Changes to Saudi Arabia’s Personal Data Protection Law

The Saudi Data & AI Authority (“SDAIA“) has recently launched a public consultation on proposed changes to Saudi Arabia’s Personal Data Protection Law (“PDPL“). The public consultation will end on Tuesday, 20 December.

Following this, it is still anticipated that the PDPL will come in force in March 2023 and that controllers will have a one-year grace period to ensure compliance. The proposed changes are significant, and many will be welcomed by business. Some important changes include:

• International data transfers – no prior regulatory approval will be required where personal data is transferred from the Kingdom of Saudi Arabia (“KSA“) to a country which offers at least the same standard of data protection as the KSA.
• Addition of legitimate interests as a legal basis for data processing – consent will no longer be the only primary ground for processing personal data. Processing can also be carried out where it is necessary to achieve a legitimate/lawful interest of the controller or another person and this does not prejudice the data subject’s rights. However, this legal basis will not apply to sensitive personal data.
• New data subject rights – data subjects will have the right to data portability and there are additional protections added in relation to the use of personal data for marketing purposes.
• No requirement for offshore entities to appoint a representative in the KSA – the express requirement for entities outside the KSA that process the personal data of individuals residing in the KSA to appoint a representative in the KSA has been removed. However, the regulator is required to identify ways to monitor how such entities comply with the law and to identify suitable procedures to implement the law outside the KSA.

Other areas addressed by the proposed changes include clarifying the powers and functions of the KSA data protection regulator, modifications to some of the penalties for breach of the law, the definition of sensitive personal data (which no longer includes location data) and amendments that will make it easier for a controller to appoint a data processor. The proposed amendments also tidy up the drafting, address unclear language and cross references in the existing PDPL.

The proposed changes are welcome, but much of the detail underlying these changes will be contained in the as yet unpublished Regulations which will implement the PDPL. Therefore, how these new provisions will operate in practice remains to be seen. Once the consultation period ends, we expect to see both a revised PDPL and a draft of the Regulations in due course.

How can we help?

Our Digital & Data team would be pleased to assist in providing input on the consultation and advising on compliance steps as the privacy landscape in the KSA takes shape.