An overview of Saudi Arabia's amended Personal Data Protection Law
Technology, Media & Telecoms Focus
Nick O'ConnellPartner, Head of Digital & Data, Saudi Arabia
When originally published on 24 September 2021, Saudi Arabia’s Personal Data Protection Law (Royal Decree M/19 of 9/2/1443H (16 September 2021); Ministerial Resolution No. 98 of 7/2/1443H (14 September 2021)) was expected to come into effect on 23 March 2022. Instead, the Law was essentially suspended. Then, following public consultation in late 2022, amendments to the Law were approved by Royal Decree M/148 of 5/9/1444H (27 March 2023). The Law will now come into force in early September 2023, 720 days from original publication.
Significantly, the Royal Decree under which the Law was originally passed provides for a twelve-month grace period, from the date of coming into force, within which time those subject to the Law will need to ensure their personal data processing activities are compliant.
Further essential detail will be set out in the associated Regulations, which should be issued by mid-September 2023 when the Law comes into force. (An opportunity for public consultation on the Regulations is expected.) In this note, based on an article first published in Law Update in October 2021, we provide a general overview of the Law, along with some observations on implications of key amendments.
We have not sought to provide a detailed review of the terms defined in the Law. Some of these require further scrutiny, although in very general terms they do not seem to be far removed from the corresponding terms as used in other data protection laws.
With the exception of personal data processing for personal or domestic purposes, the Law applies to all personal data processing undertaken in Saudi Arabia, extending to personal data processing undertaken outside Saudi Arabia in respect of data subjects in Saudi Arabia. Personal data processing in respect of deceased persons is also within the scope of the Law, if such processing could lead to the identification of that person or his or her family. The Law is to be read subject to any other law or treaty that better protects personal data. We understand this to mean that, if any other specific provisions of other Saudi laws, or of treaties to which Saudi Arabia is a signatory, provide for stronger protection of personal data, then such stricter requirements will prevail. At a practical level, it is difficult to know what this will look like.

The Law is without prejudice to the authority of the National Cybersecurity Authority (“NCA”) in respect of the cybersecurity subject matter for which it is responsible. It is unclear whether this is to be understood broadly, or whether it will be qualified in any way.

For the first two years, the ‘competent authority’ responsible for the implementation of the Law will be the Saudi Data & Artificial Intelligence Authority (“SDAIA”). The supervisory function will eventually shift to the National Data Management Office (“NDMO”), which falls under SDAIA, as the data protection landscape develops. Different licensing authorities may be delegated responsibility for the functions of the competent authority in respect of entities in the industry sectors for which they are responsible, although this is unclear. As the competent authority, SDAIA is required to issue the Regulations prior to the Law coming into effect in September 2023.
The Regulations will be developed in consultation with various government entities, including the Ministry of Communications & Information Technology, the Ministry of Foreign Affairs, the Communications, Space & Technology Commission (“CST”, the Saudi telecoms regulator), the Digital Government Authority, the National Cybersecurity Authority, the Central Bank (“SAMA”), and the Saudi Health Council.

The Law as originally published contemplated that controllers and processors outside Saudi Arabia that process personal data of data subjects in Saudi Arabia would each appoint their own representative in Saudi Arabia to fulfil their obligations under the Law and Regulations. In the amended Law, the specific wording setting out this requirement was removed, although there is now general wording allowing the competent authority to determine appropriate tools and mechanisms to ensure such foreign entities are meeting their obligations under the Law. Accordingly, we expect the Regulations to introduce more detail on how foreign controllers and processors will be required to evidence their compliance, and we cannot rule out the possibility that they may each need to appoint a representative in the Kingdom. More broadly, the amended Law clearly provides that the competent authority (in consultation with other concerned authorities) is empowered to set the requirements for practising commercial, professional or non-profit activities relating to the protection of personal data in the Kingdom, and to establish a licensing and certification regime in respect of activities in the personal data protection space. The competent authority is expected to educate data subjects, as well as personnel in data controller entities, with respect to the rights and obligations set forth in the Law. Data controllers will need to hold workshops for personnel in order to train them on concepts and principles found in the Law, and the competent authority may be called on to provide support in this regard.
