Navigating SDAIA’s updated rules for cross-border data transfer
The Saudi Data and AI Authority (SDAIA) has announced the much-anticipated amended Regulation for Personal Data Transfer outside the Kingdom (ARPDT), published in Umm Al Qura on 1 September 2024. Issued pursuant to the Personal Data Protection Law (PDPL), it came into effect on the same date, although controllers remain within the grace period to comply with the PDPL until 14 September 2024.
Some key points to note from the ARPDT are as follows:
1. Adequacy
Transfer of personal data to an “adequate” jurisdiction is a safe harbor. SDAIA shall publish a list of countries or international organizations that meet this requirement. Under Article 3.1 of the ARPDT, the list shall be published on SDAIA’s official website. At the date of this writing, there is no list published on SDAIA’s website.
2. Exceptions to adequacy
Where the recipient's jurisdiction has not been deemed "adequate", personal data can still be transferred offshore if the conditions listed in point 3 below are met and the nature of the transfer fits into an exemption category, such as:
- Infrequency: Where transfers concerning a limited number of data subjects are intermittent, even if they recur occasionally over a long period of time.
- Temporality: Where transfers concerning a limited number of data subjects occur only for a brief period of time, even if transfers are frequent within that brief period.
- Central operations: Where the personal data transfer is part of the central operations of a multinational corporation.
- Service or benefit: Where the purpose of the personal data transfer is to provide a service or benefit to the data subject.
3. Conditions to exceptions
Each exception carries one or more conditions, such as:
- Standard contractual clauses: Where the controller ensures that the standard contractual clauses published by SDAIA are in place with the recipient of the personal data. SDAIA released v1.0 of its standard contractual clauses in September 2024.
- Binding common rules: Where the entities involved in the personal data transfer are subject to the binding common rules published by SDAIA. SDAIA released v1.0 of its binding common rules in September 2024.
- Certificate of accreditation: Where the recipient of the personal data is certified by a SDAIA-licensed assessment body. As of this writing, no further information on the licensing process or on licensed assessment bodies has been published.
4. Caution
The ARPDT provides a general framework for onshore controllers to transfer personal data offshore. Caution must still be exercised in each case; for example, a risk assessment may be required, or the analysis may change if the personal data is classified as "Sensitive Data" under the PDPL.
Authored by: Jonathan Burns* and Ellen Ray