The Egyptian Cabinet of Ministers has recently approved a draft data protection law in Egypt (the ‘Draft Law’) which is currently being reviewed by Parliament. While the Draft Law may witness changes in Parliament, it is likely that many of its core tenets will not change. The Draft Law attempts to mimic the EU’s General Data Protection Regulation (‘GDPR’) in more ways than one. The reason for that is twofold: the first reason being that the GDPR offers a good regulatory framework to apply; while the second reason is that it is much easier to interact with the EU on a technological level when data protection is comparable to that of the EU. One of the many ways in which the Draft Law is similar to the GDPR is in the former’s definition of personal data.
The Draft Law defines personal data as “any data relating to an identifiable natural person, or is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, voice, picture, an identification number, an online identifier or to one or more factors specific to the physical, mental, economic, cultural or social identity of that natural person.” (‘Personal Data’). This definition is taken almost verbatim from the GDPR.
The Draft Law further identifies sensitive personal data, similarly to the GDPR, as “data which reveal the mental health, physical health, genetic health, biometric data, financial data, religious beliefs, political opinions, security status relating to the natural person. In all cases, data relating to children are considered sensitive personal data.” (‘Sensitive Personal Data’).
The Draft Law applies to partially or fully electronically processed data with any holder, controller, and processor of data related to all natural Egyptian persons as well as non-Egyptians residing in Egypt.
The crimes committed under the Draft Law can also apply to non-Egyptians if the act committed is punishable where it occurred and relates to the data of Egyptians or non-Egyptian residents.
The Draft Law does not apply to the following:
The Personal Data Protection Centre (as defined below) must, upon the request of the national security entities, notify the controller or processor to amend, delete, not show, make available, or circulate Personal Data for a defined period of time. Controllers and processors are obliged to execute the request.
The Draft Law will become effective three months from the date of publication and relevant parties will be required to reconcile their status within one year from the issuance of the executive regulations, which should be issued within six months from the date of promulgation of the Draft Law.
The Draft Law establishes a personal data protection centre which is tasked with regulating data protection, issuing licences, creating regulations and mechanisms to ensure data protection, and receiving complaints (‘Personal Data Protection Centre’ or ‘Centre’).
Licences and Permits
The Centre is tasked with issuing licences or permits for: controllers, processors, consultants, direct marketing activities, organisations, unions, or clubs; controlling and processing sensitive Personal Data; visual surveillance of public spaces as well as cross-border transfers.
It is worth noting that an entity may hold more than one licence or permit.
The Draft Law grants a set of rights to the data subject, who is any natural person whose Personal Data is processed (‘Data Subject’), in order to protect their data from controllers and processors.
Most importantly, Personal Data may not be collected, processed or disclosed, without the explicit and rescindable consent of the Data Subject.
The Data Subject also has the right to know, inspect, access, correct, and determine the degree of processing of their Personal Data possessed by any holder, controller or processor. Though the aforementioned rights can be exercised in exchange for a fee not exceeding EGP 20,000, the right to know of any breach of Personal Data is free of charge. Such access requests must be met or rejected within six working days, provided that, in the case of rejection, the decision indicates the reasons for rejection.
In order to collect and process data, the Personal Data must be
The Data Subject is also entitled to lodge a complaint to the Personal Data Protection Centre against the controller or the processor for a breach of data protection and for the denial of access to Personal Data. Such complaints must be decided upon within 30 working days and the controller or processor of data must comply with the Centre’s decision within seven working days.
The Draft Law imposes a number of obligations on the controller and processor of Personal Data in order to protect the Data Subject and ensure compliance with the Draft Law.
The controller of Personal Data is obliged to:
The processor of Personal Data is obliged to:
Processing Personal Data is considered legitimate in any of the following cases:
The controller and processor are required to notify the Centre of any breach of Personal Data within 24 hours from the time of the breach. They are also required to submit a detailed report of the breach within 72 hours. The Centre, in turn, shall immediately notify national security entities. The controller and/or processor is also required to notify the Data Subject of the breach within 10 working days from notifying the Centre.
Data Protection Officer
According to the Draft Law, the controller and/or processor of Personal Data is required to appoint a data protection officer who shall be placed in charge of complying with the Draft Law, conducting regular inspections, and receiving and responding to requests from Data Subjects and the Centre.
The Draft Law also stipulates that transferring or sharing Personal Data abroad shall only occur by obtaining a permit from the Centre, provided that the state to which the Personal Data is being transferred has equal or greater data protection regulations. The processor or controller may provide access to Personal Data to another controller or processor provided the objectives are similar or in case of a legitimate benefit to the controller, processor or Data Subject.
Provided explicit consent from the Data Subject is obtained, Personal Data can be transferred to a state with lesser degrees of data protection in the following cases:
The Draft Law sets out conditions for direct marketing to Data Subjects, which include obtaining a licence, prior consent from the Data Subject, stating the sender, and creating a clear opt-out mechanism.
Sanctions for violating any of the provisions of the Draft Law range from administrative penalties such as warnings and suspension or revocation of licences to fines not exceeding EGP 2 million and/or jail sentences.
However, the Draft Law does permit reconciliation or settlements outside of court with the Data Subjects or the Centre.
The Draft Law helps regulate an area of law that had thus far remained woefully unregulated by the government. Provisions governing data protection have been scattered across several laws and regulations with no clear or definitive protection. In order to keep in line with global data protection trends as well as the internal need for a regulatory framework, it became clear that a comprehensive data protection law was necessary. Most importantly, the GDPR has created a framework to which we aspire.
Al Tamimi & Company’s Corporate Structuring team regularly advises on Data Protection issues in Egypt. For further information please contact Ayman Nour (email@example.com) or Mohamed Khodeir (firstname.lastname@example.org).