Saudi Arabia: New Personal Data Protection Law – What you need to know
Following a series of data protection developments in the Middle East, the latest marks Saudi Arabia's first data protection law, namely the Personal Data Protection Law, implemented by Royal Decree M/19 of 17 September 2021 approving Resolution No. 98 dated 14 September 2021 ('PDPL'), which was published in the Official Gazette on 24 September 2021. This article aims to summarise key provisions of the PDPL, as well as the key considerations and challenges for practitioners to build and progress their privacy programs towards compliance with the PDPL.
The PDPL designates the Saudi Data & Artificial Intelligence Authority ('SDAIA') as the competent authority responsible for supervising and enforcing the implementation of the PDPL for an initial two-year period, after which the supervisory role may be transferred to the National Data Management Office ('NDMO'), the SDAIA's regulatory arm. Notably, the SDAIA highlighted that the aim of the PDPL is to ensure the privacy of personal data, regulate data sharing, and prevent the abuse of personal data, in order to bring Saudi Arabia into closer alignment with both its Middle East counterparts as well as international standards.
In relation to the key features of the PDPL, Dale Waterman, OneTrust's PrivacyConnect Co-Chair in the UAE, commented, "Like the various data protection laws already enacted by its neighbours, […] the PDPL has leveraged many of the global data protection principles and best practices we are familiar with as privacy professionals. Examples include data subject rights, purpose limitation, data minimisation, controller obligations and breach notification."
The PDPL provides that it shall be applicable to the processing of personal data by companies or public entities, by any means, that (Article 2(1) of the PDPL):
- takes place in the Kingdom of Saudi Arabia; or
- relates to the personal data of residents of the Kingdom by companies located outside the Kingdom.
Personal data is defined in Article 1(4) of the PDPL as any information through which an individual may be directly or indirectly identified, including name, social security number, numbers, addresses, bank account and credit card details, and pictures. Additionally, personal data includes the data of a deceased person, if such data would lead to his/her identification or a family member's identification (Article 2(1) of the PDPL).
Notably, processing of personal data for personal or family use is, as long as it is not shared and disclosed to others, exempt from the scope of the PDPL (Article 2(2) of the PDPL).
Key principles and accountability obligations
Controller obligations under the PDPL range from specific obligations to more general requirements to adhere to certain principles and safeguards to ensure data security. Below are some of the notable controller obligations/requirements found in the PDPL.
When choosing the means by which to process data, a controller must have in place measures that guarantee it gives effect to the provisions of the law and must regularly check the conformity of its means of processing with data protection principles (Article 8 of the PDPL).
In relation to the controller's purpose for collecting the personal data, Article 11(1) notes that this must have a direct link to the controller's processing purposes. Article 11 further details the manner in which controllers should collect personal data and notes that personal data collected should be specific to the controller's purposes and limited to what is required to satisfy such purposes (Article 11(2) and (3) of the PDPL).
Moreover, and emphasising controller accountability, Article 14 of the PDPL provides that controllers shall not process personal data without taking sufficient steps to check that such data is up-to-date, accurate, complete, and specific to the purpose for which it was collected. Article 18(1) of the PDPL further provides that the controller is required to erase the personal data it possesses after the purpose for its processing terminates, unless the personal data is kept in an anonymised form ensuring that data subjects cannot be identified. Exceptions to this requirement are found in Article 18(2).
Data protection officer appointment
Article 30 of the PDPL provides that controllers are required to appoint a person (or several persons) to be responsible for implementing the provisions of the PDPL. Notably, controllers that operate outside the Kingdom and process personal data of Saudi citizens must appoint a representative in the Kingdom to which the competent authority can refer regarding compliance with the applicable laws (Article 33(2) of the PDPL).
