The amendment proposes business-friendly changes regarding data localization and legitimate interests.
On November 20, 2022, the Saudi Data and AI Authority (SDAIA) published an amended version of the Kingdom of Saudi Arabia’s (KSA or the Kingdom) Personal Data Protection Law (PDPL) for consultation (the Amended Draft). The Amended Draft contains significant changes which are largely business friendly, including a relaxation of strict data localization requirements and the introduction of a form of legitimate interests as a legal basis for processing.
Background to the PDPL
The PDPL is the first comprehensive generally applicable data protection law in the KSA. It was issued pursuant to Cabinet Resolution No. 98 of 7/2/1443H and Royal Decree M/19 of 9/2/1443H, and published in the Official Gazette in September 2021. The PDPL delegates a number of specific compliance requirements to Implementing Regulations. In March 2022, SDAIA published an initial consultation version of these Implementing Regulations and also announced that full enforcement of the PDPL would be postponed until March 2023. However, since the Implementing Regulations were not issued in final form, we expect that SDAIA will publish an updated version following amendments to the PDPL.
The PDPL has wide extra-territorial effect and applies to:
- any processing of personal data that takes place in the Kingdom; and
- the processing of personal data of individuals located in the Kingdom by organizations outside of the Kingdom.
This approach is very broad; unlike the territorial scope test in the EU General Data Protection Regulation (GDPR), the PDPL does not require an organization outside of the Kingdom to be specifically offering goods or services to, or monitoring the behavior of, data subjects in the Kingdom.
The PDPL appears to have been influenced by the GDPR in a number of areas. While the Amended Draft further aligns the PDPL with GDPR concepts, it also features important areas of divergence.
The PDPL joins a wave of new Middle East privacy laws, including the introduction of the first comprehensive federal data protection law in the United Arab Emirates.
Key Changes in the Amended Draft
- Data transfers: Article 28 of the Amended Draft introduces the concept of adequacy, allowing personal data to be transferred to a recipient in a jurisdiction which ensures appropriate protection of personal data and the rights of individuals. The Amended Draft also introduces a number of other grounds for transferring personal data outside the Kingdom, notably if the transfer is carried out in performance of an obligation of the data subject, which appears similar to contractual necessity under the GDPR. However, other commonly relied-upon transfer mechanisms/derogations under international privacy laws, such as standard contractual clauses and data subject consent, are not included. The transfer provisions in the Amended Draft represent the most significant change to the PDPL. The existing PDPL imposes strict data localization which requires Competent Authority approval to transfer personal data in the vast majority of cases, and allows possible imprisonment for non-compliance with transfer restrictions. Alongside the updated transfer provisions, the Amended Draft excludes possible imprisonment for non-compliance with transfer restrictions.
- Legitimate interests: Article 6 of the Amended Draft introduces a form of legitimate interests as a legal basis for processing non-sensitive personal data. Under the GDPR, this is a business-friendly, and frequently relied-upon, legal basis which allows controllers to balance their interests against the rights and freedoms of data subjects. However, the Amended Draft does not contain specific balancing or overriding wording, so the application of this legal basis remains uncertain.
- Data breach: Article 20 of the Amended Draft introduces a risk threshold for breach notifications (where a breach is capable of causing harm to a data subject or is detrimental to their rights and interests). However, whether this standard applies to both notifications to the Competent Authority and to impacted data subjects is unclear. The breach notification requirements still lack a specific time period, and further details will be included in the Implementing Regulations.
- Data portability: Article 4(5) of the Amended Draft introduces a right to data portability, which allows data subjects to request the transfer of their personal data from one controller to another (e.g., to a competitor) if this is technically possible. Unlike the GDPR, the right to portability has not been limited to specific legal bases for processing or to personal data provided by the data subject; however, further rules and conditions will be included in the Implementing Regulations.
- Direct marketing: Article 26 of the Amended Draft appears to allow marketing (involving the processing of non-sensitive personal data) to take place on an opt-out basis, rather than requiring opt-in consent in all cases. Further rules will be included in the Implementing Regulations.
- Location data: Under Article 1(11) of the Amended Draft, location data no longer features in the list of sensitive personal data, which aligns with the GDPR. Therefore:
  - location data can be processed under the newly introduced legitimate interests legal basis;
  - compliance requirements are reduced when it comes to processing location data for marketing purposes; and
  - the specific penalty of possible imprisonment for disclosing sensitive data (in certain cases) will not apply to location data.
- Registration and local representative requirements: Article 31 of the Amended Draft removes specific provisions requiring controllers to register with the Competent Authority (and pay a related fee) and requiring organizations outside of the Kingdom to appoint a local representative. However, the Competent Authority may still impose these requirements based on its broader powers for identifying tools and mechanisms for monitoring compliance.
- Powers of the Competent Authority: Article 31 of the Amended Draft grants many supervision powers to the Competent Authority, which include monitoring compliance, requesting documents and information from organizations, issuing guidelines, issuing decisions and instructions relating to enforcement, and cooperating with international counterparts.
Some other areas also diverge from the GDPR or otherwise contain uncertainties, including:
- restrictions on disclosing personal data (which do not mirror the legal basis available for processing);
- a requirement to keep records of the processing operations performed on personal data;
- no specific contractual requirements between controllers and processors; and
- possible imprisonment of up to two years for disclosing sensitive personal data with the intent to harm the data subject or for personal benefit.
SDAIA invites comments on the Amended Draft by December 20, 2022. Assuming SDAIA progresses with the Amended Draft, the amended PDPL will come into force 180 days after it is published in the Official Gazette, which will likely postpone the existing March 2023 compliance deadline.