Establishing the needed foundations for the new laws
https://arab.news/jt9fj
Each new law that is approved must pass through several stages that must be clarified before implementation, such as the competent authority that will supervise it and the parties involved in this supervision process. In addition, what the new law exactly needs in terms of adoption and training processes for the sector it targets should be included along with the participating sectors. With the adoption of the Personal Data Protection Law for the first time in Saudi Arabia, the text of the approved law included several clarifications regarding its application mechanisms, which we will address in today’s article.
The text of the law that was shared specifies the authority that will be responsible for implementing the new Personal Data Protection Law, which is the Saudi Data and Artificial Intelligence Authority, for a period of two years. The results of implementing the provisions of the new law will be studied and compared to the level of development witnessed by the Saudi data sector. Then, the supervisory role and competence to monitor the application of this law will be transferred from the Saudi Data and Artificial Intelligence Authority to the National Data Management Office.
In addition to the foregoing, the law stipulates that the implementation of its provisions will start after 180 days from the date of its publication in Umm Al-Qura, the official gazette of the Kingdom. However, in preparation for the establishment of the proper application, the competent authority’s approval on commercial, professional, or non-profit activities related to the protection of personal data in Saudi Arabia has been postponed.
The appointment of the external parties located outside the Kingdom that process the data of residents and representatives inside the country for a period to be determined by the head of the competent authority. It can not exceed five years and will be calculated from the date of entry into force of the law.
Moreover, it is worth noting that the establishment of the applications of this law does not include only the supervisory authorities, but even the control authorities that process the data that are the subject of this law. They were given a period of no more than a year from the date of entry into force to amend their conditions, systems, policies, and applications, bearing in mind that this authority may be public, or with a natural or private legal personality such as companies.
Furthermore, because of the confusion that may occur between the tasks of the Data and Artificial Intelligence Authority and the tasks of the National Cybersecurity Authority, the law confirmed that their tasks are separated where the tasks of the Data and Artificial Intelligence Authority do not affect the competencies of the National Cybersecurity Authority.
The law also states that coordination between the competent authority and the Communications and Information Technology Commission must take place through a signed memorandum of understanding. This will regulate the common aspects and areas that are related to the application of the provisions of the new law that are subject to the regulation of the Communications and Information Technology Commission.
Finally, due to the active role and impact of the data sector, the new law states a period not exceeding a year from the date of its entry into force for the competent authority, and in coordination with the relevant authorities, to review the provisions of the various related laws, decisions, and regulations. This includes provisions related to the protection of personal data discussed in a previous article and a proposal to amend such provisions in line with the directions of the new law.
• Dimah Talal Alsharif is a Saudi lawyer and legal consultant. Twitter: @dimah_alsharif
