What businesses can expect from PDPL, Saudi Arabia's incoming data law
Senior Market Research Analyst, Al-Monitor
March 8, 2023
Enforcement of Saudi Arabia’s long-awaited personal data protection law, called the PDPL, is scheduled to begin March 17, 2023, with an expected grace period of one year to reach compliance. This comes after Saudi authorities abruptly postponed enforcement at the original March 2022 deadline. Industry players had chafed at restrictions on how personal data could be collected, used and stored, particularly with regard to limits on transferring data outside the kingdom. Although GCC neighbors have implemented similar laws recently, Saudi Arabia’s potentially daunting data restrictions — combined with its market might — amplify the importance of these new rules, which could have a significant impact on the cost of doing business in the kingdom for multinationals. Despite the fast-approaching deadline, there’s still ambiguity around the PDPL’s implementing regulations, which could see several scenarios play out in coming weeks.
- The PDPL’s roots trace to June 2020, when Saudi Arabia’s National Data Management Office issued a document containing “Interim Regulations on Personal Data Protection.” The PDPL then received a Royal Decree in September 2021, with the Saudi Data and Artificial Intelligence Authority (SDAIA) set to regulate it across the first two years before shifting supervision to the National Data Management Office.
- The PDPL applies to personal data processing by all entities in Saudi Arabia, as well as those outside the kingdom that process personal data related to individuals residing in the country using any means, including online personal data processing.
- The law broadly defines personal data as essentially any information that would lead to the specific identification of an individual or make identification possible. Entities handling this information are termed “data controllers” and would have to register with the SDAIA and pay an annual fee of up to about $27,000.
- The PDPL joins several new privacy laws in the GCC. For example, Oman’s PDPL came into effect in February 2023, while the UAE’s arrived in January 2022. Further back, Qatar’s data protection law entered effect in 2017.
- The region certainly has data management issues: the average total cost of a data breach among a sample of 31 companies across Saudi Arabia and the UAE was $7.46 million in 2022, according to IBM Security. That made them the second most costly territories for data breaches after the US, where the figure was $9.44 million.
- GCC data laws broadly align with the EU’s widely emulated General Data Protection Regulation, or GDPR, which launched in 2018. That said, Saudi Arabia’s PDPL as originally published featured key differences from international standards, including certain requirements around overseas data transfers and localization.
- Notably, the law would prohibit entities from transferring personal data outside the country, with exceptions only for very specific circumstances — for instance, if it were necessary to preserve the life of a data subject. Companies could gain exemptions on a case-by-case basis, but it would require written approval from a regulator.
- For example, a multinational couldn’t send personal data collected by its Riyadh office over to Dubai. Other GCC data laws haven’t been as strict. For example, the UAE’s allows personal data transfers to countries approved as having an “adequate level of protection.”
- Saudi Arabia’s PDPL was initially scheduled to come into force on March 23, 2022, with a one-year grace period to comply. However, the night before the deadline, Saudi authorities postponed the entire law. The SDAIA said the decision was based on responses received from stakeholders during a brief public consultation on the draft of the law’s implementing regulations.
- That included notable pushback: the US Chamber of Commerce — the top lobbying spender in the US — warned Saudi Arabia that the PDPL would raise costs of doing business and complicate efforts to attract foreign investors, reported Bloomberg in March 2022, with tech firms, banks and payment companies all expressing concerns. As noted by the report, the data transfer rule was a key concern, as violators would face criminal sanctions.
- “There are several aspects of this law that pose not only significant problems for the private sector but will be significant barriers to helping the kingdom achieve its goal to become a digital hub,” the Chamber of Commerce wrote in a letter seen by Bloomberg. “It will have a major impact on the cost and ability to do business in the kingdom.”
- The group added that data localization requirements would impose substantial costs on all companies doing business in Saudi Arabia without increasing security. That would include higher costs for data storage and cloud-based services in the kingdom, and maintaining separate local servers may not be possible or practical.
