The regional real estate, construction and hospitality sectors have been turned upside down over the last two years, with Covid-19 bringing these sectors to a halt. The impact of the pandemic remains, however, the resurrection of these vital sectors across the region is a welcome relief because they support the development of modern cities, which in turn have attracted commerce and tourism to the Middle East and North Africa.
This latest edition of Law Update, provides vital insights, updates and commentary on the latest trends taking shape across the real estate, construction, hotels and leisure sectors. The articles within this edition cover a broad range of topics, from what’s next for real estate in Dubai, to commentary on Saudi real estate, a market that is set to become the main bedrock of the region for years ahead. You will find articles on reforming real estate laws in Qatar, foreign investment and ownership in Oman, and mitigating risks on hotel construction projects and the lessons learnt from Covid.Read the full report
SDAIA, the Saudi Data & Artificial Intelligence Authority, has just released draft Regulations to the new Personal Data Protection Law, due to come into effect on 23 March 2022. The draft Regulations provide helpful clarity on many aspects of the PDPL, although ambiguity remains on a variety of topics.
Any business likely to be affected by the Law should scrutinise the draft Regulations, and consider making submissions on any areas of concern. Further information on the consultation process is available here:
The draft Regulations contain a number of significant issues, and we have not sought to address them all here. We do, however, make some observations about transfers of personal data outside the Kingdom. Unless well drafted, with practical considerations in mind, the transfer provisions have significant potential to cause issues for international businesses and for businesses that rely on cloud services hosted outside the Kingdom. This topic caused the most concern when the Law was first published in September 2021.
Do the draft Regulations satisfactorily address these concerns? Probably not, but with some adjustments they might work.
In summary, the potentially bureaucratic requirements around regulatory approvals prior to transfers abroad, as well as the question of whether the consent of the data subject negates the need to obtain such approval, would benefit from further scrutiny by SDAIA.
In Art. 28.1, the draft Regulations restate a basic requirement to host and process personal data in the Kingdom – but they also contemplate personal data being transferred outside. Such transfers would be subject to the controller undertaking a privacy impact assessment and obtaining the written approval of the relevant ‘regulatory authority’ (such as an industry sector regulator) having liaised with the ‘competent authority’ (being SDAIA, initially) on a case by case basis.
In Art. 28.2, the transfer provisions contain a statement that transfers of personal data to recipients outside the Kingdom can occur for public interest purposes (not defined); or where providing services to individuals (not corporates?) and the transfer is subject to the consent of the data subject and not in a manner contrary to what the data subject might expect. Art 28.2 includes reference to Art. 29, which provides for transfers to jurisdictions not assessed as providing an adequate level of data protection. (Art. 30 contemplates SDAIA developing a list of jurisdictions that it considers to provide an adequate level of protection to personal data.) The implication seems to be that, where the recipient is in a jurisdiction assessed as providing adequate protections, then the consent of the data subject will legitimise such transfers.
As noted above, Art. 30 contemplates SDAIA developing a list of jurisdictions that it considers to provide an adequate level of protection to personal data. For transfers to jurisdictions not assessed as providing an adequate level of protection, and excluding circumstances where the vital interests of the data subject are at stake, Art. 28.3 of the draft regulations contemplate a requirement for controllers to apply to SDAIA, at least 30 days in advance of proposed transfers. Art. 29 provides further requirements relating to transfers to such jurisdictions, including a requirement for controllers to undertake risk and impact assessments, and to provide appropriate safeguards (such as adoption of standard clauses, BCRs, etc.) .
As noted above, the draft Regulations contain a variety of other concerns, and further scrutiny is essential. We will be happy to share further insight on this significant development, and to provide support in the preparation of submissions to the consultation process if required. Please follow our Digital & Data ‘showcase’ page on LinkedIn, and contact email Nick O’Connell directly for any specific support.