On 20 November 2022, the Saudi Data and Artificial Intelligence Authority (SDAIA) launched a public consultation on proposed amendements to the Personal Data Protection Law, promulgated by Royal Decree No. M/19, dated 09/02/1443H (“PDPL“), which was orginally published on promulgated on 24 September 2021. You can acces our previous alert on the publication of the PDPL here.
The public consultation will remain open up until 20 December 2022 and all organisations are invited to submit their comments by that date.
The proposed amendments seek to address a number of critical issues in the current version of the PDPL, including:
- the regulatory framework for cross-border personal data transfers and in particular the introduction of the concept of adequacy;
- the introduction of a further legal basis on which organisations can rely on for the processing of personal data (i.e., a similar concept to the controller’s legitimate interest for processing is introduced);
- the introduction of a right for data subjects to data portability; and
- clarification of the statutory threshold that must be met to trigger the need to notify a data breach to the Saudi regulator.
These amendments appear to be inteded to align the PDPL more closely with the European General Data Protection Regulation (GDPR) and, if adopted, will represent a welcome development for organisations operating in the Kingdom of Saudi Arabia or whose operations are otherwise impacted by the PDPL. However, there remain some key differences, including the fact that its requirements are focused almost entirely on the obligations of controllers (similar to the predecessor to the GDPR, European Directive 95/46 EC).