Saudi Arabia: New Personal Data Protection Law - What you need to know
Following a series of data protection developments in the Middle East, the latest marks Saudi Arabia's first data protection law, namely the Personal Data Protection Law, implemented by Royal Decree M/19 of 17 September 2021 approving Resolution No. 98 dated 14 September 2021 ('PDPL'), which was published in the Official Gazette on 24 September 2021.
Although the PDPL's original entry into force date was set for 23 March 2022, and later postponed until 17 March 2023, that date now stands at 14 September 2023, following the recent approval of amendments to the PDPL (reference to the 'PDPL' henceforth refers to the PDPL as amended).
In this Insight article, OneTrust DataGuidance Research summarises key provisions of the PDPL, as well as key considerations and challenges for practitioners to build and progress their privacy programmes towards compliance with the law.
More specifically, in late November 2022, the Saudi Data & Artificial Intelligence Authority ('SDAIA') issued amendments to the PDPL, and after a period of public consultation, ending on 20 December 2022, the Saudi Council of Ministers approved the PDPL in its final form. Importantly, the amendments clarify the timeframe of the PDPL coming into force as mentioned above, setting the entry into force date 720 days from the date of the PDPL's publication in the Official Gazette (i.e. 24 September 2021), namely on 14 September 2023. Additionally, according to the preamble of the PDPL, entities will have a one-year transition period from such date to bring their operations into compliance.
Importantly, the PDPL also promises the issuance of executive regulations ('the Regulations') to supplement its provisions; the amendments to the PDPL highlight that the Regulations will be issued by the entry into force date of 14 September 2023 (Article 42 of the PDPL).
The PDPL designates the SDAIA as the competent authority responsible for supervising and enforcing the implementation of the PDPL for an initial two-year period, after which the supervisory role may be transferred to the National Data Management Office ('NDMO'), the SDAIA's regulatory arm. Notably, the SDAIA highlighted that the aim of the PDPL is to ensure the privacy of personal data, regulate data sharing, and prevent the abuse of personal data, in order to bring Saudi Arabia into closer alignment with both its Middle East counterparts, as well as international standards.
In relation to the key features of the PDPL, Dale Waterman, OneTrust's PrivacyConnect Co-Chair in the UAE, commented, "Like the various data protection laws already enacted by its neighbours, […] the PDPL has leveraged many of the global data protection principles and best practices we are familiar with as privacy professionals. Examples include data subject rights, purpose limitation, data minimisation, controller obligations, and breach notification".
The PDPL provides that it shall be applicable to the processing of personal data by companies or public entities, by any means, that (Article 2(1) of the PDPL):
- takes place in the Kingdom of Saudi Arabia; or
- relates to the personal data of residents of the Kingdom by companies located outside the Kingdom.
Personal data is defined in Article 1(4) of the PDPL as any information through which an individual may be directly or indirectly identified, including name, social security number, numbers, addresses, bank account and credit card details, and pictures. Additionally, personal data includes the data of a deceased person, if such data would lead to their identification or a family member's identification (Article 2(1) of the PDPL).
Notably, processing of personal data for personal or family use is, as long as it is not shared and disclosed to others, exempt from the scope of the PDPL (Article 2(2) of the PDPL).
Key principles and accountability obligations
Controller obligations under the PDPL range from specific obligations to more general requirements to adhere to certain principles and safeguards to ensure data security. Below are some of the notable controller obligations/requirements found in the PDPL.
When choosing a processor to process data on its behalf, the controller must ensure the processor it chooses has in place measures that guarantee that it gives effect to the provisions of the PDPL and its Regulations and must regularly check its conformity with the same, without prejudice to the controller's responsibilities towards data subjects or the competent authority (Article 8 of the PDPL).
Importantly, the Regulations shall specify further details with regard to this provision, which will also include provisions governing the engagement of any sub-processors (Article 8 of the PDPL).