The Law prohibits the processing of personal data without the consent of the data subject, except in specific circumstances. Consent is generally also required where the data controller wishes to process personal data for purposes other than those for which consent was originally obtained. The Regulations will provide further detail in respect of consent, including information on circumstances where express consent is necessary, the ability of the data subject to withdraw consent at any time, and information on obtaining consent from those without legal capacity (such as minors). Consent is not to be a prerequisite for providing a service or benefit unrelated to the service or benefit in respect of which consent is sought / obtained.
The exceptions to the requirement for consent, as set out in the Law, may be summarised as follows:
When the processing activity is in the interest of the data subject, and it is impossible or difficult to contact him or her;
When the processing activity is carried out pursuant to another law, or to implement a prior agreement to which the data subject is a party; and
When the data controller is a public entity and the contemplated processing is required for national security or the administration of justice.
Significantly, the amended Law includes an additional exception: when the processing activity is necessary to achieve the legitimate interest of the data controller. This exception does not extend to sensitive personal data, and it is subject to the rights and interests of the data subject. Further detail is expected in the Regulations.
Some of these exceptions seem familiar, relative to the approaches taken elsewhere. Others seem to be broad, and could be subject to abuse in terms of the discretion available to the data controller.

Generally, personal data may only be collected directly from data subjects, and processed only for the purposes for which it was collected. There are exceptions to this, enabling the processing of personal data collected other than directly from data subjects in certain circumstances. Further detail will be provided in the Regulations, although these exceptions include:
With the consent of the data subject;
If the personal data is collected from a publicly available source;
When the data controller is a public entity and the contemplated processing is required for national security or public interest purposes, the implementation of another law or the administration of justice;
If following this requirement may harm the data subject or affect the vital interests of the data subject;
If collecting or processing the personal data is necessary for protecting public health or safety or the life or health of an individual or specific individuals; and
If the personal data will be stored in a format that makes it impossible to identify the data subject.
Again, the amended Law includes an additional exception: when the processing activity is necessary to achieve the legitimate interest of the data controller. This exception does not extend to sensitive personal data, and it is subject to the rights and interests of the data subject. Further detail is expected in the Regulations.
Personal data may only be processed for lawful purposes, and the means of collecting and processing personal data need to be appropriate to the circumstances, bearing in mind the nature of the data subject, and the need for clarity and absence of deception.
There is a requirement for data minimisation, so that only the minimum personal data necessary for the contemplated purposes is collected and processed. Similarly, there is a retention limitation requirement, whereby data controllers may retain personal data only for as long as is necessary to fulfil the purposes for which the data was collected. If personal data is no longer required, then it must be destroyed – although if it can be anonymised then it is permitted to retain it, as further detailed in the Regulations.
Besides the general considerations applicable to sensitive data, the Law also provides specific considerations for certain types of sensitive data. Specifically, the Law contains particular restrictions applicable to health data and to credit information.
The following data subject rights are available, in accordance with the Law and the Regulations:
The right to know (and be informed) of the legal basis and purpose for personal data processing;
The right to have access to his or her personal data, in a legible and clear format, in accordance with the controls and procedures specified in the Regulations, and subject to restrictions set out in the Law (e.g. to protect the data subject from harm, or for security purposes, or to fulfil statutory requirements);
The right to have inaccurate personal data corrected or updated; and
The right to have personal data destroyed when it is no longer required for the purpose for which it was originally collected.
There is a restriction on the use of personal data, such as email addresses and postal addresses, to send promotional materials. This restriction does not apply to awareness-raising materials issued by government entities, or where the contact details are collected directly from the data subject and the consent of the data subject has been obtained in advance, and with a clear opt-out mechanism for such communications. The Regulations are to provide further controls in relation to marketing.
When personal data is collected directly from the data subject, certain information needs to be communicated to the data subject by way of a privacy policy. This includes:
The legal basis for the proposed personal data processing;
The purpose of the proposed personal data processing (and the fact that personal data will not be processed for other purposes except as permitted pursuant to the Law);
The identity and address of the data controller;
The identity of any entities to which the personal data will be disclosed, and in what capacity;
Whether the Personal Data will be transferred, disclosed, or processed outside Saudi Arabia;
The implications of not processing personal data in the manner contemplated;
The data subject rights as contemplated in the Law; and
Other considerations (to be specified in the Regulations), depending on the nature of the data controller’s activity.
