The Saudi Data and Artificial Intelligence Authority, or SDAIA, on Sunday published a revised version of the country's Personal Data Protection Law (PDPL) for public consultation via the government's Public Consultation Platform. This is the second round of public consultation for the PDPL, following a public consultation in March this year, which led to the SDAIA postponing enforcement of the new law until 17 March 2023.
The PDPL is Saudi Arabia's first comprehensive national data protection law to regulate the collection and processing of personal information. It was approved by Cabinet Resolution No. 98 of 7/2/1443H (14 September 2021) and subsequently issued by Royal Decree M/19 of 9/2/1443H, equivalent to 16 September 2021.
No public consultation was initially announced, but it was widely expected that the new law would be opened for public comment before it was due to come into effect on 23 March 2022. As it happened, the public consultation was only launched on 10 March, cutting it a little too fine to take into account feedback before enforcement. So, it came as no surprise that the full implementation of the law was postponed until March next year.
In common with personal data protection regulations in other countries, Saudi's PDPL aims to ensure user consent before any personal data is processed, regulate data sharing and, obviously, ensure personal privacy and prevent the misuse of personal data. The law covers all data that might be used to identify individual users directly or indirectly, including contact details, personal records, financial data, images, videos or any other personal data.
One area of concern in the original draft PDPL was the requirement that organisations host and process all personal data of residents inside the country. With so many different cloud services in use, hosted both within Saudi Arabia and in many other countries, this was regarded by some as too restrictive. Whilst the March 2022 draft of the law effectively prohibited the transfer of a resident's data outside the Kingdom, this month's version seems to permit external data transfers, but for a limited number of exceptions. Furthermore, under the revised regulations, organisations must receive approval from the relevant government authority before transferring data under one of those exceptions.
I'll leave the analysis of the new Personal Data Protection Law to the legal experts. However, it's worth noting that, despite the delay, the PDPL is not unduly late in global terms. For example, the enforcement of Europe's General Data Protection Regulation, or GDPR, was also postponed for an additional year to allow an extended grace period for organisations to prepare.
What remains unclear about the Saudi PDPL is whether there will be a grace period for companies to make the necessary preparations following the full implementation of the new law in March 2023. Many would like to know.
Here's a timeline showing key milestones in Saudi Arabia's data protection regulation:
📅 𝗠𝗮𝗿-𝟭𝟴 - Saudi Arabia's Cloud Computing Regulatory Framework (CCRF) comes into force. Issued by the Saudi Communications and Information Technology Commission (recently renamed the Communications, Space and Technology Commission), the new regulations include a number of provisions governing data protection and data privacy.
📅 𝗔𝘂𝗴-𝟭𝟵 - The Saudi Data and AI Authority (SDAIA) is formed by royal decree No. (74167) on 29/12/1440 AH (30 August 2019).
📅 𝗢𝗰𝘁-𝟮𝟬 - The National Strategy for Data and AI (NSDAI) is published by the SDAIA, proposing a strong regulatory framework for data protection and AI.
📅 𝗢𝗰𝘁-𝟮𝟬 - The SDAIA publishes National Data Governance Interim Regulations to govern the management of data, plus the collection and use of personal data by government entities. These include Personal Data Protection Interim Regulations.
📅 𝗦𝗲𝗽-𝟮𝟭 - Saudi Cabinet approves the draft Personal Data Protection Law (PDPL) via Resolution No. 98 dated 7/2/1443H (14 September 2021).
📅 𝗦𝗲𝗽-𝟮𝟭 - The Personal Data Protection Law (PDPL) was issued by Royal Decree M/19 of 9/2/1443H (16 September 2021). According to standard procedure, the new law will come into effect 180 days later (23-Mar-22).
📅 𝗠𝗮𝗿-𝟮𝟮 - SDAIA and the National Data Management Office (NDMO) issue draft regulations of the Personal Data Protection Law for public consultation on 10 March 2022, opening the draft for public comments and recommendations with a deadline of 25 March 2022.
📅 𝗠𝗮𝗿-𝟮𝟮 - SDAIA announces that the enforcement of the Saudi Personal Data Protection Law is postponed until 17 March 2023, in light of the feedback received from public and private sector stakeholders.
📅 𝗡𝗼𝘃-𝟮𝟮 - SDAIA launches a second public consultation on the PDPL via the Saudi government Public Consultation Platform, inviting comments on a new draft version of the law, which includes significant revisions to the original.
📅 𝗠𝗮𝗿-𝟮𝟯 - The Personal Data Protection Law (PDPL) is scheduled to come into full effect on Friday 17 March 2023.
Download an infographic of the timeline here: https://lnkd.in/dxyA48WV (PDF)
Find out more about the Saudi PDPL:
Read more about the changes to the PDPL on Data Guidance.
See the government PDPL consultation page.
Proposed amendments to the PDPL (PDF)
See my LinkedIn post about the postponement of the law earlier this year.
Read Middle East AI News 17-Mar-22: https://lnkd.in/eU-d7Ccg (LinkedIn version)
This article first appeared on LinkedIn.