The Middle East’s data protection regulatory landscape is complex, and continues to develop with Saudi Arabia’s (KSA) newly published Personal Data Protection Law (PDPL).
While the PDPL contains the main features of a modern data protection law, it cannot be considered a direct analogue of the GDPR. For example, an unlawful transfer of personal data outside of KSA can result in a criminal conviction and imprisonment.
The PDPL is a law that applies on a national level and so, unlike other KSA sector specific laws dealing with privacy laws to date, the PDPL will apply to all sectors (with certain possible exceptions, discussed below). For this reason, the PDPL will also need to be considered in the broader KSA legal and regulatory framework, be considered with other sector specific frameworks such as those issued by Saudi Central Bank, or other technology focused frameworks such as the CITC’s Cloud Computing Regulatory Framework (CCRF), or the CITC’s IOT Regulatory Framework, as well as the existing Personal Data Protection Interim Regulations (PDPIR).
In this article our dedicated data protection team takes a look at the major features of this new law.
The PDPL was published in the Saudi Arabian Official Gazette on 24 September 2021. It becomes fully effective on 23 March 2022. Data Controllers then have another year in which to comply with the PDPL, although this period might be extended. The PDPL will be supplemented by regulations, which should be published by 23 March 2022, and which will very likely provide further colour and guidance to actual application of the PDPL. However, the following issues are the key takeaways for immediate consideration:
The Regulator. The Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA) will be the regulator for at least 2 years. The Central Bank and the Communications and Information Technology Commission (CITC) both appear to maintain their jurisdiction to regulate data protection within their remit. SDAIA, the Central Bank and CITC are to coordinate on this through MOUs.
Extraterritoriality. The PDPL applies to any processing of personal data related to individuals that takes place in the Kingdom, including the processing of such personal data “by any means by any entity outside the Kingdom”. Foreign data controllers must appoint a representative within KSA to be licensed by SDAIA, to perform the data controller obligations under the PDPL.
Deceased’s data. Unlike most other data protection laws, the processing referred to above includes processing of a deceased’s data, if this would lead to identifying him or one of his family members specifically.
Consent is the primary legal basis for processing. The primary basis for processing is consent of the data subject. The Regulations will outline the “cases in which the consent must be in writing”. This indicates that there may be cases in which consent can be collected by means other than in writing. However the PDPL itself does not refer to a concept of processing for “legitimate interests” in the same manner as the GDPR, and indeed as other data protection frameworks in the region allow for. Rather the PDPL allows for processing other than on the basis of consent if:
- The processing achieves a “definite interest” (not defined) of the data subject and it is impossible or difficult to contact the data subject;
- If the processing is in accordance with another law, or in the implementation of an earlier agreement to which the data subject is a party; and
- If the data controller is a public entity and such processing is required for security purposes or to meet judicial requirements.
Data transfers out of the Kingdom are even more tightly controlled than under existing legislation. Transfers may still require approval by the data regulator. The PDPL seems introduces a data transfer regime, which is consistent with, but possibly even more rigorous than, other existing KSA laws that contain data localization requirements (such as the CCRF, IOT Framework and the existing Personal Data Protection Interim Regulations);
- extreme necessity to preserve the life of a data subject outside of KSA;
- to prevent, examine or treat a disease;
- if the transfer is in implementation of an obligation under which the KSA is a party;
- to serve the interests of the Kingdom; or
- other purposes as determined by the Regulations (yet to be issued).
However the above is still predicated upon complying with the following conditions:
- the transfer or disclosure does not prejudice national security or the vital interests of the Kingdom;
- there are sufficient guarantees for preserving the confidentiality of the personal data to be transferred or disclosed, so that the standards are not less than the standards in the PDPL and the Regulations;
- the transfer or disclosure must be limited to the minimum personal data needed; and
- the competent authority approves the transfer or disclosure, as determined by the Regulations.
Health data access. The regulations are to provide additional controls and procedures around the processing of health data, to ensure the preservation of privacy of its owners. The PDPL requires that the regulations include the following:
- a restriction of the right to access health data, including medical files, to the minimum possible number of employees or works and only to the extent necessary for providing the necessary health services; and
- limiting health data processing procedures and processes to the minimum possible number of employees and works for providing health services or health insurance programs.
Credit data access. Similar to health data, the regulations are to provide rules regarding the processing of credit data in a manner that ensures the preservation of the privacy of its owners and protects their rights in the PDPL and the Credit Information Law. The regulations must include the following:
- There must be necessary actions to verify the availability of the written consent of the data subject to the collection of the data, or change of the purpose of collection of it, its disclosure or publication in accordance with the PDPL and Credit Information Law; and
- The data subject must be notified if a request for disclosure of his credit data is received from any party.
Direct marketing. There are rules around the use of personal data for marketing purposes. This include that data controllers must not use personal means of communications, including postal and electronic addresses, of the data subject in order to sent promotional or awareness materials without first obtaining the consent of the data subject, and providing the data subject with a mechanism to opt out.
