Following the global trend of codifying data protection rules, the Kingdom of Saudi Arabia (“KSA”) has published the Personal Data Protection Law (“PDPL”) which is KSA’s first national general data protection law. The PDPL builds upon KSA’s existing sectoral framework for data governance and protection, which touches the telecommunications and cloud computing, e-commerce, IoT, finance and government sectors. Much of the PDPL will be recognisable to those familiar with the European General Data Protection Regulation (“GDPR”). For example, the PDPL uses GDPR-inspired terminology such as “personal data”, “processing”, “controlling entity” and “processing entity”. However, important nuances exist between the PDPL and GDPR and we advise all businesses to start getting their compliance house in order to avoid the sanctions, including potential criminal prosecution and fines, introduced by the PDPL. Businesses have been given a grace period of one year from the effective date of the PDPL (23 March 2022) to get compliant. This means enforcement will commence on 23 March 2023. One learning from the GDPR, however, was that data compliance programmes in large organisations which are left late in the day are rarely completed on time.
It is important to note that the law anticipates further implementing regulations to be published in advance of the effective date, so this article is based on the law as written in the absence of such regulations. The regulations may provide further clarity or nuance which impacts the analysis slightly. Nevertheless, in the absence of the regulations, the framework for data protection is still clear.
The authority responsible for overseeing and enforcing the PDPL will be the Saudi Data and Artificial Intelligence Authority (“SDAIA”) for the initial two years of the law. The PDPL anticipates that responsibility will be transferred to the National Data Management Office (“NDMO”) in due course, but does not commit to this happening. In this article we refer to whichever happens to be the competent authority generically as, the “Authority”.
This article sets out some similarities and differences between GDPR and the PDPL. It does not comprehensively cover every aspect of the PDPL. One clear similarity between the laws is that they impose compliance obligations which are not necessarily easy, cost-free or quick to comply with and if large organisations are to successfully implement the requirements of the law then they will need to ensure that they do not just rely on their legal team, but rather obtain buy-in from a range of business functions and ensure board-level support is provided.
Similarities to GDPR
Data Protection Rights: The PDPL confers new data rights on data owners similar to those contained under GDPR. These rights include the right to be informed about how personal data are processed, obtain access to personal data and the right to request correction and deletion of personal data.
Data Protection Principles: Similar to Article 5 of the GDPR, the PDPL introduces data protection principles for controlling entities to follow. For example, personal data must be appropriate and limited to what is necessary to achieve the processing purpose.
Legal Basis: As with GDPR, personal data can only be processed where there is a lawful basis to do so. However, the potential legal bases under the PDPL appear to be more narrow than GDPR (there is no “controller’s legitimate interest” basis, for example, in PDPL).
Extra-territoriality: Like GDPR, PDPL recognises that entities outside the territory in question may process personal data related to data subjects within the territory. The extra-territoriality provisions of PDPL are arguably broader reaching than those in GDPR, although routes to enforcement against overseas businesses are not clear.
Breach notification: The Authority must be notified of data breaches. Unlike GDPR, this must be done immediately and there is no qualitative threshold in relation to the seriousness of the breach. The implementing regulations will define in what circumstances data subjects will need to be notified of the breach.
Differences from GDPR
No “directing services” or “monitoring” test for foreign business
The PDPL applies to any entity located outside of KSA who is processing the personal data of individuals residing in KSA. No particular quantitative threshold or qualitative tests are set out. This is a broader territorial scope than the GDPR which only applies to non-EU established entities who are engaged in targeting, offering goods or services to or monitoring EU individuals.
One slightly alarmist response to GDPR by certain non-European businesses was to implement measures to restrict European customers or restrict access to websites from European IP addresses. Reading the PDPL literally, this approach would be the only way a non-KSA online business could avoid being considered to be subject to the PDPL and it is unclear how, for example, a cloud hyperscale business could ever satisfy itself that it is not processing some personal data related to individuals residing in KSA. A similar approach was taken in the KSA E-Commerce law. We are aware of the E-Commerce law being enforced domestically, but not against overseas businesses.
