How data is processed has long been debated among governments, businesses, and tech giants alike. Major corporations are identifying data privacy violations and sharing how personal data should be handled and shared ethically. Government entities have framed their own laws on data protection and privacy to protect the personal data of their residents. Examples include the GDPR, developed by legislative branches of the European Union, and the CCPA, developed by the state legislature to protect residents of California in the United States.

Now, Saudi Arabia is joining the list of around 80 countries that have data protection laws.

The Personal Data Protection Law (PDPL) was published in the Official Gazette by the Saudi Arabian government on September 24, 2021, and will come into effect on March 23, 2022. Unlike other Saudi Arabian privacy laws, the PDPL applies to all businesses in Saudi Arabia across all industries.

The PDPL protects the personally identifiable information (PII) of the residents of Saudi Arabia, which includes an individual’s name, identification number, addresses and contact numbers, photographs, and video recordings. It applies to any business or public establishment that processes personal data in Saudi Arabia through any data collection mode. It also covers the processing of personal data of residents of Saudi Arabia by establishments outside of Saudi Arabia.

Data privacy conversations revolve around consent. The PDPL requires consent from individuals for any entity to process their personal information and data.

The PDPL requires that organizations processing personal data provide the details of their privacy policy and explain how the individual’s data is processed. These organizations are also required to delete the obtained personally identifiable information “if it becomes clear that it is no longer necessary for achieving the purpose of its collection.”

Reporting any data leak, data breach, or unauthorized access to its highest authorities is required under the PDPL, and if these incidents cause material damage, the law also requires organizations to inform the individual whose personal data has been compromised.

What happens if an organization fails to adhere to any of the provisions in the PDPL?

If personal data is disclosed or published by any entity without adhering to the PDPL, the penalty may be imprisonment for up to two years or a fine of up to SAR 3,000,000 (USD 800,000).

If personal data is transferred in violation of the PDPL, it could result in imprisonment for up to one year and a fine of up to SAR 1,000,000 (USD 266,600).

For violations related to other provisions in the PDPL, the penalties are limited to a warning notice or a fine of up to SAR 5,000,000 (USD 1,333,000).

If an organization commits repeat offenses, then fines can be increased up to double the maximum, and data subjects affected by the non-compliance could also file for compensation.

The changing landscape in digital technology requires transparent laws that protect users’ privacy and forbid organizations from unethically monetizing their personal data. The PDPL, which becomes law next year in Saudi Arabia, enforces that by holding organizations accountable for violating a user’s personal data.