January 18, 2022. This article is Part 2 of a series of posts providing an overview of some key legal and regulatory developments that happened in the Middle East during 2021 in the field of data protection and privacy.
Part 1 (United Arab Emirates) is accessible here.
Part 3 (Qatar) is accessible here.
Part 4 (Kuwait) is accessible here.
Kingdom of Saudi Arabia
On September 24 2021, the Personal Data Protection Law (“PDPL”) was published in the Official Gazette for the Kingdom of Saudi Arabia (KSA), and became the first comprehensive national level data protection regime to be enacted in KSA.
As is the case with many new legal frameworks, much of the legislative detail of the PDPL (such as more specific compliance requirements and enforcement measures) will be reflected in Executive Regulations which are pending implementation. It is expected, however, that these Executive Regulations will be promulgated by 23 March 2022, when the PDPL becomes effective. As such, now is an opportune time for organizations that will be captured by the PDPL to begin assessing whether and to what extent their processing activities are implicated and, if so, begin taking steps toward anticipating what will need to be done to ensure compliance.
The PDPL reflects some of the wider internationally recognized principles of data protection and privacy, such as those enunciated in the General Data Protection Regulation (GDPR) – for example, individual rights to be informed of the purposes for which data is collected/processed, purpose-based limitations on collection, rights of access, and rights to request correction of inaccurate data. However, some elements of the PDPL are distinct from what one might be accustomed to seeing in a GDPR or largely GDPR-based framework.
Some of the key features of the PDPL are as follows:
- The primary basis for justifying data processing is the consent of the data subject (which may be withdrawn). It is contemplated that further conditions surrounding consent will be set out in the pending Executive Regulations.
- “Personal Data” is generally defined, very broadly, as data of an identified or identifiable individual (and, interestingly, also expressly includes data of deceased individuals). “Sensitive Data”, which is subject to heightened processing bases and restrictions, is defined as data relating to “ethnic or tribal origin, or religious, intellectual or political belief, or [which] indicates membership in non-governmental associations or institutions, as well as criminal and security data, biometric data, genetic data, credit data, health data, location data, and data that indicates that both parents of an individual or one of them is unknown.” The specific reference to location data is likely to be of interest to a growing number of organizations and service providers that rely on this to facilitate functionality on their apps, to track the behaviour of individuals, for marketing purposes, etc.
- The PDPL imposes data breach notification obligations on controllers: breaches must be notified to the data protection authority and, where the breach is likely to cause material harm to the individual or their data, also to the affected data subject.
- Health data and credit data of individuals are specifically referenced in the PDPL, in the context that it expressly contemplates these categories of data being subject to additional and specific pending controls and procedures in the forthcoming Executive Regulations.
- Data controllers will be required to register in an electronic portal to be established by the data protection authority, which will serve as a national record of controllers and in which controllers will be required to log their processing activities. Registration will be subject to payment by the controller of an annual fee calculated with reference to the nature of the processing activity (to be further described in the pending Executive Regulations, but capped at 100,000 Saudi Riyals, approximately USD $27,000).
Enforcement measures under the PDPL are also much stricter than what data protection compliance professionals may be accustomed to in other regions. In particular, both (i) unauthorized use of sensitive data (where there is an intent element of causing harm to the data subject or gaining personal benefit); and (ii) a transfer of personal data outside of KSA that is not compliant with the cross-border transfer requirements of the PDPL, have the potential to attract both monetary penalties and terms of imprisonment. The law also expressly reserves the right of any data subject who has been harmed by any violation of the PDPL to seek damages before the courts.
Also noteworthy is the fact that the PDPL purports to have extra-territorial effect: it applies not only to personal data processing taking place inside KSA, but also to the processing of personal data of data subjects resident in KSA by organizations located outside of KSA. The PDPL also requires such non-resident controllers to appoint a representative inside KSA, to be licensed by the data protection authority, who will be responsible for compliance with the PDPL in connection with those processing activities.
As noted above, the PDPL will formally come into effect on 23 March 2022. Following this time, controllers will have a one-year compliance grace period to ensure their activities are aligned with the requirements of the PDPL and the Executive Regulations. Although this may seem like a very generous time frame, the requirements of the PDPL are quite extensive, ambitious and (in certain respects) not particularly conventional from a more traditional privacy compliance program standpoint. As such, organizations (both inside and outside KSA) that will be captured by the PDPL’s requirements should be seeking to take steps to assess and plan what is necessary to be in compliance now.