Data Protection Laws in KSA and UAE

Potech
Aug 5, 2024


Since 2022, most GCC countries, including Saudi Arabia (“KSA”) and the United Arab Emirates (“UAE”), have adopted personal data protection laws which are largely inspired by the EU General Data Protection Regulation (“GDPR”), reflecting many of its key concepts and the main rights granted by the GDPR to data subjects (“data subject” means the natural person about whom a Data Controller (the “Controller”) holds personal data and who can be identified, directly or indirectly, by reference to that personal data).

As for the other GCC countries, Qatar adopted its data protection law in 2016, Bahrain adopted a personal data protection law that came into force on the 1st of August 2019, Oman adopted a personal data protection law on 9 February 2022 that took effect on the 13th of February 2023, while Kuwait still does not have specific personal data protection laws.

In this analysis, we highlight the main points to be considered by entities collecting, transferring and storing personal data.
Prior to presenting the content of the new laws in the KSA and the UAE, we first synthesize the essential principles of the GDPR and the main rights it grants to data subjects.

GDPR

The seven principles of the GDPR are the following:
1- Lawfulness, fairness, and transparency: When personal data (“personal data” is any information which is related to a data subject) is collected, the Controller must clarify to the data subjects the reasons why it is being collected and how it is going to be processed and used.
2- Purpose limitation: Personal data can only be collected for “specified, explicit, and legitimate purposes.”
3- Data minimization: Personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.”
4- Accuracy: Controllers should regularly review information held about individuals and delete or amend inaccurate information accordingly.
5- Storage limitation: Personal data kept in a form which permits the identification of the data subjects should be kept for no longer than is necessary for the purpose for which the personal data is processed.
6- Integrity and confidentiality (security): The Controller must ensure that all the appropriate technical or organizational measures are in place to secure and maintain the integrity and confidentiality of the personal data that it holds.
7- Accountability: Controllers must take responsibility for the personal data they hold and demonstrate compliance with the other principles.

The main rights granted by the GDPR to the data subjects are the following: (1) Right of access; (2) Right to rectification; (3) Right to erasure; (4) Right to restriction of processing; (5) Right to be informed; (6) Right to data portability; (7) Right to object; and (8) Right not to be Subject to Automated Decision Making.
The GDPR's principles as summarized above are implemented with some differences depending on each GCC domestic regulation.

KINGDOM OF SAUDI ARABIA
The Personal Data Protection Law (“PDPL”) came into force on September 14, 2023. It is the first data protection law established in the KSA that goes beyond the general principles of privacy outlined under Sharia law. The PDPL closely resembles the GDPR, applies similar principles and grants similar rights to data subjects, while taking into account a number of specificities indicated below:
Territoriality and Scope of PDPL
The PDPL is applicable (i) to the processing of personal data by companies or public entities taking place within the KSA, as well as (ii) to the processing of personal data relating to data subjects residing in KSA by companies located outside of the KSA. A company could therefore be subject to the PDPL even if it is not established in KSA, should it be processing the personal data of KSA-based customers.
The PDPL defines “personal data” as any information, in whatever form, through which a person may be directly or indirectly identified (such as an individual’s name, the personal identification number, addresses, contact numbers, license numbers, records, personal assets, bank and credit card numbers, photographs and video recordings of the person, and any other data of personal nature).
Main Differences with GDPR
The PDPL is more stringent on cross-border personal data transfers: Controllers are not allowed to transfer personal data outside the KSA except if it complies with an agreement to which the KSA is a party, or it serves Saudi interests, or if it is for the purpose of performance of an obligation to which the Data Subject is a party, or for other purposes that are set out in the PDPL. Furthermore, other requirements must be met, including (a) that the data transfer or disclosure to a party outside the Kingdom does not impact KSA national security or vital interests or violate any other KSA law, (b) that there is an adequate level of protection for Personal Data in the jurisdiction to which the data is transferred, such level of protection being at least equivalent to the level of protection guaranteed by the PDPL, and (c) that the transfer or disclosure of data is limited to the minimum amount of Personal Data needed to achieve the purpose of the transfer. Note that these last requirements do not apply in cases of extreme necessity to preserve the life or vital interests of the Data Subject or to prevent, examine, or treat disease.
Sanctions
Penalties for failure to comply with the PDPL include up to two years’ imprisonment and fines of up to SAR 5 million (circa USD 1,333,000). Higher fines may be imposed in case of repeat offenses. Furthermore, Parties affected by the offences may be able to claim compensation.
It is expected that the PDPL will continue to evolve.

