The Council of Ministers in Saudi Arabia has approved a set of amendments to the Personal Data Protection Law (PDPL), which was originally issued in 2021. The amendments were enacted through Royal Decree No. M/147 of 5/9/1444H (27 March 2023) and move the PDPL’s effective date to September 2023. They are intended to bring the PDPL closer to international standards, in particular the European Union’s General Data Protection Regulation (GDPR), by introducing several concepts familiar from that regime. The changes reflect the Kingdom’s commitment to strengthening the protection of personal data and promoting data privacy in line with global best practice.
Key Changes and Highlights
The amendments are designed to create a more business-friendly environment and largely follow the consultation draft circulated last year. The most notable changes are as follows:
1. A significant shift towards facilitating data transfers in line with global best practice, while safeguarding the privacy rights of individuals.
The amended law takes a more business-friendly approach to cross-border data transfers: the general prohibition on transferring personal data outside Saudi Arabia has been lifted. Previously, international transfers required exceptional approval from the Saudi Data and Artificial Intelligence Authority (SDAIA); under the revised framework they are permitted, subject to conditions. A controller that transfers or discloses personal data outside the Kingdom must have a specific purpose for doing so, and the transfer may only be made to a jurisdiction that SDAIA has determined to provide an appropriate level of personal data protection. The criteria for such determinations are to be set out in forthcoming evaluation guidelines, and the executive regulations may exempt certain cases from this condition.
2. “Legitimate interests” as a lawful basis to process and disclose personal data.
Controllers may now rely on “legitimate interests” as a lawful basis for processing and disclosing personal data. This basis is not available for sensitive personal data, nor for processing that would infringe the rights granted under the PDPL and its executive regulations.
3. Removal of the criminal offence for data transfer violation.
Criminal sanctions for breaching the PDPL’s data transfer restrictions have been removed. The only remaining criminal offence under the law is the disclosure or publication of sensitive personal data in violation of its provisions.
4. Electronic Portal.
The article providing for an electronic portal to host a national register of controllers has been deleted; the law therefore no longer requires such a portal to be built, nor does it oblige controllers to register their processing activities. SDAIA has, however, been authorised to establish and issue requirements for the practice of data protection-related activities, in collaboration with the relevant authorities. SDAIA has also been given the mandate to license auditors and accreditation bodies and, where it considers it necessary, to establish a national register for monitoring controller compliance. These measures are intended to strengthen the overall effectiveness of the data protection regime in Saudi Arabia.
5. Timelines in data breach notifications.
The previous requirement to notify SDAIA of a personal data breach “immediately” has been removed. The forthcoming executive regulations are expected to specify the notification timelines.
6. Notifying data subjects in a data breach incident.
The amendments introduce a requirement for controllers to notify data subjects where a breach of their personal data may cause them harm or prejudice their rights or interests. This places an additional obligation on controllers to inform affected data subjects of the breach and its potential consequences.
The PDPL formally takes effect on 14 September 2023, 720 days after its publication in the Official Gazette. The executive regulations that supplement the PDPL are due to be issued before that date.
It is worth noting that the PDPL’s preamble grants controllers a one-year grace period, running from the effective date, in which to achieve compliance. Organisations within the scope of the law therefore have until 14 September 2024 to bring themselves into line with its provisions, and should plan their compliance work accordingly.
There is not yet an official English translation, but the official press release announcing the amendments can be read here: