Saudi privacy rules evolve
Ksenia Andreeva and Karolina Lewicki talk about how Saudi Arabia’s data protection regime is entering a new phase as proposed amendments to the PDPL offer clearer compliance guidance, stricter consent rules and expanded oversight.
The Kingdom of Saudi Arabia (KSA) continues to shape the regional data protection landscape with its proposal of the draft amendments[1] to the Implementing Regulations of the Personal Data Protection Law (PDPL). The PDPL itself, which came into full effect in September 2024, is one of the most comprehensive privacy laws in the Middle East. However, its practical application remains largely untested as enforcement actions and supervisory practices by the Saudi Data and Artificial Intelligence Authority (SDAIA) are still awaited. In this transitional period, organisations have been navigating uncertainty around how to implement the PDPL in practice.
Against this backdrop, the draft amendments released by SDAIA for public consultation in April 2025 mark a significant step forward. They aim to provide greater clarity, operational guidance, and alignment with international best practices. Stakeholders were invited to submit feedback on the proposed amendments – the consultation closed on May 27, 2025, and the publication of the results by SDAIA is still pending (as of the date of this article). If accepted, the amendments are expected to recalibrate compliance obligations and sharpen regulatory expectations in the KSA.
WHAT’S CHANGING?
The proposed amendments to the PDPL seek to introduce both minor clarifications and substantive changes. While many of the revisions appear intended to streamline the law’s text and remove ambiguity, several updates will have practical consequences for organisations handling personal data in the KSA. The key points are explained below.
Privacy notices
One notable shift is the emphasis on clear and accessible privacy notices. Under the draft amendments, controllers must ensure that privacy notices are written in plain, straightforward language and are tailored to the level of understanding of the audience. Crucially, such notices must also be provided in the language ordinarily used in delivering the relevant services or products.
This change would resolve an open question under the existing regime – whether controllers are expected to translate policies into Arabic or other languages to cater to users. The new wording suggests a more pragmatic approach, requiring consistency with the service language rather than a blanket translation rule. For multinational companies, this could mean greater flexibility in harmonising privacy communications.
Advertising
The proposed amendments reinforce the need to obtain valid (freely given and specific) consent before personal data can be used in an advertising context. Under the draft amendments, controllers would have to secure prior consent in all circumstances, even where they have had a prior interaction with the targeted recipient. Previously, a limited exception allowed advertising messages to be sent to existing contacts without separate consent. Arguably, this adjustment would effectively replace that “opt-out” exception with an “opt-in” model across the board, raising the compliance bar for businesses engaged in customer outreach.
Marketing
The treatment of marketing consent has also been adjusted. Under the existing regulations, organisations must obtain consent for any form of “Direct Marketing”, broadly defined to include all direct physical or electronic marketing communications, advertising and promotional activity. The proposed amendments remove the definition of “Direct Marketing” entirely and replace it with a more general requirement to obtain consent for “Marketing”. The absence of a definition for “Marketing” creates new uncertainty. It remains to be seen whether the scope will be interpreted more narrowly or more broadly than the previous definition.
Data Protection Officers (DPOs)
The role of the DPO is expanded and clarified. The proposed amendments specify more detail around the DPO’s responsibilities, which include monitoring compliance, advising on obligations, and acting as a contact point with SDAIA.
In addition, controllers would be required to register the contact details of their DPO on the National Data Governance Platform – a central system managed by SDAIA. This measure aims to formalise the DPO function and enhance regulatory visibility, signalling that the KSA expects organisations to treat the DPO role as a cornerstone of compliance rather than a nominal appointment.
Controller registration
The draft amendments also consolidate and expand registration requirements more generally. Currently, controller registration is governed by separate rules relating to the National Register of Controllers, but the proposed changes would – at least to some extent – bring those obligations directly into the Implementing Regulations of the PDPL.
