Saudi Arabia has passed a new Personal Data Protection Law (PDPL), bringing its rules on data collection and use into closer alignment with those of the wider Middle East and with international standards such as the European Union (EU)’s General Data Protection Regulation (GDPR). Coming into effect on March 23, 2022, the new law aims to protect the privacy of sensitive personal data, regulate data sharing by businesses, prevent abuse of personal data, and bring all existing data regulations under the umbrella of the Saudi Data & Artificial Intelligence Authority (SDAIA).
“Personal data” is defined as “any data – of whatever source or form – that would lead to the identification of the individual specifically, or make it possible to identify an individual directly or indirectly, including: name, personal identification number, addresses, contact numbers, license numbers, records, personal property, bank account and credit.”
The PDPL covers key international principles in data handling, including:
- Purpose limitation: data collected for a specific purpose should not be used for a new, unrelated purpose.
- Data minimization: collected data should not be held for further use unless necessary for reasons stated in advance, and only the minimum amount of relevant data for a specific purpose should be collected.
- Data controller obligations: a data controller is “a person, company, or other body that determines the purpose and means of personal data processing,” according to the EU’s GDPR.
- Data subject rights: the subject of collected data has the right to know whether a business or other entity holds their data, and has the right to request and receive a copy of the data and the stated purpose for holding that data.
- Penalties for breach of provisions
The new law’s important requirements and policies are summarized as follows:
- Relevancy: the law applies to the personal data of residents (both citizens and non-citizens) living in Saudi Arabia, regardless of where the data is processed. Data transferred outside of the Kingdom is subject to certain conditions under the new law. Sensitive data, including genetic, health, and financial data is covered by this law, but will also be subject to additional regulations.
- Requirements and restrictions: data controllers must register with SDAIA, pay an annual fee, and report their data processing activities to SDAIA. Consent must be given in writing (except in very limited circumstances) prior to any processing of personal data, and will serve as the primary legal basis for data processing. Any foreign company without a legal presence in the Kingdom that wishes to process the data of Saudi residents must appoint a local, licensed representative to do so. SDAIA has not yet determined when this requirement will come into effect.
- Penalties: breaches, leakages, or other unauthorized access to personal data must be reported “immediately” to SDAIA, as well as to those affected by any data breaches. The law contains criminal penalties, including up to two years’ imprisonment and fines of up to $800,000 (SAR3 million) plus any additional administrative penalties.
The PDPL will be supervised by SDAIA, a recently formed government agency responsible for driving the country’s national data and artificial intelligence (AI) strategy in line with Vision 2030’s goals for digital transformation. SDAIA oversees the transformation of the Saudi government into a data-driven, AI-supported entity that can guide the growing and changing economy with data-informed decisions and digital solutions.
To this end, SDAIA has helped bring over 160 integrated data centers to the country; overseen Riyadh’s ongoing digitalization (currently ranked 53rd worldwide in the IMD Index for Smart Cities); organized a number of hackathons and digital bootcamps; developed data policies for over 130 government offices; and launched e-government platforms such as Estishraf, Absher, Ehsan, and Tawakkalna.