Royal Decree No. M/148, dated 05/09/1444H (27 March 2023), introduced amendments (the “Amendments”) to the Kingdom’s Personal Data Protection Law (“PDPL”) and pushed the effective date of the PDPL to 14 September 2023.[1]
Originally enacted in 2021 pursuant to Royal Decree M/19 of 09/02/1443H (16 September 2021), the PDPL aims to protect the personal data of residents of Saudi Arabia with respect to the collection and processing of such data inside or outside the Kingdom.[2] Personal data refers to any information, irrespective of its form or source, that would identify a natural person or would make it directly or indirectly possible to identify him or her.[3]
The Amendments ease some of the previous restrictions and align the PDPL more with the EU General Data Protection Regulation of 27 April 2016. The forthcoming regulations and guidelines by the Saudi Data & Artificial Intelligence Authority (“SDAIA”)[4] are expected to provide further guidance on some of the terms of the Amendments. This note considers some of the important changes made to the PDPL and certain actions that entities subject to the PDPL need to consider to ensure compliance.
I. Highlights of the Amendments
- Sensitive information: Memberships in private organizations and credit information are no longer part of the definition of “sensitive information.”[5]
- Data subject: The definition of “data subject” has been narrowed to exclude the personal data of the data subject’s proxy and legal guardian.[6]
- Data subjects’ rights: The Amendments have further streamlined the rights of data subjects. The obligation previously imposed on controllers to grant data subjects access to their collected data at no fee has been removed, which should alleviate some of the financial burden on controllers.[7] Allowing controllers to charge fees for such access also has the advantage of discouraging data subjects from submitting meritless requests to access their data held by controllers. The regulations to be issued are expected to provide guidance on the fees that controllers may charge to grant data subjects access to their data.
- Data subjects’ consent: The Amendments have replaced the previous requirement of “written consent” by data subjects to process their personal information or change the purpose of processing with “clear consent.”[8] The forthcoming regulations are expected to address the conditions for valid consent. A new exemption from the consent requirement has also been added. Controllers do not need data subjects’ consent to conduct processing of their personal data that is necessary to satisfy the controllers’ lawful interests, provided that such processing does not contravene the data subjects’ rights or interests and that the data is not “sensitive information,”[9] a defined term under Article 1 of the PDPL. A similar exemption has been added with respect to controllers’ ability to disclose data subjects’ data.[10] The forthcoming regulations are also expected to provide further guidance on these two new exemptions. These are important changes to the PDPL and should help entities that need, for instance, to process or disclose personal information as part of a larger data processing or disclosure exercise, such as when responding to queries received in investigations launched by government entities like the Saudi General Authority for Competition.
- Collection and processing of personal data: The Amendments have added an exemption to the previous requirements that personal data may not be collected other than directly from the individuals concerned (“data subjects”) and that personal data may not be processed except for the purpose for which it was collected.[11] The new exemption allows entities to collect personal data from sources other than the data subjects and to process personal information for purposes other than those for which it was originally collected, if doing so is necessary to achieve the controller’s lawful interests and does not contravene the data subjects’ rights or interests. This should give entities greater flexibility to collect and process personal data.
- Data breach notification: The Amendments have removed the previous requirement to notify SDAIA “immediately” in the event of leakage of or damage to personal data.[12] The forthcoming regulations will provide further guidance on the timelines for reporting such incidents and the materiality threshold for incidents that must be reported; until then, entities should not treat the removal of “immediately” as relaxing the need for an incident response process that can detect, assess and report a breach promptly. The Amendments have also added a new notification requirement. Controllers are now obliged to notify data subjects if the leakage of, or damage to, their personal information may harm them or contravene their rights or interests.[13]
- Transfer and disclosure of personal data outside the Kingdom: The Amendments have somewhat eased the prohibition on the transfer and/or disclosure of personal data to foreign jurisdictions. Personal data can be transferred or disclosed to a foreign jurisdiction for any of the following reasons:[14]
- to satisfy an obligation pursuant to an agreement to which the Kingdom is a party;
- to serve the Kingdom’s interests;
- to satisfy an obligation to which the data subject is a party; or
- to satisfy other purposes specified in the regulations to be issued.