Records of processing activities
Controllers are also required to keep records of their processing activities as per Article 31 of the PDPL, for a period determined by the executive regulations. Furthermore, Article 32 of the PDPL provides that the competent authority will establish an online portal to build a national database of controllers, with which each controller must register and pay an annual fee not exceeding SAR 100,000 (approx. €22,800). Additionally, within this portal, each registered controller shall have its own register where its processing activities and any other documents related to the processing of personal data may be recorded.
Data Protection Impact Assessment
Notably, controllers are also required to make an assessment of the consequences of processing personal data for their processing activities according to their nature, noting that the executive regulations shall set forth the relevant requirements for such assessments (Article 22 of the PDPL).
Processing of health and credit data
Article 23 of the PDPL specifically addresses the processing of health data, and states that such personal data should be processed in a manner that guarantees the confidentiality of data subjects and the protection of their rights, including the implementation of access controls that restrict access to those individuals for whom access is necessary; further details will be set out in the executive regulations. Likewise, Article 24 provides requirements for the processing of credit data and highlights additional measures that shall be included in the executive regulations.
Data transfers and residency
In relation to data transfers outside the Kingdom of Saudi Arabia, Article 29 of the PDPL provides that except in cases of extreme necessity relating to a threat to the life of the data subject, controllers may not transfer personal data outside the Kingdom unless the transfer is required to comply with an agreement to which the Kingdom is party, to serve Saudi interests, or for other purposes set out in the executive regulations, provided that the following conditions set in Articles 29(1) to (4) are met:
- the data transfer must not prejudice national security or the Kingdom's vital interests;
- the transferring entity must provide adequate guarantees for protecting the personal data that will be transferred or disclosed and maintain its confidentiality, so that the data protection standards are not less than the standards stipulated in the PDPL and executive regulations;
- the transfer must be restricted to the minimum personal data that is necessary for its purpose; and
- the competent authority must approve the transfer.
In relation to the above conditions, Article 29 of the PDPL further notes that, except for the condition in Article 29(1), the competent authority can excuse a controller, on a case-by-case basis, from compliance with any of the other conditions in Article 29 if the competent authority, itself or in cooperation with other bodies, assesses that the personal data will be afforded sufficient safeguards outside the Kingdom, and so long as no sensitive personal data is included.
In relation to the above, Waterman commented, "[A]nyone vaguely familiar with the regulatory landscape in Saudi Arabia, or responsible for regulatory compliance, will be well aware that data sovereignty, or more specifically, data residency, has become a major challenge for multinational organisations and service providers. This was really brought to the fore for many organisations when the National Cybersecurity Authority issued their Essential Cybersecurity Controls in October 2018, which demanded site hosting and the storage of the entity information inside the Kingdom for all cloud computing. Previously, organisations could utilise data classification levels as a solution for all but the most sensitive data, but the ECCs imposed a hard blocker for government, semi-government, state-owned enterprises and national critical infrastructure, and arguably some unintended consequences for the private sector. Once there has been an opportunity to assess the PDPL in more detail and the regulator issues the expected executive regulations, we should have further clarity on how organisations will be able to obtain approval from SDAIA and best manage cross-border data transfers. What is clear is that this will revolve around a government narrative about the impact to national security and local interests."
Data subject rights
The PDPL provides for the following data subject rights:
- the right to be informed (Article 4(1) of the PDPL);
- the right to access personal data (Article 4(2) of the PDPL);
- the right to correct, complete, and/or update personal data (Article 4(3) of the PDPL);
- the right to request erasure of personal data (Article 4(4) of the PDPL);
- the right to not have personal data processed, or the purpose of processing his/her personal data changed, without his/her consent (Article 5(1) of the PDPL);
- the right to withdraw consent at any time (Article 5(2) of the PDPL); and
- the right to make any complaints arising from breaches of the PDPL and executive regulations to the competent authority (Article 34 of the PDPL).
