Saudi Arabia’s Data Protection Law: The Personal Data Protection Law
On March 10, the Kingdom of Saudi Arabia’s Saudi Data & Artificial Intelligence Authority (SDAIA) issued a draft version of executive regulations supplementing the nation’s first standalone comprehensive data protection law, The Personal Data Protection Law (PDPL). PDPL was implemented by Royal Decree M/19 on September 17, 2021.
The PDPL aims to protect the personal data of citizens of the Kingdom of Saudi Arabia (KSA), and to prevent and mitigate the abuse of KSA citizens’ personal data.
Provisions of the Law
PDPL applies to all businesses that process or collect personal data belonging to KSA citizens, including personal data processed by entities outside of the country, and data that is collected by selling goods or services to KSA residents (“covered entities”).
The PDPL grants those who generate data (“data owners”) certain rights and protections where the data is considered “personal,” including:
The right to be informed about, and to gain accesses to, personal data being collected and retained;
the right to request correction of incorrect personal data;
the right to request, within limits, deletion of improperly stored or collected personal data; and
the right to file complaints relating to an alleged violation of PDPL with the SDAIA.
According to the supplemental material, the interest concerned under this article includes “any interest of material importance to the physical, psychological, moral, or financial safety” of the data owner.
Consent
Covered entities must establish and maintain a clear privacy policy establishing that data owners need to grant consent before their personal data can be collected or processed. This consent can be withdrawn at any time and for any reason. Consent is not required where:
The processing or collecting would establish a clear benefit to the data owner, and it would be impossible or impractical for the entity to contact the data owner to obtain consent within a reasonable amount of time;
Processing or collecting the personal data is required by law or is permitted by a prior arrangement to which the data owner is a party, such as an employment contract; or
The data processor or collector is a public entity and processing is required for a security or judicial purpose.
It’s important to note that, as a result of these exceptions to the consent requirement, the PDPL establishes two standards for consent: express and implied. Express consent must be documented in a manner that allows the data processor to evidence the consent at a later date. Implied consent can be established when express consent has not been received, but the data owner knows of the processing activities, and there is evidence that the data owner would have consented had the opportunity been presented to them.
However, the PDPL does require that when data being processed is considered to be “sensitive,” the data owner’s consent must be obtained in writing.
Personal Data Transfers
Aside from a few limited circumstances, the PDPL prohibits covered entities from transferring a KSA resident’s personal data to another entity that is outside of the KSA unless:
The transfer is necessary to the provision of the services requested by a KSA data owner, and the transfer is done in a manner that is in accordance with the data owner’s expectations and with the data owner’s consent; or
The transfer is done for purposes relating to the public interest.
The recently-released supplementary material for PDPL makes clear that the SDAIA may grant exemptions to this prohibition for those who apply to the relevant authorities. Following receipt of application, those relevant authorities have 30 days—unless they determine an extension is necessary—to conduct an impact assessment and issue written approval from the relevant agencies.
Outside of these parameters, data may only be transferred when doing so is necessary for saving the data owner’s life outside of the KSA or to preserve their “vital interests, or avoid, examine or treat an infection.”
Subsequent Contracts with Controller and Processor
Where a data controller contracts with a data processor, the PDPL requires that the controller choose an “entity that is the most efficient in providing the guarantees necessary to protect” the data owner’s personal data from any “illegal processing, including to conduct risk assessment on the processing of personal data.” Additionally, regulatory authorities must approve this contract.
Safeguarding, Disclosure, and Breach
In order to properly protect collected or processed personal data, covered entities are required to:
Adopt and implement the requirements and controls issued by relevant banking authorities;
Ensure that employees engaged in processing personal data are honest and responsible by requiring them to sign a nondisclosure agreement in relation to the data;
Incorporate relevant laws and regulations into covered entities’ employee code of conduct;
Assign each employee a task and responsibility in a manner which prevents overlap of roles, to create tiers of access to data among employees;
Document all stages of processing personal information; and
Refrain from copying official documents issued by public entities that identify a data owner.
Additionally, covered entities will be required to notify the relevant authorities of any breach, damage, or unauthorized access to personal data within 72 hours of such an incident.
Impact on United States Businesses
The PDPL Is set to take effect on March 17, 2023. However, this period may be delayed for up to five years for entities outside of the KSA.
Despite the timeframe provided for the effective date of the law, many United States entities are against its final implementation. According to a Bloomberg article, “the largest business lobbying group in the U.S. has warned Saudi Arabia that a new privacy and data law will raise the cost of doing business in the kingdom and complicate efforts to attract foreign investors and wean its economy off a dependence on oil sales.”
Nonetheless, covered entities should engage in a review of their policies and procedures to ensure that they are in compliance with these regulations, should they take effect.