The Saudi Arabia Council of Ministers has approved a series of changes to the Kingdom's Personal Data Protection Law (PDPL) that was issued in 2021. The new amendments have been implemented via Royal Decree No. M147 of 5/9/1444H (corresponding to 27 March 2023), which also pushes the effective date of the PDPL to September 2023.
The updated PDPL takes into account some of the amendments that were proposed in a consultation paper issued by the Saudi Data & Artificial Intelligence Authority (SDAIA) in November 2022, although not all of those proposals have been implemented. The amendments introduce several concepts that will align the PDPL more closely to international standards such as the EU General Data Protection Regulation (GDPR).
What are the key changes to the PDPL?
Some of the most important changes introduced by the new decree include:
- More business-friendly data transfer mechanisms: The strict prohibition on transfers of personal data outside Saudi Arabia has been amended, and international transfers no longer require exceptional approval from SDAIA. International transfers are now generally permitted if they implement obligations under international agreements to which Saudi Arabia is a party, if they serve national interests, if they implement obligations to which the data subject is a party, or for any other purposes determined by the executive regulations once those are issued. Controllers will need a specific purpose to transfer or disclose data outside the Kingdom, and transfers appear to be limited to territories that SDAIA determines to have an appropriate level of protection for personal data, which will be further clarified once SDAIA issues evaluation criteria for this purpose. However, the pending executive regulations to be issued under the law should set out cases where controllers may be exempt from this condition.
- New grounds for processing: Controllers may now rely on “legitimate interests” as a lawful basis to process and disclose personal data, although this does not apply to sensitive personal data or to processing that contravenes the rights granted under the PDPL and its executive regulations. This change will make the grounds for processing more consistent with the GDPR and similar legislation.
- Reduced number of criminal offences: Criminal sanctions for violating the PDPL’s data transfer restrictions have been removed. There remains only one criminal offence in relation to the disclosure or publication of sensitive personal data in violation of the law. Otherwise, the penalties for breaching the PDPL will be a warning or a fine of up to SAR 5,000,000 (USD 1,333,000) that may be doubled for repeat offences.
- Removal of registration requirement for controllers: The amended law no longer refers to the creation of an electronic portal or any requirement for a controller to register their processing activities. However, SDAIA has been authorised to issue the requirements for practicing activities related to data protection, in cooperation with any other relevant authorities. SDAIA also has the mandate to license auditors and accreditation entities and create a national register if it determines that it would be an appropriate tool and mechanism for monitoring the compliance of controllers.
- Data breach notification timeline eased: Notifications of a personal data breach to SDAIA no longer have to be made ‘immediately’. Further detail is again expected to be added in the pending regulations, which could include specific deadlines for notifying data breaches or materiality thresholds. A new requirement has been added for controllers to notify data subjects where a breach would cause damage to personal data or contravenes the data subject’s rights or interests.
What are the timelines for compliance?
The PDPL is now stated to take effect 720 days after the publication of the original law in the Official Gazette, which means that it should be formally effective from 14 September 2023. The executive regulations supplementing the PDPL should be issued prior to this date.
The preamble to the PDPL provides controllers with a one-year grace period to comply with the PDPL from the date it comes into force. Accordingly, organisations within the scope of the law will have until 14 September 2024 to adjust their status in accordance with the provisions of the PDPL.
What should companies do next?
While further details are expected to be provided in the regulations (for example, conditions for consent, timelines for complying with data subject access requests, procedures for notifying breaches and mechanisms for exporting personal data), there are steps that organisations can take ahead of time to prepare for compliance:
- All businesses operating in Saudi Arabia or processing any data of Saudi residents should start assessing their data processing activities, including any international data transfers, with a view to understanding the impact on their operations and any changes that will be necessary to align with the PDPL.
- Policies and processes will need to be developed or amended, and contracts reviewed or updated to take account of new rights and obligations.
- Controllers will be required to train staff on the terms and principles of the PDPL and will need time to embed data protection within the culture of their organisations.
We have worked with many organisations to help them understand and implement the required processes and policies for compliance with data protection laws around the world. Our team of data privacy and cybersecurity specialists in the Middle East have been closely monitoring the development of the PDPL and other regional legislation.
If you would like further information on how to create an effective privacy framework or advice on the PDPL, please contact us.