The Kingdom of Saudia Arabia new has adopted new Personal Data Protection Law (PDPL) to regulate personal data processing and prevent personal data abuse in line with the goals of the Kingdom’s Vision 2030 to develop a digital infrastructure and support innovation to grow a digital economy. PDPL has many similarities with various national and international data protection regulatory sources including the GDPR.
Before adopting the PDPL the Kingdom adopted National Data Governance Interim Regulation (June 2020). NDGIR regulates foundational data protection and security principles. Also, this source serves to design a privacy management framework and shape monitoring systems. NDGIR and PDPL are supplementary sources even though there are some discrepancies between them. In addition, the National Data Management Office has adopted Data Management and Personal Data Protection Standards in January 2021 that complements the overall data protection regulatory framework.
It is worth mentioning that in 2018, the National Cybersecurity Authority (NCA) released Essential Cybersecurity Controls (ECC). They establish the minimum cybersecurity requirements in the KSA by proposing 114 specific technical controls organized into several interrelated domains. This source is also substantially important for the protection of personal data in the Kingdom.
Adoption and implementation of PDPL
PDPL was officially adopted by the announcement of Saudi Arabia Personal Data Protection Law Royal Decree M/19 of 9/2/1443H – officially announced on 16th September 2021. This law is officially enforceable 180 days after its announcement – 23rd March 2022. However, there is a grace period of one year that data controllers can use to modify their arrangements to ensure compliance.
The PDPL will be supplemented by executive regulations that should provide additional clarity on many provisions. The draft version of executive regulations open for public discussion was published on 10th March 2022.
The Saudi Data & Artificial Intelligence Authority (SDAIA) will supervise the implementation of the new law for the first two years, following which a transfer of supervision to the National Data Management Office (NDMO) will be considered.
Scope of application
PDPL covers the processing by businesses or public entities of personal data performed in the Kingdom of Saudia Arabia (KSA) by any means whatsoever, including the processing of the personal data of KSA residents by entities located outside of the Kingdom. In practice, a company could, therefore, be caught by the PDPL even if it is not established in KSA but it sells goods or services to KSA-based customers. PDPL also includes extraterritorial effects, so organizations based outside KSA will still be subject to the law and its requirements if they process the personal data of KSA residents. In this matter, PDPL is quite similar to the territorial application of the GDPR.
The most important definitions
PDPL is designed to protect ‘personal data’. Personal data is defined as ‘Every data – of whatever source or form that would lead to the identification of the individual specifically or make it possible to identify him directly or indirectly, including name, personal identification number, addresses, contact numbers, license numbers, records, personal property, bank account and credit card numbers, fixed or moving pictures of the individual, and other data of personal nature.’
PDPL defines sensitive data as follows: ‘Every Personal Data that includes a reference to an individual’s ethnic or tribal origin, or religious, intellectual or political belief, or indicates his membership in nongovernmental associations or institutions, as well as criminal and security data, biometric data, genetic data, credit data, health data, location data, and data that indicates that both parents of an individual or one of them is unknown.’
Notwithstanding the nuance differences, it would not be wrong to claim that PDPL concept of personal data is quite similar to the definition provided by GDPR. The definition of personal data has a broad scope, and its interpretation is not constrained to enumerated types of information or sets of information. It is a word about information that might lead toward direct or indirect identification of a natural person.
Concerning the definition of sensitive data, there are overlapping elements with the GDPR concept of ‘special category of data’. Nevertheless, there are noticeable differences. It comes as no surprise that data related to sex life or sexual orientation is not considered sensitive data in PDPL. However, it is quite surprising that location data got the status of sensitive data and a higher level of protection.
The concept of the data controller is defined similarly to GDPR, – a person, company, or other body that determines the purpose and means of personal data processing.
The lawfulness of data processing
According to the PDPL, the primary basis for processing personal data is the consent of the data subject. Consent is defined as ‘a knowing, voluntary, clear, and specific, expression of consent, whether oral or written, from the Data Subject signifying agreement to the processing of personal data.’ The PDPL allows for processing other than on the basis of consent if:
- the processing achieves a ‘definite interest’ of the data subject, and it is impossible or difficult to contact the data subject;
- if the processing is in accordance with another law, or in the implementation of an earlier agreement to which the data subject is a party;
- and if the data controller is a public entity and such processing is required for security purposes or to meet judicial requirements
Data subjects have the right to withdraw their consent to the processing of their personal data. Importantly, data controllers must also have the prior consent of individuals to send direct marketing and must provide an opt-out mechanism. It is expected from executive regulations to outline the ‘cases in which the consent must be in writing’.
The legal grounds for the lawful processing of personal data are similar to those laid down by the GDPR. Nevertheless, the PDPL does not include a concept of processing for ‘legitimate interests’, and it seems one of the greatest differences between GDPR and PDPL.
Data Protection Principles
Data controllers must adhere to purpose limitation and data minimization principles. These principles are defined in a similar manner as is the case with GDPR. Personal data may only be processed for lawful purposes, and the means of collecting and processing personal data need to be appropriate to the circumstances, bearing in mind the nature of the data subject, and the need for clarity and absence of deception. Also, there is a requirement to process only the minimum scope of personal data for needed purposes. The data controller is obliged to ensure the accuracy, completeness, and relevancy of personal data before processing it.
Lawfulness, transparency and fairness, storage limitation principle, integrity, and confidentiality, as well as accountability, are regulated in PDPL by prescribing specific provisions and particular obligations.