Official documents must not be photocopied. It is a common practice in the region for official documents such as passports or ID cards to be photocopied. The PDPL prohibits this unless it is for the implementation of the provisions of a law, or if a competent public authority requests these, in accordance with the PDPL regulations.
Registration requirements. Data Controllers must register with SDAIA. There will be a fixed fee for private entities that are data controllers, which is yet to be published in the Regulations. Records of Processing Activities (ROPA) need to be registered with SDAIA. Like other data protection laws the PDPL appears to require that the Data Controller prepares a ROPA. Unlike other data protection laws, this law indicates that the ROPA must also registered with SDAIA. As ROPAs should be regularly reviewed and updated, when data processing practices change within an entity, presumably this requires the data controller to register amendments to its ROPA as well. This remains to be seen.
Criminal Penalties. There are criminal penalties of imprisonment for:
- unlawfully transferring data out of KSA (imprisonment of up to 1 year and/or a fine of up to SAR 1 million); and
- disclosing sensitive data unlawfully (imprisonment up to 2 years and/or a fine of up to SAR 3 million).
Administrative Fines. Separately SDAIA has the power to issue administrative fines of up to SAR 5 million for any other violation. This is appealable. This would appear to apply to breaches around issues such as failing to obtain appropriate consent, failure to respect data subject rights, failure to provide adequate notice of processing and so on.
Confiscation of funds. A court may order confiscation of funds obtained as a result of committing the violations stipulated in the PDPL.
Compensation. Data subjects may seek compensation for violations of the PDPL for “material or moral damage in proportion to the extent of the damage”.
Ongoing compliance with existing laws and NDMO Personal Data Protection Interim Regulations. The PDPL does not appear to repeal the existing NDMO Personal Data Protection Interim Regulations, and so Data Controllers would appear to still need to comply with those regulations, while developing their compliance with the new PDPL.
What can you do now?
While the PDPL is not effective as law until 23 March 2022, and there is a grace period of up to a year for data controllers, the PDPIR is in effect now. Organisations can take steps now to comply with the PDPIR and at the same time seek to develop a framework that can be readily adapted to comply with the PDPL when it becomes effective. Some of these steps include:
- Conduct a data mapping exercise. This is a process by which an organisation identifies, among other things:
- the personal data that it collects, processes, stores and transfers;
- where the personal data comes from;
- why it is collected;
- where it is stored and transferred; and
- who the data is shared with.
The data mapping exercise will provide an organisation with a snapshot of how its data is collected and managed. It will allow for an honest identification of the gaps that must be closed in order to comply with any applicable data protection law.
- Develop a Record of Processing Activity (ROPA).Whether it’s a legal requirement or not, the ROPA is the backbone of any good data protection compliance framework. After conducting the data mapping exercise, the information will need to be systematised into a format that can be readily accessed by the organisation. Many data protection laws require that data controllers keep such records, and indeed the PDPL requires this as well. ROPAs can take various forms, and can be bespoke to the organisation. At present there is no specified format of a ROPA for either the PDPIR or the PDPL. Although developing a ROPA may sound like an onerous task, the benefits for doing so will pay off in multiple ways. The ROPA will feed directly into developing data protection policies, data subject right processes, data processing agreements, data transfer processes and policies and so forth. It should be borne in mind that the ROPA is not static, and can be built upon and amended as the organisation and its data use profile changes.
- Develop appropriate consent language. Consider the means by which consent is currently obtained, and the language that is used to collect and record this consent. Is it appropriate for the purposes your organisation is collecting and processing that data?
- Develop appropriate personal data protection policies that reflect the organisations approach to personal data management, explaining the data subject’s rights and how your organisation will work with data subjects around these.
- Review your contracts. Review both the contracts from your suppliers and the contracts with your customers to identify what, if any, data protection clauses exist. Amendments may not need to be made at this stage, but conducting an audit such as this early on will assist in a smooth assessment of which contracts need amendment and possible renegotiation at the right time.
- Review and consider existing technical and organisational measures and controls around data security , including the services and technologies used to protect data, and also data access policies for staff and contractors;
- Develop a cyberattack response process. Even if presently there is no legal requirement to notify a regulator of a data breach, has your organisation developed a process to handle a cyberattack or other data breach, such as a ransomware attack? What are the steps the organisation will take? Who within your organisation is responsible? Do you have alternative methods by which you can communicate with that team? Has the process been tested?
- Training. Raise awareness of personal data protection issues within your organisation, including why it is important, how data protection can be a differentiator for your business and the risks when it goes wrong.
As well as KSA’s PDPL (and the existing PDPIR) the market is also expecting the United Arab Emirates to publish its data protection law in the very near future. What the UAE law contains and how it will work alongside the Saudi Arabian PDPL, as well as other UAE data related laws, remains to be seen, however taking the steps referred to above now, will allow organisations to leverage these instruments into their both their KSA and UAE compliance frameworks, if required.