Using and protecting customer data in Saudi Arabia

May 2022  |  EXPERT BRIEFING  | DATA PRIVACY

financierworldwide.com

 

As our lives have become ever more digitally integrated, people have become aware of how their personal data is used and are demanding legislative protection against its theft or its use without consent. This has led governments and supra-national bodies to act. In September 2021, the Kingdom of Saudi Arabia (KSA) followed suit with the Personal Data Protection Law (PDPL).

Previously, there was no standalone data protection law in the KSA. Citizens relied on a patchwork of Shari’ah principles, supplemented with rights drawn from outdated and non-specific legislation. This article highlights how businesses can use customer data while complying with their obligations.

Background to global trends in data protection law

The European Union’s (EU’s) General Data Protection Regulation (GDPR) took effect in 2018 and quickly became the gold standard in data protection legislation, with multiple jurisdictions around the world promulgating very similar provisions. The US has a patchwork of laws across various states. Even so, the overall protection offered in the US was judged sufficient for an agreement to be formed between the EU and the US under which data could be transferred without issue. In July 2020, the Court of Justice of the European Union (CJEU) shook the industry by declaring that agreement invalid, on the basis that US authorities could access data secretly and without sufficient remedies being available to EU citizens.

As the world wakes up to the reality that governments are taking data protection seriously, the KSA released the PDPL to join the developed markets. The move is necessary for the KSA to achieve its ‘Vision 2030’ objective of becoming a leader in future industries and a hyperscale data centre hub.

The modernisation of the KSA legal regime and data protection

‘Vision 2030’ seeks to transform the KSA into a world leading economy which can compete in the markets of tomorrow. Particular focus is placed on technology, specifically, integrating tech into the public sector offering and creating a hospitable private sector environment for inward investment and growth. The legal regime has been overhauled to meet the requirements of modern society.

Cloud computing, public procurement, franchising and the general companies’ law have all seen significant reform in recent years, as have the court system, arbitration and the law of evidence. The PDPL itself, however, has had its enforcement date delayed until 17 March 2023, following public consultation on the draft implementing regulations.

The Saudi Data and Artificial Intelligence Authority

The newly formed Saudi Data and Artificial Intelligence Authority (SDAIA) will be the competent authority overseeing the PDPL for the first two years of its enforcement. The SDAIA has been clear that it will closely monitor the market response to the PDPL and will continuously assess sector compliance, progression and development. It has yet to issue the final implementing regulations, which will contain further detail, but the SDAIA clearly considers data protection to be a priority, with penalties ranging up to 5m Riyals and potential custodial sentences.

Scope of the new law

The obligations of the PDPL fall upon all entities that are within the KSA, or which process the personal data of KSA citizens, other than where the processing is for purely personal and non-commercial purposes. These entities are known as ‘data controllers’. A data controller may only collect personal data in accordance with the provisions of the PDPL and must ensure that all processing of personal data, whether undertaken internally or via a third-party processor, complies with the PDPL. Controllers must register with the SDAIA.

Personal data is defined as any data, regardless of its form or source, that could lead to specifically identifying an individual or make the individual identifiable, either directly or indirectly. Clearly, name, contact details and address are personal data. The scope of the PDPL is, however, broad enough to include the IP address, cookie ID and location data of a device, if they can lead to the identification of an individual.

Processing is equally broad, being defined as any act applied to personal data, whether manual or automated. Accordingly, the PDPL applies to any processing of personal data taking place in KSA, as well as the processing of personal data related to data subjects residing in the KSA by any foreign entity.

The key beneficiaries of the PDPL are Saudi residents from whom the personal data is derived, known as ‘data subjects’.

Data protection obligations

Data collection and processing require a lawful basis. Companies are no longer permitted to collect data without a lawful reason. We expect that “obtaining freely given and fully informed consent from an individual” will be the lawful basis most frequently relied upon. Seemingly simple; nevertheless, the individual must be made aware of the identity and address of the controller, the entities to which their data will be disclosed, and the purpose of collection. Using data collected without consent is severely restricted, and the lawful basis will be limited to the duration of the purpose for which the data was collected.

Privacy policy. The privacy policy must be presented to individuals prior to obtaining consent or collecting data and is required to contain the purpose of collection, the nature of the personal data to be collected, the collection and storage method, the means of processing, method of disposal of the personal data processed or collected, the rights of data subjects and methods to exercise such rights. Failure to present a duly drafted privacy policy will be a breach of the PDPL.

Security measures. Controllers must implement security measures to protect personal data. The level of protection must be proportionate to the nature of the data collected, for example the quantity or sensitivity of the data. If controllers become aware of a data breach, they must notify the SDAIA and the data subjects without delay.

Marketing, promoting and advertising

Companies may only use personal data to engage in marketing if the data subject has given prior approval and consent to receive such marketing. The advertisement communication must also provide a clear mechanism for revoking consent and to cease receiving marketing. The market trend is to include an ‘opt out’ button whereby customers can revoke consent with one-click.

Transferring data outside the KSA

There is currently no general mechanism for transferring personal data outside of the KSA. This aspect of the PDPL is misaligned with global trends in data protection, where we would expect to see international transfers permitted subject to the requirements that the foreign jurisdiction offers a sufficient level of protection, that the foreign third party warrants to protect the personal data, and that the domestic controller remains liable for the third party’s actions. The final implementing regulations have yet to be issued, and we await whether such a mechanism is included.

Currently, no such means of lawful international transfer exists. This includes intra-group transfers and conglomerates must be aware that if their KSA vehicle collects data, transferring this to international group companies will likely cause a breach of the PDPL. Data is a vital asset for organisations and the regulations of the PDPL may appear daunting. However, there are potential routes for lawfully utilising personal data.

First, anonymous data is not personal data. By applying techniques such as aggregation, generalisation, or any other procedure whereby the data can no longer be traced back to an individual, the data will likely fall outside the definition of personal data and the restrictions of the PDPL will be relaxed. For example, by deleting the names of individual accounts and reorganising them into regional groups, personal data collected may become sufficiently anonymous to fall outside the scope of the PDPL. Two practical caveats apply. Encrypting or tokenising identifiers is reversible for whoever holds the key, so the resulting data remains re-identifiable and should be treated as pseudonymised rather than anonymous. And a regional group that contains only one or two accounts still points to those individuals, so small groups must be suppressed or merged before the output is treated as anonymous.
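The following is an added worked example, not code from the article or from EKP Legal Counsel, showing the difference between the two techniques just described: generalising customer records into regional aggregates (with small groups suppressed), versus merely replacing identifiers with a keyed token, which the key holder can reverse. The customer records, the city-to-region mapping, the secret key and the minimum group size of three are all constructed for illustration and are not drawn from the PDPL or its regulations.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample records for illustration only (not real customers).
RECORDS = [
    {"name": "Customer A", "email": "a@example.com", "city": "Riyadh", "spend_sar": 1200},
    {"name": "Customer B", "email": "b@example.com", "city": "Riyadh", "spend_sar": 800},
    {"name": "Customer C", "email": "c@example.com", "city": "Riyadh", "spend_sar": 450},
    {"name": "Customer D", "email": "d@example.com", "city": "Riyadh", "spend_sar": 2000},
    {"name": "Customer E", "email": "e@example.com", "city": "Jeddah", "spend_sar": 300},
    {"name": "Customer F", "email": "f@example.com", "city": "Jeddah", "spend_sar": 700},
    {"name": "Customer G", "email": "g@example.com", "city": "Mecca", "spend_sar": 150},
    {"name": "Customer H", "email": "h@example.com", "city": "Dammam", "spend_sar": 999},
]

# Hypothetical city-to-region mapping used to generalise the location attribute.
REGION_OF_CITY = {
    "Riyadh": "Central",
    "Jeddah": "Western",
    "Mecca": "Western",
    "Dammam": "Eastern",
}

# Assumed secret used for the tokenisation example; in practice it would live in a key store.
KEY = b"example-key-not-for-production"


def generalise(records, k=3):
    """Anonymise by aggregation: drop direct identifiers, replace city with region,
    and keep only per-region counts and totals.

    Regions with fewer than k records are suppressed, because a region that holds
    a single customer's spend still identifies that customer.  k=3 is an
    illustrative threshold, not a figure from the PDPL.
    """
    spends_by_region = defaultdict(list)
    for record in records:
        region = REGION_OF_CITY.get(record["city"], "Other")
        spends_by_region[region].append(record["spend_sar"])

    summary = {}
    for region, spends in spends_by_region.items():
        if len(spends) < k:
            continue  # suppress small groups rather than publish them
        summary[region] = {"customers": len(spends), "total_spend_sar": sum(spends)}
    return summary


def _token(email, key):
    # Keyed hash of the identifier; a plain unkeyed hash of an e-mail address
    # can be reversed by hashing candidate addresses, so a secret key is used.
    return hmac.new(key, email.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Replace name and e-mail with a keyed token but keep the row-level data.

    This is pseudonymisation: the rows are still one-per-individual and anyone
    holding `key` can link tokens back to people (see reidentify below).
    """
    return [
        {"token": _token(r["email"], key), "city": r["city"], "spend_sar": r["spend_sar"]}
        for r in records
    ]


def reidentify(pseudonymised, records, key):
    """Demonstrate that the key holder can rebuild the token-to-name mapping."""
    lookup = {_token(r["email"], key): r["name"] for r in records}
    return {row["token"]: lookup.get(row["token"]) for row in pseudonymised}


if __name__ == "__main__":
    print("Aggregated:", generalise(RECORDS))
    tokens = pseudonymise(RECORDS, KEY)
    print("Pseudonymised first row:", tokens[0])
    print("Re-identified by key holder:", reidentify(tokens, RECORDS, KEY)[tokens[0]["token"]])
```

Running the script shows the Central and Western regions in the aggregate while the single Eastern customer is suppressed, and then shows that the tokenised rows are recovered to names by anyone with the key: only the first output is a candidate for treatment as anonymous data.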

Second, corporate information is not personal data. Data collected about corporations or any entity that is not an individual is outside the scope of personal data. Therefore, if you collect data on markets, organisations or general trends, it is likely outside the PDPL restrictions.

Third, data security as a unique selling point (USP). In many ways the PDPL merely transcribes the expectations of the modern consumer, which may come as a rude awakening to some organisations. For other companies, data security has been a USP for years, building trust with their consumers and going above and beyond the levels set by the PDPL.

High-profile breaches and fines have severely tarnished consumer confidence in many brands, and there is growing demand for, and value attached to, companies that are perceived as protecting their customers’ data. For this reason, we recommend that as companies look to the future, data security forms an essential consideration when determining corporate strategy.

 

Wissam Hachem is a partner and Harry Taylor is an associate at EKP Legal Counsel. Mr Hachem can be contacted on +966 (11) 276 7372 or by email: wissam.hachem@ekplegal.com. Mr Taylor can be contacted on +966 (11) 276 7372 or by email: harry.taylor@ekplegal.com.

© Financier Worldwide