- Regarding possible penalties: cross-border data transfer violations carried a potential one-year imprisonment and a fine up to about $270,000. Meanwhile, unlawfully disclosing or publishing sensitive personal data carried a potential two-year prison sentence and a fine up to roughly $800,000. Other violations carried fines up to about $1.3 million.
- For comparison, the GDPR imposes fines up to about $21 million or 4% of global revenue, whichever is higher, if online organizations fail to protect personal data in the EU. Regionally, fines for violating Qatar’s or Oman’s data law can run up to roughly $1.3 million. The UAE hasn’t disclosed penalties yet.
- The PDPL’s postponement was notable, requiring rare last-minute approval from the Council of Ministers, according to analysis from Albright Stonebridge Group, which added that changing the PDPL’s basic tenets is complicated, as revisions require new approval from the council and other high-level authorities.
- Crucially, the SDAIA also must consult with other regulators before enacting the law, for instance with the central bank. As Albright Stonebridge Group noted, other regulators would maintain ultimate autonomy to govern their respective jurisdictions without SDAIA interference.
- The SDAIA released a revised draft for public feedback during December 2022. Although largely similar to the original, it featured some changes: notably, restrictions around overseas data transfers would be relaxed. For instance, a company could now potentially transfer personal data to the EU, as the GDPR ensures a reasonable enforcement standard.
- Some other key proposed changes, as explained by the law firm Al Tamimi in December 2022, include: “legitimate interest” would now be included as a legal basis for data processing, with a person’s consent no longer the only primary ground for processing their data. Also, offshore entities would no longer be required to appoint a representative in the kingdom in order to process local data.
- In February 2023, the US Chamber of Commerce’s vice president of Middle East Affairs, Steve Lutes, applauded Saudi ministries for welcoming feedback from US counterparts on policy drafts. “We’ve been very focused on the PDPL,” Lutes told a local publication. “There have been great advances from prior drafts.”
- Currently, the PDPL is being amended before being re-issued. An industry source, who spoke with senior people at a relevant Saudi authority in late February 2023, tells Al-Monitor they got the impression the goal is still to have the new law issued by March 17, but it seems there will be extensive changes to the version most recently circulated publicly — possibly including more liberal requirements around personal data transfers.
Scenario 1: The PDPL comes into force on March 17 without substantial changes
Despite efforts to steer business-friendly changes, the SDAIA lacks wiggle room to radically reshape the regulations and advances a law that still contains potentially onerous data transfer rules.
Still, the initial postponement indicated the SDAIA is serious about developing more favorable policies and absorbing feedback. It would be a surprise if it completely spurned industry concerns, which could undermine the kingdom’s efforts to attract foreign business and investment.
Scenario 2: The PDPL is delayed another year
The deadline arrives without the SDAIA publishing implementing regulations, leading to another postponement followed by additional public consultations.
That said, signs indicate that SDAIA is likely to move the ball forward in March 2023, making another significant postponement unlikely. Plus, Saudi Arabia is courting multinationals through its regional headquarters law, scheduled to enter effect in 2024, and further delays could hurt the cause.
The SDAIA attempts to meet its deadline, but with caveats. The required implementing regulations seem unlikely to arrive before March 17 and it’s also possible the SDAIA will solicit further public consultation. That said, expect key business-friendly policies to emerge in the PDPL’s revised draft alongside a generous grace period catering to multinationals. Still, those hoping for a radical overhaul may be disappointed — industry stakeholders should still prepare to adjust to significant changes and monitor how these regulations come into force. Also: watch for potential regulatory disharmony, as the SDAIA could get caught between various authorities with competing priorities. That could undermine the SDAIA and add more ambiguity to enforcement.
Samuel Wendel is a senior market research analyst with Al-Monitor covering economic, tech and business trends across the Middle East. He has previously served as a journalist with Forbes Middle East and Wamda, where he reported on key industry developments spanning a range of sectors in the region.