Access Alert | Introducing Saudi Arabia’s Executive Regulation of Personal Data Protection Law

Access Alert | Introducing Saudi Arabia’s Executive Regulation of Personal Data Protection Law

On 10 March, the Saudi Data & AI Authority (SDAIA) published the Draft of the Executive Regulation of Personal Data Protection Law (PDPL) for public consultation.   

The draft aims to clarify procedures and the implementation process of the provisions provided in Personal Data Protection Law (PDPL), the first of its kind to be passed in Saudi Arabia. It regulates how businesses collect, process, and store personal data about individuals residing in the country and requires all businesses to comply by 23 March 2022. The overall objective of PDPL is to ensure that all entities process personal data per the principles set out in PDPL.   

In terms of data sovereignty, Article 29 of the PDPL prohibits the transfer of personal data outside of the Kingdom unless it is necessary for the protection of an individual’s health, safety, and wellbeing. To supplement the PDPL, Article 28 of the Executive Regulation introduces the application process for obtaining an exemption to the PDPL data localization requirement. Exceptions are granted by the regulatory authority in writing and only after it has liaised with SDAIA (i.e., sector authorities such as the Saudi Central Bank) on a case-by-case basis. A Controller may apply for exemption at least 30 days before starting the transfer of the data outside Saudi Arabia. Despite the reduction of data residency requirements, we are concerned that the Executive Regulation’s proposed case-by-case approval system will be burdensome and costly for businesses operating in the Kingdom.   

It is also noteworthy that the licensing requirement listed in Articles 32 and 33 of the PDPL has a potentially serious impact on businesses operating in the Kingdom. It specifies that when a foreign data controller processes data relating to Saudi citizens or residents, the controller must appoint a local representative, who in turn shall obtain a license from the SDAIA and be responsible for completing the controller’s obligations as highlighted in the PDPL. In the Executive Regulation, the matter has been addressed as Article 36 postpones the process by requesting SDAIA to prepare a regulation that will help identify the portal work mechanism, the criteria, procedures, and conditions of registration and related fees. Likewise, Article 37 postpones the licensing process by requesting SDAIA to prepare a regulation for licensing commercial, professional and non-profit activities related to the protection of Personal Data or activities related to the issuance of accreditation certificates.  

The Executive Regulation is the final step towards the implementation of the PDPL, private sector’s participation in the final drafting, therefore, is highly recommended to address key challenges summarized above. Interested stakeholders have until 25 March 2022 to provide their response and feedback on the draft. Meanwhile, businesses should start by documenting what personal data they hold, where it comes from, and with whom they share it. This could help them identify the type of services they provide while they wait for further guidance to be issued by SDAIA. Businesses will also need to carefully consider who to appoint as a data protection officer as this employee and the business itself could be held liable for any failure to comply with PDPL.   

Access Partnership is closely monitoring developments regarding both the PDPL and the public consultation of the Executive Regulation. For more information regarding the regulations or engagement in Saudi Arabia, please contact Nada Ihab at [email protected], Hussein Abul-Enein at [email protected], or Chen-Che Hsu at [email protected]. 

Related Articles

AI for All in Thailand: Building an AI-ready economy with Google

AI for All in Thailand: Building an AI-ready economy with Google

อ่านบทความนี้เป็นภาษาไทย A doctor in Bangkok analyzes medical images with AI, leading to a faster, more accurate diagnosis for her patient....

19 Dec 2024 AI Policy Lab
The Role of Earth Observation in Combating Desertification in Middle Eastern Countries

The Role of Earth Observation in Combating Desertification in Middle Eastern Countries

This month’s UNCCD COP16 in Riyadh marked a pivotal moment in combating global land degradation and drought, with outcomes including...

13 Dec 2024 Opinion
Access Alert: Enhancing Efficiency in India’s Logistics Through AI and Digital Integration

Access Alert: Enhancing Efficiency in India’s Logistics Through AI and Digital Integration

A recent panel discussion at the Bengaluru Tech Summit 2024 on 20 November 2024 focused on the transformative role of...

29 Nov 2024 Opinion
Access Alert: How Will Deepfake Regulations in APAC Impact Your Business?

Access Alert: How Will Deepfake Regulations in APAC Impact Your Business?

The rise of deepfakes – AI-generated content that manipulates audio, video, or images to create realistic but false representations –...

29 Nov 2024 Opinion