The Personal Data Protection Law of the Kingdom of Saudi Arabia, issued by Royal Decree M/19 on September 16, 2021 and further amended on March 27, 2023 (the PD Law), came into force on September 14, 2023. The one-year transition period will end on September 14, 2024.
Table 1
| Region | Current Rate | New Rate |
| --- | --- | --- |
| New York City, Westchester County, Long Island | $16.00/hour | $16.50/hour |
| Remainder of New York State | $15.00/hour | $15.50/hour |
Table 2
| Legislation | Affected Organizations/Description | Procedural Status | Potential Impact on Charitable/Nonprofit Organizations |
| --- | --- | --- | --- |
| Protecting Federal Funds from Human Trafficking and Smuggling Act (H.R. 1168). Introduced. | 501(c)(3) Organizations: To direct the Director of the Office of Management and Budget to require the disclosure of violations of Federal law with respect to human trafficking or alien smuggling, and for other purposes. | Referred to the Committees on the Judiciary, Oversight and Government Reform, and Ways and Means. | |
| Fixing Exemptions for Networks Choosing to Enable Illegal Migration (FENCE) Act (S. 497). Introduced. | 501(c)(3) Organizations: To amend the Internal Revenue Code of 1986 to modify eligibility for 501(c)(3) status. | Referred to the Committee on Finance. | This provision would amend Section 501(c)(3) to provide, as a requirement for exemption, that the organization does not have a pattern or practice of providing financial assistance, benefits, services, or other material support to individuals that the organization knows or reasonably should know to be unlawfully present in the U.S. It does not define "pattern or practice" or whether that might include grants to organizations that help undocumented persons. |
| Endowment Accountability Act (H.R. 1128). Introduced. | Colleges & Universities: To amend the Internal Revenue Code of 1986 to increase the rate of the excise tax based on investment income of private colleges and universities and to broaden the definition of applicable educational institution by lowering the threshold with respect to aggregate fair market value per student, and for other purposes. | Referred to the Committee on Ways and Means. | This provision would increase the excise tax on university endowment profits from 1.4% to 10% and would expand the application to colleges and universities with endowments valued at $200,000 per student (rather than the current $500,000 per student). |
| Defending Education Transparency and Ending Rogue Regimes Engaging in Nefarious Transactions (DETERRENT) Act (H.R. 1048). Introduced. | Colleges & Universities: To amend the Higher Education Act of 1965 to strengthen disclosure requirements relating to foreign gifts and contracts, to prohibit contracts between institutions of higher education and certain foreign entities and countries of concern, and for other purposes. | Ordered to be Reported in the Nature of a Substitute (Amended) by the Yeas and Nays: 20 – 14 in the Committee on Education and Workforce. | This provision would require colleges and universities to report annually any foreign gifts and contracts of $50,000 or more (up from the current requirement of $250,000 or more), with a $0 threshold for certain countries and entities of concern. It would prohibit contracts with certain foreign countries or entities of concern without obtaining a waiver from the Department of Education. It would also require certain faculty and staff to report gifts from foreign governments and international organizations if they are at or over the amount reportable by federal employees, and to report certain contracts with foreign sources. Finally, the provision would require institutions to report certain foreign source investments. |
| Higher Education Accountability Tax (HEAT) Act (H.R. 1006). Introduced. | Colleges & Universities: To amend the Internal Revenue Code of 1986 to modify the excise tax on investment income of private colleges and universities. | Referred to the Committee on Ways and Means. | This provision would increase the excise tax on university endowment profits from 1.4% to 10% and would expand the application to colleges and universities with endowments valued at $250,000 per student (rather than the current $500,000 per student). It would also increase the excise tax to 20% for institutions that increase annual tuition by more than the rate of inflation. |
