Saudi Arabia’s Personal Data Protection Law (PDPL) came into force on 14th September 2023, giving organizations 12 months until 14th September 2024 to comply with its provisions. To further supplement the PDPL, Saudi Arabia enacted the Implementing Regulations. The Regulation on Personal Data Transfer outside the Kingdom (cross-border data transfer regulations) was published on 7th September 2023 and is set to come into effect on 14th September 2024.
The PDPL allows controllers to transfer personal data outside Saudi Arabia for agreements involving or benefiting the kingdom, providing services or benefits to data subjects, complying with international agreements, necessary operations, or scientific research. Transfers must not harm national security or vital interests, and only essential data should be transferred. The data subject’s fundamental protection rights must remain uncompromised.
Transfer Based on Adequate Level of Protection
The controller must first establish whether the transferee or receiving country provides an adequate level of protection, as determined by the competent authority, SDAIA (Saudi Data and AI Authority), to be equivalent to the protection provided by the PDPL. An official list of countries and international organizations shall be published by the authority and reviewed every four years or as deemed necessary. The assessment is based on criteria such as the existence of data protection laws and the ability of data subjects to exercise their rights, overseen by a supervisory body that cooperates with the Kingdom of Saudi Arabia. Furthermore, the disclosure or transfer of data must align with domestic and international legal obligations.
If a regular review of the list reveals that a country or organisation no longer guarantees an adequate level of protection, the SDAIA shall work with the authorities of the concerned country or organisation to address the shortfall.
Exemptions
While it is a general norm to follow the concept of transfer based on an adequate level of protection, Article 4 of the cross-border transfer regulations provides cases in which the controllers are exempted from complying with that requirement. However, exempted controllers must ensure that adequate safeguards of the following nature are implemented:
● Binding Common Rules: Rules adopted by a controller to ensure that all controller and processing parties within a multinational group provide adequate protection for personal data that is transferred beyond the borders of Saudi Arabia.
● Standard Contractual Clauses: Mandatory provisions in an agreement to ensure appropriate protection of personal data transferred outside Saudi Arabia.
● Certificate of Accreditation: A certificate of approval or accreditation issued by any authorized entity, certifying that adequate safeguards and protection measures are in place.
The Article specifies the following cases in which controllers are exempted from the general conditions set under Article 29 of the PDPL for the transfer of personal data outside Saudi Arabia, provided that adequate safeguards are implemented:
● Transfer of data between public bodies for the implementation of an agreement to which Saudi Arabia is a party, or to serve the interests of the Kingdom. In such cases, standard data protection clauses must be included.
● In the case of limited and non-recurring transfers, the controller is expected to comply with standard contractual clauses. Additionally, if the transferee body has received a certificate of approval and the data is not sensitive, the controller is exempted.
● Multinational groups or entities must adopt either binding common rules or standard contractual clauses to ensure data protection.
● The controller is also exempted where the transfer is made to provide a service or benefit to the data subject and the data concerned is not sensitive. Furthermore, in such cases, the transferee country or entity must hold an approval certificate.
● In cases where the transfer of data is necessary for scientific research, the controller must either comply with standard contractual clauses or ensure that the transferee or receiving body has received an approval certificate. The data being transferred must be limited to what is necessary for the purpose of research.
If the controller has failed to implement the required safeguards or if the SDAIA determines that the safeguards are inadequate, the exemption may be revoked and the transfer shall be halted.
Risk Assessment
Article 7 mandates that a controller must conduct a risk assessment before transferring or disclosing personal data to a party outside the Kingdom. The assessment should address the purpose, legal basis, and nature of the transfer, including the geographical scope and activities involved. It must evaluate the safeguards and measures in place to ensure data protection that complies with local laws. Additionally, it should determine if the transfer is limited to the minimum necessary data, assess potential material or moral risks to data subjects, and outline controls to mitigate those risks.
Conclusion
In conclusion, Saudi Arabia’s PDPL and its cross-border data transfer regulations emphasise the need to safeguard personal data when it is transferred outside the kingdom. Controllers must ensure that adequate protections are in place in the receiving country or that other sufficient safeguards are adopted for protecting personal data and data subject rights.
If you’re an organization dealing with copious amounts of data, do visit www.tsaaro.com.
News for the Week
1. X Corp. Halts AI Data Processing Amid EU Privacy Concerns
Elon Musk’s X Corp. agreed to stop using European users’ personal data to train its AI chatbot, Grok, following demands from the EU’s Data Protection Commission (DPC). The company committed to deleting user data collected from public posts between May 7 and August 1, 2024. This decision came after the DPC filed a legal request in August, citing privacy concerns under EU law. X had initially suspended the data processing on a temporary basis; the suspension was then made permanent, ending the legal dispute. The DPC has also urged EU regulators to explore how AI interacts with data protection laws.
2. Central Government Inaugurates Key Initiatives to Strengthen Cybercrime Prevention in India
On September 10, 2024, Union Home Minister Amit Shah marked the first foundation day of the Indian Cybercrime Coordination Centre (I4C) by launching several initiatives to combat cybercrime. The Cyber Fraud Mitigation Centre (CFMC) was dedicated to the nation, enabling banks, financial intermediaries, telecom providers, and law enforcement agencies to collaborate in fighting online financial crimes. He also introduced the Samanvaya Platform, a comprehensive web-based portal for cybercrime data sharing and coordination among law enforcement agencies. Additionally, Shah inaugurated the ‘Cyber Commandos’ program, creating a specialized unit to counter cyber threats, and unveiled the Suspect Registry, a fraud prevention tool developed in collaboration with banks and financial intermediaries.
3. First International AI Treaty Ready for Signing by Global Nations
The world’s first legally binding AI treaty will be open for signatures on Thursday by countries that participated in its negotiations, including the U.S., Britain, and European Union members, according to the Council of Europe. Adopted in May after years of discussions among 57 nations, the AI Convention aims to address potential risks posed by artificial intelligence while encouraging responsible innovation.
4. U.S. House Passes Biosecure Act Targeting Chinese Biotech Firms
The U.S. House of Representatives passed the Biosecure Act on Monday, aiming to restrict business with Chinese companies like WuXi AppTec, BGI, and others over national security concerns. The bill, which prohibits federal contracts with targeted firms and their affiliates, seeks to safeguard Americans’ health, genetic data, and pharmaceutical supply chains. It passed with a 306-81 vote, surpassing the required two-thirds majority. The legislation now moves to the U.S. Senate before heading to President Joe Biden for approval. Beijing has condemned the move.
5. Slim CD Inc. Reports Data Breach Exposing 1.7 Million Users’ Credit Card Information
Slim CD, Inc., a leading payment processing service for U.S. and Canadian merchants, has revealed a data breach impacting around 1.7 million users. The breach, which occurred between August 17, 2023, and June 15, 2024, may have exposed sensitive credit card data from transactions processed through their system. The company detected suspicious activity on June 15, 2024, and promptly launched an investigation, involving third-party experts to assess the damage. Findings indicated that an unauthorized party accessed or obtained certain credit card information during a brief window from June 14 to June 15, 2024.
https://hackread.com/payment-gateway-slim-cd-data-breach-millions-impacted/