How the Middle East is catching up

The Middle East is fast catching up with Europe when it comes to data protection law. The Kingdom of Saudi Arabia (KSA) has enacted its first comprehensive national data protection law to regulate the processing of personal data. This important development will be of interest to lawyers advising businesses that have an interest in the Middle East. It also opens up business development opportunities for those specialising in data protection law, as the new law is closely aligned with the EU General Data Protection Regulation (GDPR) and the UK GDPR.

The KSA Personal Data Protection Law (PDPL) was passed by Royal Decree M/19 of 9/2/1443H on 16 September 2021, approving Resolution No. 98 dated 7/2/1443H (14 September 2021). The Executive Regulations are expected to be published soon and will give more details about the new law. It will be effective from 23 March 2022 following which there will be a one-year implementation period.

Enforcement

PDPL will initially be enforced by the Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA).The Executive Regulations will set out the administrate penalties that can be imposed on organisations for breaches. Expect large fines for non-compliance alongside other sanctions. The fines could mirror the GDPR; up to €20m or 4% of gross annual turnover, whichever is higher. PDPL also contains criminal offences which carry a term of imprisonment of up to two years and/or a fine of up to 3m Saudi Royals (about £566,000). Affected parties may also be able to claim compensation.

Territorial scope

PDPL applies to all organisations that are processing personal data in the KSA irrespective of whether the data relates to data subjects living in the KSA. It also has an ‘extra-territorial’ reach by applying to organisations based abroad who are processing personal data of data subjects resident in the KSA. Interestingly, unlike other data protection laws in the Middle East, PDPL does not exempt government authorities from its application, although there are various exemptions from certain obligations where the data processing relates to national security, crime detection, statutory purposes and so on.

Notable provisions

PDPL mirrors GDPR’s underlying principles of transparency and accountability and empowers data subjects by giving them rights in relation to their personal data. The notable provisions are set out below, although the precise detail will be included in the forthcoming Executive Regulations.

• Personal data – PDPL applies to the processing of personal data which is defined very broadly to include any data which identifies a living individual. However, unlike GDPR, Article 2 of PDPL includes within its scope the data of a deceased person if it identifies them or a family member.
• Registration – Article 23 requires data controllers (organisations that collect personal data and determine the purpose for which it is used and the method of processing) to register on an electronic portal that will form a national record of controllers.
• Lawful bases – Like the UAE Federal DP law, PDPL makes consent the primary legal basis for processing personal data. There are exceptions including, among others, if the processing achieves a ‘definite interest’ of the data subject and it is impossible or difficult to contact the data subject.
• Rights – Data subjects are granted various rights in Articles 4, 5 and 7 of the PDPL which will be familiar to GDPR practitioners. These include the right to information (similar to Article 13 of GDPR), rectification, erasure and subject access. All of these rights are subject to similar exemptions found in Article 23 of GDPR.
• Impact assessments – Article 22 requires (what GDPR practitioners call) ‘DPIAs’ to be undertaken in relation to any new high-risk data processing operations. This will involve assessing the impact of the processing on the risks to the rights of data subjects, especially their privacy and confidentiality.
• Breach notification – Article 20 requires organisations to notify the regulator, as well as data subjects, if they suffer a personal data breach which compromises data subjects’ confidentiality, security or privacy. The timeframe for notifying will be set by the Executive Regulations.
• Records management – Organisations will have to demonstrate compliance with PDPL by keeping records. There is a specific requirement in Article 3 to keep records similar to a Record of Processing Activities (ROPA) under GDPR.
• International transfers – Like other data protection regimes, PDPL imposes limitations on the international transfer of personal data outside the KSA. There are exceptions; further details will be set out in the Executive Regulations.
• Data protection officers – Organisations (both controllers and processors) will need to appoint at least one officer to be responsible for compliance with PDPL. The DPO can be an employee or an independent service provider and does not need to be located in the KSA.
• Employee seminars – After 23 March 2022, data controllers will be required to hold seminars for their employees to familiarise them with the new law.

Organisations operating in the KSA, as well as those processing the personal data of KSA residents, need to assess the impact of PDPL on their data processing activities. Work needs to start now to implement systems and processes to ensure compliance. Failure to do so will not just lead to enforcement action but also reputational damage.

Ibrahim Hasan is a solicitor and director of Act Now Training