| Educational Choice for Children Act (H.R. 833). Introduced. | Charitable Contributions: To amend the Internal Revenue Code of 1986 to allow a credit against tax for charitable donations to nonprofit organizations providing education scholarships to qualified elementary and secondary students. | Referred to the Committees on Ways and Means and Education and Workforce. | This provision would allow a tax credit equal to the greater of 10% of adjusted gross income or $5,000 for donations to Section 501(c)(3) "scholarship granting organizations" to fund scholarships for students in grades K-12. The tax credit is subject to an overall $10 billion volume cap, allocated on a state-by-state basis. Scholarships must be awarded to families with income that is at or below 300% of area median gross income and cannot be earmarked for a particular student. |
| Charitable Act (H.R. 801/S. 317). Introduced. House Cosponsors: 20 (R: 12, D: 8); Senate Cosponsors: 18 (R: 9, D: 9). | Charitable Contributions: To amend the Internal Revenue Code of 1986 to modify and extend the deduction for charitable contributions for individuals not itemizing deductions. | Referred to the Committee on Ways and Means (House). Referred to the Committee on Finance (Senate). | This provision would increase the charitable contribution deduction for non-itemizers to one-third of the standard deduction, effective only for 2026 and 2027. |
| Veterans Collaboration Act (H.R. 552). Introduced. Cosponsors: 0. | All Tax-Exempt Organizations: To direct the Secretary of Veterans Affairs to carry out a pilot program to promote and encourage collaboration between the Department of Veterans Affairs and nonprofit organizations and institutions of higher learning that provide administrative assistance to veterans. | Referred to the Committee on Veterans' Affairs. | This provision would require the Department of Veterans Affairs to carry out a two-year pilot program with veterans service organizations and law schools that provide assistance to veterans seeking disability compensation or other pro bono legal services. |
| Permanent Tax Cuts for America Families Act (H.R. 523). Introduced. Cosponsors: 13 (R: 13, D: 0). | Charitable Contributions: To amend the Internal Revenue Code of 1986 to permanently increase the standard deduction. | Referred to the Committee on Ways and Means. | This provision would make permanent the standard deduction increase scheduled to expire after 2025. |
| Endowment Tax Fairness Act (H.R. 446). Introduced. Cosponsors: 1 (R: 1, D: 0). | Colleges & Universities: To amend the Internal Revenue Code of 1986 to increase the rate of the excise tax on investment income of private colleges and universities. | Referred to the Committee on Ways and Means. | This provision would apply only to colleges and universities subject to the 1.4% excise tax under Section 4968(a). The provision would increase the excise tax to 21%. |
| Empowering Nonprofits Act (H.R. 314). Introduced. | Section 501(c)(3) organizations located in high poverty states: To require executive agencies to reduce cost-sharing requirements for certain grants with certain nonprofit organizations 25 percent, and for other purposes. | Referred to the Committee on Oversight and Government Reform. | This provision would apply only to Section 501(c)(3) organizations located in states with more than 20% of the population living below the federal poverty line. The provision requires federal agencies making grants to such organizations to reduce by 25% any cost-sharing requirements for such grants. |
| Freedom to Petition the Government Act (H.R. 69). Introduced. Rep. Biggs (R-AZ). Cosponsors: 2 (R: 2, D: 0). | All Tax-Exempt Organizations: To amend title 29, District of Columbia Official Code, to treat meetings held by nonprofit organizations with officials of the Federal Government which are held in the District of Columbia at locations owned or leased by the Federal Government as activities not constituting doing business in the District of Columbia for purposes of determining whether such organizations are required to register with the District of Columbia. | Referred to the Committee on Oversight and Government Reform. | This provision would make it clear that the definition of "doing business" in D.C. does not, in the case of organizations exempt under Section 501(a), include holding meetings with employees of Congress or the federal government at government offices. |
REGULATORY FRAMEWORK
To assess the applicability of the PD Law to commercial activities, as well as the scope of requirements and steps necessary for compliance, businesses should familiarize themselves with the data protection framework developed by the Saudi Data & Artificial Intelligence Authority (SDAIA). This framework is centered around the PD Law.
