Amendments to the Kingdom of Saudi Arabia’s (“KSA”) Personal Data Protection Law (“PDPL”), which was issued in 2021, have been confirmed. These new amendments resolve some of the practical difficulties implicit in the original text of the law and help to align it more closely with international norms. Nevertheless, the law retains some notable particularities, which mean that a “lift and shift” of GDPR practices, for example, will not necessarily deliver compliance.
Countdown to compliance
The new amendments have been implemented via Royal Decree No. M147 of 5/9/1444H (corresponding to 27 March 2023). The PDPL will now take effect 720 days after the publication of the original law in the Official Gazette; this means an effective date of 14 September 2023. The executive regulations supplementing the PDPL should be issued before then.
Organisations that fall within the ambit of the PDPL will have a one-year grace period to comply with the PDPL from the date it comes into force, i.e., until 14 September 2024.
Some of the key amendments introduced are described below.
Introduction of legitimate interests basis
- One of the key changes that aligns the PDPL more closely with the GDPR is the addition of an apparent “legitimate interests” basis. Previously, the PDPL provided for consent as the primary ground for processing personal data, and only in very limited circumstances would consent not be required. Controllers will now be able to rely on this new lawful basis to process personal data. The basis does not extend to the processing of sensitive personal data and appears to be subject to further refinement in the executive regulations to the law.
The new wording reads: “When processing is necessary for achieving legitimate interests for the controlling entity, provided that this does not prejudice the rights of the personal data owner or conflict with their interests and unless such data is sensitive. The Regulations shall specify the provisions and controls related thereto.”
(Articles 6, 10 and 15 of the PDPL)
Easing of international transfer regime for personal data
- One criticism of the original text of the PDPL was the strict prohibition on transfers of personal data outside KSA, other than in very limited circumstances. This has now been amended so that international transfers no longer require exceptional approval from the Saudi Data & Artificial Intelligence Authority (“SDAIA”) and are not subject to such strict additional criteria. Nevertheless, the regime remains more restrictive, pending the executive regulations, than many others.
- The revised PDPL permits a new basis for international transfers if they are necessary for fulfilling an obligation to which the personal data owner is a party. This is clearly a very welcome relief for service providers, particularly for providers of online services which necessitate international communications and transfers (social media platforms, content sharing sites, e-commerce and so on). However, this is still a relatively narrow basis, as it is contingent on the data subject being party to the contract that is being performed. In order to capture, for example, the transfer of staff data from one entity to an affiliate service company entity based overseas for the purposes of IT support services, it would be a requirement for the transferring company to show that it is necessary to use overseas IT support services (on the face of it, it might be convenient, indeed economically and practically rational to do so, but “necessary” implies a lack of domestic alternative). The breadth of practical application of this basis will therefore depend to a large extent on the regulatory interpretation of “necessary”.
- The pending executive regulations may provide further routes to achieve international transfers in a compliant manner and should hopefully provide further clarity in relation to how the transfer regime is to be understood.
(Article 29 of the PDPL)
Reduction in criminal sanctions
- Violation of the PDPL’s international data transfer provisions will no longer be a criminal offence.
- The only criminal offence in the revised law is the offence of disclosing or publishing sensitive personal data in violation of the law. Businesses which handle such data in volume should therefore be particularly careful. The criminal sanction which will apply is a fine of up to SAR 3,000,000 and detention for up to 2 years.
- The administrative penalties for breaching the PDPL include a warning or a fine of up to SAR 5,000,000. Fines may be doubled for repeat offences.
- It is slightly curious that the maximum fine attaching to the criminal breach is less than the administrative fine attaching to civil breaches and it is not entirely clear how criminal sanctions relating to detention would be applied to criminally unlawful processing carried out systematically by an organisation.
- The removal of the criminal offence of breaching the international transfer provisions will be welcomed by global businesses.
Introduction of Data Protection Officer
- The executive regulations will specify the cases in which a controlling entity shall appoint or designate one (or more) personal data protection officer(s), and shall also specify their responsibilities. The original text of the law did not make any explicit reference to “data protection officer” as a concept.
(Articles 30 and 35 of the PDPL)
Location data is not Sensitive Personal Data
- The definition of Sensitive Personal Data has been amended to remove the reference to “location” data that was in the original text of the law. This is quite significant, noting that the new legitimate interests processing basis does not apply to the processing of Sensitive Personal Data and noting that the sole remaining criminal offence relates to Sensitive Personal Data.
Removal of registration requirement for controllers and representative for overseas entities
- The new PDPL has removed the requirement for the supervising authority to create an electronic portal, and the express requirement for a controller to register their processing activities. However, the revised Article 30 still provides that the supervisory authority may establish a national registry of controllers, along with other appropriate tools and mechanisms.
- Previously, the PDPL required overseas entities subject to the law to appoint a representative in KSA. The revised PDPL does not include this obligation, but provides for the supervising authority to determine the appropriate tools and mechanisms for monitoring compliance by entities outside KSA with their obligations under the PDPL.
(Article 30 of the PDPL)
Time period for data breach notification eased
- Under the new PDPL, the express requirement for notifications of personal data breaches to SDAIA to be made “immediately” has been removed, although notification is still mandated.
- The executive regulations will provide further detail and clarification, which will likely include specifying a new time period for notifying data breaches.
- A new requirement has been added for controllers to notify data subjects where a breach would cause damage to personal data or contravenes the data subject’s rights or interests. No timeline is specified so, again, we expect the executive regulations to clarify further.
(Article 20 of the PDPL)
Implication that consent need not be “written”
- The original version of the PDPL provided that the executive regulations would set out conditions for valid consent and cases where a “written” consent would be required. This has been changed to refer instead to cases where an “explicit” consent would be required. This change is presumably intended to recognise that consent can be given through means other than in writing.
Territorial scope remains very broad
The new PDPL amendments have not changed the extra-territorial scope of the PDPL. The GDPR (in addition to applying to EU establishments) only applies to non-EU established entities who are engaged in offering goods or services into the EU or in monitoring EU-based individuals. In other words, the mere incidental processing by a “foreign” business of EU national or resident data does not compel the business to comply with GDPR. It has to satisfy a test which, in essence, measures whether it is actually trying to process the personal data of such people. By contrast, the PDPL applies to any entity located outside (or inside) KSA who is processing the personal data of individuals residing in the KSA.
Without the qualitative tests of the GDPR, this creates the problematic scenario of businesses becoming subject to the PDPL in a passive or even unaware manner. For example, a cloud hosting business with servers in India would, according to a literal reading of the PDPL, become subject to the PDPL if one of its customers happens to have dealings with end users based in KSA and uses the cloud service provider’s services to process their personal data; an obvious example where this might occur is in the context of hosted CRM systems. We hope that the executive regulations address this point with further detail.
The amendments to the PDPL are very welcome; however, the further detail in the executive regulations, such as clarification of the conditions for consent, procedures for notifying breaches and mechanisms for exporting personal data, will be required to help controllers and processors comply fully with the law.
Article co-authored by Bethania Berhane, Trainee Solicitor at CMS.