The Personal Data Protection Law (“PDPL”) of Saudi Arabia (“KSA”) was recently amended pursuant to Royal Decree No. M/148, dated 05/09/1444H (corresponding to 27 March 2023G) (“Amended PDPL“). These amendments were preceded by a public consultation launched by the Saudi Data and Artificial Intelligence Authority (“SDAIA“) in late 2022.
The Amended PDPL expands the scope under which Controllers could collect personal data from third parties and process it for purposes other than that for which it was originally collected. It also provides additional grounds for Controllers to disclose personal data and introduces an updated regime for personal data transfers outside of KSA.
The Amended PDPL settled an ongoing uncertainty regarding its date of entry into force, which was most recently set for 17 March 2023G after being postponed from the original date of 23 March 2022G. Article 43 of the Amended PDPL specifies that it will come into force 720 days from the date of the original publication of the PDPL in the Official Gazette (i.e., 24 September 2021G). Thus, the Amended PDPL is expected to enter into force on 14 September 2023G, and its implementing regulations should be published no later than that date.
Controllers, entities subject to the Amended PDPL, will have a one-year grace period (per the Hijri calendar) from the date of its entry into force (i.e., until 2 September 2024G) to comply with its requirements. Please see the table below for a more detailed overview of the timeline.
The Amended PDPL addresses critical concerns that key stakeholders had with the PDPL, some of which were raised in the public consultation. The Amended PDPL includes, among others, the following changes:
- A broader regulatory framework for cross-border personal data transfers and, in particular, the introduction of the concept of adequacy. This concept requires a minimum level of adequate safety standards (no less than the national standard) for the transfer of data outside of KSA.
- The addition of Controllers’ legitimate interests as legal grounds for processing personal data unless the data collected is sensitive, violates the rights of personal data owner, or goes against the data owners’ interests
- The removal of the national registry and, by extension, the obligation of Controllers to register in the national registry
- The removal of the requirement on foreign Controllers to appoint a KSA representative to be licensed by the competent authority to perform the Controller’s obligations
The Amended PDPL is a positive step towards harmonising KSA’s data privacy framework with the European General Data Protection Regulation (“GDPR“). This represents a welcome development for organisations operating within the scope of the Amended PDPL. Nonetheless, there remains to be some material differences between the Amended PDPL and the GDPR. Specifically, the Amended PDPL places more emphasis on the responsibilities of Controllers, much like GDPR’s predecessor (the European Directive 95/46 EC).
Order of events of the KSA PDPL entry into force
|16 September 2021G||The PDPL is promulgated by Royal Decree No. M/19 dated 09/02/1443H.||The PDPL stated that it shall enforce 180 days after its publication in the Official Gazette.|
|24 September 2021G||The PDPL is published in Official Gazette.||The effective date of the PDPL was originally set for 23 March 2022G.|
|11 March 2022G||Royal Order No. 51627 dated 18/08/1443H is issued.||The effective date of the PDPL was postponed 540 days after its original publication in the Official Gazette, falling on 17 March 2023G.|
|27 March 2023G||Royal Decree No. M/148 dated 05/09/1444H is issued.||The Amended PDPL states that it shall enter into force 720 days after its original publication in the Official Gazette, falling on 14 September 2023G. Controllers will still have a one Hijri year grace period from the date of entry into force (ending on 02 September 2024G), to comply with its requirements, including its implementing regulations which have not been published yet.|
We are continuing to closely monitor developments related to the data privacy framework in KSA. Should you require further assistance regarding the Amended PDPL, or any data and technology-related matters, please feel free to contact us.