Search for:
Author

Maher Ghalloussi

Browsing
Maher Ghalloussi is an associate in the Firm's Dubai office. He is qualified in France and has worked in Paris and Dubai.

On 1 September 2024, the Saudi Data and AI Authority (SDAIA) published the Regulation on Personal Data Transfer Outside the Kingdom (“Data Transfer Regulations”), which amended the previous Transfer Regulations under the Personal Data Protection Law issued by Royal Decree No. (M/19) dated 9/2/1443 AH and amended by Royal Decree No. (M/148) dated 5/9/1444 AH (“PDPL”). SDAIA also published additional information on Standard Contractual Clauses and Binding Common Rules, two of the appropriate safeguards for transferring data outside of the Kingdom, as well as a number of PDPL-related rules and guidelines. A summary of our initial takeaways can be found below.

On 14 September 2023, the Personal Data Protection Law (PDPL) promulgated by Royal Decree No. M/19, dated 09/02/1443H, amended pursuant to Royal Decree No. M/148, dated 05/09/1444H, officially entered into force in the Kingdom of Saudi Arabia. While the PDPL came into force on 14 September 2023, organizations were afforded a further 12 Hijri months’ period from the date of entry into force to bring themselves into compliance with the PDPL (i.e., on or around 2 September 2024). There should have been no enforcement action during the intervening period.

On 13 September 2023, the Communication Space & Technology Commission of Saudi Arabia proposed a draft law on Global Digital Content Safe Harbor. The proposed law is aimed at providing a legal framework for intermediary service providers hosting and transiting global digital content in Saudi Arabia in a way that ensures no objection, deletion or modification of content hosted in and accessible within the Kingdom. If adopted, the effect of the draft law may be significant as it seeks to create a more favorable environment for investment in the Kingdom’s digital economy, and it would align the local legal framework with the international best practices.

On 18 April 2023, the Dubai International Financial Centre (DIFC) launched a 30-day public consultation on the proposed amendments to the Personal Data Protection Regulations to establish additional areas of regulation that would support the strong implementation of the DIFC Data Protection Law No. 5 of 2020. The proposed amendments are aimed at enhancing the current data protection framework in the DIFC and addressing the means for better, safer and more ethical management of personal data processing and operations.

The Personal Data Protection Law of Saudi Arabia (“KSA”) was recently amended pursuant to Royal Decree No. M/148, dated 05/09/1444H (corresponding to 27 March 2023G) (“Amended PDPL”). These amendments were preceded by a public consultation launched by the Saudi Data and Artificial Intelligence Authority in late 2022.
The Amended PDPL expands the scope under which Controllers could collect personal data from third parties, and process it for purposes other than that for which it was originally collected. It also provides additional grounds for Controllers to disclose personal data, and introduces an updated regime for personal data transfers outside of KSA.

On 30 June 2022, the Government of Abu Dhabi Department of Health (DoH) issued Circular No. 147 of 2022 requiring health and pharmaceutical facilities licensed by the DoH (“Licensed Entities”) to obtain a “secure” or “safe” certificate that certifies they operate in full compliance with the requirements of the Abu Dhabi Standard for Health Information Security and Cyber Security Standards (“Standards”). Licensed Entities have until the end of this year (i.e., by 31 December 2022) to complete an audit process to verify their self-certification with the Standards.
The Circular also states that Licensed Entities are urged to apply stricter cybersecurity controls, including to ensure health data is not transmitted outside of the UAE and to discontinue the use of any cloud-based services that store or utilize health data, irrespective of whether that solution is hosted within or outside the UAE.