In brief

The Personal Data Protection Law (“PDPL“) of Saudi Arabia (“KSA“) was recently amended pursuant to Royal Decree No. M/148, dated 05/09/1444H (corresponding to 27 March 2023G) (“Amended PDPL”). These amendments were preceded by a public consultation launched by the Saudi Data and Artificial Intelligence Authority (“SDAIA“) in late 2022.

The Amended PDPL expands the scope under which Controllers could collect personal data from third parties, and process it for purposes other than that for which it was originally collected. It also provides additional grounds for Controllers to disclose personal data, and introduces an updated regime for personal data transfers outside of KSA.

Key takeaways

The Amended PDPL settled an ongoing uncertainty regarding its date of entry into force, which was most recently set for 17 March 2023G after being postponed from the original date of 23 March 2022G. Article 43 of the Amended PDPL specifies that it will come into force 720 days from the date of the original publication of the PDPL in the Official Gazette (i.e., 24 September 2021G). Thus, the Amended PDPL is expected to enter into force on 14 September 2023G, and its implementing regulations should be published no later than that date.

Controllers (“Controllers“), entities subject to the Amended PDPL, will have a one-year grace period (per the Hijri calendar) from the date of its entry into force (i.e., until 2 September 2024G) to comply with its requirements. Please see the table below for a more detailed overview of the timeline.

The Amended PDPL addresses critical concerns that key stakeholders had with the PDPL, some of which were raised in the public consultation. The Amended PDPL includes, among others, the following changes:

1. a broader regulatory framework for cross-border personal data transfers and, in particular, the introduction of the concept of adequacy. This concept requires a minimum level of adequate safety standards (no less than the national standard) for the transfer of data outside of KSA;
2. the addition of Controllers’ legitimate interests as legal grounds for processing personal data unless the data collected is sensitive, violates the rights of personal data owner, or goes against the data owners’ interests;
3. the removal of the national registry and, by extension, the obligation of Controllers to register in the national registry; and
4. the removal of the requirement on foreign Controllers to appoint a KSA representative to be licensed by the competent authority to perform the Controller’s obligations.

The Amended PDPL is a positive step towards harmonising KSA’s data privacy framework with the European General Data Protection Regulation (“GDPR“). This represents a welcome development for organisations operating within the scope of the Amended PDPL. Nonetheless, there remains to be some material differences between the Amended PDPL and the GDPR. Specifically, the Amended PDPL places more emphasis on the responsibilities of Controllers, much like GDPR’s predecessor (the European Directive 95/46 EC).

Order of events of the KSA PDPL entry into force

We are continuing to closely monitor developments related to the data privacy framework in KSA. Should you require further assistance regarding the Amended PDPL, or any data and technology-related matters, please feel free to contact us.

* * * * *

* Content prepared by Legal Advisors in association with Baker & McKenzie Limited.