On 10 March 2022 the National Data Management Office (the “NDMO”) published for consultation a draft of the executive regulations (the “Regulations”) to the Personal Data Protection Law, promulgated by Royal Decree No. M/19, dated 09/02/1443H (the “PDPL”). You can access our previous alert on the publication of the Law here. You can access the consultation and a full draft of the Regulations here. The consultation invites comments on the Regulations and will close on 25 March 2022. The timing suggests that the publication of the final version of the Regulations is likely to occur later than the previously advised date of 23 March 2022.
In more detail
The Regulations seek to address a number of critical matters that were not detailed in the PDPL. The requirements demand detailed review but we have sought to highlight some of our initial key takeaways below.
Cross border personal data transfers
The Regulations reiterate the default position under the PDPL that personal data should be stored and processed in the Kingdom. In addition to the exemptions to this requirement set out in the PDPL, the Regulations provide two further exemptions; namely that:
- the data subject has given consent that satisfies the requirements of the PDPL and where the transfer is for the purpose of providing services to them directly; or
- for public interest purposes.
Unless the transfer falls within one of these exceptions or one of the exceptions in the PDPL, the controller must apply to the competent authority for approval to transfer personal data outside of the Kingdom. The application for approval must be made at least 30 days before the transfer, and the regulator will initially have 30 days to review the application and may extend this period at its discretion. Where it is not possible to seek consent directly from data subjects, these time periods have the potential to significantly impact controllers' ability to implement operational changes quickly and the speed with which they can roll out new products and services. Until the practice becomes more established, it also introduces a significant degree of doubt as to whether or not the export of personal data or cross-border processing will be approved. Requests for approval will be assessed on a case-by-case basis.
The Regulations confirm that the competent authority intends to publish a list of adequate jurisdictions. However, it is unclear at present to what degree this will simplify an organization’s ability to export personal data to that jurisdiction. At present, our understanding is that the approval of the competent authority as detailed above would still be required. However, this may be clarified in the implementation framework.
For those countries not on the adequacy list, the controller must both conduct a privacy impact assessment and implement additional safeguards. The additional safeguards include:
- the adoption of standard contract clauses, approved by the competent authority;
- the adoption of binding corporate rules, approved by the competent authority;
- compliance with a code of conduct approved by a sector regulator or the competent authority; or
- accreditation by an independent third party (i.e., that the safeguards put in place are appropriate).
Additional options exist for public sector entities.
The Regulations introduce two standards for consent, explicit and implied. Explicit consent must be documented in a manner that can be proven in the future, and consent can be implied if it is not possible to obtain explicit consent, provided the data subject has been informed of the processing. In each case, the data subject must clearly and unambiguously affirm that they consent to the processing. However, consent to process sensitive data must be obtained in writing.
Data Security Standards
Controllers are required to adhere to the controls, standards, guidelines and other requirements mandated by the Kingdom’s National Cybersecurity Authority. However, for companies located overseas it is sufficient to reflect international cybersecurity best practice in their processes and procedures.
Data Breach Notification
The controller must notify the regulator promptly of any data breach, and in any case within 72 hours. Notably, the Regulations prescribe that a fairly detailed notification must be provided at this point, including a description of the actual or potential risks it poses and the categories and numbers of data subjects affected. In many cases, this information will not be known within the initial 72-hour period, and the Regulations acknowledge that in such cases it is acceptable to provide this information at a later date, once it is available.
Thankfully, the Regulations introduce a threshold test for notifying data subjects of a breach; namely where the impact on the data subject is “significantly high”. This is a helpful clarification to the wording in the PDPL, a prima facie reading of which suggested that the data subject would need to be notified in all cases.
The Regulations further detail that the notification threshold will be met if the breach results in “serious damage (physical or moral) that is difficult to rectify or repair in the short term” and “may extend further to the family or relatives of the data subject or extent [sic] further to a certain group of the society”. Specific examples provided, among others, include bodily harm such as stalking and assault due to location data of a data subject being leaked, and economic or financial damage such as property loss or unexpected financial loss in the case of credit card data.
Additional Requirements Applicable to the Processing of Health Data
The Regulations detail additional measures that controllers must take when processing health data. These include abiding by the policies and requirements implemented by the Saudi Ministry of Health and the Saudi Health Council, and reflecting the requirements of the PDPL, the Regulations and all other applicable requirements in their employee codes of conduct. The applicable requirements must also be incorporated in contracts with data processors.
If you would like any assistance in responding to the consultation on the Regulations or any data and technology related matters, or issues generally, please feel free to contact Kellie Blyth and Zahi Younes.