With regard to accuracy, the Law requires data controllers to take adequate steps to verify that personal data is accurate, complete, kept up-to-date, and relevant to the purposes for which it was collected. The Law also requires data controllers to ensure that any entity to which personal data has been disclosed is notified of any changes/amendments to such personal data. The Regulations are to specify further details in terms of timelines to which the obligation to update applies, along with procedures for managing the impact of processing inaccurate or outdated personal data.
When selecting a data processor, data controllers must choose data processors able to give effect to the provisions of the Law and Regulations. There is an obligation on data controllers to verify that data processors comply with their obligations, in a manner consistent with the Law and Regulations, and without prejudice to the rights of the data subject or the requirements of the competent authority. The amended Law states that the Regulations shall specify the provisions necessary for this (including provisions relating to any subsequent contracts made by the processor). This seems to hint at the Regulations providing for ‘standard contractual clauses’, issued by the competent authority.
Generally, a data controller may only disclose personal data in limited circumstances, including:
When the entity requesting disclosure is a public entity and the contemplated processing is required for public interest or national security purposes, the implementation of another law or the administration of justice;
If disclosure of the personal data is necessary for protecting the public health or safety or the life or health of an individual or specific individuals; and
If the disclosure will be limited to processing in a manner that makes it impossible to identify the data subject.
The amended Law includes an additional exception: when the disclosure is necessary to achieve the legitimate interest of the data controller. This exception does not extend to sensitive personal data, and it is subject to the rights and interests of the data subject.
The Law sets out restrictions on disclosures applicable to some of these scenarios, including where the disclosure poses a risk to national security, affects the integrity of ongoing criminal investigations, violates the privacy of another data subject, or breaches professional or other confidentiality obligations.
There is a requirement to destroy personal data without delay after the purpose for which it was collected has been achieved. If the data is anonymised, this requirement no longer applies; nor does it apply in circumstances where there is a legal justification for retaining it, or where the personal data is closely related to legal proceedings and needs to be kept for such purpose.
Data controllers are required to apply appropriate technical and organisational measures to ensure the security of personal data, in accordance with the provisions of the Regulations. In the event of a data breach incident, whether it be a leak, unauthorised access, or unintended corruption or destruction, the Law contemplates an obligation to notify the competent authority. If such an incident could cause damage to the personal data or to the data subject, the Law contemplates an obligation to notify the data subject. The Regulations will provide further specifics applicable to these scenarios, presumably including aspects such as thresholds and timeframes.

The concept of a ‘privacy impact assessment’ appears in the form of an obligation on the data controller to evaluate the personal data protection implications of any product or service provided by the data controller. The Regulations will address this further.
Processing data for scientific, research or statistical purposes is permitted, without the consent of the data subject, if the identity of the data subject is removed or will be destroyed in the course of the processing. (There is a limitation to this latter exception in the context of sensitive personal data.) Other exceptions apply, and we expect further detail in the Regulations.
The revised Law retains a provision that limits the photocopying of official ID documents, with further detail to be provided in the Regulations.
The Law as originally published contemplated each data controller appointing one or more employees to perform a data protection officer type function, being responsible for compliance with the Law and Regulations. The amended Law states that the Regulations shall specify cases in which a data controller must appoint a Data Protection Officer, along with the responsibilities of a DPO. This indicates that not all data controllers will be required to appoint a DPO, and that there is likely to be a threshold element. This seems to be a pragmatic development.
The data transfer provision in the Law as originally published was cumbersome, resulting in significant concern in the market. The amended Law addresses these concerns to a degree, although the data transfer provisions could be understood as substantially the same provision, albeit somewhat better drafted.
Under the amended Law, transfers of personal data outside the Kingdom are permitted only to achieve one or more of the following purposes: to fulfil an obligation falling on the Kingdom, to serve the Kingdom’s interests, to fulfil an obligation to which the data subject is a party, or for other purposes to be specified in the Regulations.
Except in cases of extreme necessity to protect the vital interests of the data subject or to prevent, test or treat a pathological infection, a transfer of personal data to a recipient outside the Kingdom is only permitted if all the following requirements are met:
The transfer is not prejudicial to national security;
An appropriate level of protection is available to the personal data outside the Kingdom, not less than is available under the Law and Regulations, as assessed by the competent authority; and
The personal data being transferred is the minimum necessary for the purposes contemplated.