In practice, we assume that incidental or very limited processing of personal data of KSA residents by non-KSA businesses is not of particular interest to the authorities and that the territoriality test is included to prevent businesses from simply finding ways to “offshore” their compliance obligations. Nevertheless, further clarity in the implementing regulations or regulatory guidance on this point would be very welcome.
Consent as a go-to basis for lawful processing
With very limited exceptions, personal data cannot be processed, or the purpose of the processing be changed, without the consent of the data owner. Data owner consent is not required where the processing:
achieves a definite or certain interest for the data owner and it is impossible or difficult to contact them;
is required by law or in application of a prior agreement to which the data owner is a party [we interpret this latter condition to be akin to the “performance of a contract” basis under GDPR]; or
is done by a public entity and such processing is required for security purposes or to meet judicial requirements [the corollary of this is that the public sector is, generally, subject to the law, and by implication this would include agencies such as the police, unless the processing is being conducted for security or judicial purposes; the implementing regulations might provide further guidance on any exemptions available to public bodies].
In most day-to-day business operations, the two bases that appear to be available can therefore be summarised as:
For any pre-contractual processing or processing which is not in application of an agreement with the data subject, consent will therefore be the go-to. It will be very important for businesses to consider what processing activities they undertake which will require consent and consider how to implement a process for obtaining consent.
Other than the general basis of “required by law” (which might apply to data which needs to be processed for visa applications, mandatory health insurance and so on) there are no specific exceptions available in relation to the processing of personal data in the context of an employment relationship. This implies that employee consent is required for any non-legally mandated or non-contractual processing of personal data; this could be quite problematic in practice (for example, if some employees refuse to consent to the use of a third party processor and such processing is not strictly necessary for the performance of the employment contract – even if the purpose of processing is necessary, perhaps such processing could be done in-house, for example). Conceptually, there is a gap here between the PDPL and the GDPR; jurisprudence and supervisory body guidance related to GDPR confirms that an employee cannot freely give consent to his or her employer and that consent is not a suitable basis for processing personal data under such a relationship.
One route out of the difficulty may be if the phrase “in application of a prior agreement” is intended to have a much broader scope for interpretation than the GDPR equivalent of “necessary” to perform an agreement. What is necessary is often quite limited, but it may be that the concept of “application” is intended to provide the controller with more discretion to rely on this legal basis in order to implement processing which is not strictly necessary to achieve contractual performance, but which is consistent with the purpose of the contract.
It will be interesting to see if the implementing regulations provide further guidance to employers and further guidance as to how “in application of a prior agreement” is to be understood. If not, it may be that employers need to build robust consent mechanisms into their onboarding processes, although whether such consents will meet the requirements for consent that the implementing regulations are due to define is also not yet clear.
With little option in many circumstances but to use consent, controlling entities should be aware that the PDPL sets conditions for valid consent similar to those contained in the GDPR. Those using consent as a legal basis for processing in the KSA will have to ensure consent can be withdrawn and consent is not a condition for the provision of a service or benefit (unless the service or benefit is related to the processing of personal data for which the consent is issued).
The law states that the implementing regulations will set out the conditions for valid consent and whether there are any conditions to the data owner right to withdraw consent.
Limited ability to transfer or disclose personal data outside of KSA
The PDPL, in Article 29, prohibits the transfer or disclosure of personal data outside of KSA except in very limited circumstances. These limited circumstances include where the transfer or disclosure is:
absolutely necessary to preserve the life or vital interest of the data owner outside KSA or to prevent, diagnose or treat infections; or
in implementation of an obligation under a convention to which KSA is party, or for serving the best interest of KSA; or
for other purposes that may be determined by the implementing regulations.
It seems that only the third of the above routes will be available in day-to-day business operations, so businesses which use overseas processors (such as certain cloud service providers) will need to watch for the implementing regulations with interest.
Even where one of the circumstances applies, there are further provisos that must be satisfied which are:
the transfer does not affect the national security or vital interests of KSA;
sufficient guarantees for protection and confidentiality of the personal data must be provided to at least the standard required by the PDPL and the implementing regulations;
the transfer must be restricted to the minimum personal data required;
the Authority must approve the transfer, according to the implementing regulations.
