Saudi Arabia: Overview of the amended PDPL and key differences to the GDPR
An amended version of the Kingdom of Saudi Arabia's Personal Data Protection Law (PDPL) was published in the Official Gazette of the Kingdom of Saudi Arabia on April 7, 2023. Brian Meenagh and Lucy Tucker, from Latham & Watkins, LLP, discuss the amendments and draw comparisons between the PDPL and the General Data Protection Regulation (GDPR), with concluding thoughts on next steps.
The original PDPL was published in the Official Gazette in September 2021, but the Saudi Data & Artificial Intelligence Authority (SDAIA), which will be the competent authority for the PDPL for at least the first two years, issued a statement that enforcement would be delayed until March 2023. In November 2022, SDAIA issued suggested amendments to the PDPL for consultation. On March 21, 2023, the Council of Ministers approved an amended version of the PDPL, which has now been published in the Official Gazette. Implementing Regulations, which will set out finer compliance details, have not yet been published, but are expected shortly.
The amended PDPL contains the same wide extra-territorial scope as the original PDPL. It applies to any processing of personal data that takes place in the Kingdom, and applies to the processing of personal data of individuals located in the Kingdom by organizations outside of the Kingdom.
The amended PDPL contains concepts and requirements similar to those in international privacy laws, such as the GDPR, including concepts such as personal data, controllers and processors, data processing principles, certain data subject rights, and the requirement to maintain a record of processing activities. However, the PDPL diverges from international privacy laws in several important areas, as discussed below.
Key topics to note and differences between the PDPL and the GDPR
Personal data transfers (Article 29 of the PDPL)
The original PDPL required strict data localization and prior approval from SDAIA to transfer personal data outside of the Kingdom in the vast majority of cases. Although the amended PDPL relaxes these requirements to some extent, personal data can be transferred outside the Kingdom on only a very limited basis. Under the amended PDPL, in order to transfer personal data outside of the Kingdom, controllers need to carry out the transfer for a specific listed purpose (the most relevant purpose for private sector entities is in the performance of an obligation to which the data subject is a party, a purpose which appears similar to contractual necessity under the GDPR), and the controller needs to meet all of the following transfer conditions:
- the transfer does not prejudice national security or the interests of the Kingdom;
- the transfer takes place to a jurisdiction that has an adequate level of personal data protection (evaluation criteria/specific jurisdictions are to be confirmed based on an assessment by SDAIA); and
- the transfer is limited to the minimum amount of personal data required.
The amended PDPL does provide an exception to these requirements for data transfers required for extreme necessity to preserve the life or vital interests of the data subject, or to prevent, test, or treat infections.
Although the concept of adequacy has been introduced, other commonly relied-upon transfer mechanisms/derogations under international privacy laws, such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), contractual necessity, and data subject consent are not included. Nor does the amended PDPL include an explicit fall-back position in which the SDAIA would provide approval. These differences from international privacy laws, combined with the requirement to also carry out the transfer based on a specific purpose (likely contractual necessity), mean that the PDPL is unclear about how businesses will transfer data outside of the Kingdom, unless the transfer is required to fulfill a contract with the data subject and the transfer is to an adequate jurisdiction.
The amended PDPL notes that the Implementing Regulations will specify further provisions relating to data transfers, including further exceptions.
Legitimate interests legal basis (Article 6(4) of the PDPL)
The amended PDPL includes legitimate interests as a legal basis for processing non-sensitive data. Under the GDPR, legitimate interests is a business-friendly, and frequently relied-upon, legal basis that allows controllers to balance their interests against the rights and freedoms of data subjects. The concept is a welcome addition to the PDPL and was not included in the original version. However, the amended PDPL does not contain specific balancing or overriding wording, so the application of this legal basis remains uncertain, and further details are expected in the Implementing Regulations.
Contractual necessity legal basis (Article 6(2) of the PDPL)
The amended PDPL appears to include a contractual necessity legal basis; however, this basis is a little unclear as it is bundled with a legal obligation legal basis. The language about contractual necessity is the same as under the original PDPL and consultation draft.
Processing for marketing purposes (Articles 25 and 26 of the PDPL)
The amended PDPL requires businesses to gain consent to send direct marketing messages and to process personal data for marketing purposes. However, the Implementing Regulations are expected to set out further controls and the conditions for consent, as the definition of consent is not set out in the PDPL. Therefore, whether businesses could rely on implied consent for marketing purposes remains unclear.
No specific right to data portability
The amended PDPL does not include a specific right to data portability, a concept that was previously included in the consultation draft. However, the Implementing Regulations may set out other rights, so this could be reintroduced.
Breach notification (Article 20 of the PDPL)
The amended PDPL requires controllers to notify SDAIA upon becoming aware of a personal data breach, without providing a specific time period or risk threshold, which could imply that immediate notifications are required for all types of personal data breaches. A requirement to notify impacted individuals is also included, although this appears to include a form of risk threshold. Further details are expected to be included in the Implementing Regulations.
Under the preambles, controllers are specifically required to carry out employee training sessions to introduce the PDPL concepts and principles.
Penalties (Articles 35 to 38 of the PDPL)
The amended PDPL imposes fines of up to SAR 5 million (approx. $1.3 million) for non-compliance. Disclosing or publishing sensitive personal data with the intent to harm an individual or to achieve personal benefit is noted specifically as punishable by fines of up to SAR 3 million (approx. $800,000) and/or up to two years imprisonment. Fines may be doubled for repeat offenses. Any person who has suffered material or moral damage as a result of a violation may claim compensation from the controller. In addition, SDAIA may seize the controller's means or tools used in committing a violation until a decision is made, and a competent court may order the confiscation of funds obtained as a result of a violation.
As with the previous PDPL, the amended PDPL defers a number of finer compliance requirements to the Implementing Regulations, which have not yet been published. So a number of uncertainties remain, including:
- the definition of consent and situations for which consent must be express;
- data processor contractual requirements;
- thresholds for appointing a data protection officer (DPO);
- the timeline for responding to data subject rights requests;
- risk thresholds for requiring a Data Processing Impact Assessment (DPIA) (otherwise these are required for all products and services provided to the public); and
- whether controllers will be required to register on a national portal.
The PDPL preambles require a memorandum of understanding to be prepared between SDAIA and the Saudi Central Bank, as well as between SDAIA and the Communications, Space and Technology Commission (CST, formerly the CITC). The preambles also note that the amended PDPL does not prejudice the competencies and tasks of the National Cybersecurity Authority (NCA). Notably, the Saudi Central Bank, the CST, and the NCA have already issued sector-specific data localization requirements, and we expect controllers will still need to comply with these, even though the amended PDPL relaxes personal data transfer requirements. The Implementing Regulations will specify additional controls for processing health data and credit information.
Next steps and timing
The amended PDPL will come into force 720 days after the publication of the original PDPL in the Official Gazette (which took place in mid-September 2021). Implementing Regulations are also due to be published within the same period. We, therefore, expect that the amended PDPL will come into effect in September 2023. However, the preambles include an additional one-year transition compliance period, meaning that we do not expect enforcement activities to start until mid-September 2024. SDAIA has the authority to grant additional grace periods to entities at its discretion.