On March 19, 2024, the Saudi Data & Artificial Intelligence Authority (SDAIA) issued a public consultation via its official X (formerly Twitter) account, soliciting comments on the proposed amendments to the Regulations on Personal Data Transfers.
The key amendments under consideration relate to the following areas:
1. Permissible Purposes for Data Transfers Outside Saudi Arabia
In accordance with Article 29(1)(d) of the Personal Data Protection Law (PDPL), the amendments would authorize personal data transfers for the following additional purposes:
– Performing centralized processing necessary for the data controller to conduct its activities
– Providing services or benefits directly to the data subject
– Facilitating scientific research and studies
2. Assessing Adequate Protection Levels in Foreign Jurisdictions
The amendments outline criteria for evaluating whether a foreign jurisdiction has sufficient personal data protection standards, including:
– Robust regulations guaranteeing data protection and enforceable data subject rights
– An established data protection authority willing to cooperate with Saudi authorities
– Consistency between the foreign jurisdiction’s disclosure rules and Saudi’s PDPL
3. Appropriate Safeguards for Data Transfers
Where adequate protection cannot be established, the amendments allow for data transfers pursuant to “appropriate safeguards” approved by SDAIA to ensure PDPL compliance.
4. Data Transfer Risk Assessments
The amendments would require data controllers to conduct risk assessments for certain international data transfers.