New Saudi data protection regime takes effect

Amendments to the Personal Data Protection Law (PDPL) were finalised earlier this year, but the provisions only began to apply on 14 September 2023. Implementing regulations, which provide the detail behind some of the new requirements, were issued on 6 September 2023. The PDPL applies to the processing of personal data taking place in the Kingdom including processing undertaken by foreign businesses in relation to individuals residing in the Kingdom – so, in this sense, also has an extraterritorial effect.

Data controllers have a one-year ‘grace’ period, until 14 September 2024, to align their processing activities with the requirements of the PDPL and its implementing regulations. Once this period expires the Saudi Data and Artificial Intelligence Authority (SDAIA) is expected to actively monitor and enforce compliance.

While consent-based data processing was the focus of the previous legislation, businesses operating in Saudi Arabia now have scope to process personal data if it is necessary to achieve their ‘legitimate interests’ – unless doing so prejudices or conflicts with the rights or interests of the data subject, and provided the data is not classed as ‘sensitive data’, such as health data, or information that concerns an individual’s ethnicity or religious or political beliefs.

The implementing regulations define ‘legitimate interests’ as “any necessary interest of the controller that requires the processing of personal data for a specific purpose, provided it does not adversely affect the rights and interests of the data subject”.

The regulations provide for legitimate interests-based processing where controllers are able to satisfy a number of conditions. Those conditions include that the purpose of the processing does not violate Saudi law; that the data concerned is not ‘sensitive’ data; that the controller carries out a test to ensure the balance of interests is in its favour; and that the proposed processing is “within the reasonable expectations of the data subject”.

The regulations set out a series of assessment and record-keeping obligations relating to the balancing test. Among other things, these require controllers to check their purpose is legitimate and compliant; verify the processing is necessary; and evaluate the harm it may cause to data subjects – and whether and how those harms can be mitigated.

The regulations cite two specific, but non-exhaustive, examples of ‘legitimate interests’ that may drive personal data processing by businesses – the disclosure of fraud operations, and the protection of network and information security. Other industry standard legitimate interests adopted by businesses globally are expected to be acceptable under the new Saudi data protection regime as long as they fulfil the prescribed requirements.

For businesses processing personal data, ‘legitimate interests’ is the most flexible lawful basis to rely on for their processing activities, however, businesses should consider that it will not always be the most appropriate lawful basis. When relying on legitimate interests for processing, businesses are taking on the additional responsibility of considering and protecting the rights and interests of data subjects.

The new rules also set out the circumstances in which businesses can export personal data outside of Saudi Arabia. Those ‘data transfer’ rules are like those provided for under the EU’s General Data Protection Regulation (EU GDPR).

For example, the regulations empower the Saudi authorities to designate other jurisdictions as suitable places for businesses to transfer personal data to under a procedure that provides for those authorities to evaluate the level of protection for personal data in those other geographies and determine whether it is ‘adequate’ – in a similar way as the European Commission is empowered to do under the EU GDPR. A list of jurisdictions considered ‘adequate’ under the Saudi data protection regime has not yet published so far.

The rules, however, also provide for data transfers outside the scope of so-called ‘adequacy decisions. ‘Appropriate safeguards’ that businesses may be able to put in place to underpin data transfer arrangements and ensure their compliance include standard contractual clauses issued by the Saudi authorities or ‘binding common rules’ approved by those authorities. The new rules also provide scope for the development of new certification schemes and codes of conduct to facilitate international data transfers. Further rules provide exceptions to the requirements for ‘appropriate safeguards’ – and also stipulate where the exceptions will not be granted – in respect of data transfers.

Businesses are expected to undertake data transfer risk assessments in relation to their data transfer arrangements, under the new rules. Risk assessment will be required where transfers are being undertaken based on appropriate safeguards; in cases where the transfers are allowed without the need for appropriate safeguards; or where there is continuous or large-scale transfer of sensitive data outside the Kingdom.

Some overarching requirements, over and above the transfer-related considerations, must be met before a business can transfer data to jurisdictions considered ’adequate‘; where adopting appropriate safeguards where jurisdictions are not considered ’adequate’; or otherwise when transferring based on the exceptions to appropriate safeguards. Most importantly, data can only be transferred where the purpose of the transfer falls within one of the permitted purposes prescribed under the PDPL and its implementing regulations. The most relevant of these for businesses conducting data transfers in the context of normal business processing activities include where the transfer results in providing a service or benefit to the data subject; or where the transfer is related to conducting processing operations that enable the controller to carry out its activities including central management.

Also included in the new implementing regulations are provisions specifying when Saudi businesses are expected to appoint a data protection officer, what they need to do in respect of reporting personal data breaches, and what their record-keeping duties are in relation to personal data processing.