Saudi Arabia: Why the amendments proposed to the PDPL are good news for business
Saudi Arabia's much-awaited Personal Data Protection Law, implemented by Royal Decree M/19 of 17 September 2021 approving Resolution No.98 dated 14 September 2021 ('PDPL'), was issued in September 2021. Originally it was due to come into force on 23 March 2022. Following amendments published in March 2023, the PDPL is now expected to come into effect on 14 September 2023. Simon Stokes and Nick O'Connell, from Al Tamimi & Company, provide a brief overview of the proposed amendments and how businesses can prepare.
This Insight article was updated in May 2023.
Background
In late November 2022, the Saudi Data & Artificial Intelligence Authority ('SDAIA') issued draft revisions to the PDPL. After a period of public consultation ending on 20 December 2022, a Royal Decree was issued in March 2023 to approve amendments to the PDPL. Importantly, the revisions clarify the timeframe of the PDPL coming into force, noting that its entry into force date is 720 days from the date of publication in the Official Gazette. Additionally, according to the preamble of the PDPL, entities will have a one-year period from such date to bring their personal data processing operations into compliance.
The revisions to the PDPL highlight that Regulations will be issued by the time the PDPL comes into force.
The revisions to the PDPL will no doubt be welcomed by businesses operating in the Kingdom of Saudi Arabia ('KSA') or processing personal data of individuals residing in the KSA. Some of the more significant proposed changes are outlined below.
Significant changes
Addition of legitimate interests as a legal basis for data processing
One of the criticisms of the PDPL as originally published is that consent was the primary ground for processing personal data, with only very limited circumstances in which consent would not be required. The revisions permit processing to also be carried out where it is necessary to achieve a legitimate/lawful interest of the controller or another person and this does not prejudice the data subject's rights. Significantly, however, this legal basis will not apply to sensitive personal data. This legitimate interests basis has been added throughout the PDPL as a legal basis for processing, a basis for collection of personal data from a source other than the data subject or a change in the purpose of processing, and a basis for disclosure of personal data to third parties.
This revision is welcome as it brings the PDPL closer to its global counterparts. As to its practical effect, it will enable organisations to avoid the need to rely on consent where they have a legitimate interest to process the personal data in question, provided it is not sensitive personal data. Besides data subject consent, the PDPL has only a limited number of grounds that allow the processing of personal data, so the addition of legitimate interests is very helpful.
The details of the application of legitimate interests to the processing of personal data have been left to the Regulations. These will set out the applicable rules and provisions. In particular, it is hoped light will be shed on how a data controller's legitimate interests are to be balanced against the rights or interests of the data subject.
International data transfers
Another criticism of the PDPL as originally published is that it made the international transfer of personal data subject to an approval mechanism, except in limited cases. The relevant provision dealing with international transfers, namely Article 29, has been rewritten.
Article 29 is permissive provided certain conditions are satisfied and there is no special treatment of sensitive personal data. Article 29 provides that, in addition to certain specific and limited cases, a controller may transfer personal data outside the KSA if all the following are satisfied:
- The purpose of the transfer (a) is a requirement under an agreement to which the KSA is a party, (b) is to serve the interests of the Kingdom, (c) is in implementation of an obligation to which the data subject is a party, or (d) “is in implementation of other purposes specified in the Regulations.” Clearly, purpose (d) is going to be fundamental in providing clarity on what international transfers are permitted provided the other conditions noted below are also satisfied. Our expectation is that these purposes will be permissive and “pro business”, but we await the Regulations.
- The country to which the personal data is transferred protects personal data to at least the same standard as the KSA; essentially a form of 'adequacy' requirement. How this will be assessed is left to the local data protection authority, which is to carry out an evaluation. We have no information on this evaluation as yet and whether it will be applied by the data protection authority to create an official list of 'adequate' jurisdictions (although that is our expectation). What is clear from the March 2023 Royal Decree and the PDPL is that the evaluation will require consultation within the KSA government including submitting the results to the Prime Minister. Unlike the draft Regulations that were withdrawn from circulation, there is no clarity on whether, in the case of jurisdictions not considered 'adequate', another transfer mechanism (e.g. Standard Contractual Clauses) can be used. Our expectation is that the Regulations, once issued, will provide more clarity.
- The transfer does not adversely affect national security or 'vital interests' of the KSA. At present there is no clarity on this but we would expect the vast majority of data transfers not to affect national security or the vital interests of the KSA.
- The transfer is limited to the minimum amount of personal data required. This is not contentious and reflects general data protection principles.
The revised Article 29 is a considerable improvement to the PDPL as originally published. However, there remains uncertainty as to what the Regulations will provide for in terms of permitted purposes for transfers, what jurisdictions will be considered 'adequate' jurisdictions and whether personal data can be transferred to jurisdictions not considered 'adequate'. Also, businesses involved in processing government data will be looking for clarity on when national security or similar considerations mean personal data cannot be transferred.
No requirement for offshore entities to appoint a representative in the KSA
The express requirement in Article 33(2) of the PDPL, as originally published, for entities outside the KSA that process the personal data of individuals residing in the KSA to appoint a representative in the KSA, has been removed. However, the data protection authority now has the power to identify suitable tools and mechanisms to monitor how such entities comply with the law and to identify suitable procedures to implement the law outside the KSA.
New data subject rights?
The revised PDPL has been restructured as regards the right of access by data subjects to their data. It is unclear whether an additional data portability right is intended; we expect the Regulations will be likely to clarify this.
Removal of reference to an electronic portal
Article 32 of the PDPL, as originally published, required the data protection authority to establish an electronic portal to build a national record of controllers and controllers were also required to register in the portal and pay a fee. This Article has been deleted in its entirety. Instead, Article 30(4)(c) talks about the data protection authority building a national register of data controllers. The data protection authority also has the power to collect fees for services it provides. The amendment removes the immediate requirement for a national record/register to be established, but it appears that such a record (which presumably will be online) is still contemplated.
Other changes
Other areas addressed by the proposed amendments include modifications to some of the penalties for breaches of the PDPL, the definition of sensitive personal data (which no longer includes location data), amendments that will make it easier for a controller to appoint a data processor, and clarifying the powers and functions of the data protection authority. The mechanics of notifying data breaches will be contained in the Regulations but notifications to both the data protection authority and the data subject are envisaged as further determined by the Regulations.
Conclusion
The revisions are very welcome, but their overall impact will depend on the shape of the yet unpublished implementing Regulations. So, for Saudi Arabia, the data privacy advice to business remains 'watch this space'.
Simon Stokes Senior Counsel
[email protected]
Nick O'Connell Partner
[email protected]
Al Tamimi & Company, Riyadh