Amendments to the KSA Personal Data Protection Law
In the 21st century, modernization and globalization have reached an all-time high, and communication technologies have connected people across the globe. As a result, personal, corporate, and governmental data are more susceptible to abuse and mishandling than ever. This has created an international need for robust data privacy and protection laws and regulations that guarantee persons’ and entities’ data is handled correctly, so that modern technology can be accessed more efficiently and safely.
This article will outline the key changes introduced by the Amendments to the Personal Data Protection Law.
The Amendments include better definitions of personal data destruction to ensure the anonymity of the personal data subject, an expansion of the term “sensitive personal data” to include anything that leads to any trait of the personal data subject, a definition of “personal data subject” that excludes any other person related to the personal data subject, and updates that include the processing party in the disclosure articles.
Additional References to the Awaited Implementing Regulations
While the issued PDPL had many references that supplement and complete its application, the Amendments have inserted many references to the implementing regulations to allow broad flexibility in the execution, arrangement, and enforcement of the PDPL. Some of the PDPL’s provisions that depend on the implementing regulations are (1) the duration of the right to access personal data, (2) the cases of explicit approval for the processing of personal data, (3) some exemptions from the restrictions on collecting personal data, et cetera.
Data Controller Obligations
Recognition of the Legitimate Interest Basis
Under the Amendments, a legitimate interest legal basis is now recognized as a valid justification for collecting and processing personal data. This legal basis allows for processing personal data in situations where the controller’s legitimate interests outweigh any potential harm to the data subject’s rights and interests. However, it is essential to note that this legal basis should not be used in cases where it conflicts with the rights and interests of the personal data subject. These Amendments aim to provide a more balanced approach to collecting and processing personal data while also ensuring that the rights and interests of the data subject are protected.
Practical Measures for Smooth Application
Personal Data Subject Extended Rights
Alongside the personal data subject rights stipulated and safeguarded by the PDPL, the Amendments have added new provisions to protect the subject’s personal data during transfer to data controllers. These provisions include the right for individuals to access their personal data from the data controller and the requirement that personal data be registered and stored in a way that does not allow for identification of the personal data subject. Additionally, data controllers must provide personal data in a readable format. These measures aim to ensure a more trustworthy and safe handling of personal data.
Transfer of Personal Data Outside the KSA
The PDPL was deemed restrictive and had limited exemptions regarding data transfer outside the KSA; however, the Amendments have pivoted the PDPL to have a more flexible and permissive approach while maintaining the critical sovereignty factor in force. The Amendments identify the purposes for which personal data may be transferred and impose certain conditions that must be met, including an assessment of the adequacy of personal data protection outside the KSA by relevant authorities, while also giving due consideration to the interests of the data subject to some extent. In addition, the need for a data protection officer representative in the KSA is no longer mandatory. Nevertheless, the transfer of personal data remains subject to compliance with applicable laws, regulations, standards, and procedures. This allows for greater practicality and adaptability in the operations of data controllers while still maintaining the rights and interests of the data subject. The Amendments reflect a more modern and pragmatic approach to data protection in line with the evolving landscape of privacy laws and regulations.
Competent Authority’s Duties
The Amendments have resulted in the cancellation of the electronic portal project and the introduction of a requirement for a national register for data controllers to be established by the competent authority. The authorities are also mandated to provide services related to the PDPL through this register. Additionally, the Amendments grant the competent authority the power to delegate to other authorities to supervise the implementation of the PDPL and empower designated personnel to conduct inspections for potential infringements. Notably, a committee consisting of technical experts has been appointed to inspect infringements and impose penalties as deemed necessary. These changes aim to enhance compliance and enforcement of the PDPL and strengthen the oversight and accountability of data controllers.
PDPL Entry into Effect
The Amendments stipulate that the PDPL shall be enforced 720 days after its publication date in the official gazette, which was 24 September 2021, so it shall be enforced on 15 September 2023.
Finally, the Amendments stipulate that the head of the competent authority shall issue the implementing regulations within a period not exceeding 720 days from the PDPL issuance date of 16 September 2021, so it should not exceed 7 September 2023. Before issuing the implementing regulations, the head of the competent authority should coordinate with several ministries and authorities that are considered related to data privacy and protection in the KSA.
The PDPL’s Amendments may bring a significant improvement to Saudi Arabia’s personal data protection framework. The KSA is proving its commitment to protecting the personal information of its citizens and entities, all while building a secure, reliable digital economy by complying with international data protection standards. To prevent potential fines and reputational harm, businesses that collect, store, register, or process personal data in the Kingdom of Saudi Arabia should be aware of the PDPL Amendments and implement their policies and practices accordingly.