Welcome to this edition of Law Update, where we focus on the ever-evolving landscape of financial services regulation across the region. As the financial markets in the region continue to grow and diversify, this issue provides timely insights into the key regulatory developments shaping banking, investment, insolvency, and emerging technologies.
Saudi Arabia’s new Personal Data Law has just been published in Umm al Qura, the Official Gazette. Overall, we think the Law looks pretty good, although a significant amount of detail will be required in the Regulations.
Our understanding is that the Law will come into effect on 23 March 2022, and data controllers will have a year from that date in which to modify their arrangements to ensure compliance.
With the exception of personal data processing for domestic purposes, the Law applies to all personal data processing undertaken in Saudi Arabia. Although there is some ambiguity in the drafting, it appears to extend to personal data processing undertaken outside Saudi Arabia in respect of data subjects in Saudi Arabia.
Initially, the competent authority responsible for the implementation of the Law is SDAIA, the Saudi Data & Artificial Intelligence Authority. The supervisory function will eventually shift to the National Data Management Office, which falls under SDAIA.
As the competent authority, SDAIA is required to issue the Regulations prior to the Law coming into effect. The Regulations will be developed in consultation with various government entities.
The Law establishes a requirement for entities outside Saudi Arabia that process the personal data of data subjects in Saudi Arabia to appoint a representative in Saudi Arabia to fulfil their obligations under the Law and Regulations. This is not an immediate requirement; the competent authority must implement it within five years of the Law coming into effect.
There are record keeping obligations on data controllers, and an obligation to make such information available to the competent authority upon demand. The Law contemplates the competent authority establishing a dedicated online portal through which data controllers will be required to register the fact of their data processing activities. It also contemplates administrative fees of up to SAR100,000 (about USD27,000).
The Law prohibits the processing of personal data without the consent of the data subject, except in specific circumstances. Some of these exceptions seem familiar, relative to the approaches taken elsewhere. Others seem to be broad, and could be subject to abuse in terms of the discretion available to the data controller.
Generally, personal data may only be collected directly from data subjects, and processed only for the purposes for which it was collected. There are exceptions to this, enabling the processing of personal data collected other than directly from data subjects in certain circumstances.
Personal data may only be processed for lawful purposes, and the means of collecting and processing personal data need to be appropriate to the circumstances, bearing in mind the nature of the data subject, and the need for clarity and absence of deception.
There is a requirement for data minimisation, so that only the minimum personal data necessary for the contemplated purposes is collected and processed. Similarly, there is a data retention limitation requirement, whereby data controllers may retain personal data only for as long as is necessary to fulfil the purposes for which it was collected.
The data subject rights available under the Law are subject to limitations to be specified in the Regulations. The rights include:
Certain information needs to be communicated to the data subject in advance by way of a privacy policy, and this includes information on data subject rights.
The concept of ‘privacy impact assessment’ appears in the form of an obligation on the data controller to evaluate the personal data protection implications of any product or service provided by the data controller.
When selecting a data processor, data controllers must choose data processors able to give effect to the provisions of the Law. There is an obligation on data controllers to ensure data processors comply with the requirements of the data controller, in a manner consistent with the Law, and without prejudice to the rights of the data subject or the requirements of the competent authority.
Data controllers are required to apply appropriate technical and organisational measures to ensure the security of personal data, in accordance with the provisions of the Regulations.
In the event of a data breach incident, whether it be a leak, unauthorised access, or unintended destruction, there is an obligation to notify the competent authority. If such incident could cause serious damage to the data subject, there is also an obligation to notify the data subject.
In terms of transfers of personal data outside the Kingdom, there is considerable ambiguity. It will be interesting to see what the Regulations provide, but our reading is that there may still be a requirement to obtain a permit from the competent authority – and this has potential to be impractical.
The Law permits aggrieved data subjects to submit a complaint to the competent authority in respect of any issue arising from the Law and Regulations, and further details on the complaint process are expected in the Regulations. The aggrieved party may also file a claim for damages before the competent court.
Violations of the Law can attract serious penalties, including imprisonment for up to two years and fines of up to SAR5,000,000 (about USD1,350,000), depending on the violation.
We will be happy to share further insight on this significant development. If you would like a copy of our fuller note on this topic, please email Nick O’Connell directly or follow our Digital & Data ‘showcase’ page on LinkedIn.