Saudi Arabia’s New Personal Data Protection Law: What are the New Regulations
By Victoria Hansen
The importance of protecting one’s personal data is no secret. Many people are aware that a leak of one’s personal data can lead to identity theft as well as a host of other problems. Protecting one’s personal information has always been important, yet the importance of this topic has not always been reflected in the law. Today, most European and North American countries have data protection laws in place to ensure that their citizens are protected.[1] However, the same cannot be said about Middle Eastern countries, most of which do not have any laws regarding personal data protection.[2] For one Middle Eastern country, this will change this upcoming March.[3] The Kingdom of Saudi Arabia will become one of the first Middle Eastern countries to adopt a personal data protection law.[4] Before we look ahead at what changes this law will bring about, it is important to take a step back and understand what current privacy practices are in Saudi Arabia.
Background on Saudi Arabia’s Legal System and Personal Data Protection Today
The Kingdom of Saudi Arabia is an Islamic country that follows Shari’ah law.[5] Shari’ah law is a body of Islamic law that serves as a guideline for all legal matters in Saudi Arabia.[6] These laws come primarily from the text of the Holy Qur’an, but they can also be derived from the Sunnah, which depicts the practices and sayings of the Prophet Muhammad during his lifetime.[7] Prior to the adoption of the Personal Data Protection Law, there was no specific law governing the protection of personal privacy.[8] However, that is not to say that personal data was wholly unprotected.
In Shari’ah law, there are specific acts that are punishable and the penalties for committing those acts are described in the Holy Qur’an and the Sunnah.[9] In addition to the explicitly stated prohibited acts, Shari’ah law also has specific principles that are to be followed.[10] Included in these principles is an individual’s right to privacy and protection from an invasion of that privacy.[11] If a person violates one of the principles found in Shari’ah law, they can still be punished.[12] However, since invasion of privacy is not a specifically prohibited act with a clear punishment found in the Holy Qur’an or the Sunnah, the judge has great discretion when determining the correct punishment in these cases.[13]
While there was no specific personal data protection law previously, there were other laws that covered data protection.[14] Those laws included the Anti-Cyber Crime Law, the Telecommunications law, and the Kingdom of Saudi Arabia Health Care Practice code.[15] The Anti-Cyber Crime Law punishes any person that illegally: (1) accesses the computer of another for the purpose of deleting, destroying, altering, or redistributing its information; (2) accesses the bank or credit information of another or information pertaining to its owned securities; and (3) interrupts data that is transmitted through a computer or an information network.[16] The Telecommunications law “restricts the disclosure of information intercepted during transmission” and “restricts distributing data from subscribers to third parties.”[17] The Kingdom of Saudi Arabia Health Care Practice code protects patient files.[18] While it is clear that these laws strive to protect some personal data, none of them are as all-encompassing as the law going into effect this March.[19]
The Personal Data Protection Law and The Changes That Come with It
The new law regulates the collection, processing, and use of personal data and defines personal data as:
[e]very statement - whatever its source or form - that would lead to the identification of the individual specifically, or make it possible to identify him directly indirectly, including: name, person identification number, addresses, contact numbers, and license numbers records, personal property, bank account and credit card numbers, still or moving photos of an individual and other data of a personal nature.[20]
It should be clear from this definition that the type of data being regulated under this law is very broad. Not only does the law cover a broad category of personal data, but the scope of the law is also far-reaching. The law applies to the processing of individuals’ personal data within and outside the borders of the country and even includes people who are deceased.[21]
There are several key components that can be found within the Personal Data Protection Law. The first is its consent provision. The new law states that consent for disclosure of personal data must be in writing unless the situation falls under the limited category of exceptions.[22] The next key component involves data transfers. The Personal Data Protection Law makes clear that the transfer of personal data outside the country is only allowed in the following situations: “necessity to preserve an individuals health or life; combatting disease; the disclosing party is satisfying an obligation by way of the transfer; it serves the Kingdom’s interest; [and] for purposes yet to be identified by the regulation.”[23] Additionally, the new law adds further controls for health data.[24] These controls restrict the number of employees with access to the information and limit the processing procedures of the information so that the fewest number of employees come in contact with the information.[25] Furthermore, the Personal Data Protection Law prohibits data controllers from marketing personal data to third parties.[26] Moreover, the law prohibits photocopying of official documents; gives individuals the right to access, rectify, and destroy or delete their own data; and requires all data controllers to register with the Saudi Data & Artificial Intelligence Authority (SDAIA).[27] Finally, the law imposes penalties for failing to comply with the law which, depending on the infraction, can lead to up to two years of imprisonment and fines of more than one million US dollars.[28]
The new law will go into effect on March 23rd, 2022, and because the Personal Data Protection Law puts in place so many new regulations, the Kingdom of Saudi Arabia is giving organizations with operations within its country or those processing data of Saudi Arabian residents one year to comply with the new law.[29] In addition to the key provisions laid out above, if a data controller is a foreign entity, then per the new law, the company will be required to appoint a local representative to continue processing personal data of Saudi Arabian residents.[30] It will be interesting to watch and see how companies change their procedures to implement these new requirements.
