April 13th, 2023 Legal Updates

Amendments to the KSA Personal Data Protection Law

Introduction

In the 21st century, with modernization and globalization at an all-time high and communication technologies connecting people across the globe, personal, corporate, and governmental data are more susceptible to abuse and mishandling than ever. An international need for robust data privacy and protection laws and regulations has therefore surfaced, one that demands guarantees that the data of individuals and entities will be handled correctly so that they can connect to and access modern technology more efficiently and safely.

With that said, the Kingdom of Saudi Arabia (“KSA”) is rising as a top-tier competitor in the global investment market. As one of the most promising future economies in the world, especially after its recent diversification into key sectors and reduced dependence on the oil sector, it has implemented in a short period many substantial laws and regulations that, combined and enforced, may transform the KSA into a safe haven for consumers and digital nomads eager to excel in and explore technology development. One of the latest legal contributions in the KSA is the issuance of the Personal Data Protection Law (the “PDPL”) and, more recently, the issuance of the approved amendments to the PDPL (the “Amendments”). The Amendments are intended to align the PDPL with international data protection standards while demonstrating the KSA’s commitment to safeguarding personal data and fostering trust in the digital economy. It is worth mentioning that in November 2022, the authority competent to enforce the PDPL, the Saudi Data and Artificial Intelligence Authority (SDAIA), published a draft of proposed amendments to the public (the “Proposed Amendments”). The Proposed Amendments gave a general overview of the expected amendments to the PDPL, and each proposal was approved, rejected, or partially approved based on its relevance to the evolving digital landscape. Approved proposals include the definition of disclosure, explicit approval, the legitimate interests of the data controller, the privacy policy, the legal basis for data collection, the destruction of personal data when it is no longer needed, and the empowerment of the competent authorities.

Meanwhile, rejected proposals cover the definition of sensitive data, the cases in which the law applies, additional references to the relevant laws and implementing regulations, the assessment of the effects of processing personal data, marketing-purpose provisions, and the supervision of parties outside the KSA, among others. Partially approved proposals include data subject rights, the destruction of personal data without delay, notification of the privacy policy upon the collection of personal data, the appointment of a data protection officer, the transfer of personal data outside the KSA, and more. Some amendments, such as the non-disclosure exceptions and data controller supervision, were implemented without a prior proposal.

This article will outline the key changes introduced by the Amendments to the Personal Data Protection Law.

Broader Definitions

The Amendments refine several definitions: the definition of personal data destruction now aims to ensure the anonymity of the personal data subject; the term sensitive personal data is expanded to include data that leads to any trait of the personal data subject; the definition of personal data subject excludes any other person related to the personal data subject; and the disclosure provisions are updated to include the processing party.

Additional References to the Awaited Implementing Regulations

While the PDPL as issued already contained many references that supplement and complete its application, the Amendments insert many further references to the implementing regulations, allowing broad flexibility in the execution, arrangement, and enforcement of the PDPL. Provisions of the PDPL that depend on the implementing regulations include (1) the duration of the right to access personal data, (2) the cases requiring explicit approval for the processing of personal data, and (3) some exemptions from the restrictions on collecting personal data, among others.

Data Controller Obligations

The Amendments introduce some changes to the obligations of the data controller. Some concern the processor: the data controller must now supervise the processor’s compliance with the relevant laws and regulations, although this obligation is no longer framed as a continuous one. The data controller must also implement a privacy policy.

Recognition of the Legitimate Interest Basis

Under the Amendments, legitimate interest is now recognized as a valid legal basis for collecting and processing personal data. This basis allows personal data to be processed where the controller’s legitimate interests outweigh any potential harm to the data subject’s rights and interests. It is essential to note, however, that this legal basis may not be relied upon where it conflicts with the rights and interests of the personal data subject. These Amendments aim to provide a more balanced approach to collecting and processing personal data while ensuring that the rights and interests of the data subject remain protected.

