This article was originally published in Arab News on 11 April 2022.
Saudi Arabia’s proposed Personal Data Protection Law is set to be the first of its kind in the Kingdom, and last month tech firms were given a year to provide further feedback on the legislation before it comes into force.
The overall objective of the law — now set to take effect on March 17, 2023 — is to ensure that firms and any related entities process personal data according to its principles. This includes ensuring that there is a legal basis for processing personal data transparently and securely. In addition, safeguards should be put in place to protect this data from loss, damage, or destruction.
The Saudi Data and Artificial Intelligence Authority will oversee the initial implementation and enforcement of the law for two years, after which the government’s National Data Management Office will take over as the supervisory authority. The Saudi Central Bank and the Communications and Information Technology Commission both appear to maintain their jurisdiction to regulate data protection within their remit.
Although the legislation’s executive regulation reduces the law’s tough data residency requirements, the proposed case-by-case approval system will prove to be burdensome and costly for firms operating in the Kingdom. Localization will raise the cost of data storage and cloud-based services in Saudi Arabia, while maintaining separate local servers may not be possible in practice due to data duplication.
Given the serious penalties and onerous obligations under the legislation, firms should begin engaging in the feedback process now. The grace period gives businesses time to prepare and propose alternative solutions, but it also means companies need to implement significant compliance measures, which can take time to embed within departments. KSA has no prior history of a federal data protection law of this nature, which will make compliance and enforcement an even bigger challenge for firms and regulators.
In short, the law introduces several requirements that could significantly affect how companies operate in the Kingdom. The most notable are the registration and data localization requirements, as well as consent and hefty penalties.
Businesses must make several key changes to prepare for the law. They must have a clear understanding of the nature of the data they hold, establish how this data will be governed, and create policies and procedures for handling it. Firms should also implement and test what happens if this information is breached, and identify how data should be transferred internationally. Finally, companies must train relevant staff and install appropriate management.
Firms should start by documenting what personal data they hold, where it comes from and with whom they share it. This could help them identify the type of services they provide and what kind of internal policies and procedures they need, while they wait for further guidance to be issued by SDAIA. They should then create and test data breach plans as soon as possible. Businesses will also need to carefully consider who to appoint as a data protection officer, as this employee, as well as the business itself, could be held liable for any failure to comply with the law.
Article 29 of the legislation prohibits the transfer of personal data outside the Kingdom unless it is absolutely necessary for the protection of an individual’s health, safety and wellbeing, or is in accordance with the implementation of an international treaty or agreement in the Kingdom’s interest.
The conditions for the transfer of data outside the Kingdom are based on similar principles to the EU’s General Data Protection Regulation, such as purpose limitation, data minimization, integrity and confidentiality. However, the Saudi legislation presents clear restrictions on the transborder transfer of data of quite a large proportion of information.
That said, Article 28 of the law’s executive regulation introduces an application process for obtaining exemptions, while Articles 29 and 30 mandate SDAIA with the preparation of a list of countries that provide an adequate level of protection.
The licensing requirement in Articles 32 and 33 of the law will have a larger potential impact on businesses operating in the Kingdom. These rules specify that when a foreign data controller processes data relating to Saudi citizens or residents, the controller must appoint a local representative, who in turn must obtain a license from SDAIA and be responsible for fulfilling the controller’s obligations as set out in the legislation.
However, Article 36 of the executive regulation postpones this process by requesting SDAIA to prepare regulations that will help identify the portal work mechanism, criteria, procedures and conditions of registration and related fees. Private sector involvement in the drafting of this regulation is highly recommended to ensure that the new laws are forward-thinking and support individual data protection.
Finally, although not mentioned in its executive regulation, the law includes tough criminal penalties and fines for two key offenses. The first is the unlawful transfer of data out of KSA, punishable by imprisonment of up to one year and/or a fine of up to SR1 million. The second is disclosing or publishing sensitive data unlawfully, with the intent of harming the data subject or for personal gain, punishable by imprisonment of up to two years and/or a fine of up to SR3 million.