Data controller obligations
- Registration requirements – the data controller is subject to registration via an electronic portal maintained by SDAIA. An annual registration fee is needed, and it will be determined by executive regulations. The registration requirement is one of the most noticeable differences between GDPR and PDPL. The registration requirement is not unknown In the European data protection regulatory framework, but it is outdated.
- Records of processing activities (RoPA) – the data controller must create and maintain RopA of how they process personal data, and it must be registered with the SDAIA. RoPA shall contain the purpose of the processing, entities to which the personal data was or will be disclosed, whether the personal data was or will be transferred outside of KSA, and the expected retention period. The duration of retaining the records will be prescribed by the executive regulations.
- Impact assessments – the data controller must assess projects, products and services to identify data protection risks posed to individuals. This concept could not be considered as equal to data protection impact assessment regulated by the GDPR. However, the main difference is a data controller’s obligation according to the PDPL to assess any project, product, or service and not only those that might provoke certain impact to individuals (as it is the case with data protection impact assessment).
- The legal basis or practical justification for the proposed personal data processing;
- The purpose of the proposed personal data processing;
- The identity and address of the data controller;
- Data subject rights
- The identity of any entities to which the personal data will be disclosed, and in what capacity;
- Whether the Personal Data will be transferred, disclosed, or processed outside Saudi Arabia;
- The implications of not processing personal data in the manner contemplated;
- The data subject rights as contemplated in the Law; and
- Other considerations (to be specified in the Regulations), depending on the nature of the data controller’s activity.
In the matter of providing information to individuals regarding the practice of processing their data PDPL is consistent with GDPR. From the perspective of the European data protection regulatory framework, PDLP covers to a large extent what should be addressed to data subjects to properly inform them.
- Breach notification – The data controller will be expected to report data breaches to the regulatory authority as soon as they become aware of an incident. Executive regulations will specify circumstances in which the data controller will have to notify the data subject about the breach. Therefore, we need to wait for additional regulation to assess the level of consistency of the PDPL with GDPR in this matter.
- Training – The data controller will be obliged to ensure that staff are suitably trained in the PDPL and data protection principles. This explicit requirement does not exist in the GDPR, but it is quite a regular demand of data protection programs.
Data subjects’ rights
Data subjects are provided with the following rights:
- to get information about how their data is processed;
- to access copies of their data;
- to request corrections of their data;
- to withdraw consent for processing their data;
- to lodge complaints with the regulatory authority.
Data controllers are required to respond to data subject requests for exercising the rights within the period that will be specified in the Executive Regulation.
There is a restriction on the use of personal data, such as email addresses and postal addresses, to send promotional materials. This restriction does not apply to awareness-raising materials issued by government entities, or where the contact details are collected directly from the data subject and the consent of the data subject has been obtained in advance, or where there is a clear opt-out mechanism for such communications. Concerning this restriction, the PDPL contains specific regulatory provisions that do not exist in the GDPR (at least not in a sector-specific manner).
Data governance and security
Any foreign company operating in the KSA and processing personal data of KSA residents must appoint a local representative. More guidance regarding when this requirement will become effective is expected in forthcoming executive regulations. Organizations will also be expected to appoint data officers to manage compliance with the law.
PDPL establishes a requirement for entities outside Saudi Arabia, that are processing personal data of data subjects in Saudi Arabia, to appoint a representative in Saudi Arabia to fulfill their obligations under relevant regulations. However, this should be done in five years from the law coming into effect.
PDPL enshrines that the data controller must take the necessary organizational, administrative and technical measures and means to ensure personal data is preserved, including when it is transferred, in accordance with the provisions and controls that will be specified in the executive regulations. It is obvious that the formulation of the provision sounds as Art. 32 of the GDPR. However, we will have to wait for additional regulations and then assess similarities with GDPR.
PDPL prohibits data controllers from transferring personal data to an entity outside of KSA. It is permitted only in limited circumstances (to comply with an agreement to which the Kingdom is a party, to serve KSA interests or for other purposes that will be set out in the executive regulations). However, even if the transfer meets one of the permitted exceptions, the data controller must receive approval from an appropriate government authority, among other conditions.
There are strict data localization requirements under PDPL, meaning that personal data of KSA residents must be physically stored within the Kingdom with a few limited exceptions, for instance, when so is required by law or when the transfer is required under the extreme necessity to prevent serious bodily injury or death.
The restriction of transferring data across borders is the crucial difference between GDPR and PDPL. The GDPR does not prohibit data transfer but requires several conditions to be met when a transfer is carried out in countries with a non-adequate level of protection. PDPL imposes a general prohibition of cross-border data transfer by allowing that only in extremely limited conditions. Nevertheless, executive regulation should give a better explanation of what those conditions will be.
Penalties and sanctions
Administrative penalties for violations of PDPL may go up to 5 million SAR (approx. 1,3 million USD), while serious violations may be criminally prosecuted and carry out the sentence of imprisonment for up to one year (actually, two for recidivism). PDPL introduces criminal offenses for failure to comply with the requirements relating to transfers of personal data. Any financial proceedings gained from unlawful data processing may also be confiscated. In addition, data subjects will also have the right to claim compensation for any material or moral damage stemming from the misuse or mishandling of their personal data. Therefore, there are obvious differences in sentencing unlawful data protection practices between the GDPR and PDPL.
The adoption of PDPL seems to be a significant step in the right direction toward global data protection. A general overview of the law demonstrates similarities with GDPR but also considerable differences in several fields. Nevertheless, further details will be set out in the associated regulations, hence so far conclusions should be taken with caution. For more certainty, we will have to wait for the executive regulations to be published.