Proposed changes to Saudi personal data transfer rules

The Saudi Data and Artificial Intelligence Authority (“SDAIA“) recently published proposed changes to the Transfer Regulations to the Personal Data Protection Law (“PDPL“). The proposed changes are open for public consultation until 18 April 2024. (Further details of the public consultation, along with a copy of the proposed amendments, are available here on the Istitlaa website.) In this article we provide a brief overview of the proposed changes, concluding that they generally enhance clarity and seem to be a positive development.

The proposed Transfer Regulation seems to be directed primarily at providing a more concise and coherent approach than that found in the Transfer Regulation. The following comments provide a general overview of changes, and more detailed information on material aspects, using the numbering and section headings found in the proposed Transfer Regulation as a reference.

Article 3. Procedures and Standards for Assessing Protection Level for Personal Data outside KSA

Article 3 of the proposed Transfer Regulations makes clear that the Competent Authority will publish, on its website, a list of countries and international organisations that it has assessed as providing an adequate level of protection for personal data. As before, it also provides for the list to be reviewed every four years (or when required); and sets out amended criteria for a country or international organisation to be added to that list.

The amended criteria constitute a refined list of the considerations found in Art. 3.1 of the Transfer Regulations. Edited out of the new version are:

• references to the Competent Authority engaging with other concerned authorities as per their jurisdictions;
• reference to adequacy assessments based on ‘sectors’ (rather than, simply, countries and international organisations); and
• references to Art. 3.1.b and c. of the Transfer Regulations, which referred to somewhat general considerations (relating to rule of law and effectiveness of implementation of privacy laws), that can be viewed as falling within the remaining considerations.

Article 3.1 of the proposed Transfer Regulations includes what seems to be a new reference to obligations resulting from binding international treaties or conventions, the implementation of which may require the transfer of personal data.

Article 4 of the Transfer Regulations were prescriptive in terms of the Competent Authority’s assessment of the level of personal data protection outside the Kingdom, and the associated processes. Thankfully, this level of detail is not reflected in the proposed Transfer Regulations.

Article 4. Cases of Exempting Controller from Compliance with Appropriate Protection Level and Minimum Limit of Personal Data Transfer

Article 4 of the proposed Transfer Regulation reflects the most significant changes. Art.5 of the Transfer Regulation essentially comprises two pages of unnecessary detail, including a list of different types of ‘appropriate safeguards’, as well as a lot of information on a ‘binding corporate rules’ type mechanism. The proposed Transfer Regulation helpfully strips out much of this detail.

The term “Appropriate Safeguards”, now appearing in the definitions section (Article 1), is used in Article 4 of the proposed Transfer Regulation. The definition itself could be refined, but it is otherwise quite helpful in terms of providing a general term (rather than too much specific information) on which the Competent Authority and Controllers can rely.

The opening wording of Article 4 of the proposed Transfer Regulation would benefit from revision, as it seems to provide a stand-alone exception – which is surely not the intention. Properly, we would assume that the desired outcome is that, in the cases set out in Article 4.1 of the proposed Transfer Regulation, there shall be no requirement to comply with Article 29.2.b (adequacy decision) or Article 29.2.d (minimisation) of the PDPL, subject to the adoption of Appropriate Safeguards.

In terms of the relevant cases set out in Article 4.1.a to Article 4.1.e of the proposed Transfer Regulations, these do not generally raise any material concerns. In some instances, they allude to standard contractual clauses and binding corporate rules, as well as exceptions relating to sensitive personal data and requirements relating to data controllers being certified by an entity licensed by the Competent Authority. (There would seem to be opportunities here for licensed data protection consultancies.)

This indicates that a certification will be required to rely on the relevant exemptions. This is likely to add to the compliance burden and cost, and potentially cause delays.

Article 5. Subsequent Transfers of Personal Data

Article 5 of the proposed Transfer Regulations seems to be entirely new. It introduces the requirements relating to onward transfers of personal data – that the PDPL and the Implementing Regulations shall apply to personal data that is previously transferred or disclosed to an entity outside Saudi Arabia. This would seem to be consistent with the approach to onward transfers under GDPR, although there are arguments against this approach. (The key one being that if the initial transfer outside the Kingdom was compliant with adequacy decisions or appropriate safeguards then onward transfers should also adequately protect the data subject.)

Article 6. Withdrawal of Exemption

Article 6 of the proposed Transfer Regulations reads as a simplified version of Art. 7 of the Transfer Regulation. The changes include a reference to Article 4 of the proposed Transfer Regulation (which essentially replaces Art. 5 and Art. 6 of the Transfer Regulation). While specific references have essentially been edited out, their absence is not material to the scope of the scenarios in which exemption granted under Article 4 of the proposed Transfer Regulation may be withdrawn. The new wording is general, and sets clear, basic rules.

Article 7. Risk Assessment of Transferring or Disclosing Personal Data to an Entity Outside KSA

Article 7 of the proposed Transfer Regulations reads as a simplified version of Art. 8 of the Transfer Regulation. The changes include a reference to Article 4 of the proposed Transfer Regulation (which essentially replaces Art. 5 and Art. 6 of the Transfer Regulation). There are some minor changes to the criteria relating to risk assessments for data transfer, but these seem to be in the nature of clarifications and of no material concern.

How can we help?

Our Digital & Data (Tech | Media | Telecoms) team regularly assist with data protection matters in Saudi Arabia and across the broader region.

If you are concerned with any of the proposed changes to Saudi Arabia’s Personal Data Protection Law, consider participating in the public consultation which closes on 18 April 2024.