On 10 March, the Saudi Data & AI Authority (SDAIA) published the Draft of the Executive Regulation of the Personal Data Protection Law (PDPL) for public consultation.
The draft aims to clarify the procedures and implementation process for the provisions of the Personal Data Protection Law (PDPL), the first of its kind to be passed in Saudi Arabia. It regulates how businesses collect, process, and store personal data about individuals residing in the country and requires all businesses to comply by 23 March 2022. The overall objective of PDPL is to ensure that all entities process personal data per the principles set out in PDPL.
In terms of data sovereignty, Article 29 of the PDPL prohibits the transfer of personal data outside of the Kingdom unless it is necessary for the protection of an individual’s health, safety, and wellbeing. To supplement the PDPL, Article 28 of the Executive Regulation introduces the application process for obtaining an exemption to the PDPL data localization requirement. Exceptions are granted by the regulatory authority in writing and only after it has liaised with SDAIA (i.e., sector authorities such as the Saudi Central Bank) on a case-by-case basis. A Controller may apply for exemption at least 30 days before starting the transfer of the data outside Saudi Arabia. Despite the reduction of data residency requirements, we are concerned that the Executive Regulation’s proposed case-by-case approval system will be burdensome and costly for businesses operating in the Kingdom.
It is also noteworthy that the licensing requirement listed in Articles 32 and 33 of the PDPL has a potentially serious impact on businesses operating in the Kingdom. It specifies that when a foreign data controller processes data relating to Saudi citizens or residents, the controller must appoint a local representative, who in turn shall obtain a license from the SDAIA and be responsible for completing the controller’s obligations as highlighted in the PDPL. The Executive Regulation addresses the matter: Article 36 postpones the process by requesting SDAIA to prepare a regulation that will help identify the portal work mechanism, the criteria, procedures, and conditions of registration and related fees. Likewise, Article 37 postpones the licensing process by requesting SDAIA to prepare a regulation for licensing commercial, professional and non-profit activities related to the protection of Personal Data or activities related to the issuance of accreditation certificates.
The Executive Regulation is the final step towards the implementation of the PDPL; the private sector’s participation in the final drafting is therefore highly recommended to address the key challenges summarized above. Interested stakeholders have until 25 March 2022 to provide their response and feedback on the draft. Meanwhile, businesses should start by documenting what personal data they hold, where it comes from, and with whom they share it. This could help them identify the type of services they provide while they wait for further guidance to be issued by SDAIA. Businesses will also need to carefully consider whom to appoint as a data protection officer, as this employee and the business itself could be held liable for any failure to comply with PDPL.
Access Partnership is closely monitoring developments regarding both the PDPL and the public consultation of the Executive Regulation. For more information regarding the regulations or engagement in Saudi Arabia, please contact Nada Ihab at firstname.lastname@example.org, Hussein Abul-Enein at email@example.com, or Chen-Che Hsu at firstname.lastname@example.org.