Riyadh Al Habshan > Technology

Lamisse Bajunaid and Amna Usman of Dr Qaisar H Metawea Law Firm explain the main recent developments in Saudi Data Protection Law and what changes are expected when the Executive Regulations are issued.

Data Protection Laws plays a significant role in supporting Saudi Arabia’s Vision 2030, which sets a pathway for developing a leading digital economy through innovation which will attract foreign investment and improve the country’s competitive economic environment. As a result, the legal landscape on data protection has been developing rapidly here in recent years, and more changes in the form of Executive Regulations are expected.

Prior to the introduction of the Saudi Data Protection Law (Saudi Arabia Cabinet Decision No. 98/1443) in 2021 there was no unified Saudi data protection law, and this area was instead regulated on a sectoral level and in line with general Sharia Principles. In 2020, the National Data Management Office (NDMO), issued National Data Governance Interim Regulations (NDGIR) to outline general data protection principles in Saudi until a unified law could be issued. Saudi Arabia Cabinet Decision No. 98/1443 was initially scheduled to come into force and effect 180 days from publication, but its enforcement has since been delayed to 17 March 2023. Until that happens, NDGIR remains in force.

However, there have also been further developments which are expected to change the law in this area. In March 2022, a draft of the Executive Regulations which will provide further details on how the law will operate in practice were issued for consultation. In addition, a public consultation ran from 20 November 2022 to 20 December 2022, detailing further proposed changes to the law itself.

These included the addition of birth dates to personal data definition as an explicit form of identifying data owners. A relaxation of the duty to notify the competent authority of any data breach under Article 20 of Saudi Arabia Cabinet Decision No. 98/1443 has also been proposed and that the Executive Regulations will outline cases where a controller becomes obliged to serve notices of data breaches only when they harm the data owner or contravene with their rights and interest. It has also been proposed to limit the requirement to evaluate consequences of data processing to cases where the controller provides services or goods that depend on processing personal data.

However, it should be noted that Article 22 of Saudi Cabinet Decision No. 98/1443 currently vaguely requires this evaluation ‘depending on the nature of the activity’.

Another proposed change is explicitly requiring prior consent for processing sensitive data for marketing purposes. It is also proposed to remove Saudi Arabia Cabinet Decision No. 98/1443, which prohibits photocopying identification documents except in certain circumstances.

There are proposals too, to ease the stringent restrictions on international data transfers under Article 29 of Saudi Arabia

Cabinet Decision No. 98/1443, which generally prohibits international data transfers except in very limited circumstances, unless the competent authority grants exemption. It is also Lamisse Bajunaid suggested that Article 28 of Saudi Arabia Cabinet Decision No.

Senior Associate, 98/1443 be changed so it takes a two-pronged approach on Dr Qaisar H Metawea international data transfers, with a general rule permitting these Law Firm transfers to jurisdictions that grant equal or better protection to data owners, and certain cases where transfers can be made in an alternative manner, such as transfers preserving public interest or performance of obligations under international agreements. Many parts of Saudi Arabia Cabinet Decision No. 98/1443 explicitly refer to details which will be set out in the Executive Regulations, so it is expected that many practical details, requirements, and criteria will be clarified in these. Currently it is expected these will include details of the statutory impact assessments for risk and adverse effects of data processing, statutory periods for exercising data owner’s access rights; the conditions and form of required consents for processing personal data; and minimum criteria for privacy policies. It is also expected the regulations will have further information on the reporting obligations in the case of data breach events; will clarify the restrictions and conditions governing international data transfers; and provide further details on the competent authority’s rights to issue licenses and certifications. Those wishing to ensure compliance with Saudi Data Protection law must be clear on whether they will be deemed a ‘Controller’ or a ‘Processor’, and that they understand the relevant obligations in each case. It should also be noted that under Article 3 of Saudi Arabia Cabinet Decision No. 98/1443. The law does not intend to prejudice the position under sector specific regulations or international agreements which may offer data owners more stringent protection. Therefore, in the internet sector, service providers should specifically ensure compliance with the Communication and Information Technology Commission’s data protection and other regulations, as well as any other laws that may apply to their activities. Due to the continuous reform happening in this area in Saudi Arabia it is advisable to appoint a data protection officer and give them responsibility for the implementation of the new Law, monitoring and supervising procedures which are related to it, and to liaise with the competent authorities in this respect. Service providers should also regularly review their terms of use and privacy policies for compliance, and any update in these policies should be notified to data subjects. Finally, any international data transfers should be compliant with the relevant provisions in force at the time. Associate Amna Usman was the joint author of this article.

Jameson Legal is an international legal recruitment company founded in 2010, with specialist divisions for private practice, in-house, interim, and legal tech. We act for client law firms and companies and advise qualified lawyers from NQ to equity partner level, as well as paralegals, compliance professionals, and legal tech professionals.

We are delighted to announce the launch of the 2023 Jameson Legal Salary Guide & Market Updates. To obtain a copy, please register at https://www.jamesonlegal.com/salary-guide

Trading and Marketing Senior Counsel, 10+ PQE, O&G Producer A leading O&G producer are looking to recruit a Senior Counsel to join their Trading & Marketing department. The role will involve supporting the trading of physical LNG, commodity derivatives, petrochemicals, and fertilisers. Applicants must have a minimum of 10 years PQE, and be qualified in the UK, US, Australia, New Zealand, or an EU jurisdiction. Ref: IJR-IM-13208

In-House Lawyer, 3+ PQE, IP Focus We are working on an exciting opportunity at a key UAE entity for a lawyer with an IP and commercial skillset, with experience in commercial agreements, patents, or technology licensing. Applicants will require a minimum of 3 years PQE gained within well-regarded international firms or in-house teams. Arabic language skills and experience working in the GCC are of particular interest. Ref: SSK-IM-13434

Legal Director, 15+ PQE, Media This is an exceptional opportunity for a lawyer to head the legal function within the growing media division of one of the world's most dynamic and innovative projects. Applicants need a minimum of 15 years PQE, with experience gained in a well-reputed media organisation and within the field of media production. Previous work experience in the Middle East would be ideal. JRS-IM-13372

Senior In-House Lawyer, 5+ PQE, Corporate & Commercial Focus Our client is offering an excellent opportunity for an experienced lawyer to join their team to advise on the corporate and commercial legal matters of an innovative and unique project. Applicants should be Saudi qualified, preferably with an international LLM, with a minimum of 5 years legal experience gained within international law firms or in-house teams. Ref: JRS-IM-13342

Senior In-House Lawyer, 15+ PQE, Government Sector Our client is seeking to recruit a senior lawyer with experience in corporate/commercial, IP, procurement, or export control matters and policies. Applicants will need a minimum of 15 years of experience working at well-regarded law firms, or within high-quality in-house teams. Arabic language skills and experience working in the GCC are desirable but not required. Ref: IJR-IM-13216

Legal Director, 12+ PQE, Food Production/Farming Our client is looking to recruit a lawyer with a minimum of 12 years PQE with a background in well-reputed organisations focusing on agricultural production or aquaculture. Previous experience of working in the Middle East would be ideal, but is not a necessity. Ref: SSK-PM-13411

For more information or to discuss any of these roles please contact Iain Rainey at iain.rainey@jamesonlegal.com, or Jeremy Small at jeremy.small@jamesonlegal.com.