In relation to the controller's purpose for collecting the personal data, Article 11(1) of the PDPL notes that this must have a direct link to the controller's processing purposes. Article 11 further details the manner in which controllers should collect personal data and notes that personal data collected should be specific to the controller's purposes and limited to what is required to satisfy such purposes (Articles 11(2) and 11(3) of the PDPL). Additionally, if the purpose for collecting the personal data no longer persists, then the controller must stop collecting such data and dispose of it without delay (Article 11(4) of the PDPL).
Moreover, and emphasising controller accountability, Article 14 of the PDPL provides that controllers shall not process personal data without taking sufficient steps to check that such data is up-to-date, accurate, complete, and specific to the purpose for which it was collected. Article 18 of the PDPL further provides that the controller is required to dispose of the personal data it possesses after the purpose for its processing terminates, unless the personal data is kept in an anonymised form ensuring that data subjects cannot be identified.
Data protection officer appointment
Article 30(2) of the PDPL provides that the Regulations will specify the circumstances in which controllers are required to appoint a person (or several persons) to be responsible for implementing the provisions of the PDPL, as well as the responsibilities of such a person or persons.
Records of processing activities
Controllers are also required to keep records of their processing activities as per Article 31 of the PDPL and for a period determined by the Regulations.
Data Protection Impact Assessment
Notably, controllers are also required to make an assessment of the consequences of processing personal data for their processing activities according to their nature, noting that the Regulations shall set forth the relevant requirements for such assessments (Article 22 of the PDPL).
Processing of health and credit data
Article 23 of the PDPL specifically addresses the processing of health data, and states that such personal data should be processed in a manner that guarantees the confidentiality of data subjects and the protection of their rights, including the implementation of access controls that restrict access to those individuals for whom access is necessary; further details will be set out in the Regulations. Likewise, Article 24 provides requirements for the processing of credit data, including obtaining data subjects' express consent and informing them if their personal data is requested by another entity, and further highlights that additional measures in this regard shall be included in the Regulations.
Data transfers and residency
In relation to data transfers outside the Kingdom of Saudi Arabia, Article 29 of the PDPL provides that the controller may, subject to conditions specified in Article 29(2) of the PDPL, transfer personal data outside Saudi Arabia, or disclose it to a party outside Saudi Arabia, if the transfer is made for any of the following purposes:
- for the implementation of an obligation under an agreement to which the Kingdom is a party;
- to serve the interests of the Kingdom;
- to give effect to an obligation to which the data subject is a party; and/or
- for the implementation of other purposes as specified by the Regulations.
In this regard, Article 29(2) specifies the following conditions:
- the transfer or disclosure shall not prejudice the national security or vital interests of the Kingdom;
- the country to which the personal data is transferred protects personal data to at least the same standard as the Kingdom, according to the results of an evaluation conducted by the competent authority in this regard in coordination with those concerned; and
- the transfer or disclosure should be limited to the minimum amount of personal data that is required.
Importantly, the above conditions do not apply in cases of extreme necessity to preserve the life of the data subject or their vital interests, or to prevent, examine, or treat a pathological infection (Article 29(3) of the PDPL).
Notably, the Regulations will specify provisions and procedures in relation to the above-mentioned purposes and conditions (Article 29(4) of the PDPL).
Moreover, the competent authority will also determine the methods of monitoring the compliance of controllers outside Saudi Arabia with the provisions of the law and Regulations, where such controllers process the personal data of data subjects resident in the Kingdom, and the related enforcement procedures in that regard (Article 33(4) of the PDPL).
Data subject rights
The PDPL provides for the following data subject rights:
- the right to be informed (Article 4(1) of the PDPL);
- the right to access personal data (Article 4(2) of the PDPL);
- the right to obtain personal data in a clear and legible form (Article 4(3) of the PDPL);
- the right to correct, complete, and/or update personal data (Article 4(4) of the PDPL);
- the right to request erasure of personal data (Article 4(5) of the PDPL);
- the right to not have personal data processed, or the purpose of processing their personal data changed, without their express consent (Article 5(1) of the PDPL);
- the right to withdraw consent at any time (Article 5(2) of the PDPL); and
- the right to make any complaints arising from breaches of the PDPL and the Regulations to the competent authority (Article 34 of the PDPL).
