ASG Analysis: Saudi Arabia Publishes National Data Governance Interim Regulations
- On October 20, the Saudi Data and Artificial Intelligence Authority (SDAIA) published National Data Governance Interim Regulations to govern the collection and use of personal data and the management of data by government entities.
- The publication of the regulations comes as the Kingdom takes significant steps to develop its digital regulatory landscape and one day before the Global AI Summit in Riyadh. Businesses should expect continual change to data regulation in the Kingdom as new policy and regulatory authorities find their feet and become fully operational.
- Among the most notable provisions of the regulations are requirements around obtaining consent from Data Subjects, maintaining data localization within Saudi Arabia, and limiting personal data collection to data that is necessary and relevant to the activities of Data Controllers.
Context and Background
On October 20, the Saudi Data and Artificial Intelligence Authority (SDAIA) published the National Data Governance Interim Regulations to govern the collection, use, processing, and management of data in the Kingdom. The regulations cover five topics: data classification by public entities, protection of personal data, data sharing between public entities, freedom of information requests, and open data. Much of the document, including the regulation on the protection of personal data, draws significantly from international regulations such as the EU’s General Data Protection Regulation (GDPR).
The publication of these regulations comes during a period of significant development for the regulatory landscape around data and digital activities in the Kingdom. SDAIA was only recently established in August 2019 and has spent much of the time since then defining its mandate and developing the entities under its umbrella, including the National Data Management Office (NDMO), which authored these regulations. The past few months have seen increased activity from SDAIA as a policy authority, including the development of a national strategy for data and AI that was approved by the King (but not published) on August 9. That strategy will likely be unveiled during the Kingdom’s Global AI Summit on October 21 and 22 – in fact, it is the first agenda item following the opening remarks.
It is no coincidence that the data regulations, which were officially approved on September 28, were published one day ahead of the Summit. It signals that SDAIA is now ready to take on a more active and public role in defining the Kingdom’s regulation of data and AI. The decision to release these as “interim” regulations indicates that the regulation of data will continue to evolve as SDAIA and NDMO grow more established in their roles. In a further reference to the continuing evolution of the Kingdom’s digital regulations, the document defers in several cases to security requirements to be established by the National Cybersecurity Authority (NCA). Businesses with digital interests in the Kingdom, including cloud service providers (CSPs), e-commerce businesses, and other companies involved in the collection or processing of data, should be ready to comply with these and future regulations from SDAIA, monitor the continuing evolution of the regulatory landscape in the Kingdom, and proactively engage with SDAIA, NDMO, and other relevant entities to ensure a smooth relationship with the organizations and officials that will shape the Kingdom’s digital sector.
Key Highlights of the Regulations
While all five of the topics covered under these regulations are important for the management of data by Saudi government entities, the most important for businesses operating in the Kingdom are those governing the protection of personal data. As stated in those regulations, “the Personal Data Protection Interim Regulations apply to all entities in the Kingdom that process personal data in whole or in part, as well as all entities outside the Kingdom that process personal data related to individuals residing in the Kingdom using any means, including online data processing.” Key provisions of the personal data protection regulations include:
Rights of Data Subjects:
- The right to be informed of the legal basis and purpose for the collection and processing of their personal data. Personal data cannot be collected or processed without the Data Subject’s express consent.
- The right to withdraw consent at any time unless judicial or statutory requirements state otherwise.
- The right to access personal data in possession of the Data Controller, including the right to correct, delete, or update personal data, destroy unnecessary data, and obtain a copy of the data in a clear format.
Obligations of Data Controllers:
- Develop policies and procedures and establish an organizational unit to ensure sustained compliance with these regulations, including periodic verification that Data Processors with which the Data Controller contracts are also in compliance.
- Obtain appropriate consent from Data Subjects, including by notifying the Data Subject of (1) the purpose and legal basis for the collection and use of data, (2) available options for the processing of personal data and mechanisms to exercise preferences and opt in or out of certain data collection activities, and (3) any third-party sources used to indirectly collect data.
- Limit personal data collection to the minimum required for achieving the purpose of collection and limit collection to data that is directly related to the Data Controller’s activity.
- Store and process personal data within Saudi Arabia “in order to ensure preservation of the digital national sovereignty over such data.” Data Controllers may only process or transfer personal data outside the Kingdom after obtaining written approval from the relevant regulatory authority in coordination with NDMO.
- Notify the relevant regulatory authority within 72 hours of any data breach or leak.
Key Considerations for Businesses
While the regulations became official as of their approval on September 28, it will take regulators several months to begin effectively monitoring for compliance by businesses. Businesses covered by the regulations should seek to proactively comply with as many of their provisions as possible in order to establish a strong start to their relationship with SDAIA and NDMO. Saudi officials will also likely take note of organizations that make an effort to comply with the “spirit” of the regulations in addition to the letter of the law. Provisions such as the one requiring Data Controllers to “launch awareness programs to promote and raise awareness of privacy culture” are good opportunities for businesses to demonstrate to regulators that they are an ally to the Kingdom and a potential resource in the development of a secure and efficient digital sector.
Albright Stonebridge Group (ASG) is the premier global strategy and commercial diplomacy firm. We help clients understand and successfully navigate the intersection of public, private, and social sectors in international markets. ASG’s worldwide team has served clients in more than 120 countries.
ASG's Middle East and North Africa practice has extensive experience helping clients navigate markets across the Middle East and North Africa. For questions or to arrange a follow-up conversation please contact Ben Gordon.