On 20 November 2022, the Saudi Data and Artificial Intelligence Authority (SDAIA) launched a public consultation on proposed amendments to the Personal Data Protection Law, promulgated by Royal Decree No. M/19, dated 09/02/1443H (“PDPL”), which was originally published on 24 September 2021. You can access our previous alert on the publication of the PDPL here.
The public consultation will remain open up until 20 December 2022 and all organisations are invited to submit their comments by that date.
The proposed amendments seek to address a number of critical issues in the current version of the PDPL, including:
- the regulatory framework for cross-border personal data transfers and in particular the introduction of the concept of adequacy;
- the introduction of a further legal basis on which organisations can rely for the processing of personal data (i.e., a similar concept to the controller’s legitimate interest for processing is introduced);
- the introduction of a right for data subjects to data portability; and
- clarification of the statutory threshold that must be met to trigger the need to notify a data breach to the Saudi regulator.
These amendments appear to be intended to align the PDPL more closely with the European General Data Protection Regulation (GDPR) and, if adopted, will represent a welcome development for organisations operating in the Kingdom of Saudi Arabia or whose operations are otherwise impacted by the PDPL. However, there remain some key differences, including the fact that its requirements are focused almost entirely on the obligations of controllers (similar to the predecessor to the GDPR, European Directive 95/46 EC).
Abdulrahman AlAjlan has 16 years of litigation and commercial experience in Saudi Arabia. He represents clients at the Sharia Courts, the Board of Grievance, the SAMA Committee, Labor Committee, Committee for Negotiable Instruments and all other courts and tribunals. Abdulrahman has extensive arbitration experience, both as an arbitrator and also representing clients in arbitration proceedings.
Zahi Younes has 21 years of experience in the Middle East, specializing in the areas of cross-border and domestic mergers and acquisitions, divestitures, international and domestic joint ventures, global corporate reorganizations, securities and capital markets. He also has a focus on the Telecommunications and Information Technology, Healthcare and Pharmaceuticals, and Retail and Consumer Goods sectors.
Yousef joined Legal Advisors Abdulaziz Alajlan & Partners in 2020. He is actively involved in advising both Saudi Arabian and foreign clients on a wide range of corporate and commercial transactions, litigation, general matters and advisory work including M&A issues.
Kellie Blyth is a partner based in Baker McKenzie's Dubai office. An experienced technology and privacy lawyer, she has been advising multi-national businesses and public institutions in the UAE and Saudi Arabia since 2012. Kellie's main focus is advising private sector clients on their strategic IT projects and on their information compliance. She also advises clients how to develop, commercialise and implement digital and technology solutions whilst managing regulatory risks. Kellie acts as a trusted advisor to some of the world's best known and most innovative technology companies.
Lucrezia is an associate based in the Dubai office of Baker McKenzie. Lucrezia advises on technology and privacy matters for clients, including national and multinational businesses, based in the UAE and all free zones. Lucrezia's main focus is advising private sector clients on their IT projects facing regulatory and compliance issues. She also provides support on drafting, negotiating, and executing technology agreements concerning the implementation of digital and technology solutions, focusing on data protection law.
Maher Ghalloussi is a junior associate in the Firm's Dubai office. Maher advises on technology and privacy matters for clients, including national and multinational businesses and global providers of ICT services. Maher also provides support on drafting, negotiating, and executing technology agreements concerning the implementation of digital and technology solutions, focusing on data protection law.