On November 20, 2022, the Saudi Data and Artificial Intelligence Authority (SDAIA) launched a public consultation (which is open until December 20, 2022) on its proposed amendments to the Personal Data Protection Law (PDPL). Previously, on September 24, 2021, the Kingdom of Saudi Arabia published the long-anticipated PDPL pursuant to Royal Decree M/19 of 9/2/1443H, constituting the country’s first comprehensive national data protection legislation; although the PDPL was due to become effective on March 23, 2022, on March 22, 2022, SDAIA announced that it had decided to postpone the full enforcement of the PDPL to March 17, 2023, and, in collaboration with the National Data Management Office, further issued the Draft Executive Regulations supplementing the PDPL. The issuance of these draft regulations on March 10, 2022, was followed by a period of inactivity (and it is likely such regulations will be updated once the amendments to the PDPL are finalized) such that the launch of the public consultation now revives focus on the PDPL. The proposed amendments (the “Amendments”) contain significant changes to the prior version of the PDPL, including:
(i) Data Transfers: In a relaxation of the current narrow data transfer provisions, the Amendments introduce additional grounds on which personal data may be lawfully transferred outside of Saudi Arabia (including where the transfer is carried out in performance of an obligation of a data subject and where the jurisdiction to which the data is transferred ensures appropriate protection of personal data, the protection of data subject rights and has a sufficient supervisory authority such that the standard of protection is not less than the standard afforded under the PDPL and its implementing regulations) and further remove the potential penalty of imprisonment for non-compliance with the data transfer restrictions.
(ii) Lawful Interests: The Amendments incorporate the novel concept of “lawful interest” as (a) a legal basis for processing non-sensitive personal data; (b) a basis on which a data controller may collect non-sensitive personal data from a person other than a data subject or process such data for a purpose other than that for which it was collected (i.e., if the collection/processing is necessary to achieve the lawful interests of the controller or another party, without prejudice to the rights of the data subject and in accordance with the provisions of the implementing regulations); and (c) an exception to the prima facie prohibition on data controller’s disclosing personal data (i.e., disclosure of non-sensitive personal data by the data controller is permissible if it is necessary to achieve the lawful interests of the data controller or another party, without prejudice to the rights of the data subject and in accordance with the provisions of the implementing regulations).
(iii) Data Portability: The rights of data subjects have been extended to include the right to data portability (enabling data subjects to obtain their personal data in a clear, legible format and to request the transfer of their personal data to another controller where technically possible).
(iv) Data Breach Notification: The Amendments establish a risk threshold for data breach notifications, requiring the data controller to carry out the requisite notification where the leak, damage or access to personal data is capable of causing harm to the data subject or is detrimental to their rights or interests (although it is presently unclear whether such a standard applies in respect of notifications to both the Competent Authority and data subjects).
(v) Direct Marketing: The Amendments provide for the processing of personal data for marketing purposes on an opt-out basis (previously permitting such processing if the data was collected directly from the data subject who consented to the processing for marketing purposes) and further permit the processing of sensitive data for marketing purposes in certain prescribed circumstances (whereas this was previously prohibited outright).
(vi) Registration and Local Representative Requirements: Although the Amendments further clarify the powers of the Competent Authority, the Amendments remove certain provisions of the former version of the PDPL, including the obligation on controllers to register with the Competent Authority and for organizations outside of Saudi Arabia to appoint a local representative in Saudi Arabia.
The Amendments, particularly with regard to the broader data transfer provisions and lawful interests basis, are significant developments to the previously published PDPL. If the Amendments are finalized, the amended PDPL will enter into force 180 days after publication in the Saudi Official Gazette, thereby likely postponing the existing March 2023 enforcement deadline. More details are expected in the implementing regulations supplementing the PDPL.
We continue to monitor developments in this area.