The Dubai International Financial Centre (‘DIFC’) issued a new Data Protection Law, DIFC Law No. 5 of 2020 (‘DIFC DP Law’), repealing and replacing DIFC Law No. 1 of 2007.
This legislation, modelled on the gold standard General Data Protection Regulation (‘GDPR’), provides enhanced standards and controls for the processing and free movement of personal data by controllers and processors and protects the fundamental rights of data subjects. This includes how such rights apply to the protection of personal data in emerging technologies.
In this article, we focus on the obligations controllers (i.e. entities that control the processing of personal data) and processors (i.e. entities that process personal data under the direction of a third party) have to data subjects (i.e. the individuals from whom personal data is collected) when gathering personal data, and the rights of data subjects to object to the processing of personal data relating to them.
At a high level, there is a global discussion on the importance of an individual’s right to privacy, and to what extent this needs to be protected or even compensated. All around the world, individuals are handing over their precious data (‘the oil of the 21st Century’) to technology companies without exact knowledge of how and why the data is processed. In some cases, companies use the data for direct marketing, and at times, in profiling activities.
Privacy regimes such as the DIFC DP Law attempt to create a framework that recognises the importance and value of data to various entities in their quest for a more innovative world, whilst also protecting an individual’s privacy. Data rights give individuals autonomy over their data, which effectively, in the 21st Century, means autonomy over their private lives and over the extent to which those private lives can be tracked and recorded into the future.
Articles 32 to 38 of DIFC DP Law set out the data subject rights, which include:
These rights are generally comparable to those outlined in the GDPR.
Overall, the DIFC DP Law identifies three bases for what constitutes “lawful processing” which include:
In the same manner as provided in the GDPR, processing can be justified by a “legitimate interest” only if the interest of the data controller is not overridden by the rights or interests of the data subject.
In the data protection context, consent can be defined as a specific, informed and unambiguous indication by the data subject, given either by a statement or by an action that denotes agreement, that he or she agrees to the processing of personal data.
The right to withdraw consent is the basic right of the data subject to request that the processing of the data cease, and it is the duty of the controller to comply with such a request.
In order for the right to be enforced:
The right to access is as its name suggests, the right of an individual to obtain information from the controller in regards to the personal data. The information that can be obtained includes:
In order to access the data, the data subject must make a subject access request. This request is made to the controller, usually in writing, although the law does not require a particular form and the request can be made in any manner, for example verbally through a telephone call. The controller has a month to respond and may not charge a fee for doing so, except in exceptional circumstances where high administrative or documentation costs are involved.
The law provides for the right to object to the processing of personal data, but this is not an absolute right and can be denied.
A data subject can object at any time, on reasonable grounds, to the processing of personal data relating to him or her. Such an objection can be raised where the processing of data is carried out on the grounds that:
Apart from raising an objection, a data subject also has an important related right: to be informed by the controller of the right to object, in the following circumstances:
A data subject also has the right to request to restrict the processing of data by a controller in certain circumstances. Similar to the right of objection, this is not an absolute right. The purpose of such a right is to restrict the way a party can utilise their personal data. This right is considered to be an alternative to the right to erasure or the right to be forgotten.
The circumstances in which such a right can be enforced are as follows:
The data subject also has the right to obtain the information that he or she provided to the controller in a structured, commonly used and machine-readable format. This is possible when:
The data subject possesses the right to object to decisions that have taken place as a result of any automated processing. This includes profiling or anything that could have serious legal or consequential effects on the data subject.
Like most rights, this is not an absolute right and comes with certain exceptions, which include:
The DIFC DP Law introduced an original data subject right, the “Right of Non-Discrimination”, under Article 39. This protects a data subject who exercises his or her privacy rights under the DIFC DP Law from being denied goods or services, or charged more for them, as a result. The Article states that a controller may not discriminate against a data subject who exercises any rights under the DIFC DP Law, including by:
From a global standpoint, this new stance of the DIFC DP Law differs from many regimes around the Gulf, and the Right of Non-Discrimination has yet to be incorporated into the GDPR. Like the California Consumer Privacy Act (‘CCPA’), the clause allows controllers to offer financial and other incentives to data subjects for their willingness to allow the controller to use personal information about them.
The CCPA provides data subjects with a right to non-discrimination when they exercise other privacy rights under the law, such as the right to access, delete, or opt out of the sale of their personal information. However, the meaning of “non-discrimination” and the exceptions to this prohibition provided in the CCPA and proposed regulations are among the more confusing aspects of California’s privacy law.
The new DIFC DP Law includes comprehensive provisions on an entity’s obligations regarding data breach notification. Similar to the GDPR, the legislation distinguishes notifications to be provided to the Commissioner of Data Protection from notification to be provided to the data subjects.
The notification to data subjects is triggered only when the breach “is likely to result in a high risk to the security or rights of a data subject”. In this case, there is no fixed maximum timeframe for making the notification: it must be made “as soon as practicable in the circumstances”, or “promptly” where there is “an immediate risk of damages”.
Like the GDPR, the DIFC DP Law contains provisions which allow for data subjects to make compensation claims in relation to breaches of the DIFC DP Law. Therefore, under the DIFC DP Law, court proceedings can be initiated by the Commissioner of Data Protection as well as by data subjects.
The DIFC DP Law applies to the processing of personal data by a controller or processor incorporated in the DIFC, regardless of whether the processing takes place in the DIFC or not. Entities must ensure they are respecting the rights of data subjects in accordance with the DIFC DP Law, including filling in all gaps between the DIFC DP Law and the GDPR, and the DIFC DP Law and previous DIFC data protection law (DIFC Law No. 1 of 2007) as applicable.