The Kingdom of Saudi Arabia has recently issued its first comprehensive national data protection law.  The Personal Data Protection Law will enter into force on March 23, 2022 and regulates the collection, processing and use of personal data in the Kingdom.

Organizations with operations in the Kingdom or those processing data of Saudi residents will have one year to comply with the new requirements.

The Saudi Data & Artificial Intelligence Authority (“SDAIA”), the supervisory authority for the law’s application, will issue implementing regulations supplementing most aspects of the law by March 2022.  There have been no further regulatory developments at this stage – but businesses should note several important requirements contained in the new law:

  • Residency: The law applies to the personal data of all Saudi residents – both citizens and non-citizens.
  • Extraterritoriality: Any processing of Saudi resident data performed in the Kingdom or by entities located outside the Kingdom is subject to the law’s requirements.
  • Restrictions on Cross-Border Transfers: Transfers of data outside of the Kingdom may be made for limited explicit purposes, as set out in the law, or for “other purposes” subject to the forthcoming regulations. Even if the transfer falls into a permitted category, further conditions must be satisfied, including approval by the competent government authority, with exceptions granted on a case-by-case basis only.
  • Registration: Data controllers must register with SDAIA and pay an annual fee.
  • Consent: Consent is the primary legal basis for processing personal data, and must be obtained in writing (subject to further requirements in the forthcoming regulations). Personal data may only be processed without consent in very limited circumstances.
  • Local Representative: Any foreign company without a legal presence in the Kingdom that processes the personal data of Saudi residents must appoint a local representative, licensed for that purpose. SDAIA will determine when this requirement will come into effect.
  • Sensitive Data: All sensitive personal data, which includes genetic, health, and credit and financial data, will now be governed under the new law, but will also be subject to further regulation. The law contemplates a process of “reconciliation” with existing data regimes implemented by other regulators in the Kingdom.
  • Breach Notification: Breaches, leakages, or other unauthorized access to personal data must be notified to SDAIA “immediately,” as well as to data subjects.
  • Records of Processing Activities: Data controllers must prepare and register data processing activities with SDAIA.
  • Criminal Penalties: The law contains criminal penalties, including up to two years’ imprisonment and fines of up to SAR 3 million (approximately USD $800,000). Administrative penalties may be imposed with higher fines.

All businesses operating in the Kingdom or processing the data of Saudi residents should start assessing their activities and security systems in preparation of the law’s implementation.

We are monitoring further developments regarding the new law, and will post updates on Inside Privacy.

Photo of Tarek Khanachet Tarek Khanachet

Tarek Khanachet leads Covington’s Middle East Sovereign Advisory, Regulatory, and Public Policy practice – working with both governments and global businesses on their most complex policy challenges in Saudi Arabia, the Gulf States, Turkey, and the broader MENA region.

Tarek advises regional governments…

Tarek Khanachet leads Covington’s Middle East Sovereign Advisory, Regulatory, and Public Policy practice – working with both governments and global businesses on their most complex policy challenges in Saudi Arabia, the Gulf States, Turkey, and the broader MENA region.

Tarek advises regional governments and government entities on regulatory infrastructure development, policy design, new entity establishment and governance, and economic diversification initiatives.

His private-sector practice is focused on assisting global businesses with regional government affairs matters, including legislative advocacy, Ministry-engagement, regulatory compliance, and market access. This work crosses key highly-regulated sectors, including defense, information technology (including data privacy and cybersecurity), life sciences (including both pharmaceuticals and medical devices) and food and beverage, where global businesses may have to balance competing regulatory challenges between jurisdictions.

Tarek has extensive expertise with government-private transactions, including complex joint-ventures, and sensitive national tendering and procurement processes focused on critical infrastructure development, on-shoring of new industries, and technology transfer.

From 2011-2013 he was embedded in the Economic Cities Authority of the Kingdom of Saudi Arabia, designing and drafting their regulatory framework, and advising on core PPP and outsourcing agreements.

Photo of Julie Teperow Julie Teperow

Julie Teperow advises multinational clients on complex local and international regulatory, public policy, and corporate matters. She advises across a broad range of sectors, including life sciences, technology and consumer products. She has particular experience with regional cross-border compliance issues, helping clients navigate…

Julie Teperow advises multinational clients on complex local and international regulatory, public policy, and corporate matters. She advises across a broad range of sectors, including life sciences, technology and consumer products. She has particular experience with regional cross-border compliance issues, helping clients navigate regulatory frameworks and the practical issues arising when doing business in the Middle East and North Africa region.

Julie also has experience with government affairs in the GCC ‒ advising companies on commercial, trade and market access. She has expertise in advising companies on entering and dealing with issues particular to emerging markets.

In addition to regulatory compliance and government affairs, Julie assists clients with regulatory aspects of corporate and commercial transactions, including employment issues. She also acts as the firm’s representative for the Women’s Forum for the Dubai office.

Photo of Antonio Michaelides Antonio Michaelides

Antonio Michaelides advises clients in heavily regulated sectors on a broad range of cross-border regulatory and compliance matters, with a particular focus on Europe and the Middle East. He has particular expertise in helping clients navigate international HR-legal compliance issues—including labor laws, international…

Antonio Michaelides advises clients in heavily regulated sectors on a broad range of cross-border regulatory and compliance matters, with a particular focus on Europe and the Middle East. He has particular expertise in helping clients navigate international HR-legal compliance issues—including labor laws, international equity compliance and immigration matters—and frequently helps multinationals find solutions to their most complex global employment and benefits challenges.

Antonio is a member of our Global Workforce Solutions team, which brings together various practice areas to provide the employment, employee benefits, tax, immigration and other advice required in these complex situations, and advises clients across a range of industries on both larger strategic projects arising out of company restructures and global mobility arrangements, and day-to-day HR-legal matters.

Antonio has extensive experience with government affairs and regulatory matters in the Middle East—advising government entities, as well as private companies, on a variety of regulatory infrastructure and compliance issues. He previously advised free zone authorities in the Emirate of Dubai on employment and immigration matters, including amendments to the DIFC Employment Law and the application of the DMCC Employment Regulations, and is currently advising on the development of legal and regulatory infrastructure for a number of government-led projects in Saudi Arabia.

Given his EU law expertise, particularly in the areas of free movement of people and establishment, Antonio is a member of the firm’s Brexit Taskforce which is advising a range of clients on the impact and implications of Brexit.

Clients appreciate his responsiveness and business-focused advice, and benefit from his cultural awareness and extensive language skills in the context of managing international projects.

In addition, Antonio has presented, and provided training, to clients and external organizations on the challenges of international assignment management and other common global mobility issues.