The Saudi Authority for Data and Artificial Intelligence (SDAIA) has opened a public consultation on proposed amendments to the Personal Data Protection Law, which received Royal Decree in September 2021 and became effective in March 2022.
Many minor tweaks have been proposed, but there are also several significant prospective changes that are particularly relevant to international businesses, according to Middle East data protection expert Martin Hayward of Pinsent Masons.
“There are significant additions in relation to legitimate interests and overseas data transfers, for example. Overall, these changes would be helpful to international businesses in Saudi Arabia,” said Hayward.
The restrictions on overseas data transfers would be relaxed under the proposed amendments. At present, transferring personal data outside Saudi Arabia, or disclosing such data to a party outside the country, is only permitted in very limited circumstances and subject to conditions, such as where the transfer implements an obligation under a convention to which Saudi Arabia is a party, or serves the interests of Saudi Arabia. The clause also gives the competent authority the discretion to grant exemptions on a case-by-case basis.
In comparison, the proposed amended version sets out a widened range of circumstances under which the data controller may transfer personal data overseas or disclose data to an entity outside Saudi Arabia, provided the transfer will not adversely affect the national security or vital interests of the nation.
For instance, a data controller in Saudi Arabia would be permitted to transfer personal data to jurisdictions such as the UK or the EU, as those jurisdictions would be considered to have regulations that ensure appropriate protection of personal data and of data subjects’ rights, with standards of protection not lower than those in Saudi Arabia. Additionally, a breach of the overseas data transfers provision would no longer attract criminal penalties.
Other proposed new clauses would better enable businesses to process personal data on the basis of their lawful interests, provided that the personal data concerned is not sensitive and the data subject’s rights and interests are not prejudiced. For example, consent from the data subject is currently required to process their personal data or to change the purpose of processing; the new proposals would exempt the controller from the consent requirement where the processing is necessary to achieve a lawful interest of the controller or any other party.
Similarly, other proposed new provisions would allow a data controller to collect personal data from a person other than the data subject or process personal data for a purpose other than that for which the personal data is collected if it is necessary to achieve the lawful interests of the controller or any other party. In addition, the draft new legislation provides scope for controllers to disclose personal data if the disclosure is necessary to achieve a lawful interest.
Another proposed change aims to enhance the protection of the data subject’s rights. Under the existing data protection regime in Saudi Arabia, a person can only request the destruction of his or her personal data held by the data controller when the personal data is no longer needed. Under the proposed amendments, the person would be able to make such a request at any time. Data controllers would need processes in place to manage any such request.
There is greater clarity around when the data controller would be required to give notice of leakage of, damage to, or illegal access to personal data. Under the proposal, notification would be required where the leakage, damage or access is capable of causing harm to the data subject or to the rights or interests of the data subject. More details are to be provided in the implementing regulations, once issued, and by SDAIA.
The amendments would also ease the broad requirement for data controllers to appoint or designate one or more employees to be responsible for implementing the law. It is proposed that the implementing regulations will set out the cases in which a data controller is required to appoint a data protection officer.
Stricter conditions on data processing for marketing purposes are also under consideration. A new clause has been proposed to require marketers to provide a clear mechanism through which the target recipient can request that processing of their personal data for marketing purposes be stopped whenever they decide to withdraw their consent.
Another new obligation envisaged would require data controllers to keep records of the personal data processing operations, in addition to the record keeping requirements already set out in the law, and to set rules to restrict access to the personal data.
The proposed amendments also remove the requirement that businesses based outside of Saudi Arabia but processing the personal data of people within the country appoint a local representative to act on their behalf. The current law requires such a representative to be appointed by entities outside of the country and for those representatives to be licensed by the regulator to perform the legal obligations arising in relation to the processing of personal data related to individuals residing in the Kingdom.
The powers of the competent authority would also be expanded under the proposed new legislation. Proposed new powers include seeking assistance from other authorities in supervising compliance with the data protection law, cooperating with international counterparts in cases that require cross-border supervision, and taking enforcement action such as detecting and inspecting activities suspected of breaching the law.
The SDAIA’s public consultation on the proposed amendments is open until 20 December 2022.