UNITED ARAB EMIRATES
The Federal Decree №45 of 2021 regarding the protection of personal data (the “PPD”) came into force in the UAE on January 2, 2022. The PPD broadly mirrors the GDPR, with a few exceptions. The Executive Regulations were stated to be issued by March 20, 2022, however, there has been a delay in the issuance of the Executive Regulations.

Territoriality and Scope of PPD
The PPD applies to (i) data subjects who reside or have a place of business in the UAE, (ii) Controllers and processors located in the UAE that carry out the processing of personal data of data subjects inside or outside the UAE, and (iii) Controllers and processors located outside the UAE that process personal data of data subjects residing inside the UAE.
A particular exception to the PPD scope is the existence of specific data protection legislation applicable in certain free zones in the UAE (such as the Dubai International Financial Center (DIFC) and the Abu Dhabi Global Market (ADGM)). The companies established in such free zones do not have to comply with the PPD as they need to abide by the data protection legislation in force in these free zones.
Specific categories of data are exempted from the PPD: (i) UAE government data; (ii) UAE government entities that control or process personal data; (iii) Personal Data held with security and judicial authorities; (iv) a Data Subject who processes his/her data for personal purposes; (v) health, banking, and credit personal data and information that are subject to specific data protection legislation, and to the extent that is already governed by such specific UAE legislation.

Main Differences with GDPR
- Processing of personal data. The PPD default position is that the data subject’s consent must be obtained to conduct processing, subject to certain exemptions similar to those provided for under the GDPR. However, while the GDPR allows for the processing of a data subject’s personal data without obtaining the data subject’s consent on the basis of the Controller’s legitimate interests to do so, the PPD does not allow for such processing.
- Sensitive personal data: Although the definition of sensitive personal data is comparable with the GDPR’s definition of special categories of personal data, there are some differences: the PPD’s definition includes data revealing an individual’s family and criminal record data.
- Data breaches or leakages: any data breach or leakage impacting personal data must immediately be notified to the UAE Data Office and where necessary, to data subjects.
- Data subject rights: These rights do not completely align with the GDPR, owing to certain nuances: (1) the Controller may only reject a data subject’s request for access to its data in limited circumstances, (2) the information requested by the data subject (as defined by the PPD) from the Controller needs to be provided without charge, and (3) the PPD does not set out a timeline for a Controller to respond to a data subject access request, although this is expected to be covered in the PPD Executive Regulations.
- Cross-border transfer of data: Without obtaining the data subject’s prior consent, Controllers may not transfer Personal data outside the UAE to jurisdictions that do not offer an adequate level of protection. Certain exceptions apply to this prohibition, such as the transfers necessary for the performance of contracts, or to protect the data subject’s vital interests, or for preparing, pursuing or defending a legal claim. All data transfers to foreign jurisdictions must not conflict with the public and security interest of the UAE.
Sanctions
At present, the PPD does not specify the sanctions to be applied in case of non-compliance with its provisions. The PPD Executive Regulations are expected to clarify this. It is expected that the PPD will evolve through the issuance of its Executive Regulations, that are projected to set out a lot of the practical and operational details of the PPD.

IN SHORT
The GDPR is currently the gold standard for data privacy regulations. More and more jurisdictions are aligning with it, the GCC countries included. Companies operating in the GCC however need to consider the particularities of the personal data protection laws of the different jurisdictions, as more stringent protection measures may be required from them. The Data Privacy Practice of Bakhache & Hijazi Law Firm, led by Partner Youssef Bakhache, supports clients in all legal issues, in association with Potech — Paths of Technology covering all technical and technological support related to data privacy and data security in, among other jurisdictions, the GCC.

Written by Potech

Potech offers masterful services in Information & Technology and Cybersecurity incl. engineering products, advisory, research, SOC & managed services.