Update on the new Saudi Data Protection Law

After amendments and postponement the new Saudi Personal Data Protection Law Saudi Arabia is scheduled to enter into force later this year. The law seeks to aid in the Kingdom developing a digital infrastructure and a digital economy. The law was initially scheduled to enter into force in March 2022. However, in public consultations substantial concerns were voiced, in particular, concerning restrictive provisions dealing with storage and processing of data outside of Saudi Arabia. The Saudi legislator addressed these concerns in an amendment published on 21 March 2023, which delayed the law’s entry into force. The law will enter into force on 14 September 2023 and organization will have until 13 September 2024 to ensure compliance.

Territorial scope of application

The  Personal Data Protection Law applies to any processing of personal data (1) of persons residing in Saudi Arabia or (2) conducted in the Kingdom. In principle, the scope of application is similar to that of the EU General Data Protection Regulation (GDPR). However, unlike the GDPR the Saudi law does not require that foreign entities collecting data on or processing data of Saudi residents offer goods and service in the Kingdom for the Saudi law to apply. Any foreign entity collecting data on or processing data of Saudi residents—even if they do not engage in business activities in Saudi Arabia—are subject to the Saudi law.

Consent for data collection and processing

Persons or entities collecting data on or processing data of Saudi residents or collecting and processing data in Saudi Arabia may do so only with the prior approval of the data subject. However, there are some exceptions. No consent is required where (1) data collection and processing is in the interest of the data subject and it is impractical or impossible to reach the data subject to obtain consent, (2) a waiver of the consent requirement was given by the data subject (i.e. by declaration or agreement) or is imposed by law, or (3) data is processed or collected by a public entity for security purposes. Where consent is required the data subject may withdraw consent once given at any time.

Registration with authorities

Pursuant the original draft of the law, persons or entities collecting or processing personal data were obligated to register their activities with Saudi Data & AI Authority (SDAIA). This obligation was abolished with the most recent amendment. Still, the law allows for SDAIA to create a national registry in which entities collecting and processing data must register, if it deems it necessary in order to monitor data collection and processing in the Kingdom and of Saudi residents.

Legitimate interest

After the amendments to the law companies now may rely on ‘legitimate interests’ as a legal basis for collecting and processing data. However, this does not apply to ‘sensitive’ personal data or data collection and processing that would contravene rights granted under the Personal Data Protection Law. It remains to be seen how ‘sensitive’ personal data will be defined in the Executive Regulations to the Personal Data Protection Law. Still, the introduction of ‘legitimate interest’ as a basis for collecting and processing data brings the Saudi data protection regime further in line with the  international best practice and the GDPR. In particular.

Data breaches 

Under the original draft of the law data breaches had to be notified immediately to SDAIA. This obligation was eased with the most recent amendments now requiring that notification to SDAIA be made without undue delay. Furthermore—under the current version of the law—data collectors and processors must notify data subjects of a breach, if the breach would cause them harm or contravene their interests. The second element—contravene the data subject’s interests—remains very vague and could be interpreted very broadly. Arguably any leak of personal information is against the data subject’s interest. It remains to be seen whether the executive regulations will provide clarification on this issue.

Transfer of data abroad

One of the major points of critique on the Saudi Personal Data Protection Law in its original draft was the strict requirement that all data had to be stored and processed in Saudi Arabia. Any transfer of personal data abroad required prior approval of SDAIA. This provision was eased with the most recent amendment. The law now allows  personal data to be transferred  to a recipient in a jurisdiction outside of the Kingdom that ensures appropriate data protection. Transfer of data to such jurisdictions now is generally permitted, if the transfer (1) is made in accordance with obligations under international agreements to which Saudi Arabia is a party, (2) is made in accordance with obligations of the data subject (i.e. arising out of agreements to which the data subject is a party), (3) it serves national interests, or (4) any other purposes determined by the executive regulations, which are still pending. Moreover, companies collecting and processing personal data may only transfer data abroad for specific purposes. What purpose would satisfy the law has not yet been defined. We expect further clarification in the executive regulations. Furthermore, it is still somewhat unclear what data protection standards a country has to satisfy to allow data transfer there. It appears that SDAIA has authority to make such determination. We expect that guideposts for how SDAIA would exercise its authority will be included in the executive regulations. Still, jurisdictions with personal data protection regimes granting protection at a level similar to that of Saudi Arabia will likely be considered as offering an appropriate level of data protection.

Penalties for non compliance

Criminal sanctions for violating the Saudi data protection regime, which were introduced with

the original draft of the law, were removed. There remains only one criminal offence relating to unlawful disclosure or publication of sensitive personal data. All other violations may incur an official warning or a fine of up to SAR 5,000,000 (approx. USD 1,333,000). Fines may be doubled in case of repeat offences.

Way forward

Further details relating to among other things conditions for consent, data subject's access requests, procedures for notifying data breaches, definitions of key terms such as 'sensitive personal data' as well as when foreign jurisdictions would be deemed to have adequate data protection for the purposes of transfer of data abroad are still pending. Still, there are steps that organisations may already take now to prepare for the law entering into force. Companies operating in Saudi Arabia or doing business with the Saudi residents should: (1) assess their data processing activities, including whether they transfer or process data on Saudi residents outside of the Kingdom and if so where; (2) assess their internal data collection policies and processes as to whether they comply with requirements of Saudi law; (3) review contracts pertaining to Saudi Arabia that may require amendments to bring them in line with the new Saudi personal data protection regime; and (4) train (local) staff and raise awareness on the new Saudi personal data protection regime.