The grounds above are subject to the following conditions:
- the transfer or disclosure of personal information will not result in compromising the Kingdom’s national security or interests;
- the foreign jurisdiction to which the personal information is to be transferred or disclosed should offer a level of personal data protection not less than that mandated under the PDPL and the regulations; and
- the disclosure or transfer should be limited to the minimum personal data needed for the purpose of the disclosure or transfer (as the case may be).
- Compliance officer and legal representative: The Amendments have removed the requirement that a controller appoint a compliance officer responsible for the controller’s compliance with the PDPL. However, the forthcoming regulations will identify the situations in which controllers are required to appoint personnel in charge of protecting personal data.[15] The Amendments also removed the requirement that international processors appoint a legal representative in the Kingdom licensed by SDAIA when processing the information of residents of the Kingdom.[16]
- Registration of controllers: The Amendments removed SDAIA’s obligation to create an electronic portal and the requirement for controllers to register in this portal.[17]
- The power to investigate and confiscate: The PDPL now explicitly gives SDAIA’s designated personnel the power to investigate violations of the PDPL and to initiate confiscation proceedings.[18] The Saudi Public Prosecution is responsible for prosecuting violations of the PDPL.[19]
II. Looking Ahead
We expect SDAIA to enforce the terms of the PDPL strictly, especially now that it has been given the power to investigate controllers and processors, as noted above. It is therefore imperative for entities subject to the PDPL to review their compliance carefully, especially where personal information of residents of the Kingdom is transferred or disclosed to foreign jurisdictions. Below are certain actions that entities subject to the PDPL may wish to consider:
- Understand the extent of personal information that the entity may hold and analyze the information privacy policies and procedures that the entity has in place, if any. In carrying out this exercise, the entity may consider seeking input from key business personnel within the entity, retaining an information technology expert, and engaging outside counsel to provide comprehensive insights.
- Update the entity’s privacy policies and procedures to conform to the PDPL. Poorly drafted policies and procedures will expose the entity to greater risks under the PDPL. These policies and procedures should take into account, among other things, the following:
- Obligations to keep records of personal data processing, including the purpose of the processing, descriptions of the classes of data subjects, the entities to which information is or will be disclosed, and information transferred or disclosed to foreign jurisdictions.
- Obligations to limit access to personal data, such as personal health data, to the personnel who require it for their role.
- Use of personal data for marketing and research purposes.
- Training employees on the terms of the PDPL, which will support compliance and reduce risk.
- Preparation for any dawn raids by SDAIA, i.e., on-site investigations conducted at the entity’s premises by SDAIA officials without advance notice. A dawn raid guide will help the entity’s personnel determine how to conduct themselves before, during, and after a raid, including how to cooperate with government investigators, respond to officials’ instructions, and handle the entity’s hardcopy and electronic records.
Our lawyers have significant experience advising clients on compliance matters, representing them in investigations launched by government agencies, and challenging fines issued by these agencies.
***
If you have any questions about the issues addressed in this memorandum, or if you would like a copy of any of the materials mentioned, please do not hesitate to contact:
Nasser Alrubayyi
Managing Partner (KSA), Co-Chair Middle East & North Africa Practice
Email: nasseralrubayyi@quinnemanuel.com
Written with the assistance of Hazim Alhazmi and Mohammed Aleissa.
To view more memoranda, please visit www.quinnemanuel.com/the-firm/publications/
[1] See Article 27 of the Amendments.
[2] See Article 2 of the PDPL.
[3] See Article 1 of the PDPL.
[4] SDAIA is the government entity in charge of enforcing the PDPL pursuant to the Council of Ministers’ Resolution No. 98, dated 07/02/1443H.
[5] See Article 3 of the Amendments.
[6] See Article 4 of the Amendments.
[7] See Article 5 of the Amendments.
[8] See Article 6 of the Amendments.
[9] See Article 7 of the Amendments.
[10] See Article 14 of the Amendments.
[11] See Article 10 of the Amendments.
[12] See Article 17 of the Amendments.
[13] Id.
[14] See Article 19 of the Amendments.
[15] See Article 20 of the Amendments.
[16] See Article 22 of the Amendments.
[17] See Article 21 of the Amendments.
[18] See Article 25 of the Amendments.
[19] See Article 35 of the PDPL.