The Personal Data Protection Law is the first legislation of its kind in Saudi Arabia. The law aims to protect the rights of individuals regarding their personal data, while also ensuring compliance with the principles of effective and responsible data protection.
In this Op-Ed, Philip Gilboy, the legal director for the Middle East at Sovereign & PRO Partner Group, looks at the latest updates made this March, comparisons to GDPR, compliance issues, data breaches and other key related regulations.
PDPL: Background and importance to Saudi companies, clients, consumers and the economy
According to the Saudi Data & Artificial Intelligence Authority, the PDPL has been created by Saudi Arabia to safeguard the privacy of a legal individual’s personal information and to govern the acquisition, handling, sharing and storage of such data by organizations.
This entails upholding personal data confidentiality, overseeing data exchange and counteracting the misuse of personal information in order to align with the objectives of Saudi Arabia’s Vision 2030. The Vision’s purpose includes enhancing digital infrastructure and fostering innovation for the advancement of a digital economy.
The current PDPL instruments within the Kingdom are Royal Decree M/19 of September 17, 2021, approving Resolution No. 98 dated September 14, 2021, and the amendment of March 21, 2023.
The latest changes added in March 2023: what added value did they bring?
In November 2022, SDAIA put forth proposed revisions to the PDPL, which subsequently gained approval on March 21, 2023. As stipulated in the revised Article 43 of the PDPL, its implementation is scheduled to begin 720 days after its publication in the Official Gazette on September 24, 2021. This means that the PDPL, in its updated form, will officially take effect on September 14, 2023, introducing several valuable updates.
1- More commercially focused data transfer methods: Rules surrounding the cross-border movement of personal data out of the Kingdom of Saudi Arabia have changed. International data transfers are now generally allowed and no longer require SDAIA approval, provided they align with commitments under international agreements to which Saudi Arabia is a party, advance national interests, correspond to obligations to which the data subject is a party, and/or serve other objectives to be established by the forthcoming executive regulations.
2- Elimination of the controller registration obligation: The revised legislation no longer mentions the establishment of an electronic platform or the requirement for controllers to register their data processing activities. Powers granted to SDAIA include formulating the conditions for conducting data protection operations and collaborating with the relevant authorities. Additionally, SDAIA is empowered to grant licenses to auditors and accreditation bodies and to establish a national registry if it considers this a suitable means of overseeing controllers’ compliance.
Data compliance, implementation issues and deadlines in Saudi
The PDPL updates officially take effect from September 14, 2023, bringing valuable updates to Saudi Arabia’s data regulations. Enterprises will be granted a transitional period of one year to bring their operations and practices up to the compliance requirements. During this time, they will need to ensure they:
1- Create/update existing data protection policies
2- Conduct training for employees on PDPL
3- Appoint a data protection officer (the PDPL states that executive regulations shall specify the circumstances in which a controller must appoint or designate a person as a personal data protection officer)
4- Conduct regular data protection audits
5- Implement privacy-by-design and privacy-by-default principles
6- Establish a process for handling data subject requests for access, rectification or deletion
7- Develop a procedure for reporting relevant PDPL breaches
8- Update, review and maintain these policies and procedures
Data breaches and protection in Saudi Arabia: update
Disclosing sensitive data in breach of the PDPL may result in imprisonment for up to two years or a fine of up to SAR 3 million ($800,000). Both individuals and organizations can be sanctioned. Breaches of other provisions of the PDPL carry penalties such as a warning notice or a fine of up to SAR 5 million ($1,333,000). For repeat offenses, fines can increase and double in certain circumstances.
How comparable is PDPL to GDPR?
Fresh avenues for data processing have emerged, permitting controllers to rely on “legitimate interests” as a lawful basis for both processing and disclosing personal data. However, this basis does not extend to sensitive personal data or to processing that infringes the rights established within the PDPL and its accompanying executive regulations. This change aligns the grounds for data processing more closely with the principles of the General Data Protection Regulation and similar legislation; the revisions thereby introduce a range of concepts that bring the PDPL into closer alignment with global benchmarks.
The implementation and supervision of the PDPL will be enforced by SDAIA as the primary responsible body for the first two years. This includes levying penalties, advising organizations on internal transfers, and tracking data subject rights requests received by organizations, among other duties. After this initial two-year period, in 2024, there will be a review to potentially transfer the supervisory role to the National Data Management Office, an arm of SDAIA responsible for regulatory matters.
The addition of the PDPL to the KSA regulation system is a clear indication that the regulatory landscape of the Kingdom is aligning itself with international best practices, creating a better framework for international business in Saudi Arabia.
Philip Gilboy is legal director for the Middle East at Sovereign & PRO Partner Group