New amendments under Saudi Arabia’s Personal Data Protection Law
The Kingdom of Saudi Arabia is introducing new amendments to its as yet unenacted Personal Data Protection Law (Data Protection Law or the Law), a new law that comes into force on 14 September 2023. The amendments broaden the basis on which companies can collect, process and review non-sensitive personal data to include a company’s “legitimate interests” (marking a shift away from excessive reliance on a data subject’s consent). The amendments also make it possible, with the data subject’s agreement, to transfer data to an acceptable jurisdiction outside of Saudi Arabia.
Why do the amendments matter?
Data protection and privacy regulations are important to how Saudi business operates, including how companies monitor employees and carry out internal investigations. The amendments are welcome because they temper what would otherwise be quite a restrictive data protection regime and, much as the EU’s General Data Protection Regulation (GDPR) does, give companies greater flexibility to process and transfer personal data where appropriate procedures are in place. Companies will have 12 months (from when the Law comes into force on 14 September 2023) to comply with the overall Law.
Scope of the Law and amendments
The Law and its amendments apply broadly to the processing of any data collected within Saudi Arabia that make the data subject (or their family, including deceased persons) personally identifiable.
While not unusual, the Law defines “personal data” and “processing” widely:
- “Personal data” refers to any information that could make a person either directly or indirectly identifiable, including a person’s name, image, private property, phone number, or email address; and
- “Processing” is defined as any operation carried out on personal data, including the operation of collection, storage, use, and erasure of personal data.
Furthermore, the Law has a long arm effect: it applies to the processing of personal data collected outside of Saudi Arabia if the personal data is attributable to its residents.
The amendments allow for the processing of non-sensitive personal data on a “legitimate interests” basis
The amendments broaden the scope for companies to collect and monitor personal data. Prior to the amendments, companies could process personal data and use it for an appropriate purpose only under limited circumstances – where a law provides a basis for processing data, the data subject consents (excluding consent given under an employment or other service agreement), or where data is collected for research purposes.
Now the amendments allow for the processing of non-sensitive personal data without the data subject’s consent where it is necessary to achieve the “legitimate interests” of the data controller (e.g. the employer). This basis would not be available where there is sensitive personal information involved (e.g. race, ethnic origin, religious/political beliefs, criminal and security history), as sensitive personal information can be processed only with the written consent of the data subject.
The carve-out of sensitive personal data raises challenges, as ordinary business data (such as emails or documents) may contain sensitive personal data that will not be apparent to the data controller at the point of collection. In practice, companies will need to make judgement calls about the likelihood of their data containing any sensitive personal data.
Where the “legitimate interests” basis is available, it may be easier to satisfy than obtaining consent from all relevant data subjects and third parties, as consent can be withdrawn under the Law and consent cannot always be obtained from third parties.
Critically, to satisfy the “legitimate interests” basis under the amended Law, the data controller should ensure its use of the relevant data is necessary and does not prejudice the rights of the data subjects. This condition of necessity is also found in the EU’s GDPR. Under the EU’s law, this would involve the consideration and balancing of the reasonable expectations of the data subjects, the extent of the investigations, the nature of the data, as well as an examination of the necessity and proportionality of the data’s use. As Saudi Arabia’s amended Data Protection Law is largely inspired by the EU’s GDPR, it is prudent for companies intending to conduct investigations on a “legitimate interests” basis to document their consideration and balancing of the interests to ensure that no less invasive means exist to achieve their own legitimate interests.
Of course, if a company is concerned it may not satisfy the “legitimate interests” basis for processing non-sensitive personal data, it may consider also obtaining prior written consent from the relevant individuals.
The amendments allow for personal data to be transferred to an acceptable jurisdiction
Data transfer is important to companies, especially multinationals, because they depend on cloud services, intercompany and group teams, and external advisers. Prior to the recent amendments, the Data Protection Law restricted the processing, review and collection of personal data to Saudi Arabia.
The amendments to the Law now permit the cross-border transfer and processing of personal data (via cloud services and globally dispersed teams) if the data subject agrees to the transfer and the transfer is made to an acceptable jurisdiction which provides equal or higher levels of data protection. The Law does not clarify how a data subject must agree to a transfer of data, and presumably this could occur through a collective agreement or an acceptable use policy to which an employee agrees.
Additionally, while civil penalties still apply to all violations of the Law (up to SAR 5 million for non-repeat offences), the amendments to the Law now remove criminal penalties for violations of the transfer restrictions.
The recent amendments to the Law support a regime that strikes a better balance between safeguarding personal data and allowing companies to monitor employees and carry out internal investigations with the benefit of multi-jurisdictional technology and teams. In practice, data-relevant procedures for an internal investigation or employee monitoring with a nexus to Saudi Arabia will likely start to resemble EU investigations governed by the GDPR.
So, what should impacted companies do given the amendments to the Law? It would be prudent to: (i) revisit or implement company standard employment agreements and relevant policies, such as investigation policies, acceptable use policies, and privacy policies in light of the amendments to the Law; (ii) educate staff on those policies (e.g., acceptable use policies) and conduct trainings on the impact of the Law on business practices; (iii) seek to understand, prior to collection, the types of data being collected or processed and articulate a clear purpose to demonstrate “legitimate interests” for that collection or processing; and (iv) review whether there are cross-border personal data transfers within the organisation (e.g. through group reporting on Human Resources matters) and whether these are necessary, in which case, ensure compliance with the amended Law.
The authors would like to thank Hazim Alwazir for his contribution.