Article 21 of the PDPL provides that controllers must respond to requests from data subjects within the time period determined by the executive regulations. However, Article 9 of the PDPL provides that the controller may determine periods for exercising the right to access personal data pursuant to Article 4(2) of the PDPL in accordance with what the competent authority deems as a reasonable period, and further provides for circumstances where this right may be restricted by the controller.
Furthermore, Article 40 of the PDPL notes that damages are available to data subjects for material and non-material loss in relation to breaches of the PDPL and/or the executive regulations.
Security and incident response measures
Article 19 of the PDPL states that the controller is required to take appropriate technical and organisational measures to safeguard personal data, including on the transfer of such data.
Additionally, the implementing decree notes that the competent authority, when preparing the executive regulations supplementing the PDPL, should consider establishing provisions and conditions relating to the technical and organisational measures governing how personal data is kept by controllers, including measures to safeguard personal data according to its nature and sensitivity.
Controllers must inform the competent authority when they become aware of a data security breach (Article 20(1) of the PDPL). Furthermore, the executive regulations shall determine the circumstances in which controllers must inform data subjects of a security breach of their personal data. However, where such a breach may cause serious harm to the individual or their personal data, controllers must inform them immediately of the breach (Article 20(2) of the PDPL).
The penalty in relation to disclosure or publication of sensitive personal data may include imprisonment for up to two years and/or a fine not exceeding SAR 3 million (approx. €685,000) (Article 35(1)(a) of the PDPL).
The penalty in relation to violations of the data transfer provision in Article 29 of the PDPL may result in imprisonment for up to one year and/or a fine not exceeding SAR 1,000,000 (approx. €228,000) (Article 35(1)(b) of the PDPL).
For violations of other provisions of the PDPL, penalties are limited to a warning notice or a fine not exceeding SAR 5,000,000 (approx. €1,141,680) (Article 36(1) of the PDPL).
Notably, any of the aforementioned fines may be increased to up to double the stated maximums for repeat offences (Article 36(1) of the PDPL). The court may also order confiscation of funds gained as a result of violations of the law and/or require publication of the judgement at the offender's expense (Articles 38(1) and (2) of the PDPL).
The PDPL will take effect on 23 March 2022 as per Article 43 of the PDPL, and the implementing decree of the law provides for an 18-month transition period for data controllers to achieve compliance with the new law from the date of its publication in the Official Gazette.
This date may be delayed, as determined by SDAIA for a period of up to five years for companies located outside the Kingdom of Saudi Arabia that process personal data of Saudi Arabian residents.
Reference is made to the 'executive regulations' throughout the PDPL, which will be supplementary to the law and should be published in the period between the PDPL's publication and the date it takes full effect, i.e. 23 March 2022, to help organisations with the implementation of the PDPL. Notably, these regulations may set out certain conditions, time periods, and fee amounts attached to requirements under the PDPL.
Key challenges for organisations
Scaling up data protection programme maturity levels
Beyond compliance – building a culture of privacy and trust
Waterman continued, "I'd like to emphasise to organisations setting out on a privacy compliance journey for the first time that this is really about much more than compliance with a new law. For leadership teams this is about building your organisation's brand, about reputation, and earning the trust of your customers as you continue to collect and reason over their personal data to improve your products and services. It goes towards your ability to honour public and contractual promises made to your customers and partners at a time where customers, consumers, governments and partners are concerned about privacy and the security of personal data.
With that in mind, I'd encourage organisations to start as quickly as possible and not wait until you suddenly have 4 to 6 months left to deliver compliance for your boardroom. When you rush you typically end up building something that isn't fit for purpose and which often costs much more. It also makes for an unpleasant, more stressful experience for your organisation at a time when you want to position privacy as a positive aspect of your culture and values. Be planful, seek expert advice, agree an appropriate ambition level and start training leadership teams and staff as quickly as possible."
Alice Muasher, Privacy Analyst
Comments provided by:
Dale Waterman, OneTrust PrivacyConnect Co-Chair in the UAE