The Kingdom of Saudi Arabia (KSA) has released the Royal Decree M/19 of September 2021 on the Protection of Personal Data (KSA PDPL) with an effective date of 23 March 2022.
The KSA PDPL has extra-territorial scope, applying to any entity established in KSA and processing personal data overseas, or any entity established outside of KSA and processing personal data of residents inside the territory of KSA. However, the KSA PDPL does not apply to governmental bodies and government data.
Data processing controls and disclosure
The KSA PDPL provides a list of controls that govern how personal data shall be processed. These controls are similar to the data protection principles set out in other best practice data protection regimes, for example the GDPR. The processing of personal data must be consented to, transparent, lawful, and for a specific and clear purpose. Data controllers are required by the KSA PDPL to collect personal data only directly from the data subject, although there are set exceptions outlined, such as data collected from a readily available public source. Data controllers must ensure that the personal data processed is factual, accurate, up-to-date, and specifically related to the purpose for which processing is required. With reference to accuracy, this imposes an implementation concern, as data controllers will have to ensure that certain technical and organisational measures are put in place to correct or erase incorrect personal data, whilst keeping the data secure and protected from any breach or unauthorised processing. The use of email and postal addresses for advertising purposes is prohibited unless consent is obtained and data subjects are given an opportunity to opt out, or the addresses are used by a governmental entity for the purposes of awareness. In addition, personal data must not be retained after the purpose of processing has been fulfilled, unless the data subject remains anonymised.
Consent and data subject rights
The KSA PDPL makes it illegal to process personal data without the consent of the data subject unless certain specific exclusions apply. If the data processor is processing the data for a purpose different from the one for which the data was originally obtained, it must obtain consent from the data subject for the new specific purpose. The requirements for valid consent, and the circumstances in which written consent must be obtained, will be set out in the executive regulations.
There are exceptions to the requirement for consent. Firstly, if the processing of personal data is in the interest of the data subject, and contacting them is difficult or impossible. Secondly, if the processing of data is pursuant to another law, or to implement a prior agreement to which the data subject is a party. Thirdly, if processing is required for national security or for the administration of justice by a public entity. The 'data subject interest' exception can be interpreted broadly, and it could be very difficult to impose any penalties in instances of violation. Determining what may be in the interest of the data subject gives huge discretion to data controllers and processors, which could very much be open to misuse. Consent can be withdrawn by the data subject in all circumstances.
Under the KSA PDPL, data subjects will have a number of rights including: (i) the right to be informed of the legal basis of data collection, which includes not having their data processed for a purpose different from that for which it was collected; (ii) the right to access, review and obtain a copy of their data free of charge (with the exception of credit information); (iii) the right to have their personal data kept accurate, corrected and updated; (iv) the right to have their personal data destroyed when it is no longer required.
The data processor must only transfer personal data outside KSA with the consent of the data subject. With the exception of sensitive data, the processor or controller may transfer the personal data outside KSA, provided that the transfer is in the interest of the public or judicial authorities, or it is governed by an agreement. Where the transfer is governed by an agreement, this agreement must provide an adequate level of protection, concerning the most important provisions of privacy and confidentiality of the data subject. A further requirement is the approval of the competent authority, Saudi Data & Artificial Intelligence Authority (SDAIA), that an adequate level of protection regarding the data subjects and their ability to exercise their rights will be granted.
Data controllers are required to inform any entity to which data has been transferred of any changes, corrections or updates to the personal data transferred. This may be challenging and impractical, as entities would be required to keep track of all data transfers that have been made and to contact each receiving entity to provide any updates.
Any entity found in breach of the overseas transfer regulations set out in the KSA PDPL will face a criminal penalty of up to one year's imprisonment and/or a fine of up to 1 million SAR (approximately USD$270,000). Any unlawful transfer or disclosure of sensitive personal data will face a criminal penalty of up to two years' imprisonment and/or a fine of up to 3 million SAR (approximately USD$800,000). Any other violation of the KSA PDPL not covered by the specifications above will face a penalty of up to 5 million SAR (approximately USD$1.35 million).
The imprisonment penalty may be difficult to enforce in practice, especially with regard to overseas entities. However, as each entity will be obliged to have a legal representative in KSA, the legal representative may face legal proceedings, although this could be clarified by the executive regulations when they are released. In such cases, monetary fines are more realistic and easier to implement, and could act as a more effective deterrent.
Next steps for your business
Companies in KSA will now need to audit their data-related activities, processes and internal frameworks in order to develop a compliance programme that reflects the standards put forward by SDAIA. Any entity outside KSA that is processing the personal data of any Saudi resident will have to appoint a legal representative within KSA. They will also be required to register on a platform, to be established subsequently, which tracks data processing activities. There will be an annual fee of up to 100,000 SAR (approximately USD$27,000) to subscribe to the platform.
We also expect that many of our clients doing business across the GCC will need to look closely at the different data protection frameworks of each jurisdiction, which are rapidly evolving and may require specific considerations on how they differ, especially in respect of data transfers across borders.
This article was co-authored by Narjis Alshabeeb and Majed Alzaben from AlGhazzawi and Partners, our strategic partner law firm in Saudi Arabia.
Please reach out to a member of our Technology and Data Protection team in KSA and UAE for further information or if you require any advice/assistance with these matters.