Related Authors: Marc Saroufim, Managing Partner | Noura Al Goblan, Trainee Lawyer — Al Akeel & Partners

Further to the Council of Ministers approving the Saudi Data Protection Law (the "DPL") amendments in March 2023, the new amendments have recently been implemented via Royal Decree No. M147 of 5/9/1444H (corresponding to March 27, 2023). The effective date of the DPL is now September 2023. The amendments bring the Saudi DPL into closer alignment with the GDPR. We are still waiting on the issuance of the DPL's executive regulations, which will provide further clarity on the different aspects of the DPL. The proposed executive regulations have been published for public feedback, but nothing has yet been approved in its final form.

The following are the key updates on the amended Saudi DPL:

  1. Fewer restrictions on personal data transfers: The strict prohibition on transfers of personal data outside the Kingdom has been amended. International transfers no longer require exceptional approval from the Saudi Authority for Data and Artificial Intelligence (SDAIA). International transfers are now generally permitted if: (i) they are in implementation of obligations under international agreements to which Saudi Arabia is a party, (ii) they serve national interests, (iii) they are in implementation of any obligations to which the data subject is a party, or (iv) they are for any other purposes determined by the executive regulations (once they are issued). Controllers will need a specific purpose to transfer or disclose data outside the Kingdom, and transfers appear to be limited to territories that SDAIA determines as having an appropriate level of protection for personal data. The executive regulations are expected to provide the cases where controllers may be exempt from this condition.

  2. Personal data processing: The previous version of the DPL mainly provided for the processing of personal data on the basis of the data subject's consent. Controllers may now rely on "legitimate interests" as a lawful basis to process and disclose personal data. This does not apply to sensitive personal data, or to processing that contravenes the rights granted under the DPL and its executive regulations.

  3. Removal of registration requirement for controllers and SDAIA powers: The amended DPL no longer refers to the requirement of creating an electronic portal or any requirement for a controller to register their processing activities. However, SDAIA has been authorized to issue the requirements for practicing activities related to data protection, in cooperation with any other relevant authorities. SDAIA also has the mandate to license auditors and accreditation entities and create a national register if it determines that it would be an appropriate tool and mechanism for monitoring the compliance of controllers.

  4. Less restricted data breach notification timeline: Notifications of a personal data breach to SDAIA are no longer required to be made "immediately." Further details on the specific deadlines are expected to be provided in the executive regulations. A new requirement has been added for controllers to notify data subjects where a breach would cause damage to personal data or contravene the data subject's rights or interests.

Controllers will have a period not exceeding one (1) year to comply with the Saudi DPL from the date it comes into force. Accordingly, organizations within the scope of the DPL will have until September 2024 to adjust their status in accordance with the provisions of the DPL.

SDAIA will be the competent authority for a period of two years. During that period, in view of the results of applying the provisions of the DPL and its implementing regulations and the level of maturity in the data sector, consideration will be given to transferring the competence to supervise the implementation of the provisions of the law and its implementing regulations to the Kingdom's National Data Management Office (NDMO).

© Copyright 2023. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.