On 27 March 2023, the Saudi Arabia Council of Ministers approved some amendments to the previously issued KSA Personal Data Protection Law (PDPL).
The amendments were adopted following a public consultation run by the Saudi Data & Artificial Intelligence Authority (SDAIA) in late 2022 and reflect a number of important requests from private stakeholders doing business in or providing services to users in the Kingdom, including AG and a number of trade associations. Many of the amendments that have now been formally adopted were incorporated in a revised version of the PDPL published as part of the consultation.
This welcome development demonstrates SDAIA's willingness to work collaboratively with and to address the concerns of industry. The revision of the PDPL so soon after its publication also reflects the critical role that the Saudi legislature expects the regulatory framework for personal data to play in shaping the Kingdom's digital future. We elaborate on the impact of the main amendments made to the PDPL in this alert.
- Effective Date and Enforcement Date
The amended PDPL will come into force on 14 September 2023 (Effective Date). The PDPL provides that the Executive Regulations to the PDPL (Regulations) shall be issued prior to the Effective Date. This follows the adoption of a Royal Order dated 11 March 2022, which approved the postponement of the PDPL's original planned effective date (namely 23 March 2022) until 18 March 2023.
Following the entry into force of the PDPL, organisations will benefit from a one-year grace period (namely until 14 September 2024) to achieve compliance with the PDPL, subject to any further discretionary extension period afforded by SDAIA.
- Key Changes to PDPL
Introduction of the "legitimate interest" legal basis for processing
Previously, unless the data subject's consent was obtained, processing could only be carried out in certain limited scenarios, being:
1. where processing achieves a definite interest for the data subject and it is impossible or difficult for the data subject to be contacted;
2. where processing is required by law;
3. implementation of an earlier agreement to which the data subject is a party; or
4. if the controller is a public entity and such processing is required for security purposes or to meet judicial requirements.
The PDPL now provides that processing can also be undertaken without the data subject's consent if it is necessary to achieve the legitimate interests of the data controller, "provided that this does not prejudice the rights of the data subject, nor conflict with their interests".
This new legal basis for processing without consent appears to reflect the commonly relied upon "legitimate interest" legal basis under the EU GDPR. The PDPL states that the Regulations will contain further controls in respect of the use of this new legal basis.
Critically, the legitimate interest legal basis is not available when the data being processed is sensitive personal data (for example health data). Accordingly, obtaining the consent of the data subject is still likely to remain critical in order to legitimise personal data processing in certain contexts.
Fortunately, the definition of sensitive personal data for the purposes of the PDPL has also been revised to exclude specific reference to data relating to non-governmental associations as well as location data and credit data. This will allow businesses to rely on the legitimate interest legal basis in a broader array of circumstances than was originally permitted.
The same concept of "legitimate interest" has also been introduced as an additional ground permitting the disclosure of personal data. This together with some other important limitations has introduced some much-needed flexibility to the PDPL's previously broad disclosure restrictions.
Further allowances for international data transfers
Previously the PDPL stated that by default personal data should remain within the Kingdom and should only be transferred outside of the Kingdom where it was necessary to protect the vital interests of the data subject, prevent or deal with a public health issue, or to protect the interests of the Kingdom.
While it was envisaged that further exceptions to the default rule would be introduced in the Regulations, the amended PDPL removes this assumption and instead introduces grounds to legitimise cross-border transfers of personal data in a manner similar to established foreign data protection laws, such as the EU GDPR. The export of personal data from the Kingdom will now be permitted where it is made pursuant to a contract to which the data subject is a party. This amendment reflects one of the various grounds that are set out in the data transfer principles contained in the National Data Management Office's (NDMO) National Data Regulations. The Regulations may provide for additional purposes for which international data transfers are permitted. However, it remains to be seen whether any of the further grounds set out in the National Data Regulations will be adopted in the PDPL.
Helpfully, the amended PDPL no longer envisages that all international data transfers must be approved by SDAIA. We will need to wait for the Regulations to be published to see what, if any, additional formalities will apply in this regard.
Data Protection Officer
Previously, the PDPL envisaged that all data controllers would be obliged to appoint one or more persons to be responsible for ensuring compliance with the PDPL. This appeared to suggest that each organisation would require a Data Protection Officer (DPO) to be appointed.
The amended PDPL takes a more nuanced approach, providing that a DPO will be required to be appointed only in certain circumstances specified in the Regulations. This aligns more closely with the position under the GDPR, where, unless the organisation's core activities require large-scale, regular and systematic monitoring of data subjects or large-scale processing of sensitive personal data, a DPO is not strictly required by law (although many businesses processing large amounts of personal data may opt to appoint one anyway).
