In an era where data privacy is increasingly paramount, the Kingdom of Saudi Arabia (KSA) has introduced its own Personal Data Protection Law (PDPL). Becoming fully enforceable from 14th September 2024, the PDPL represents a significant milestone in Saudi Arabia’s efforts to regulate the processing and protection of personal data within its borders and beyond.
Scope and Applicability of the PDPL
The PDPL is comprehensive in its coverage, applying to any personal data processing activities that occur within Saudi Arabia, as well as the processing of KSA residents’ data outside the country. The law defines personal data broadly, encompassing any information that could directly or indirectly identify an individual. This includes, but is not limited to, names, personal identification numbers, addresses, contact numbers, and sensitive data such as health and financial information.
Significantly, the PDPL also extends its protections to data concerning deceased individuals, provided that the information can be used to identify the individual or their family members. This broad scope underscores the law’s rigorous approach to personal data protection.
Core Concepts and Roles
The PDPL introduces two primary roles for entities dealing with personal data: the Controller and the Processor.
- Controller: This is the entity that determines the purposes and methods of processing personal data. Controllers bear the ultimate responsibility for ensuring compliance with the PDPL, which includes defining the purpose of data processing, ensuring the legal basis for such processing, and maintaining accurate records.
- Processor: This role is assigned to entities that process personal data on behalf of the Controller. Processors must follow the Controller’s instructions and are required to implement appropriate measures to protect personal data.
Legal Bases for Data Processing
For data processing to be lawful under the PDPL, there must be a legitimate basis for it. The PDPL outlines several legal bases, including:
- Consent: The data subject has explicitly consented to the processing of their personal data.
- Contractual Necessity: Processing is necessary for the performance of a contract to which the data subject is a party.
- Legal Obligation: Processing is required to comply with legal obligations.
- Public Interest: The processing is necessary for public interest or security purposes, particularly relevant for public entities.
- Legitimate Interests: Processing is necessary to pursue the legitimate interests of the Controller, provided that this does not harm the data subject’s rights and freedoms.
Data Subject Rights
The PDPL grants individuals robust rights regarding their personal data. These include the right to be informed about the purposes of data collection, the right to access their data, the right to request corrections or updates, and the right to request the deletion of their data. Additionally, individuals have the right to withdraw their consent for data processing at any time.
Controllers are obligated to respond to these requests within a maximum of 30 days, with the possibility of an extension under certain circumstances.
Compliance and Enforcement
Compliance with the PDPL is not merely advisory but mandatory, with substantial penalties for non-compliance. The Saudi Authority for Data and Artificial Intelligence (SDAIA) is the designated supervisory authority responsible for overseeing the implementation of the PDPL. SDAIA has the power to request documentation from entities to verify compliance, and breaches of the PDPL can result in fines of up to SAR 5 million (approximately $1.3 million). In cases of repeated violations, fines can be doubled, and severe breaches, such as the unlawful disclosure of sensitive data, can lead to imprisonment for up to two years.
Conclusion
The PDPL marks a pivotal development in Saudi Arabia’s legal landscape, aligning the Kingdom with global standards of data protection. For businesses operating within or with the KSA, understanding and complying with the PDPL is essential. As the law becomes fully enforceable by September 2024, entities must ensure they have the necessary frameworks in place to protect personal data, respect individual rights, and avoid the significant penalties associated with non-compliance.
If your organization is dealing with copious amounts of personal data, do visit www.tsaaro.com.
Check out our white paper on the KSA PDPL here.
News of the Week
1. US and German Authorities Shut Down Global Ransomware Group, Dispossessor
Authorities in the US and Germany have dismantled the globally active ransomware group Radar/Dispossessor, which has targeted at least 43 companies since August 2023. Servers and domains in multiple countries were taken down and 12 suspects have been identified. Investigations continue to identify additional suspects and uncover other victimized companies.
2. X Faces 9 GDPR Complaints Over AI Training
Austrian advocacy group NOYB filed a GDPR complaint against X, accusing the company of using EU users’ personal data to train its AI without consent. NOYB has submitted GDPR complaints to nine EU authorities to increase pressure on Ireland’s DPC. NOYB seeks to ensure complete adherence to EU law, which requires, at a minimum, obtaining user consent in this case.
3. Texas Sues GM for Selling Driver Data Without Consent
Texas sued General Motors (GM), accusing it of installing technology on over 14 million vehicles to collect and sell drivers’ data to insurers without consent. The lawsuit accuses GM of using this data to create “Driving Scores,” potentially impacting insurance decisions. Texas seeks data destruction, driver compensation, and penalties for violating state law.
4. Enzo Biochem Settles for $4.5 Million After Ransomware Attack
Enzo Biochem will pay $4.5 million to settle claims from New York, New Jersey, and Connecticut for failing to protect personal and private health information. The settlement follows a ransomware attack that compromised data of 2.4 million patients in 2023.
5. UK Considers Stricter Online Safety Act After Riots
The British government is considering revisions to the Online Safety Act aimed at regulating social media companies, in response to a week of racist riots fuelled by false information spread online. The Act, passed in October but effective next year, allows the government to fine social media companies for failing to police illegal content. Proposed changes may extend penalties to companies that permit “legal but harmful” content, such as misinformation.
https://www.reuters.com/world/uk/uk-revisits-online-safety-act-after-far-right-riots-2024-08-09/