The Kingdom Gets a New Data Passport
Dale Waterman
Strategic Market Solutions | Governance, Risk, Compliance, Responsible AI, Data Ethics, ESG, Data Protection, Digital Transformation
What Global Business Leaders Need to Know about Saudi Arabia’s Updated Personal Data Protection Law
Introduction
Saudi Arabia's Personal Data Protection Law (PDPL) was initially published in the Official Gazette in September 2021. The PDPL applies to the processing of the personal data of individuals in the Kingdom, and to processing by any entity outside the Kingdom of personal data relating to data subjects inside the Kingdom. Many of its principles and obligations are familiar and consistent with the requirements of other international data protection laws. This article does not offer a line-by-line analysis of the law for privacy professionals; it focuses instead on the fact that the PDPL, as initially published, included worrying obligations with respect to data residency. These immediately raised concerns among senior business and IT leaders because of the significant operational, legal and compliance implications for organizations subject to the PDPL, or exploring a move to the Kingdom. Many based that concern on previous experience of residency requirements imposed by other supervisory authorities in the Kingdom.
Data has become a natural resource. As governments around the world have begun to fully comprehend the value of national data and then sought to capture the economic value of that data, it has become the subject of increasing international competition. Combined with a growing public mistrust in Big Tech and concerns with foreign government access, driven by events such as the Edward Snowden revelations and the Facebook Cambridge Analytica data scandal, this has resulted in data residency laws being established in many countries. These laws do what they say on the tin. They require that data, or certain types of data, be stored within a specific geographic or national boundary.
There are some laudable reasons for these national and industry-specific laws, such as the intention of governments to better protect the privacy of their citizens, but also other national, commercial, and even protectionist reasons, such as national security agendas, concerns about law enforcement access to data located overseas, and support for local cloud providers. It is probably fair to argue that many of these data residency laws have their origin in the dominance of US hyperscale cloud service providers and other leading technology companies, because they are the principal providers of the services that facilitate the exponential increase in the collection, aggregation, analysis, and storage of data across national borders, including personal data.
Herein lies the problem. For various reasons, not all countries, including the Kingdom of Saudi Arabia, have US hyperscale cloud service provider data centers within their borders, nor is it financially feasible to build these data centers in every country. This creates the need for cross-border data flows, and data residency laws, whether national or sectoral (industry specific), effectively prevent both local and international organizations from using these cloud services. This has caused major operational and compliance challenges for international companies that outsource their IT, or that use the services of vendors or partners who do so.
The Original Personal Data Protection Law
Article 29 of the original version of the PDPL stated that, except where strictly necessary to protect the life or vital interests of a data subject outside the Kingdom, or to prevent, examine, or treat an infection, the controlling entity could not transfer personal data outside the Kingdom, or disclose it to an entity outside the Kingdom, unless the transfer or disclosure did not prejudice national security or the Kingdom's vital interests, sufficient guarantees for maintaining the confidentiality of the personal data existed, and the competent entity approved the transfer. Simply put, the default setting was no overseas transfers of personal data. Although the Implementing Regulations were intended to provide further details, the negative implications of this onerous data residency requirement for multinational organizations seeking to invest and do business in the Kingdom were clear and, in many cases, a real barrier for companies looking to establish themselves in the Kingdom.
Although we accept that there are certain types of data that any sovereign country has every reason to keep within its borders, the pervasive data residency trend is also arguably at odds with the Kingdom's Saudi Vision 2030 ambition to unlock opportunities for growth and investment in the Kingdom and to showcase Saudi Arabia to the world. In a digital-first world where many GCC countries are competing to build viable knowledge economies, every industry is leveraging the extraordinary computing power of hyperscale cloud services and new technologies like IoT, mobile devices, and AI to transform itself and accelerate its digital transformation. Cloud computing supports this ambition and offers a range of benefits, but it does put these organizations into conflict with nation states or industry regulators who impose data residency laws, which create obligations to segment and localize infrastructure and data.
The Updated Personal Data Protection Law
In a very promising and positive development, the Saudi Data and Artificial Intelligence Authority (SDAIA), with the support of their regulatory arm, the National Data Management Office (NDMO), published an amended version of the PDPL in November 2022 for consultation. This amended PDPL was approved by the cabinet on 21 March 2023 and implemented by Royal Decree on 27 March 2023. The PDPL will come into force 720 days from the original publication of the law on 24 September 2021, namely on 14 September 2023, and controlling entities will have until 13 September 2024 (1 year) to become compliant.
One of the most noteworthy changes introduced by the amended PDPL, the significance of which cannot be overstated from a business perspective, was the removal of the "hard" data residency requirement governing cross-border data transfers. The prohibitive language seen in the earlier version of the PDPL has softened. Rather than starting from a position where the controlling entity cannot transfer personal data outside the Kingdom unless stringent criteria are met, the amended PDPL sets out a wider range of circumstances under which personal data may be transferred lawfully outside national borders. In a move that could potentially herald a significant policy shift beyond data protection, the default setting is now that you may transfer personal data overseas.