[1] Christopher Williams, Ibrahim Skiddiki, & Amelia Bowring, Updates to Saudi Arabia’s Data Protection Law, The Nat’l L. Rev. (Nov. 2, 2021), https://www.natlawreview.com/article/updates-to-saudi-arabia-s-data-protection-law.
[2] Id.
[3] Saudi Arabia, OneTrust DataGuidance, https://www.dataguidance.com/jurisdiction/saudi-arabia (last visited Jan. 16, 2022).
[4] Williams, Skiddiki, & Bowring, supra note 1.
[5] Data Protection in the Kingdom of Saudi Arabia: A Primer, Latham & Watkins LLP, https://www.lw.com/presentations/Data-Protection-in-the-Kingdom-of-Saudi-Arabia (last visited Jan. 16, 2022).
[6] Legal and Judicial Structure, The Embassy of the Kingdom of Saudi Arabia, https://www.saudiembassy.net/legal-and-judicial-structure-0#:~:text=Since%20Saudi%20Arabia%20is%20an,as%20a%20source%20of%20pardon (last visited Jan. 16, 2022).
[7] Id.
[8] Data Protection in the Kingdom of Saudi Arabia, supra note 5.
[9] Id.
[10] Id.
[11] Id.
[12] Id.
[13] Id.
[14] Saudi Arabia, supra note 3.
[15] Data Protection in the Kingdom of Saudi Arabia, supra note 5.
[16] Id.
[17] Id.
[18] Id.
[19] Saudi Arabia, supra note 3; Williams, Skiddiki, & Bowring, supra note 1.
[20] Tarek Khanachet, Julie Teperow, & Antonio Michaelides, Saudi Arabia Issues New Personal Data Protection Law, Covington (Dec. 9, 2021), https://www.insideprivacy.com/privacy-and-data-security/saudi-arabia-issues-new-personal-data-protection-law/#:~:text=The%20Kingdom%20of%20Saudi%20Arabia,personal%20data%20in%20the%20Kingdom; Personal Data Protection Systems, Bureau of Experts at the Council of Ministers, https://laws.boe.gov.sa/BoeLaws/Laws/LawDetails/b7cfae89-828e-4994-b167-adaa00e37188/1 (last visited Jan. 16, 2022).
[21] Williams, Skiddiki, & Bowring, supra note 1.
[22] Khanachet, Teperow, & Michaelides, supra note 20.
[23] Williams, Skiddiki, & Bowring, supra note 1.
[24] Khanachet, Teperow, & Michaelides, supra note 20.
[25] Saudi Arabia, supra note 3; Williams, Skiddiki, & Bowring, supra note 1.
[26] Williams, Skiddiki, & Bowring, supra note 1.
[27] Id.; Khanachet, Teperow, & Michaelides, supra note 20.
[28] Williams, Skiddiki, & Bowring, supra note 1.
[29] Khanachet, Teperow, & Michaelides, supra note 20.
[30] Id.