In September 2021, the Kingdom of Saudi Arabia (KSA) issued its Personal Data Protection Law (PDPL) to regulate the processing of personal data. The PDPL is the first standalone data protection law of its kind in KSA and bears many similarities with the European Union’s (EU) General Data Protection Regulation (GDPR) when it comes to data owner rights and data controller responsibilities.
For the first two years, the authority responsible for the implementation of the law will be the Saudi Data & Artificial Intelligence Authority (“SDAIA”) but this function is set to be delegated to the National Data Management Authority (“NDMO”), which falls under SDAIA, two years from the implementation of the legislation.
The PDPL was set to come into effect 180 days after the original announcement—meaning the law would be effective March 23, 2022—but was postponed to March 17, 2023 based on feedback received by the authority during a public consultation on the draft.
Personal Data Protection Law (PDPL) at a glance
In terms of scope, the PDPL applies to any processing by businesses or public entities of personal data performed in KSA by any means whatsoever, including the processing of the personal data of KSA residents by entities located outside of Saudi Arabia. The PDPL grants many familiar rights to data owners including:
- a right to be informed
- a right to access the data collected about them
- a right to request correction, completion, and/or updating of their personal data
- a right to request the deletion of their data
The main basis for processing personal data under the PDPL is the consent of the data owner. Data owners may withdraw their consent to the processing of personal data at any time. At the time of writing it is understood that consent must be an explicit opt-in. Consent is not required if the processing would achieve a clear benefit, if it is impossible or impractical to contact the data subject, if it is required by law or by a prior agreement with the data subject, or if the controller is a public entity and the processing is required for security or judicial purposes. So nothing too surprising so far, but where the legislation takes a different direction is on data transfers and enforcement.
The PDPL prohibits data controllers from transferring personal data to an entity outside of KSA unless required to comply with an agreement to which KSA is a party, to serve KSA interests, or for other purposes that will be set out in the regulations. Feedback on this point is the main reason for the delay in the legislation going live; it almost certainly means there will be additional exceptions but what they are and how to get one is yet to be confirmed.
Data controllers will also be required to register with, and pay a fee to, the SDAIA (up to SAR100,000 / $27,000 / £25,000 / €35,000). In addition, data controllers will be required to upload a record of processing activities to a new online portal that must include the purpose of the processing, entities to which the personal data was or will be disclosed, whether the personal data was or will be transferred outside of KSA, and the expected retention period.
Under the new law there are some serious penalties for non-compliance:
- The unlawful use of sensitive data can lead to imprisonment for up to two years and/or a fine of up to SAR3,000,000 / $800,000 / £660,000 / €760,000.
- Failure to comply with the requirements relating to transfers of personal data can lead to imprisonment for up to one year and/or a fine of up to SAR1,000,000 (about USD 270,000).
- Both of the above constitute criminal offenses which would be investigated by the KSA Public Prosecutor.
- Failure to comply with the requirements of the legislation other than those specified above can lead to fines of up to SAR5,000,000 / $1,350,000 / £1,185,000 / €1,285,000.
- Repeated offenses can lead to penalties of up to twice the maximums outlined above, both the length of imprisonment and the fine amount.
While it’s not certain who would be imprisoned in the case of a breach, I’d be more than mildly concerned if I were the DPO of an international organization doing business in KSA in 2023.
Additional highlights from the PDPL
The PDPL introduces a number of requirements that could significantly impact how companies operate in KSA including:
- Data controllers must create and maintain a record of how they process personal data which must be registered with the SDAIA.
- Any foreign company operating in the Kingdom and processing personal data of Saudi residents must appoint a local representative; additional guidance on this point is in the works.
- Organizations will also be expected to appoint data officers to manage compliance with the law.
- Data controllers must assess projects, products, and services to identify data protection risks posed to individuals (basically Impact Assessments).
- Data controllers must implement a privacy notice specifying how data will be processed prior to collecting personal data from individuals.
- Data controllers will be expected to report data breaches to the regulatory authority as soon as they become aware of an incident.
- Information such as genetic, health, credit, and financial data is deemed sensitive data, falls within the scope of the law, and is likely to be subject to additional regulation.
What does this mean for you/r business?
Organizations operating in KSA should begin efforts to understand what data is collected, how it’s used, whether it is transferred internationally, and where it is transferred to. This is something your organization should already have completed, or at the very least begun, as part of compliance with existing privacy legislation in the EU and beyond. Beyond that, keep a close eye on the additional guidance that is sure to be forthcoming, and bookmark this article, as we’ll be adding updates here as they come. If you’re not sure where to start in creating your privacy strategy, we’re here to chat.