Consultation on Draft Regulations to Saudi Arabia’s Personal Data Protection Law closes 25 March 2022

SDAIA, the Saudi Data & Artificial Intelligence Authority, has just released draft Regulations to the new Personal Data Protection Law, due to come into effect on 23 March 2022. The draft Regulations provide helpful clarity on many aspects of the PDPL, although ambiguity remains on a variety of topics.

Any business likely to be affected by the Law should scrutinise the draft Regulations, and consider making submissions on any areas of concern. Further information on the consultation process is available here:

https://istitlaa.ncc.gov.sa/en/Transportation/NDMO/PDPL/Pages/default.aspx

The draft Regulations contain a number of significant issues, and we have not sought to address them all here. We do, however, make some observations about transfers of personal data outside the Kingdom. Unless well drafted, with practical considerations in mind, the transfer provisions have significant potential to cause issues for international businesses and for businesses that rely on cloud services hosted outside the Kingdom. This topic caused the most concern when the Law was first published in September 2021.

Do the draft Regulations satisfactorily address these concerns? Probably not, but with some adjustments they might work.

In summary, the potentially bureaucratic requirements around regulatory approvals prior to transfers abroad, as well as the question of whether the consent of the data subject negates the need to obtain such approval, would benefit from further scrutiny by SDAIA.

In Art. 28.1, the draft Regulations restate a basic requirement to host and process personal data in the Kingdom – but they also contemplate personal data being transferred outside. Such transfers would be subject to the controller undertaking a privacy impact assessment and obtaining the written approval of the relevant ‘regulatory authority’ (such as an industry sector regulator) having liaised with the ‘competent authority’ (being SDAIA, initially) on a case by case basis.

• Our main concern here is the bureaucratic aspect. If each regulatory authority needs to liaise with SDAIA, and also set up a process by which controllers apply to the regulatory authority for approval, this is unlikely to be efficient in practice. The Law indicates that there will be a registration portal for data controller (presumably operated by SDAIA, as the competent authority); if controllers could obtain general approval simply by mentioning their proposed transfer activities as part of the registration process, then this would seem practical and effective. This approach is not what is indicated in the draft Regulations, and the ambiguity around reference to a ‘case by case’ approach raises further concerns.
• Our recommendation is for SDAIA to reflect on how it anticipates the approval process to roll out at a practical level, and to adjust (i.e. simplify) the requirements of Art. 28.1, accordingly.

In Art. 28.2, the transfer provisions contain a statement that transfers of personal data to recipients outside the Kingdom can occur for public interest purposes (not defined); or where providing services to individuals (not corporates?) and the transfer is subject to the consent of the data subject and not in a manner contrary to what the data subject might expect. Art 28.2 includes reference to Art. 29, which provides for transfers to jurisdictions not assessed as providing an adequate level of data protection. (Art. 30 contemplates SDAIA developing a list of jurisdictions that it considers to provide an adequate level of protection to personal data.) The implication seems to be that, where the recipient is in a jurisdiction assessed as providing adequate protections, then the consent of the data subject will legitimise such transfers.

• One question that arises is whether Art.28.2 (permitting transfers subject to data subject) consent can be read independent of Art. 28.1 (requiring approval of the regulatory authority). Being able to rely on consent alone would be a practical approach, particularly if the approval of the regulatory authority will be as bureaucratic as it appears in the current draft.
• Our recommendation is for SDAIA to clarify whether Art. 28.1 is “subject to” Art.28.2, thus allowing consent-based transfers without needing to obtain approval as contemplated in Art. 28.1. (If Art. 28.1 is streamlined in the manner discussed above, this point may be of less concern.)

As noted above, Art. 30 contemplates SDAIA developing a list of jurisdictions that it considers to provide an adequate level of protection to personal data. For transfers to jurisdictions not assessed as providing an adequate level of protection, and excluding circumstances where the vital interests of the data subject are at stake, Art. 28.3 of the draft regulations contemplate a requirement for controllers to apply to SDAIA, at least 30 days in advance of proposed transfers.  Art. 29 provides further requirements relating to transfers to such jurisdictions, including a requirement for controllers to undertake risk and impact assessments, and to provide appropriate safeguards (such as adoption of standard clauses, BCRs, etc.) .

• Again, the need to apply to SDAIA seems unnecessarily bureaucratic. In other jurisdictions, a permit from an authority might be one option available to a controller (rather than a universal requirement for such transfers), and not required in circumstances where risks have been assessed and appropriate safeguards put in place.
• Our recommendation is for SDAIA to adjust the requirements of Art. 28.3 so that the need to apply to SDAIA for approval is only required where the controller assesses that the risk to the data subject is high and there is uncertainty about whether proposed safeguards are likely to be adequate.

As noted above, the draft Regulations contain a variety of other concerns, and further scrutiny is essential. We will be happy to share further insight on this significant development, and to provide support in the preparation of submissions to the consultation process if required. Please follow our Digital & Data ‘showcase’ page on LinkedIn, and contact email Nick O’Connell directly for any specific support.