On 20 November 2022, the Saudi Data and Artificial Intelligence Authority (SDAIA) launched a public consultation on proposed amendments to the Personal Data Protection Law, promulgated by Royal Decree No. M/19, dated 09/02/1443H (PDPL), which was originally published on 24 September 2021. You can access our previous alert on the publication of the PDPL here.
The public consultation will remain open up until 20 December 2022 and all organizations are invited to submit their comments by that date.
The proposed amendments seek to address a number of critical issues in the current version of the PDPL, including:
- The regulatory framework for cross-border personal data transfers and in particular the introduction of the concept of adequacy.
- The introduction of a further legal basis on which organizations can rely on for the processing of personal data (i.e., a similar concept to the controller’s legitimate interest for processing is introduced).
- The introduction of a right for data subjects to data portability.
- Clarification of the statutory threshold that must be met to trigger the need to notify a data breach to the Saudi regulator.
These amendments appear to be intended to align the PDPL more closely with the European General Data Protection Regulation (GDPR) and, if adopted, will represent a welcome development for organizations operating in the Kingdom of Saudi Arabia or whose operations are otherwise impacted by the PDPL. However, there remain some key differences, including the fact that its requirements are focused almost entirely on the obligations of controllers (similar to the predecessor to the GDPR, European Directive 95/46 EC).
* Content prepared by Legal Advisors in association with Baker & McKenzie Limited.