Date: 12 Nov 2020
Saudi Arabia’s National Data Management Office (NDMO), the entity responsible for data governance in the Kingdom, has recently issued National Data Governance Interim Regulations (Interim Regulations). The Interim Regulations address open data, data classification, data sharing, freedom of information, and – significantly – personal data protection, in anticipation of legislation in this space.
Who does it apply to?
In so far as personal data is concerned, and with limited exceptions, the Interim Regulations apply to all entities in the Kingdom that process personal data, as well as entities outside the Kingdom that process personal data relating to individuals residing in the Kingdom.
Is this a Saudi ‘Personal Data Protection Law’?
Not quite, but it appears to be an interim measure aimed at introducing, amongst other things, data privacy-type concepts and associated obligations. The NDMO is the responsible authority, although whether this specific document should be treated more as a ‘guideline’ than a ‘regulation’ is not entirely clear from the document itself.
Is it consistent with GDPR?
No. There are aspects that seem familiar (such as definitions of Controller and Processor, introduction of data protection ‘principles’, and the introduction of data subject rights). There are also aspects that diverge significantly from a GDPR-type approach, including a heavy reliance on the consent of the data subject, a very broad data localization requirement, and a restriction on transfers of personal data to places outside the Kingdom without the permission of the NDMO.
Is it a step in the right direction?
The Interim Regulations address a variety of considerations, and personal data protection is only one of them. By seeking to address personal data as part of a document that also addresses topics such as ‘big data’ and ‘open data’, personal data considerations may not have been given as much attention as they require.
Saudi Arabia has the benefit of being able to draw from expertise in other jurisdictions that have recently introduced modern data protection laws, including the Dubai International Financial Centre (which looked to GDPR for guidance). There is no benefit in seeking to ‘reinvent the wheel’ on a topic of this nature, and it would make a lot of sense for any subsequent data protection legislation to seek to be consistent with international best practices.
What is the deadline for compliance? What are the penalties for non-compliance?
The Interim Regulations are silent on both these points. Although it is unclear exactly when they were first made publicly available by the NDMO, it would seem that the Interim Regulations are effective from 1 June 2020. The absence of any clear grace period for implementation appears to be complemented by the absence of any specific penalties for non-compliance. It is our expectation that the administrative mechanisms necessary at a practical level (e.g. for NDMO to give permission for data transfers outside the Kingdom) are also, as yet, unlikely to be in place. Despite this, it would be prudent to be familiar with the details, and to seek to be as compliant as possible in the circumstances.
We recommend that entities in Saudi Arabia that process personal data, as well as entities outside Saudi Arabia that process personal data of individuals in Saudi Arabia, continue to watch this space. We are scrutinising the Interim Regulations, and we will be publishing our thoughts in the next issue of Al Tamimi & Company’s Law Update magazine.