The Proposed Amendments To Saudi Arabia’s Personal Data Protection Law.
The growing importance of data privacy and protection has led many countries to pass laws and regulations to protect citizens’ data. These laws have also been amended in response to further developments and new requirements. The Kingdom of Saudi Arabia has likewise passed its Personal Data Protection Law, but there were multiple questions regarding the date on which it would come into force and the inclusion of the proposed amendments.
THE TIMELINE OF PDPL
The Data Protection Law of Saudi Arabia (PDPL), implemented by Royal Decree M/19 of 17 September 2021 approving Resolution No. 98 dated 14 September 2021, was issued in September 2021 and marks the introduction of Saudi Arabia’s first data protection law. It was originally expected to take effect from 23 March 2022, but its entry into force was postponed to 17 March 2023.
There was another significant possibility that the entry into force of the PDPL would further be delayed due to the following reasons.
The Saudi Data & Artificial Intelligence Authority (SDAIA) held a public consultation on the proposed changes to the PDPL, which ended on 20 December 2022. The PDPL requires the implementation of executive regulations; a draft of these was published for consultation in 2022 but was withdrawn within a few days. A new set of regulations reflecting the amended PDPL was expected to be released soon, but this ended up further delaying the enforcement of the PDPL.
THE PROPOSED AMENDMENTS
The proposed significant changes are mentioned below.
New data subject rights
Data subjects are given new rights: the right to data portability and the right to be informed about the purpose of the collection of data and its legal basis. Additional protections are also added regarding the use of personal data for marketing purposes.
Changes were also suggested to the definitions of sensitive personal data, controller, and processor, along with other changes to the definitions.
International data transfer or data transfer outside KSA
The Article regarding the transfer of personal data outside the Kingdom, or international data transfers, was completely rewritten. Originally, international data transfers were dealt with in Article 29; they are now dealt with in Article 28.
According to this Article, the controller may transfer personal data outside the Kingdom of Saudi Arabia (KSA) in specific and limited cases, and only if:
- Protection to the same standard as KSA: the country outside KSA to which the personal data is transferred must protect that data to at least the same standard as KSA. It remains unclear whether the data protection authority will create an official list of adequate jurisdictions or whether it will be left to data controllers to self-evaluate transfers based on the specified criteria. This criterion will remain unclear until the regulations are introduced, and more clarity is expected once the requirement is issued.
- Not affecting the national security of KSA: the data transfer does not affect KSA’s national security or vital interests.
- The transfer is limited to a minimum amount of personal data: the transfer of personal data is limited to the minimum amount. This is not contentious and reflects general data protection principles.
The suggested changes mentioned above are a considerable improvement, but uncertainty remains over the criteria for determining which jurisdictions are adequate and which are not. There is also no clarity on the processing of government data: businesses involved in processing such data will be unclear on when the data cannot be transferred on grounds of national security.
Legitimate interest as a legal basis for processing data
Consent is considered the primary ground for processing personal data, and consent is not required only in limited circumstances, which was a criticism of the originally published version of the PDPL. The revision permits processing where it is necessary to achieve a legitimate or lawful interest of the controller that does not affect the data subject’s rights. This legal basis does not apply to sensitive data.
This legitimate interest remains the legal basis for the collection of personal data and also for the disclosure of personal data to third parties.
The addition of legitimate interest seems to be beneficial, as the PDPL has only limited grounds for processing personal data. The details of how legitimate interest applies have been left to the regulations.
Entities outside KSA are not required to appoint a representative in KSA
In the revised version, entities outside KSA that process the personal data of residents of KSA are not required to appoint a representative in KSA. The data protection authority has instead acquired the power to identify tools and mechanisms suitable for monitoring the compliance of such entities with the law, and to identify suitable procedures for implementing the law outside KSA.
Other significant changes include the removal of the reference to the electronic portal and modifications to the penalties for breaches of the PDPL and to the powers and functions of the data protection authorities, among others.
As the PDPL was expected to come into force on 17 March 2023, questions arose about whether the proposed amendments would be approved, whether the executive regulations of the Personal Data Protection Law would be approved, and whether the 2021 version or the amended version would come into force on 17 March 2023.
These were the questions that arose among privacy enthusiasts, privacy professionals, and business organizations.
Finally, on 21 March 2023, the cabinet of Saudi Arabia approved the proposed amendments to the Personal Data Protection Law.