequacy decision or perform an international agreement.
Whatever the outcome of the evaluation, it should be reviewed when necessary and at least every four years.
In the absence of an adequacy decision, the controller may still transfer data outside Saudi Arabia subject to the condition that the legal requirements in the country of destination do not negatively impact the privacy of data subjects or their ability to exercise their rights (Article 6 of the draft Data Transfers Regulations). In addition to this, the controller must also adopt safeguards, such as Binding Common Rules or Standard Contractual Clauses (SCCs).
Alternatively, even in the absence of the additional safeguards, the controller may still be able to transfer data outside Saudi Arabia if (Article 7 of the draft Data Transfers Regulations):
- the transfer is necessary for the performance of an agreement to which the data subject is a party;
- the controller is a public entity and the transfer or disclosure is necessary:
  - for the protection of Saudi Arabia's national security or for the public interest; or
  - for the investigation or detection of crimes, or the prosecution of their perpetrators, or for the execution of penal sanctions; or
- the transfer is necessary to protect the vital interests of a data subject who is unreachable.
In any case, when a transfer is made under Articles 6 or 7 of the draft Data Transfers Regulations, the controller must immediately stop the transfer if it determines that the same affects national security or the vital interests of Saudi Arabia, or if the transfer causes harm to data subjects.
The draft Data Transfers Regulations also require controllers to undertake a risk assessment when transferring personal data abroad on the basis of Articles 6 or 7 of the draft Data Transfers Regulations, or in the case of continuous or large-scale transfers of sensitive data, and detail the content of that assessment.
If the risk assessment results in a determination according to which the envisaged transfer will harm data subjects, national security, or the vital interests of Saudi Arabia, the controller is required to take corrective measures and conduct a new risk assessment accordingly.
The public consultation for both the draft Implementing Regulations and the draft Data Transfers Regulations closed on July 31, 2023. Both sets of regulations are expected to enter into force from the date of the PDPL's enforcement, i.e., September 14, 2023. Gianluca highlights that "Although the changes introduced by the draft Regulations provide valuable inputs and further clarity on the applicable regulatory framework, it appears that the exercise to ensure compliance will be demanding. Overall, the regulatory framework seems to offer limited protections to data subjects, if compared to the GDPR for example, and, at the same time, to limit the options available to data controllers and processors when it comes to policies and strategies for the processing of personal data. These two elements could partially jeopardize the cross-border transfer of personal data and, consequently, be detrimental to a primary presence of the Saudi Arabian businesses in the international market fuelled by the processing of personal data."
Anna Baldin, Senior Privacy Analyst
Comments provided by:
Gianluca de Feo, Lawyer
AX Law, Dubai