The new digital landscape: Managing risk and building resilience
Data Protection & Privacy
Saudi Arabia has issued its first comprehensive national data protection law to regulate the collection and processing of personal information. In this article we consider the implications of this important development for organisations operating in the Kingdom.
The Personal Data Protection Law (PDPL) was implemented by Royal Decree M/19 of 9/2/1443H (16 September 2021) approving Resolution No. 98 dated 7/2/1443H (14 September 2021). It was published in the Official Gazette on 24 September 2021.
The Saudi Data & Artificial Intelligence Authority (SDAIA) will supervise the implementation of the new legislation for the first two years, following which a transfer of supervision to the National Data Management Office (NDMO) will be considered. The NDMO is the regulatory arm of SDAIA and had previously published interim data governance regulations in 2020, which we assume have now been superseded by the PDPL insofar as they relate to personal data protection.
According to SDAIA’s announcement, the PDPL is intended to ensure the privacy of personal data, regulate data sharing and prevent the abuse of personal data in line with the goals of the Kingdom’s Vision 2030 to develop a digital infrastructure and support innovation to grow a digital economy.
The PDPL is designed to protect “personal data”, i.e. any information, in whatever form, through which a person may be directly or indirectly identified. This expressly includes an individual’s name, identification number, addresses and contact numbers, photographs and video recordings of the person.
The PDPL applies to any processing of personal data by businesses or public entities carried out in Saudi Arabia by any means whatsoever, including the processing of the personal data of Saudi residents by entities located outside the Kingdom.
The PDPL does not apply to the processing of personal data for personal and family use.
Many of the features of the PDPL are consistent with concepts and principles contained in other international data protection laws, for example:
While the PDPL contains many aspects that are similar to the GDPR and other data protection laws around the world, there are a number of unique aspects:
Finally, there is a tacit acknowledgement that the PDPL may evolve further: a number of the opening provisions refer to coordination between SDAIA and other relevant entities to review and amend the PDPL, both during the first year after the PDPL becomes effective and over a longer five-year timeline. There are also provisions suggesting that further details will be issued in respect of the processing of health and credit data, and that SDAIA will liaise with the Kingdom’s financial and ICT regulators to align with existing rules in those sectors.
The disclosure or publication of sensitive data contrary to the PDPL may result in penalties of imprisonment for up to two years or a fine of up to SAR 3,000,000 (US$ 800,000).
Violation of the data transfer provisions could result in imprisonment for up to one year and a fine of up to SAR 1,000,000 (US$ 266,600).
In respect of all other provisions of the PDPL, the penalties are limited to a warning notice or a fine of up to SAR 5,000,000 (US$ 1,333,000).
Any of the fines could also be increased up to double the stated maximums for repeat offences and the court may order confiscation of funds gained as a result of breaching the law and/or require publication of the judgment in a newspaper or other media at the offender’s expense.
Parties affected by the offences may be able to claim compensation.
The PDPL is stated to take effect 180 days after its publication in the Official Gazette, which means that it will be effective from 23 March 2022. The executive regulations supplementing the Law should also be issued within this period. However, the implementing decree provides that:
Accordingly, it seems that there will be a transitional period of at least 18 months until the PDPL is fully enforceable against local entities (and potentially longer for organisations based outside the Kingdom). The Council of Ministers’ approval in the Resolution also notes that SDAIA will coordinate with the Saudi Central Bank and Communications and Information Technology Commission (CITC) to address the application of the PDPL to regulated financial institutions and ICT service providers respectively.
We anticipate that further details and guidance will be published during the period prior to the PDPL taking effect on matters such as the mechanisms and procedures for obtaining regulatory consent or notifying breaches. The timescales for implementation may also be clarified by further announcements and there is provision in the PDPL for SDAIA to review and suggest amendments within the first year from the effective date.
In any case, all businesses operating in Saudi Arabia or processing the data of Saudi residents will now need to start assessing their activities and making changes to align with the PDPL. Controllers will be required to hold training for staff on the terms and principles of the PDPL and will need time to ensure that a culture of data protection is suitably embedded into the organisation. We have previously issued tips for enterprises on how to create an effective privacy framework and worked with many companies to help them implement the required processes and policies for compliance.