The final Law Update of 2022 is here, and it’s packed full of articles. The double edition features two focus areas, first is a spotlight on Energy and Resources and second we feature a collection of articles on Transport and Logistics. The developments occurring in these sectors in the MENA region are unprecedented and our lawyers cover vast themes for you.
The Energy and Resources focus features topics such as diversifying energy resources, solar PV, mining in the Middle East, renewable energy and green hydrogen. From a transport perspective, we draw attention to the Bahrain metro project, discuss the challenges and remedies associated with the repossession of an aircraft, and there is advice on what to consider should a party vary the terms of a shipping contract.
This edition navigates you through updates from across jurisdictions such as, Oman, Jordan, Saudi Arabia, Egypt, Iraq, Qatar, and the UAE. Each article is timely and provides insights into legal issues and cases that are affecting these sectors across the region.Read the full edition
SDAIA, the Saudi Data & Artificial Intelligence Authority, has just released draft Regulations to the new Personal Data Protection Law, due to come into effect on 23 March 2022. The draft Regulations provide helpful clarity on many aspects of the PDPL, although ambiguity remains on a variety of topics.
Any business likely to be affected by the Law should scrutinise the draft Regulations, and consider making submissions on any areas of concern. Further information on the consultation process is available here:
The draft Regulations contain a number of significant issues, and we have not sought to address them all here. We do, however, make some observations about transfers of personal data outside the Kingdom. Unless well drafted, with practical considerations in mind, the transfer provisions have significant potential to cause issues for international businesses and for businesses that rely on cloud services hosted outside the Kingdom. This topic caused the most concern when the Law was first published in September 2021.
Do the draft Regulations satisfactorily address these concerns? Probably not, but with some adjustments they might work.
In summary, the potentially bureaucratic requirements around regulatory approvals prior to transfers abroad, as well as the question of whether the consent of the data subject negates the need to obtain such approval, would benefit from further scrutiny by SDAIA.
In Art. 28.1, the draft Regulations restate a basic requirement to host and process personal data in the Kingdom – but they also contemplate personal data being transferred outside. Such transfers would be subject to the controller undertaking a privacy impact assessment and obtaining the written approval of the relevant ‘regulatory authority’ (such as an industry sector regulator) having liaised with the ‘competent authority’ (being SDAIA, initially) on a case by case basis.
In Art. 28.2, the transfer provisions contain a statement that transfers of personal data to recipients outside the Kingdom can occur for public interest purposes (not defined); or where providing services to individuals (not corporates?) and the transfer is subject to the consent of the data subject and not in a manner contrary to what the data subject might expect. Art 28.2 includes reference to Art. 29, which provides for transfers to jurisdictions not assessed as providing an adequate level of data protection. (Art. 30 contemplates SDAIA developing a list of jurisdictions that it considers to provide an adequate level of protection to personal data.) The implication seems to be that, where the recipient is in a jurisdiction assessed as providing adequate protections, then the consent of the data subject will legitimise such transfers.
As noted above, Art. 30 contemplates SDAIA developing a list of jurisdictions that it considers to provide an adequate level of protection to personal data. For transfers to jurisdictions not assessed as providing an adequate level of protection, and excluding circumstances where the vital interests of the data subject are at stake, Art. 28.3 of the draft regulations contemplate a requirement for controllers to apply to SDAIA, at least 30 days in advance of proposed transfers. Art. 29 provides further requirements relating to transfers to such jurisdictions, including a requirement for controllers to undertake risk and impact assessments, and to provide appropriate safeguards (such as adoption of standard clauses, BCRs, etc.) .
As noted above, the draft Regulations contain a variety of other concerns, and further scrutiny is essential. We will be happy to share further insight on this significant development, and to provide support in the preparation of submissions to the consultation process if required. Please follow our Digital & Data ‘showcase’ page on LinkedIn, and contact email Nick O’Connell directly for any specific support.