The Saudi Data and Artificial Intelligence Authority (SDAIA) has released proposed updates to the Personal Data Protection Law’s Transfer Regulations for public review until 18 April 2024. This post provides a snapshot of the proposed changes, helping you understand how they may:

  • impact your data protection practices,
  • reduce compliance burdens, and
  • facilitate international data transfers.

I’ll also discuss opportunities for licensed data protection consultancies and what these updates might mean for ongoing and future data management strategies.

Overview of the proposed changes

In essence, the changes aim to streamline the existing regulations, offering a clearer, more cohesive framework. Notably, the new draft simplifies the criteria for assessing which countries and international organisations provide adequate data protection. It also removes overly general criteria and now includes considerations for compliance with binding international treaties.

Significant updates in the proposed regulations

  • Article 3 | Revised data protection assessment criteria: Updated criteria for assessing adequate protection levels for personal data outside Saudi Arabia, with updates published every four years or as needed.
  • Article 4 | Data controller compliance exemptions: A new article outlining cases where data controllers might be exempt from strict compliance, provided they use appropriate safeguards.
  • Article 5 | Onward personal data transfer rules: The introduction of regulations for onward transfers of personal data, aligning with practices under the GDPR but simplified to ensure clarity and ease of understanding.
  • Article 6 | Exemption withdrawal procedures: A streamlined process for withdrawing exemptions, making the criteria and implications clearer than in previous versions.
  • Article 7 | Risk assessment for international data transfers: Minor updates to the risk assessment procedures for transferring personal data to entities outside of Saudi Arabia, focusing on clarifications rather than substantial changes.

Ultimately, these proposed changes aim to enhance clarity in the regulation of personal data transfers, potentially reducing compliance burdens and facilitating smoother international operations.

Actions to take next

  • Consider making your voice heard by providing public comment on the proposed updates via the Istitlaa website.