Saudi Arabia’s amended Personal Data Protection Law has now been published in the Official Gazette. While further detail will be set out in the associated Regulations, the Law seems to be a significant step in the right direction.
On data transfers, the key differences compared to the Law as originally drafted can be found in the removal of a specific requirement for the competent authority to approve the proposed transfer, and movement away from wording requiring the recipient to provide adequate guarantees (and replacement with reference to adequacy assessments by the competent authority). The removed aspects could still find their way into the Regulations, although if this were to happen we would expect them to be subject to thresholds and not of general application. The amended Law also alludes to the possibility of exemptions from some data transfer requirements.
Ultimately, the Regulations are to set out the provisions, standards and procedures relating to data transfers, and care will need to be taken to ensure that this key aspect is addressed appropriately. It is anticipated that the Regulations will include details that will facilitate the transfer of personal data to recipients outside the Kingdom, showing that the intention behind the Law is to facilitate cross-border data transfers and not unnecessarily hinder it.
The competent authority is responsible for supervising the application of the Law and its Regulations. (There is also mention in Ministerial Resolution No. 98 of SAMA and CST having certain powers – in respect of entities licensed by SAMA and CST, respectively.) Data controllers are required to cooperate with the competent authority. The competent authority also has various powers, including:
To request from the controller such documents or information as the competent authority may require in order to verify compliance with the Law and its Regulations;
To seek the assistance of any other entity to support it in performing its role;
To identify appropriate tools and mechanisms for monitoring compliance with the Law and Regulations (including a ‘national register’ of controllers); and
To provide services (including for a fee) related to personal data protection through such national register (or other means).
The competent authority has the power and discretion to delegate aspects of its function to other entities.
There are record keeping obligations on data controllers, and an obligation to make such information available to the competent authority upon demand. At a minimum, the record keeping obligations require data controllers to keep the following:
Contact details of the data controller;
Purpose of the processing activities;
Description of the categories of data subjects;
Identity of any entity to which personal data will be disclosed;
Whether any personal data will be transferred to an entity outside Saudi Arabia; and
Expected personal data retention timeframe.
The Law as originally published contemplated the competent authority establishing a ‘dedicated online portal’ through which data controllers will be required to register the fact of (and maintain a record of) their data processing activities, and pay an associated fee. These specific provisions were removed in the amended Law, although the national register referred to above, and the ability of the competent entity to charge for its services, would seem to address the same point, albeit in a less prescribed form.
As noted above, there is no longer a specific requirement in the Law for foreign data controllers to appoint a representative in Saudi Arabia, although general wording allowing the competent authority to determine appropriate tools and mechanisms to ensure compliance could result in such a requirement being introduced under the Regulations.
The Law permits aggrieved data subjects to submit a complaint to the competent authority in respect of any issue arising from the Law and Regulations, and further details on the complaint process are expected in the Regulations. The aggrieved party may also file a claim for damages before the competent court.
Under the Law, the unlawful disclosure or publication of sensitive personal data, with the intention of harming the data subject or for personal benefit, attracts serious penalties, namely imprisonment for up to two years and/or a fine of up to SAR 3,000,000 (about USD 800,000). This constitutes a criminal offence, which would be investigated by the Public Prosecutor. Recidivism can attract penalties of up to twice the maximum contemplated in the Law. Under the Law as originally published, failure to comply with the requirements relating to transfers of personal data was also criminalised, attracting significant penalties, namely imprisonment for up to one year and/or a fine of up to SAR 1,000,000 (about USD 270,000). In the amended Law, this specific offence (and its penalty) has been removed. The Law also provides for fines of up to SAR 5,000,000 (about USD 1,350,000) in respect of failure to comply with the requirements of the Law and its Regulations other than those specified above. (Again, recidivism can attract higher penalties.) The competent court can also confiscate funds generated from violations of the Law.
The competent authority will appoint officers to identify violations (supported by police, or other authorities, if required), and may seize equipment as part of its investigation. The competent authority will also establish a violations committee responsible for assessing such violations and determining the appropriate penalties. The decisions of the violations committee may be appealed to the competent court.
A further penalty available in respect of violations that become the subject of a final court decision or a final judgement of the violations committee is publication of the decision in a local newspaper.
The Law also provides for obligations of confidentiality for entities and personnel involved in personal data processing.
For further information, please contact Nick O'Connell or Simon Stokes.
Published in May 2023