On 7 Sept., the Saudi Data and Artificial Intelligence Authority formally released the Kingdom of Saudi Arabia Personal Data Protection Law. Enforcement of the law will begin 14 Sept. 2024, which gives organizations one year to prepare for compliance.
This law is the first privacy law in the KSA, and it aligns the kingdom with international privacy laws, in particular the EU General Data Protection Regulation, with some localization that addresses Middle Eastern culture. Through its published regulations, it also adopts the latest guidelines and mechanisms for proper implementation of the law.
Personal data cross-border transfer regulation
Although the final wording of Article 29 (cross-border data transfer) in the final KSA PDPL is complicated, the regulation sets out the mandates corresponding to Article 29 in a simple, organized manner in line with the GDPR, allowing the transfer of data on three grounds.
The transfer of data is allowed on:
- Adequacy decisions for countries, sectors and international organizations (Articles 3 and 4), which are determined and issued by the competent authority and concerned entities; the regulation also explains the adequacy process, the assessment criteria, and the frequency and revision mandates.
- Appropriate safeguards (Article 5) where there is no adequacy decision for the destination country; the regulation lists the types of safeguards approved by the competent authority, e.g., binding corporate rules, standard contractual clauses, a compliance certification mechanism, and an enforceable code of conduct.
- Derogations for specific situations (Article 6) where there is no adequacy decision and it is infeasible to rely on appropriate safeguards under Article 5; the derogation scenarios listed are in line with Article 49 of the GDPR, except that the data subject's consent is not explicitly required.
There are four scenarios in which a transfer must be stopped or prohibited: the transfer impacts national security or the kingdom's interests; the results of a transfer impact assessment (TIA) show a high risk to the privacy of data subjects; the appropriate safeguards adopted by the data controller become invalid; or the data controller is unable to comply with the adopted appropriate safeguards. If one of those scenarios occurs, the transfer must be stopped and the TIA redone. The regulation has taken into account the latest mechanisms introduced after the "Schrems II" decision, i.e., mandating a TIA for transfers of data to countries without an adequacy decision (Article 8).
PDPL implementing regulation
The PDPL implementing regulation is considered the main regulation besides the Cross-Border Data Transfer Regulation. It clarifies and adds further requirements to the law beyond Article 29 on data transfer.
Data subject rights
The regulation includes verbal requests among the data subject requests (DSRs) covered by the authentication mandate. This is believed to be a burden on data controllers, especially in its operational and accountability aspects. The implementing regulation gives no guidance on the definition of data scope under any of the rights; this was one of the challenges faced with the GDPR and may lead to data controllers receiving an infeasible number of requests or complaints. Finally, the new regulation does not allow data controllers to charge data subjects for DSRs deemed excessive or repetitive; however, they can reject such requests with justification.
The lawfulness of processing data
Article 16 of the implementing regulation provides guidance on the processing of data under legitimate interest, which is now introduced with restrictions and precise criteria for its use as a lawful basis. Additionally, data controllers must conduct legitimate interest assessments before processing data, in line with Articles 6 and 35 of the GDPR.
Sub-processing
Under the PDPL, data controllers are required to periodically conduct compliance assessments of their selected data processors to ensure they comply with the law. This may create a burden on data controllers, as they assume sole accountability before the competent authority and the data subject for all data processing activities conducted by the data processor.
Information security
Article 23 identifies the mandates for securing personal data by referring to National Cybersecurity Authority measures, standards and controls, or to best international cybersecurity standards if the NCA does not regulate the data controller. Additionally, the regulation added to point (a) of the article a significant word not stated in the law: "necessary." "Data Controllers to implement the necessary security and technical measures to mitigate potential risks on personal data." The addition is impactful, as data controllers are mandated to implement the information security controls defined by the NCA on all personal data processing activities equally, regardless of scope. Without the ability to prioritize, this may impose undue cost and time burdens on data controllers.
Data breach notification
The regulation introduced nearly identical criteria for notifying the competent authority and the data subject that a data breach has occurred, within 72 hours and immediately, respectively. The data subject notification mandate may be a cause for concern, as it would have been more relevant to require it only in the case of confirmed or potentially high impact on the data subject, to avoid possible reputational effects on data controllers.
Privacy impact assessments
The implementing regulation mandates that data controllers conduct a documented privacy impact assessment in nine scenarios of personal data processing, including whenever processing involves anonymization, sensitive personal data, or the use of new technologies. This is in line with Article 35 of the GDPR.
Processing health and credit data
Articles 26 and 27 add more restrictive and specific measures for processing health and credit data. For example, when processing health data, organizations must adopt a restrictive "need to know" approach to minimize access and must document all processing stages, specifying an owner for each stage.
A more challenging requirement is that data controllers must adopt all relevant measures and standards issued by other competent authorities in the health and financial sectors when processing health and credit data. This places an additional responsibility on data controllers to cross-check data protection requirements across laws and regulations issued by authorities other than the data protection competent authority.
Processing data for promotional awareness; direct marketing purposes
Article 28 of the implementing regulation requires data controllers to collect consent from data subjects before processing their data for promotional and awareness purposes. Under the article, there is an important indirect exemption for data controllers if there was a previous interaction between the data controller and data subject. This is similar to Article 21 of the GDPR, allowing data controllers to rely on legitimate interest with the right to object for profiling and direct marketing purposes when data controllers promote their products and services.
On the other hand, Article 29 of the implementing regulation is similar to Article 28 in that it covers processing for direct marketing purposes, including sending promotional communications to data subjects. However, Article 29 mandates that data controllers collect consent from data subjects before processing their data, without the indirect exemption found in Article 28.
If Article 29 requires consent for direct marketing processing in the sense of profiling and analytics, i.e., not merely for sending promotional communications to the data subject, then this is a more significant challenge: sending communications to a mass audience would be allowed, while targeting an audience would not be permitted without consent. This would require further clarification and guidance from the competent authority.
What is next?
It is important to note that the consequences of noncompliance under the law are intolerable in two instances: In the event of the deliberate unlawful disclosure of sensitive personal data, an individual could receive up to two years in prison and/or a fine of SAR3 million. An organization that violates the law could receive a warning or a fine of SAR5 million. If it receives a fine, the court or competent authority could require the organization's data controller to publish it in one or more local newsletters at their expense.
Organizations must design their privacy programs carefully to ensure compliance within the first year, while planning for advanced maturity levels in the following years. At a bare minimum, they should implement the foundational principles and, where applicable, incorporate the requirements into their operational processes to prove compliance before the competent authority. Finally, rather than prioritizing tooling and automation in the first year of compliance, organizations should make them part of the maturity roadmap to achieve standardization and efficiency in subsequent years.