In addition, the amended PDPL now acknowledges that the DPO will have certain statutory responsibilities. These will be detailed in the Regulations.
Data breach notification requirements
Previously, the PDPL required that controllers notify SDAIA of data breaches as soon as they became aware of the breach. The amended PDPL now provides that notification should be made to SDAIA when a breach occurs, in accordance with the requirements of the Regulations. There is accordingly some scope for the Regulations to introduce a materiality threshold for notifying SDAIA, as is common in other leading data protection laws like the EU GDPR.
The amended PDPL also introduces a welcome threshold test, which must be met in order to trigger an obligation to notify data subjects affected by a data breach; namely where the breach would cause serious harm to the data subject's data or where it prejudices their rights or interests. Further detail on this data subject notification requirement will be specified in the Regulations.
A Potential Revision of the Implementation Framework
The amended PDPL has consolidated several of the existing provisions that envision how the PDPL will be implemented. In particular, it removes the express reference to an online portal on which all controllers are required to register. Instead, SDAIA may, if it deems it necessary to monitor compliance with the PDPL, implement a national register on which controllers may be required to register and through which services can be provided to assist with the protection of personal data.
A reference to these more generic concepts may have been introduced because SDAIA has changed its plans for the law's implementing framework and no longer wishes to be tied to any particular mode of operation, or it could simply be because it intends to set out a more comprehensive description of this aspect of the regime in due course, either in the Regulations or in the associated policies. Only time will tell.
Removal of some criminal sanctions
The PDPL no longer imposes criminal sanctions for unauthorised transfers of personal data overseas. Previously, this breach of the law would have given rise to imprisonment for a period not exceeding one year and/or a fine not exceeding one million Riyals.
- A Developing Regulatory Landscape
The PDPL represents just one piece of a rapidly developing regulatory landscape related to data protection, cybersecurity and information communication technologies.
In addition to the PDPL, businesses will need to consider their obligations, including with respect to data localisation and information security, under other sector-specific laws, such as the Kingdom's Labour Law, ICT Law, IoT Law, Cloud Computing Regulatory Framework, banking, tax and financial services laws and the aforementioned NDMO National Data Regulations.
- What can businesses do now to prepare?
Whilst further information is yet to be revealed in the Regulations, businesses can (and should) begin taking steps to comply with the PDPL in readiness for it coming into force on 14 September 2023. These include:
1. Audit and data mapping: The first step on any business's compliance journey should be an audit and data mapping exercise to enable it to understand exactly what personal data it processes, why, how, for how long it is routinely held, where that data is stored, whether any of that data is transferred outside of the Kingdom, when it is due to be deleted and the security measures applied to protect it. This will enable businesses to populate registers of processing activities that record personal data use, prepare privacy notices and policies and respond effectively to data subject access requests.
2. Breach Management: Businesses should begin implementing processes and procedures to respond to data breaches. These should enable the business to notify SDAIA and affected data subjects of the breach promptly, and in accordance with any specific timescales specified in the Regulations.
3. Responding to Data Subjects: Data subjects are granted a number of rights under the PDPL. An efficient process will need to be implemented to identify these requests and to enable the business to respond to any requests received from data subjects, including to provide a copy of their personal data where required by law.
4. Employment: Companies should update employment arrangements to reflect the PDPL regime, taking note of any changes that will need to be made to their existing consent collection processes (although notably the standard for consent under the PDPL remains to be confirmed).
5. Supply Chain Management: Companies outsourcing their processing activities (e.g., to procure services related to payroll processing, HR, recruitment, direct marketing, employee benefits etc.) will need to enter into robust data processing agreements with their suppliers to ensure that their statutory obligations are imposed on their processors and that the arrangements are otherwise compliant with the PDPL. Audits of the supply chain will be essential to monitor compliance with the same.
6. Policies & Notices: Businesses should ensure that employees, customers and suppliers are all informed of how and why their personal data is being processed and the data subject rights they benefit from by law. This will require updating of existing privacy notices and policies to ensure they accurately reflect the requirements of the law.
7. Training: Companies should undertake staff training to ensure that changes are understood and to explain what is expected of staff when handling personal data.
How can we help?
AG has extensive experience assisting businesses across the UK, Europe and the Middle East in complying with their data protection and cyber security compliance obligations. For practical assistance or to learn more please contact our team.