Practical Measures for Smooth Application

Under the original PDPL, certain cases required written approvals or notifications for processing or collecting personal data. The Amendments replace this requirement with a requirement for explicit approvals, making it more practical for the controller to carry out data operations. Despite this change, the full rights of the personal data subject are maintained, so their interests and rights remain protected. The shift from written to explicit approvals streamlines the controller’s operations while upholding the rights of the personal data subject, and it aligns with the evolving landscape of data protection laws and practices. Moreover, the destruction of personal data and certain other obligations (for example, notification of a breach, destruction, or illegal access of personal data) must now be carried out within a reasonable timeframe, “without delay”, instead of “immediately”. It is also worth mentioning that, in some instances, the controller must notify the individual data subject when fulfilling its obligations regarding the right to know or the privacy policy, without stating the technical basis of the policy or the execution of the data operations.

Personal Data Subject Extended Rights

Alongside the personal data subject rights already stipulated and safeguarded by the PDPL, the Amendments add new provisions to protect the subject’s personal data during its transfer to data controllers. These include the right of individuals to access their personal data from the data controller and the requirement that personal data be registered and stored in a way that does not allow the personal data subject to be identified. Additionally, data controllers must provide personal data in a readable format. These measures aim to ensure the more trustworthy and safe handling of personal data.

Transfer of Personal Data Outside the KSA

The PDPL was considered restrictive and offered limited exemptions for data transfers outside the KSA; the Amendments, however, shift the PDPL toward a more flexible and permissive approach while keeping the critical sovereignty factor in force. The Amendments identify the purposes for which personal data may be transferred and impose conditions that must be met, including an assessment by the relevant authorities of the adequacy of personal data protection outside the KSA, while also giving due consideration, to some extent, to the interests of the data subject. In addition, a data protection officer representative in the KSA is no longer mandatory. Nevertheless, the transfer of personal data remains subject to compliance with the applicable laws, regulations, standards, and procedures. This allows greater practicality and adaptability in the operations of data controllers while still preserving the rights and interests of the data subject, and it reflects a more modern and pragmatic approach to data protection in line with the evolving landscape of privacy laws and regulations.

Competent Authority’s Duties

The Amendments cancel the electronic portal project and instead require the competent authority to establish a national register of data controllers, through which the authority is also mandated to provide services related to the PDPL. Additionally, the Amendments grant the competent authority the power to delegate the supervision of the PDPL’s implementation to other authorities and to empower designated personnel to conduct inspections for potential infringements. Notably, a committee of technical experts has been appointed to inspect infringements and impose penalties as deemed necessary. These changes aim to enhance compliance with and enforcement of the PDPL and to strengthen the oversight and accountability of data controllers.

PDPL Entry into Effect

The Amendments stipulate that the PDPL shall come into force (720) days after its publication date in the Official Gazette, which was 24 September 2021, so it shall come into force on 15 September 2023.

Finally, the Amendments stipulate that the head of the competent authority shall issue the implementing regulations within a period not exceeding 720 days from the PDPL issuance date of 16 September 2021, so no later than 7 September 2023. Before issuing the implementing regulations, the head of the competent authority must coordinate with several ministries and authorities considered relevant to data privacy and protection in the KSA.

Conclusion

The Amendments to the PDPL may bring a significant improvement to Saudi Arabia’s personal data protection framework. The KSA is demonstrating its commitment to protecting the personal information of its citizens and entities while building a secure, reliable digital economy that complies with international data protection standards. To avoid potential fines and reputational harm, businesses that collect, store, register, or process personal data in the Kingdom of Saudi Arabia should familiarize themselves with the PDPL Amendments and update their policies and practices accordingly.

Authors: Amr Hammad, Partner, Ahmad Saleh, Senior Associate, and Mario Fakhry, Associate

For further information, please contact Amr Hammad (amr.hammad@glaco.com) and Ahmad Saleh (ahmad.saleh@glaco.com).