Written By: Hussam Haroun
11/09/2024
The Personal Data Protection Law (DPDL), issued by Royal Decree No. M/19 dated 9/2/1443H, corresponding to 16/9/2021, is the first comprehensive data protection law in the Kingdom of Saudi Arabia, and was amended in April 2023. The law came into effect on 14 September 2023, with a one-year corrective period from the date of entry into force to allow organisations to bring themselves into compliance. The period between 14 September 2023 and 14 September 2024 is therefore a corrective period during which no legal action (such as fines) can be taken against institutions for non-compliance with the law.
The DPDL, which generally appears to be consistent with the international standards, aims to protect individual privacy by regulating the collection, processing, disclosure and retention of personal data. This law provides a detailed framework that includes data processing standards, data subject rights, obligations of relevant authorities when processing personal data, data sovereignty, and penalties for non-compliance.
However, we need to recognize that this was not the first effort to establish rules protecting personal data. The Telecommunications Law and its Implementing Regulation, issued in 2001, provided for the protection of the personal information of telecom users; that law has since been repealed and replaced by the law issued in 2022, which provides for the same principles. Before the DPDL was issued, the Communications, Space and Technology Commission (CST) issued the General Principles for Personal Data Protection, along with other rules and guides aimed at protecting personal information.
The DPDL includes most of the basic international standards in the field of data protection, including, for example: the rights of data subjects, the legal basis for data processing (subject to and without consent), privacy policy requirements, the duty to report in the event of a data privacy breach, the need to assess the impact before processing personal data, specific provisions regarding health data, credit data, obligations of controllers and due diligence procedures, the establishment of a supervisory body, and penalties in cases of violations; and the list goes on. Many of the features of the DPDL are consistent with the standards and principles contained in other international data protection laws, such as the European General Data Protection Regulation 2016/679 (GDPR), the regulation that provides for the European Union’s law on data protection and privacy in the European Union and the European Economic Area. The GDPR provides the broadest protection for personal data and has a significant impact on laws and regulations outside the European Union, with emerging legislation based on the European Regulation as a “starting point” for the laws it provides.
For violations of its provisions, the DPDL sets out the penalties in Articles 35 to 40. Anyone who discloses or publishes sensitive data in violation of the provisions of the law shall be punished by imprisonment for a period not exceeding two years or a fine not exceeding three million riyals. Anyone who violates the provisions related to data transfer shall be punished by imprisonment for a period not exceeding one year and a fine not exceeding one million riyals. Anyone who violates other provisions of the Personal Data Protection Law shall be punished by a warning or a fine not exceeding five million riyals. In the event of a repeat violation, any of the fines may be doubled, and the court may order the confiscation of funds obtained as a result of committing the violations stipulated in the Law, in addition to publishing the judgment at the expense of the convicted person in a newspaper or by any other means. Anyone who has suffered harm as a result of any of these violations shall have the right to claim compensation.
On the other hand, the DPDL designates the Saudi Data and Artificial Intelligence Authority (SDAIA) as the competent and responsible authority for two years, after which competence shall transfer to the National Data Management Office (NDMO), which we could consider similar to a national data protection authority under the GDPR.
The National Cybersecurity Authority (NCA), established in 2017, is yet another important organ for the protection of data and the preservation of privacy. It is mandated to be the national authority in charge of cybersecurity in the Kingdom and the national reference in all its affairs, protecting networks and systems, and the data they contain, against hacking, disruption, modification, unauthorised access, and unlawful exploitation or use.
These developments show that the Kingdom has a strong infrastructure enabling it to face crises such as the Covid-19 pandemic, during which business and educational continuity, and all other aspects of life, were ensured. They were reflected in remarkable achievements: the Kingdom was named the “Top Digital Riser” among the G20 nations, and secured second place in the global Cybersecurity Index in the World Competitiveness Yearbook (WCY) for 2023 by the Swiss-based International Institute for Management Development (IMD).