Saudi Arabia: Considerations for Data Protection Compliance

Odaseva

Dec 15, 2022

Passed in September 2021, the Personal Data Protection Law (PDPL) is set to become the omnibus legislation regarding personal information in the Kingdom of Saudi Arabia (KSA). The PDPL is Saudi Arabia’s first federal data privacy legislation and will establish one of the strictest data privacy regimes in the world. Originally set to take effect in March of 2022, implementation has been pushed to March 17, 2023 to allow more time for adjustment and clarification.

While it is still unclear how the legislation will be implemented, the Saudi Data and Artificial Intelligence Authority will administer the PDPL for its first two years. At that point, it may transfer regulatory responsibility to the National Data Management Office (NDMO). It’s not yet clear how active these regulators will be, but in the past sector-specific regulators have been very active in enforcing industry data regulations.

Here are the highlights of the PDPL:

The PDPL has an extraterritorial scope

The PDPL applies to any entity that has a presence in Saudi Arabia and processes the personal information of KSA residents.

Consent is required for most information collection and usage

One notable exception applies where processing is clearly in the interest of the data subject and the controller has been unable to reach them. Exceptions also apply where the data is anonymized and used for research, or where it is used by government entities for security purposes. Implied consent is acceptable where the subject's actions clearly indicate consent and obtaining explicit consent would be an unreasonable burden; consent for sensitive data, however, must be in writing.

Data subject rights

Data subjects have the right to access their data, have it corrected, and request the erasure of their information once it is no longer required.

International data transfers may require the approval of the regulatory authority

Generally, controllers may not transfer data outside of Saudi Arabia except where the transfer is required for national security, for epidemiological purposes, or to comply with an agreement to which Saudi Arabia is a party. However, the governing authority may exempt controllers that transfer non-sensitive data to destinations where it will be similarly protected; a whitelist of such destinations is expected to be published. Exemptions may also be granted for transfers to which the data subject has consented in advance. It is not yet clear whether the governing authority's permission will be required for each of these exempted transfers.

Some industries impose sector-specific data residency requirements

Under the Insurance Market Code of Conduct Regulation, insurance companies are required to store their data in Saudi Arabia. Additionally, taxpayers' books must be kept in Saudi Arabia under the Income Tax Law, and Saudi Arabia's Labor Law requires that certain sensitive documents be maintained in the workplace.

Penalties include imprisonment and heavy fines

A breach of the overseas transfer rules set out in the KSA PDPL carries a criminal penalty of up to one year's imprisonment or a fine of up to 1 million SAR. Any unlawful transfer or disclosure of sensitive personal data carries a criminal penalty of up to two years' imprisonment or a fine of up to 3 million SAR. Any other violation of the PDPL carries a fine of up to 5 million SAR.

Takeaways

The PDPL is still evolving, so it is important to continue monitoring developments in the lead-up to its implementation.

The KSA has released a first draft of the executive regulations, which are expected to clarify how the PDPL will be implemented. More is expected to follow in the months before implementation, especially regarding international data transfers, which remain unclear. The regulations will be an important resource for interpreting the PDPL and are still open for comment and amendment, so organizations operating in the KSA should monitor subsequent drafts.

Unless international data transfers are further streamlined, the PDPL will make it difficult to do business in Saudi Arabia.

In its current form, the PDPL appears to impose a heavy burden on international organizations operating in the KSA, unless one of the established exemptions proves to be widely applicable to them. If none of the exemptions for cross-border data transfers apply, businesses may need to open local data centers and use service providers that process data locally in order to comply with the PDPL.

Organizations operating in the KSA should conduct a full audit of their personal information records to prepare for implementation.

Given the uncertainty about how the PDPL will be implemented, entities should prepare for every possible outcome by taking stock of their current practices. Organizations should know where all of the personal information they hold on Saudi residents is stored and how it is being used, so they can assess how severely the new restrictions will affect their operations.