Related Authors: Marc Saroufim, Managing Partner | Noura Al Goblan, Trainee Lawyer — Al Akeel & Partners
Further to the Council of Ministers approving the Saudi Data Protection Law (the "DPL") amendments in March 2023, the new amendments have been recently implemented via Royal Decree No. M147 of 5/9/1444H (corresponding to March 27, 2023). The effective date of the DPL is now September 2023. The amendments provide further alignment of the Saudi DPL with the GDPR. We are still waiting on the issuance of the DPL's executive regulations which will provide further clarity on the different aspects of the DPL. The proposed executive regulations have been out for the public to provide feedback, but nothing has yet been approved in its final form.
The following are the key updates on the amended Saudi DPL:
- Fewer restrictions on personal data transfers: The strict prohibition on transfers of personal data outside the Kingdom has been amended. International transfers no longer require exceptional approval from the Saudi Authority for Data and Artificial Intelligence (SDAIA). International transfers are now generally permitted if: (i) they are in implementation of obligations under international agreements to which Saudi Arabia is a party, (ii) they serve national interests, (iii) they are in implementation of any obligations to which the data subject is a party, or (iv) they serve any other purposes determined by the executive regulations (once they are issued). Controllers will need a specific purpose to transfer or disclose data outside the Kingdom, and transfers appear to be limited to territories that SDAIA determines as having an appropriate level of protection for personal data. The executive regulations are expected to provide the cases where controllers may be exempt from this condition.
- Personal data processing: The previous version of the DPL mainly provided for the processing of personal data on the basis of the data subject’s consent. Controllers may now rely on “legitimate interests” as a lawful basis to process and disclose personal data. This does not apply to sensitive personal data, or to processing that contravenes the rights granted under the DPL and its executive regulations.
- Removal of registration requirement for controllers and SDAIA powers: The amended DPL no longer refers to the requirement of creating an electronic portal or any requirement for a controller to register their processing activities. However, SDAIA has been authorized to issue the requirements for practicing activities related to data protection, in cooperation with any other relevant authorities. SDAIA also has the mandate to license auditors and accreditation entities and create a national register if it determines that it would be an appropriate tool and mechanism for monitoring the compliance of controllers.
- Less restricted data breach notification timeline: Notifications of a personal data breach to SDAIA are no longer required to be made “immediately.” Further details on the specific deadlines are expected to be provided in the executive regulations. A new requirement has been added for controllers to notify data subjects where a breach would cause damage to personal data or contravene the data subject’s rights or interests.
Controllers will have a period not exceeding one (1) year to comply with the Saudi DPL from the date it comes into force. Accordingly, organizations within the scope of the DPL will have until September 2024 to adjust their status in accordance with the provisions of the DPL.
SDAIA will be the competent authority for a period of two years. During that period, in view of the results of applying the provisions of the DPL and its implementing regulations and the level of maturity in the data sector, consideration will be given to transferring the competence to supervise the implementation of the provisions of the law and its implementing regulations to the Kingdom’s National Data Management Office (NDMO).
Our team is keeping an eye on any further developments. Please feel free to contact us if you have any questions.