Controllers (i) who are public entities, (ii) whose primary activity is the processing of personal data, (iii) who transfer personal data outside of the KSA, (iv) who process sensitive data, or (v) who process personal data of individuals lacking legal capacity, are all captured by the draft amendments for registration purposes.
Records of Processing Activities (RoPA)
Another notable shift is related to RoPAs – internal records that detail an organisation’s data processing activities. Whereas organisations currently only need to provide a RoPA to SDAIA upon request, the proposed amendments stipulate that each controller should maintain a dedicated register within the National Data Governance Platform.
This move effectively creates a centralised repository of processing information, enhancing oversight and allowing SDAIA to monitor compliance more proactively. Organisations would have to ensure their recordkeeping is both accurate and up to date, as inconsistencies could quickly draw regulatory attention.
Responding to SDAIA requests
Further, the draft amendments introduce a tightened timeline for responding to regulatory inquiries. Controllers would be required to respond within 10 business days to requests from SDAIA regarding compliance with the PDPL. This short timeframe emphasises the need for organisations to maintain efficient processes, documented compliance programs, and readiness to demonstrate accountability at short notice.
Complaints by data subjects
In a move that strengthens individual rights, the proposed amendments remove the 90-day limit previously imposed on data subjects for submitting complaints. This means that complaints could be filed at any time, creating a more open-ended right of redress.
From a business perspective, this change would increase long-term exposure to potential data subject grievances, underscoring the importance of not only building robust processes for handling and resolving complaints, but also making best efforts to maintain compliance.
Breach notifications
Interestingly, the draft amendments also remove the definition of “Personal Data Breach.” While the rationale is not explicitly stated, this omission suggests that SDAIA may be considering a restructured breach notification regime, potentially to be addressed in a separate guidance document or framework. Organisations should anticipate additional clarification of this point in the near future.
WHY IT MATTERS
The KSA’s regulatory framework is fast becoming a regional benchmark in data protection. The PDPL is stricter in several respects than other regional laws in the Middle East, and SDAIA’s evolving guidance can be expected to influence approaches in neighbouring jurisdictions.
The KSA’s regulatory privacy structure combines the PDPL, its Implementing Regulations, and certain formal interpretations and relevant commentary by SDAIA. This layered model can be difficult to interpret in practice – particularly with enforcement yet to commence. The draft amendments, once finalised, are expected to bridge that gap by shedding light on how the law should be applied day-to-day, and should be closely monitored by organisations that are in scope.
LOOKING AHEAD
As the consultation period has now closed, attention turns to how SDAIA will refine the text of the PDPL’s Implementing Regulations. Businesses should be preparing for the likelihood that many of the proposed changes will survive in some form, even if certain minor adjustments are made in response to stakeholder feedback.
For multinational organisations already operating under the GDPR or similar frameworks, the KSA’s regime may feel familiar, albeit with its own unique characteristics. Nonetheless, for all organisations active in the KSA (or otherwise handling the personal data of KSA data subjects), it is advisable to take certain steps in preparation for the anticipated changes:
- Review and update privacy policies to ensure clarity, accessibility, and linguistic appropriateness.
- Revisit marketing strategies, ensuring consent mechanisms are robust and unambiguous.
- Prepare for increased registration obligations and regulatory scrutiny.
- Enhance RoPA processes so that records are accurate, complete, and easily uploaded to the designated platform.
- Implement rapid-response procedures for regulatory inquiries and strengthen complaint-handling mechanisms.
Ultimately, the PDPL’s evolution underscores the KSA’s commitment to data protection as a pillar of its digital transformation agenda. By embedding higher standards and closer oversight, the KSA is signalling that it takes privacy seriously.
The message is clear – compliance is not optional, and preparation should not be delayed.
Text by:

- Ksenia Andreeva, partner, Morgan, Lewis & Bockius LLP
- Karolina Lewicki, associate, Morgan, Lewis & Bockius LLP
Footnotes:
[1] https://istitlaa.ncc.gov.sa/en/Transportation/NDMO/IRofPDPLAmendments/Pages/default.aspx