A close-up on Saudi Arabia’s proposed personal data transfer regulations
Saudi Arabia Focus
Nick O’Connell, Partner, Head of Digital & Data - Saudi Arabia
The Saudi Data and Artificial Intelligence Authority (SDAIA) recently published proposed changes to the Transfer Regulations to the Personal Data Protection Law (PDPL). The proposed changes were open for public consultation until 18 April 2024. (Further details of the public consultation, along with a copy of the proposed amendments, are available here on the Istitlaa website.) In this article we provide a brief overview of the proposed changes, concluding that they generally enhance clarity and seem to be a positive development.
The proposed Transfer Regulation seems to be directed primarily at providing a more concise and coherent approach than that found in the Transfer Regulation. The following comments provide a general overview of changes, and more detailed information on material aspects, using the numbering and section headings found in the proposed Transfer Regulation as a reference.
Article 3 of the proposed Transfer Regulations makes clear that the Competent Authority will publish, on its website, a list of countries and international organisations that it has assessed as providing an adequate level of protection for personal data. As before, it also provides for the list to be reviewed every four years (or when required); and sets out amended criteria for a country or international organisation to be added to that list.
The amended criteria constitute a refined list of the considerations found in Art. 3.1 of the Transfer Regulations. Edited out of the new version are:
- references to the Competent Authority engaging with other concerned authorities as per their jurisdictions;
- reference to adequacy assessments based on ‘sectors’ (rather than, simply, countries and international organisations); and
- references to Art. 3.1.b and c. of the Transfer Regulations, which referred to somewhat general considerations (relating to rule of law and effectiveness of implementation of privacy laws), that can be viewed as falling within the remaining considerations.
Article 3.1 of the proposed Transfer Regulations includes what seems to be a new reference to obligations resulting from binding international treaties or conventions, the implementation of which may require the transfer of personal data.
Art. 4 of the Transfer Regulations was prescriptive in terms of the Competent Authority’s assessment of the level of personal data protection outside the Kingdom, and the associated processes. Thankfully, this level of detail is not reflected in the proposed Transfer Regulations.
Article 4 of the proposed Transfer Regulation reflects the most significant changes. Art. 5 of the Transfer Regulation essentially comprises two pages of unnecessary detail, including a list of different types of ‘appropriate safeguards’, as well as a lot of information on a ‘binding corporate rules’ type mechanism. The proposed Transfer Regulation helpfully strips out much of this detail.
The term “Appropriate Safeguards”, now appearing in the definitions section (Article 1), is used in Article 4 of the proposed Transfer Regulation. The definition itself could be refined, but it is otherwise quite helpful in terms of providing a general term (rather than too much specific information) on which the Competent Authority and Controllers can rely.
The opening wording of Article 4 of the proposed Transfer Regulation would benefit from revision, as it seems to provide a stand-alone exception – which is surely not the intention. Properly, we would assume that the desired outcome is that, in the cases set out in Article 4.1 of the proposed Transfer Regulation, there shall be no requirement to comply with Article 29.2.b (adequacy decision) or Article 29.2.d (minimisation) of the PDPL, subject to the adoption of Appropriate Safeguards.
In terms of the relevant cases set out in Article 4.1.a to Article 4.1.e of the proposed Transfer Regulations, these do not generally raise any material concerns. In some instances, they allude to standard contractual clauses and binding corporate rules, as well as exceptions relating to sensitive personal data and requirements relating to data controllers being certified by an entity licensed by the Competent Authority. (There would seem to be opportunities here for licensed data protection consultancies.)
This indicates that a certification will be required to rely on the relevant exemptions. This is likely to add to the compliance burden and cost, and potentially cause delays.
Article 5 of the proposed Transfer Regulations seems to be entirely new. It introduces the requirements relating to onward transfers of personal data – that the PDPL and the Implementing Regulations shall apply to personal data that is previously transferred or disclosed to an entity outside Saudi Arabia. This would seem to be consistent with the approach to onward transfers under GDPR, although there are arguments against this approach. (The key one being that if the initial transfer outside the Kingdom was compliant with adequacy decisions or appropriate safeguards then onward transfers should also adequately protect the data subject.)
Article 6 of the proposed Transfer Regulations reads as a simplified version of Art. 7 of the Transfer Regulation. The changes include a reference to Article 4 of the proposed Transfer Regulation (which essentially replaces Art. 5 and Art. 6 of the Transfer Regulation). While specific references have essentially been edited out, their absence is not material to the scope of the scenarios in which exemption granted under Article 4 of the proposed Transfer Regulation may be withdrawn. The new wording is general, and sets clear, basic rules.
Article 7 of the proposed Transfer Regulations reads as a simplified version of Art. 8 of the Transfer Regulation. The changes include a reference to Article 4 of the proposed Transfer Regulation (which essentially replaces Art. 5 and Art. 6 of the Transfer Regulation). There are some minor changes to the criteria relating to risk assessments for data transfer, but these seem to be in the nature of clarifications and of no material concern.
The following table broadly ‘maps’ the provisions in the Transfer Regulations against the proposed Transfer Regulations.
| Proposed Transfer Regulation | Current Transfer Regulation | Comment |
| --- | --- | --- |
| 1. Definitions | Art. 1 | Article 1 of the proposed Transfer Regulation is substantially the same as Article 1 of the Transfer Regulation, except ‘Transfer of Personal Data’ has been removed as a definition; and a definition of ‘Appropriate Safeguards’ has been added. |
| 2. Other purposes of Transfer or Disclosure of Personal Data to Entities outside KSA | Art. 2.4 | Article 2 of the proposed Transfer Regulation is substantially the same as Article 2.4 of the Transfer Regulation. |
| 3. Procedures and Standards for Assessing Protection Level for Personal Data outside KSA | Art. 3.1; Art. 4 | Article 3.1 of the proposed Transfer Regulation can be mapped to some of the provisions in Article 3.1 of the Transfer Regulation. Articles 3.2 and 3.4 of the proposed Transfer Regulation largely correspond to Articles 4.3 and 4.4 of the Transfer Regulation. |
| 4. Cases of Exempting Controller from Compliance with Appropriate Protection Level and Minimum Limit of Personal Data Transfer | Art. 5 | Article 4 of the proposed Transfer Regulation relates to Article 5 of the Transfer Regulation, but with material changes that seem aimed at simplifying/consolidating the original provision. |
| 5. Subsequent Transfers of Personal Data* | N/A | Article 5 of the proposed Transfer Regulation seems to be entirely new. |
| 6. Withdrawal of Exemption | Art. 7 | Article 6 of the proposed Transfer Regulation relates to Article 7 of the Transfer Regulation, but with modest changes that seem aimed at simplifying/consolidating the original provision. |
| 7. Risk Assessment of Transferring or Disclosing Personal Data to an Entity Outside KSA | Art. 8 | Article 7 of the proposed Transfer Regulation largely corresponds to Article 8 of the Transfer Regulation, but with modest changes that seem aimed at clarifying the original provision. |
| 8. Manuals and Guidelines | Art. 9 | Article 8 of the proposed Transfer Regulation is substantially the same as Article 9 of the Transfer Regulation. |
| 9. Enforcement | Art. 10 | Article 9 of the proposed Transfer Regulation is substantially the same as Article 10 of the Transfer Regulation. (There is a slight difference in that the amended version will come into force following publication in the official gazette.) |
Data controllers concerned with any aspects of the proposed changes to the transfer regulations should consider submitting a proposal in advance of the 18 April 2024 consultation deadline.
For further information, please contact Nick O’Connell.
Published in April 2024