Article 21 of the PDPL provides that controllers must respond to requests from data subjects within the time period determined by the Regulations. However, Article 9 of the PDPL provides that the controller may determine periods for exercising the right to access personal data pursuant to Article 4(2) of the PDPL in accordance with what the competent authority deems as a reasonable period, and further provides for circumstances where this right may be restricted by the controller.
Furthermore, Article 40 of the PDPL notes that damages are available to data subjects for material and non-material loss in relation to breaches of the PDPL and/or the Regulations.
Security and incident response measures
Article 19 of the PDPL states that the controller is required to take appropriate technical and organisational measures to safeguard personal data, including on the transfer of such data.
Additionally, the implementing decree also notes that the competent authority, when preparing the Regulations supplementing the PDPL, should consider establishing provisions and conditions relating to the technical and organisational measures attached to how personal data is kept by controllers, which should include the measures to safeguard personal data depending on its nature and sensitivity.
Importantly, controllers must inform the competent authority when they become aware of a data security breach (Article 20(1) of the PDPL). Furthermore, controllers must inform data subjects of a data security breach in the event that such a breach may cause the data subject harm or interfere with their rights or interests, subject to the provisions set forth by the Regulations (Article 20(2) of the PDPL).
Enforcement and fines
The PDPL designates the competent authority as the authority responsible for the enforcement of the law and Regulations (Article 30(1) of the PDPL), and in specifying some of the powers it holds to do so, Article 30(4)(c) of the PDPL provides that the competent authority will, among other things, specify appropriate tools and methods to monitor the continuous compliance of the PDPL and Regulations, including the establishment of a public register of controllers.
In addition, Article 30(4)(d) of the PDPL provides that the competent authority, in the exercise of its powers to enforce and oversee compliance with the law, may, among other things, offer services related to personal data protection through the register, or any other method, and may charge a fee for providing such services.
With regard to specific penalties, the penalty in relation to the disclosure or publication of sensitive personal data may include imprisonment for up to two years and/or a fine not exceeding SAR 3 million (approx. €728,800) (Article 35(1) of the PDPL).
For violations of other provisions of the PDPL, penalties are limited to a warning notice or a fine not exceeding SAR 5 million (approx. €1,214,958) (Article 36(1) of the PDPL).
Notably, any of the aforementioned fines may be increased to up to double the stated maximums for repeat offences (Articles 35(4) and 36(1) of the PDPL). Additionally, the court may also order confiscation of funds gained as a result of violations of the law and/or require publication of the judgement at the offender's expense (Articles 38(1) and (2) of the PDPL).
Key challenges for organisations
Scaling up data protection programme maturity levels
Beyond compliance - building a culture of privacy and trust
Waterman continued, "I'd like to emphasise to organisations setting out on a privacy compliance journey for the first time that this is really about much more than compliance with a new law. For leadership teams this is about building your organisation's brand, about reputation, and earning the trust of your customers as you continue to collect and reason over their personal data to improve your products and services. It goes towards your ability to honour public and contractual promises made to your customers and partners at a time where customers, consumers, governments, and partners are concerned about privacy and the security of personal data.
With that in mind, I'd encourage organisations to start as quickly as possible and not wait until you suddenly have four to six months left to deliver compliance for your boardroom. When you rush you typically end up building something that is not fit for purpose and which often costs much more. It also makes for an unpleasant, more stressful experience for your organisation at a time when you want to position privacy as a positive aspect of your culture and values. Be planful, seek expert advice, agree an appropriate ambition level, and start training leadership teams and staff as quickly as possible".
Alice Muasher, Privacy Analyst
Comments provided by:
Dale Waterman, OneTrust PrivacyConnect Co-Chair in the UAE