Although it appears that controllers will still require a specific purpose to transfer data beyond the Kingdom's borders, the amended PDPL has introduced a concept that appears similar to the "adequacy" mechanism common in many data protection regimes, a move that will also empower local organizations to participate in the global digital economy. This will allow controlling entities to transfer personal data outside the Kingdom to recipients in jurisdictions that protect personal data and safeguard individual rights to a standard no less than that mandated by the PDPL, provided the transfer will not adversely affect the national security or vital interests of the Kingdom or the data subject, and is limited to what is necessary to achieve the intended purpose. SDAIA (and the NDMO), as the competent authority in the Kingdom, has not yet confirmed the list of adequate jurisdictions, or the evaluation criteria used to determine adequacy. These are expected to be confirmed in the Implementing Regulations, which are due to be published on or before 14 September 2023.
One of the limitations of declaring specific adequate jurisdictions is that the number of those locations is typically very limited. For example, the European Union (EU) currently recognizes only 15 adequate jurisdictions under the GDPR. Given the limitations of adequacy as a primary enabler of cross-border data transfers, it is worth calling out that the amended PDPL does not explicitly mention what global best practice refers to as supplementary measures: the additional safeguards (under the GDPR, transfer tools such as standard contractual clauses or binding corporate rules, together with any technical, contractual or organizational measures needed on top of them) that controlling entities may rely upon when transferring personal data to jurisdictions that do not benefit from an adequate data protection regime. Their purpose is to ensure that personal data transferred to recipients in "non-adequate" jurisdictions is afforded a level of protection essentially equivalent to that provided by local data protection law. We will need to await the release of the Implementing Regulations for further clarity and details.
To illustrate this concept of adequacy and supplementary measures, you may find the following analogy useful. These measures are a bit like passports and visas in the context of international travel. However, in this case, it is the data jetting off overseas on holiday. If you happen to be a citizen of a country that is party to a visa-free (or visa-on-arrival) agreement, you will still require that "adequate" passport as a mechanism for travel, but your travel will essentially be hassle-free and pre-authorized, allowing you to breeze through the airport at your destination. This pre-authorization is akin to an adequacy decision.
However, if you happen to hold a passport from a country that does not benefit from the same level of international trust and global mobility, then you will need to supplement your passport with a pre-authorized visa to be able to travel to most countries. This adds a significant layer of cost and complexity to your travel, demanding additional time and effort. It will likely involve a detailed visa application, the sharing of personal information such as your financial circumstances, an embassy appointment that might need to be booked months in advance, and an interview. In this scenario, the visa is a supplementary measure.
When you have taken cross-border data transfers for granted, suddenly having to undertake additional processes to continue conducting business as usual may seem daunting. However, by proactively identifying the business processes that involve cross-border transfers, understanding the applicable legal requirements, and implementing appropriate safeguards where necessary, organizations can achieve legal compliance and ensure a hassle-free, secure journey for their data.
Conclusion
The Kingdom's Saudi Vision 2030 seeks to establish a vibrant society and a thriving economy. A strong data economy, predicated on the effective use and re-use of data, is central to the Kingdom's strategic objective of diversifying the economy away from an overreliance on oil and gas.
The World Economic Forum argues that the technologies of the Fourth Industrial Revolution (4IR), including AI, IoT and blockchain, are reliant on accessing and processing data and the ability to move, store and process that data across national borders is foundational to the modern international data economy. Data residency laws or policies typically act as barriers to international data sharing and threaten global trade. The World Bank also advises that trust, value, and equity have become crucial themes for any sustainable data economy.
The trust equation in relation to free flows of data acknowledges that individuals, as global citizens, are much more likely to share their personal data in a jurisdiction where that data is lawfully gathered, used, shared, appropriately protected and, in due course, deleted. Trust is paramount. The Kingdom's updated PDPL supports these aspirations by creating a regulatory framework that generally aligns with global best practice and facilitates the responsible cross-border transfers of personal data required for a commercially vibrant data economy. SDAIA should be acknowledged for its leadership. The change may also indicate an adjustment in national data policy in relation to data residency, which could have a positive impact in future beyond the realms of personal data and privacy.
Please reach out to us if you would like any additional information about the PDPL, or assistance with the creation of a pragmatic and efficient privacy programme.
Dale Waterman, Managing Director, Secretariat
Jess Bujaroski, Associate Director, Secretariat
About Secretariat
Secretariat Advisors is an international expert advisory services firm. Secretariat specializes in international arbitration, general commercial arbitration and litigation, forensic accounting, economic damages, data analytics and data privacy, construction, and government contracting. Secretariat's experts maintain integrity, quality, and objectivity when solving complex disputes, delivering detailed analyses, and articulating meaningful results in a clear and concise manner.
AI Governance | Privacy Engineering Consultant | Technology, Policy & Law |
1 year ago: Very well written, Dale Waterman. The risk associated with personal data stored in the cloud can be eliminated using Privacy Enhancing Technologies (PET) to a larger extent with proper execution. Secondly, the Article 29 risks related to the protection of personal data for transfers can also be reduced by using anonymization and differential privacy for large-scale data.
Privacy, Cybersecurity & Data Protection Counsel | APMEA Lead at FIS
1 year ago: I am very interested in the adequacy point too. This is of course speculation, but I would like to think that jurisdictions like the UK and the EU would be deemed adequate. Until these decisions are made, global MNCs will be operating in limbo…
Co-Founder at Bharat TeleClinic driving innovative healthcare solutions
1 year ago: As an instinct-driven EV startup founder, I commend the focus on data protection in Saudi Arabia, a key consideration for global expansion. Compliance is critical for success.
Certified Information Privacy Professional/Lawyer
1 year ago: Valuable content!