Key takeaways

• Saudi Arabia postponed the implementation of its long-anticipated Personal Data Protection Law (PDPL) by a full year on March 22. The decision, made just hours before the Law was meant to take effect, likely resulted from feedback that the draft PDPL Implementing Regulations received from industry players and key Saudi regulators. 
• The delay is a positive indication that the Kingdom is taking industry input seriously as it advances the PDPL. Companies should use this as an opportunity to position themselves as partners to Saudi officials as they redraft the Implementing Regulations this year. The new deadline for issuing these regulations is March 17, 2023, after which the PDPL will go into effect and companies will have one year to comply.
• However, changing the basic tenets of the PDPL will be more complicated. The Law was already approved and published by the Council of Ministers in September 2021. Saudi authorities may consider revising aspects of the PDPL based on discussions this year, but the process will require strong arguments from companies and Saudi regulators.
• Companies should develop strategic policy recommendations that will inform the development of the PDPL Implementing Regulations and could encourage revisions to the Law. These recommendations should center on the PDPL’s consequences for non-oil industries and investor attraction to the Kingdom and should be presented to a wide range of Saudi stakeholders.  

Recent developments

The Saudi Data and Artificial Intelligence Authority (SDAIA) delayed the implementation of its long-anticipated Personal Data Protection Law (PDPL) by a full year on March 22. The decision required rare last-minute approval from the Council of Ministers, which underscores the PDPL’s importance to the Kingdom. SDAIA did not give a reason for the postponement, but it likely resulted from the flurry of questions and comments that the Law’s draft Implementing Regulations received during their brief public consultation window, held two weeks before the Law’s anticipated implementation. SDAIA may also have needed more time to coordinate the Implementing Regulations with other Saudi data regulators, especially the Communications and Information Technology Commission (CITC). The new deadline for SDAIA to issue revised Implementing Regulations is March 17, 2023, after which the PDPL will go into effect and companies will have one year to comply. 

The decision to postpone the PDPL in order to more closely assess industry input and coordinate policies across Saudi regulators is a positive indication of the Kingdom’s efforts to develop a more favorable policy environment. We recommend that companies acknowledge these efforts in their interactions with Saudi authorities and use this delay as an opportunity to position themselves as partners to officials revising PDPL Implementing Regulations this year. Companies should also align with their respective industry regulators on specific policy concerns, since SDAIA will rely on these regulators to understand the PDPL’s implications for key non-oil industries and multinational corporations operating in the Kingdom. Companies should therefore focus on positioning their respective regulators as industry advocates within the government by equipping regulators with insights on relevant global data standards and strategic considerations for their sector.

However, while these efforts may influence the redrafting of PDPL Implementing Regulations, changing the Law itself will be more complicated. The Council of Ministers outlined and approved the PDPL in an official decree in September 2021, which is set to enter effect once Implementing Regulations are published next spring. The Kingdom could change various aspects of the Law based on discussions this year, though the process would require new approval by the council and other high-level authorities. Companies should therefore develop robust, fact-based arguments that may convince SDAIA and other regulators of the merits of changing the PDPL, while also acknowledging the Kingdom’s national objectives for data protection. Outlining policy options that account for both industry and government priorities will best position companies for promoting productive dialogue with Saudi data authorities.

Data localization

The PDPL’s data localization requirements are a particularly big concern for businesses. According to Article 29 of the PDPL, cross-border data transfers will only be permissible if they: (1) “preserve the life or vital interests of a data owner residing outside the Kingdom;” (2) “serve the Kingdom’s national interests;” or (3) “fulfill an international agreement between the Kingdom and another counterpart.” Companies seeking to transfer data abroad can gain exemptions, but they will only be provided on a case-by-cases basis and with the requirement that companies gain written approval from their respective regulator. For example, a hospitality company would need to request that the Ministry of Tourism gain approval from SDAIA and issue the company a formal exemption before the company can transfer data abroad for a certain purpose.

SDAIA may be receptive to feedback from industry players and other stakeholders on these localization requirements. Companies should therefore continue to outline the regulatory and operational challenges these changes would pose for their operations. At the same time, businesses should also recognize SDAIA’s occasionally conflicting objectives of safeguarding national security and promoting investment in cloud computing and data infrastructure, and should explore ways to address both sets of priorities. While SDAIA may in principle be open to industry feedback, it is unclear to what extent the Kingdom is willing to adjust the localization policies already outlined in the PDPL and the first drafts of the Implementing Regulations. Companies should therefore anticipate some form of a data localization regime to be enacted under the PDPL and begin to develop strategies accordingly.

Other key data regulators

Another key aspect of the PDPL is the requirement that SDAIA consult with other regulators, namely the CITC and the Saudi Arabian Monetary Authority (SAMA), on its proposed Implementing Regulations before enacting the Law. The PDPL underscores that these regulators maintain ultimate autonomy to govern their respective jurisdictions without interference from SDAIA, which is a key consideration for financial or technology companies regulated by either authority. While the Law does not explicitly require that SDAIA harmonize its policy regime with CITC and SAMA, it does require a degree of coordination with these authorities, as well as other key entities, such as the National Cybersecurity Authority, Ministry of Communications and Information Technology, and Saudi Health Council. Companies should support these efforts by comparing existing regulations with proposed PDPL policies and informing relevant officials of any areas of incongruence or confusion that may need to be clarified in revised PDPL Implementing Regulations. 

Recommendations for companies

• Companies should first prioritize engagement and alignment with their respective regulators on the strategic implications of the PDPL for their operations. These regulators could serve as key advocates for their respective industries vis-à-vis Saudi authorities drafting the PDPL Implementing Regulations this year, so companies should focus on equipping their regulators with ample insight on relevant global standards and other key considerations for their sector.
• Companies should also continue to engage in constructive dialogue with SDAIA officials as they revise the Implementing Regulations, and potentially consider changes to the PDPL itself, over the course of this year. Businesses should be specific in their asks, as opposed to calling for major policy reversals, and explore policy options that account for both industry interests as well as Saudi data protection priorities.
• Companies should begin preparations for the next round of public consultation on the revised PDPL Implementing Regulations. SDAIA has not yet set a date, or duration period, for this consultation window, but it may be as brief as the first round of consultations. Industry players should therefore prepare their feedback well ahead of time, as SDAIA will look favorably on responses delivered in a clear, legalistic, and well-structured manner.
• Lastly, companies may consider appointing a local data representative to advocate for company interests on the ground and address technical or operations questions posed by Saudi authorities. Article 30 of the PDPL requires local representation for certain data controllers, so companies may win favor with Saudi officials if they proactively adhere to this provision before its implementation.

_____________________________________________________________________________

About ASG

Albright Stonebridge Group (ASG), part of Dentons Global Advisors, is the premier global strategy and commercial diplomacy firm. We help clients understand and successfully navigate the intersection of public, private, and social sectors in international markets. ASG’s worldwide team has served clients in more than 120 countries.

ASG's Middle East & North Africa practice has extensive experience helping clients navigate markets across the region, especially in Saudi Arabia and the UAE. For questions or to arrange a follow-up conversation please contact Louise Rosenberg.