The PDPL goes on to say that controllers who can demonstrate that an acceptable level of protection for personal data will be achieved may be granted exemptions to the basic prohibition on transfer. This seems conceptually similar to the GDPR’s binding corporate rules mechanism for data transfer, which permit cross-border intra-group transfers, where regulatory approval has been obtained.
Infringement of Article 29 is a criminal offence. Given this, and given that the exceptions permitting data transfer are presently very limited and require a number of conditions to be satisfied, KSA businesses looking to procure third-party services will need to ensure they ask their suppliers for details of where personal data processing will take place (this could include where servers are based, where support staff are based, where subcontractors are operating). Existing arrangements will also need to be reviewed to see if they are compliant, including insuring that appropriate safeguards in place, if they are to survive the end of the implementation period, post-March 2023.
Records of processing activities must be uploaded to electronic portal of the Authority
Similar to the GDPR, controlling entities will have to register with, and pay a fee to, the Authority. However, in stark contrast to the GDPR, controlling entities under the PDPL are required to upload their record of data processing activities and other necessary documents or information related to the processing of personal data to an electronic portal maintained by the Authority. It would make sense for a form of processing record to be prescribed by the Authority for such purposes, otherwise the uploaded information will come in a variety of not-easily readable formats.
No customer exception rule for marketing
[Technically not a “GDPR” point….]
Controlling entities require the data owner’s consent to send or e-mail promotional or awareness materials. Those familiar with the ePrivacy Directive framework in Europe (which governs sending of direct electronic marketing material) will note that there is no “customer exception rule” under the PDPL which negates the need for consent where the marketed product or service is similar to that previously purchased by the customer. Businesses would do well to remember this in developing their marketing strategy for KSA and will need to ensure that appropriate consents are built into their data ingestion processes for customers and prospective customers.
Sensitive personal data may not be processed for marketing purposes. Under the PDPL, “sensitive” data is data which refers to ethnic or tribal origin, religious, intellectual or political beliefs, membership of societies or non-governmental organisations, criminal record, biometric data, genetic data, credit data, health data, location data and data that reveal that the person has unknown parents. The prohibition on use of location data for marketing purposes would seem to render unlawful the use of marketing push notifications by location-enabled apps.
Need to obtain a licence or appoint licensed representative
Article 33 of the PDPL provides that the Authority shall be responsible for issuing licences to commercial, professional or non-profit businesses under the PDPL, however it does not expressly state what, if any, additional licences a business will need to obtain in order to process personal data.
Similar to the requirement under GDPR for non-European established businesses which are subject to GDPR to appoint a representative in the union, non-KSA based data processing entities which process personal data related to individuals residing in KSA will have to appoint a representative in KSA, licensed by the Authority, to carry out its obligations under the law. Given that representatives will need to be licensed for this purpose, the status and function of the representative may be more closely regulated and scrutinised than under GDPR.
Importantly, the Council of Ministers resolution which promulgates the PDPL allows the Authority to delay the implementation of Article 33 for up to five years, so it is possible that we will have to wait some time yet to see how this licensing regime develops.
Data protection officer
Perhaps surprisingly, the PDPL does not require that organisations appoint anyone to a role of data protection officer, or analogous position.
Criminal sanctions for non-compliance
Along with introducing fines of up to SAR 3m (approx. GBP 590,000) for disclosure or publication of sensitive data in breach of PDPL and of up to SAR 1m (approx. GBP 200,000) for breaches of data transfer rules, offenders under the PDPL can be criminally prosecuted for a prison term not exceeding 2 years where sensitive data is disclosed or published contrary to the PDPL. The PDPL also introduces a general fine of SAR 5m (approx. GBP 1,000,000) for any violation of the PDPL.
There are lots of conceptual similarities but lots of practical differences. A “copy paste” of a GDPR data protection framework will be better than no action, but will still leave serious compliance gaps, including in relation to provisions of the PDPL which carry criminal sanction.
All businesses should start planning for an implementation programme sooner rather than later and ensure that appropriate resource is earmarked to manage and deliver the programme.
CMS is privileged to advise a huge number of businesses, globally, on data protection compliance programmes and would be very happy to discuss the PDPL further with any interested business.