in a nutshell
On 20 November 2022, the Saudi Arabian Data and Artificial Intelligence Authority (SDAIA) held a public consultation on the draft amendments to the Personal Data Protection Act promulgated by Royal Decree No. M/19 dated 2 September 1443 (PDPL). It was started. Previous alerts for PDPL issuance can be accessed here.
Public consultation will be open until December 20, 2022, and all organizations will be invited to submit their comments by that date.
The proposed amendments are intended to address the following key issues in the current version of PDPL:
- Introduction of a regulatory framework for cross-border personal data transfers, in particular the concept of adequacy.
- Introduction of further legal grounds on which an organization can rely on the processing of personal data (i.e. a concept similar to the controller’s legitimate interest in processing).
- Introduction of data subject rights to data portability.
- Clarification of the statutory thresholds that must be met to trigger the need to notify Saudi Arabian regulators of a data breach.
These amendments appear to be aimed at aligning the PDPL more closely with the European General Data Protection Regulation (GDPR) and, if adopted, would allow organizations operating in the Kingdom of Saudi Arabia, or whose business is operated by the PDPL. It will be a welcome development for affected organizations. However, some key differences remain, including the fact that the requirements focus almost entirely on the duties of controllers (similar to GDPR’s predecessor, European Directive 95/46 EC).
*Prepared by legal counsel in partnership with Baker & McKenzie Limited.