Overview
The data protection landscape in the Kingdom of Saudi Arabia (“KSA”) is complex and under consultation, and is therefore not definitive, but is primarily regulated by:
- Personal Data Protection Law (“PDPL“) when it comes into force; and
- Interim Personal Data Protection Regulations (“PDPIR“) issued by the National Data Management Office (“NDMO“).
The PDPL was published in the Saudi Arabian Official Gazette on 24 September 2021 and was scheduled to enter into force on 23 March 2022. However, the Saudi Data and Artificial Intelligence Authority (“SDAIA”) announced that the full implementation of the PDPL would be postponed until 17 March 2023 in order to make “necessary changes”, which was confirmed by the publication of Royal Order No. 51627, which states that the implementation of the PDPL will be postponed for a period of 540 days from the date of its publication in the KSA Official Gazette (published on 24 September 2021). Therefore, it is expected that the published version of the PDPL will be replaced by an amended version of the law.
In fact, the long-awaited proposed amendments to the published version of the PDPL were submitted for public consultation on 20 November 2022 and expired on 20 December 2022.
Throughout this article, we have provided a brief explanation of the published PDPL regulations, but due to their non-final nature and the fact that they are subject to public consultation, they may undergo changes in the coming months. The most important points to date are as follows:
- The scope of application is extraterritorial, which is in line with European regulations, which means that it is applicable to all KSA entities that process personal data in whole or in part in that territory, but it is also applicable to entities outside the KSA that process data of citizens resident in the KSA by any means (digital, online, etc.).
- Another important point is that it applies to any data processing that takes place in the KSA by any means, and personal data means any information relating to natural persons.
- There may also be specific regulations applicable to certain industries/sectors, for example in banking, which is regulated by the Saudi Central Bank (formerly known as the Saudi Arabian Monetary Authority).
Privacy concepts
Personal data
The concept of the meaning of personal data becomes very important in the regulation of the right to privacy, which is why, according to the PDPIR, personal data are “Any item of data, whatever its source or form, which, alone or in combination with other available information, could lead to the identification of an individual, including, but not limited to: first and last names, Saudi ID card number, addresses, telephone number, bank account number, credit card number, health data, images or videos of that individual.
According to the PDPL, personal data is defined as “all data – from whatever source or in whatever form – which may lead to the identification of the particular individual or enable that individual to be identified directly or indirectly, including: name, personal identification number, addresses, contact numbers, license numbers, records, personal property, bank account, and credit card numbers, still or moving images of the individual and other personal data”.
Authority
Currently, and in accordance with the PDPL, the SDAIA will be the data regulator for at least two years. During this period, consideration will be given to the possibility of the NDMO overseeing the implementation of the PDPL, but this information is not yet firm and needs to be supplemented with the latest news. Regarding data protection the Saudi Central Bank and the Communications, Space, and Technology Commission seem to maintain their competence to regulate data protection within their competencies.
Registration
Under the PDPL, Data Controllers must register with the SDAIA, and will also be obliged to pay a fixed fee, but there is not yet sufficient information on this.
In addition, it is also stated that the controller will have to make a ROPA, which is already common in other privacy regulations, as a necessary document and which will have to be registered with the SDAIA on a mandatory basis.
DPO
The PDPIR does not set out any specific requirements for organizations to appoint such a representative. However, it does state that
foreign data controllers must appoint a representative in the KSA authorized by the “competent authority” (according to the Data Protection Act, this will be determined by a decision of the Council of Ministers) to fulfill the obligations of the data controller as stipulated in the provisions of the Data Protection Act. The granting of such licenses and the limits of the representative’s relationship with the controller in the processing of foreign data that he or she represents will be regulated in the Executive Regulation.
Technical and organizational measures
The PDPIR and PDPL are not prescriptive about specific technical standards or measures with regard to specific security requirements.
However, the PDPIR does provide that Personal Data should be protected from leakage, damage, loss, theft, misuse, modification, or unauthorized access according to the controls issued by the National Cybersecurity Authority and other relevant authorities.
Similarly, the PDPL provides that the Data Controller must take the necessary organizational, administrative, and technical measures and means to ensure Personal Data is preserved, including when it is transferred, in accordance with the provisions and controls specified in the Executive Regulations.
Breach notification
Under the PDPIR, Data Controllers must notify the Regulatory Authorities immediately, and no later than 72 hours, in the event of any data breach or leakage impacting Personal Data in accordance with the mechanisms and procedures determined by the Regulatory Authorities. In the event Data Controllers are not subject to specific Regulatory Authorities, then the NDMO will exercise the roles and functions of such authorities.
In addition, notification obligations may be triggered in specific contexts/sectors – for example, cloud service providers may be required to report security breaches to the CST depending upon the circumstances.
Enforcement
The PDPIR does not contain any express enforcement mechanism or penalties for non-compliance.
As per the PDPL, there are criminal penalties and fines for the following offenses:
- unlawfully transferring data out of KSA (imprisonment of up to 1 year and/or a fine of up to SAR 1 million); and
- disclosing or publishing Sensitive Data unlawfully with the intent of harming the Data Subject or with the intention of achieving some personal benefit (imprisonment of up to 2 years and/or a fine of up to SAR 3 million).
Separately, SDAIA has the power to issue warnings / administrative fines of up to SAR 5 million for any other violation, which is appealable. This is without prejudice to any more severe penalty stipulated in another law.
