Fresh regs to regulate the sharing of Saudi data outside the Kingdom: The Saudi Data and AI Authority (SDAIA) has launched public consultations on a draft policy to regulate access to and the sharing of Saudi data outside of the Kingdom. The policy and proposed changes to data privacy regulations are now out for comment on the government’s Istitlaa platform.

The rationale: SDAIA is introducing the new regulations against the backdrop of the increasing downside risks that arise with tech advancements. The rules regulate how public and personal data must be handled during its collection, storing, processing, dissemination, and use, with an emphasis on the who, what, when, where, why and how of sharing data with parties outside the Kingdom.

Regulating, not banning: While the draft data sovereignty policy (pdf) aims to protect public data against breach as well as illegal access, utilization, and distribution, the government plans to do so in a manner that follows international best practices and safeguards the principles of data transparency and availability.

Sharing personal data outside the Kingdom:SDAIA aims to enforce additional rules and procedures to regulate the sharing of the personal data (pdf) of Saudi nationals with national and foreign institutions outside the Kingdom. The government will task the relevant authorities to compile a list of countries and foreign organizations that are up to standard in terms of handling and protecting the data shared with them. This list can be edited at any given time, but is periodically reviewed every four years.

So, might Saudi data be shared with parties outside the Kingdom? According to the proposals, it might be allowed when:

  • The transfer of data is between local and foreign public entities that are collaborating on a convention in which Saudi is a party;
  • When primary operations cannot be completed without the transfer of personal data;
  • When the transfer of data is in the interest of the subject citizen;
  • For activities of scientific academic research and studies;
  • If the transfer of non-sensitive data will be infrequent or for a definite period and for a limited number of data owners.

Leave a comment

Your email address will not be published. Required fields are marked *