On 10 March 2022, the National Data Management Office (NDMO) published for consultation a draft of the executive regulations (“Regulations“) to the Personal Data Protection Law, promulgated by Royal Decree No. M/19, dated 09/02/1443H (PDPL). You can access our previous alert on the publication of the Law here. You can access the consultation and a full draft of the Regulations here. The consultation invites comments on the Regulations and will close on 25 March 2022. The timing suggests that the publication of the final version of the Regulations is likely to occur later than the previously advised date of 23 March 2022. 

The Regulations seek to address a number of critical matters that were not detailed in the PDPL. The requirements demand detailed review, but we have sought to highlight some of our initial key takeaways below.

Cross border personal data transfers 

The Regulations reiterate the default position under the PDPL that personal data should be stored and processed in the Kingdom. In addition to the exemptions to this requirement set out in the PDPL, the Regulations provide two further exemptions; namely:

  1. The data subject has given consent that satisfies the requirements of the PDPL and where the transfer is for the purpose of providing services to them directly.
  2. For public interest purposes.

Unless the transfer falls within one of these exceptions or one of the exceptions in the PDPL, the controller must apply to the competent authority for approval to transfer personal data outside of the Kingdom. The application for approval must be made at least 30 days before the transfer and the regulator will initially have 30 days to review the application and may extend this period at their discretion. Where it is not possible to seek consent directly from data subjects, these time periods have the potential to significantly impact the ability of controllers to implement operational changes quickly and the speed with which they can roll out new products and services. Until the practice becomes more established, it also introduces a significant degree of doubt as to whether or not the export of personal data or cross-border processing will be approved. The request for approval will be assessed on a case-by-case basis.

The Regulations confirm that the competent authority intends to publish a list of adequate jurisdictions. However, it is unclear at present to what degree this will simplify an organization’s ability to export personal data to that jurisdiction. At present, our understanding is that the approval of the competent authority, as detailed above, would still be required. However, this may be clarified in the implementation framework.

For those countries not on the adequacy list, the controller must both conduct a privacy impact assessment and implement additional safeguards. The additional safeguards include:

  1. The adoption of standard contract clauses, approved by the competent authority.
  2. The adoption of binding corporate rules, approved by the competent authority.
  3. Compliance with a code of conduct approved by a sector regulator or the competent authority.
  4. Accreditation by an independent third party (i.e., that the safeguards put in place are appropriate).

Additional options exist for public sector entities.

Consent

The Regulations introduce two standards for consent, express and implied. Explicit consent must be documented in a manner that can be proven in the future and consent can be implied if it is not possible to obtain explicit consent and provided the data subject has been informed of the processing. In each case, the data subject must clearly and unambiguously affirm that they consent to the processing. However, consent to process sensitive data must be obtained in writing.

Data security standards

Controllers are required to adhere to the controls, standards and guidelines and other requirements mandated by the Kingdom’s National Cybersecurity Authority. However, for companies located overseas, it is sufficient to reflect international cybersecurity best practices in their processes and procedures.

Data breach notification

The controller must notify the regulator promptly of any data breach, and in any case, within 72 hours. Notably, the Regulations prescribe that a fairly detailed notification must be provided at this point, including a description of the actual or potential risks it poses and the categories and numbers of data subjects affected. In many cases, this information will not be known within the initial 72 hour period and the Regulations acknowledge that in such cases, it is acceptable to provide this information at a later date, once it is available.

Thankfully, the Regulations introduce a threshold test for notifying data subjects of a breach, namely where the impact on the data subject is “significantly high”. This is a helpful clarification to the wording in the PDPL, a prima facie reading of which suggested that the data subject would need to be notified in all cases.

The Regulations further detail that the notification threshold will be met if the breach results in ”serious damage (physical or moral) that is difficult to rectify or repair in the short term” and ”may extend further to the family or relatives of the data subject or extent [sic] further to a certain group of the society”. Specific examples provided, among others, include bodily harm such as stalking and assault due to location data of a data subject being leaked and economic or financial damage such as property loss or unexpected financial loss in the case of credit card data.

Additional requirements applicable to the processing of health data

The Regulations detail additional measures that controllers must take when processing health data. These include abiding by the policies and requirements implemented by the Saudi Ministry of Health and the Saudi Health Council and reflecting the requirements of the PDPL, the Regulations and all other application requirements into their employee codes of conduct. The applicable requirements must also be incorporated in contracts with data processors.

If you would like any assistance in responding to the consultation on the Regulations or any data and technology related matters, or issues generally, please feel free to contact Kellie Blyth and Zahi Younes.

Author

Kellie is a Counsel based in Baker McKenzie Habib Al Mulla's Dubai office. An experienced technology and privacy lawyer, her main focus is advising private sector clients on their strategic IT projects. She also advises clients how to develop, commercialise and implement digital and technology solutions whilst managing legal and regulatory risk.

Author

Abdulrahman has 16 years of litigation and commercial experience. He represents clients at the Sharia Courts, the Board of Grievance, the SAMA Committee, Labor Committee, Committee for Negotiable Instruments and all other courts and tribunals. He has extensive arbitration experience, both as an arbitrator and also representing clients in arbitration proceedings.

Author

Zahi specialises in the areas of cross-border and domestic mergers and acquisitions, divestitures, international and domestic joint ventures, global corporate reorganizations, securities and capital markets. He also has a focus on the Telecommunications and Information Technology, Healthcare and Pharmaceutical and Retail and Consumer Goods sectors. Zahi has 21 years of experience in the Middle East.

Author

Yousef joined Legal Advisors in 2020 and is actively involved in advising both Saudi Arabian and foreign clients on a wide range of corporate and commercial transactions, litigation, general matters and advisory work including M&A issues.