The PD Law has extraterritorial effect, applying not only to controllers located within Saudi Arabia but also to those outside the Kingdom that process the personal data of Saudi Arabia residents. The PD Law differentiates between personal data and sensitive personal data, the latter of which includes health, genetic, and biometric information. It imposes additional requirements for processing sensitive personal data, such as prohibiting its use for marketing purposes.
The PD Law establishes principles of lawfulness, fairness, transparency, purpose and storage limitation, data minimization, and confidentiality. To uphold these principles, it mandates that controllers (and by extension data processors) implement organizational, administrative, and technical measures to safeguard processed personal data.
These measures include registering as a controller, appointing a data protection officer (DPO) where necessary, adopting a clear and comprehensive privacy policy, conducting impact assessments on data processing (such as data transfer impact assessments or legitimate interest assessments), entering into appropriate data processing agreements with data processors, ensuring proper cross-border transfers, and notifying SDAIA of personal data breaches.
As regards the legal grounds for processing personal data, the PD Law, similar to the General Data Protection Regulation (GDPR), provides the following grounds:
- Consent
- Actual interests of data subjects when communication is difficult or impossible
- Public interest (security purposes or judicial requirements)
- Legal obligations
- Contractual arrangement with a data subject
- Legitimate interest (though no sensitive data can be processed based on this ground)
Just recently, the PD Law has been supplemented by the following regulations, which expand and detail its provisions:
Executive Regulations
The Executive Regulations specify requirements for (1) appointment of DPOs and their responsibilities, (2) management of data subject requests, (3) different legal grounds such as consent and legitimate interest, and (4) data impact assessments and records of processing activities.
Regulation on Personal Data Transfer Outside of Saudi Arabia, Along with Approved SCCs and BCRs
On September 1, 2024, the regulator amended the previous requirements on data transfers and published the updated Data Transfer Regulation. Similar to the GDPR, the current Data Transfer Regulation allows cross-border data transfers (1) to recipients in jurisdictions that provide an adequate level of data protection (the list of such countries is still pending but the approach of SDAIA is reasonably expected to be similar to the EU approach) or (2) if appropriate safeguards are implemented.
The number of available safeguards has now been reduced, with codes of conduct removed from the list. The remaining safeguards are as follows:
- Standard Contractual Clauses (SCCs)
- Binding Common Rules (BCRs)
- Certificate of Accreditation
The regulator has also published guidelines and templates for both SCCs and BCRs to encourage controllers to adopt these measures where appropriate.
Notably, the Data Transfer Regulation specifies that the PD Law and the Executive Regulations will continue to apply to any subsequent transfers of personal data once it has been transferred outside Saudi Arabia.
Rules for Appointing Personal Data Protection Officer
Under the PD Law, a controller must appoint a DPO in any of the following cases:
- The controller is a public entity that provides services involving the processing of personal data on a large scale, determined by the number and categories of individuals, the volume and type of data, and the geographical scope of processing.
- The controller’s primary activities involve processing operations that require regular and systematic monitoring of individuals (e.g., through tracking, other technological means, or as part of a data collection strategy conducted at specific intervals or periodically). The regulation specifies that location tracking, the use of cookies, and surveillance cameras are considered regular and systematic monitoring, so in practice the number of businesses that fall under this requirement is significant.
- The controller’s core activities involve processing sensitive personal data (e.g., health institutions).
The recently published rules require that the DPO have appropriate academic qualifications, knowledge of risk management practices and data protection requirements, experience in the field of personal data protection, and no convictions for dishonesty or breach of trust offenses. The controller may appoint either an employee or an external contractor as the DPO. Once appointed, the DPO’s details must be submitted through the National Data Governance Platform (the Platform).
Rules Governing the National Register of Controllers within Saudi Arabia
Initially, the draft rules published for consultation sparked debate on whether registration on the Platform as a controller is mandatory for all controllers without exception. The recently published criteria are broad enough that many controllers will likely need to be registered.
In particular, a controller must be registered on the Platform if such controller
- is a public entity,
- processes personal data as its main activity, or
- processes sensitive data. (Note that the PD Law does not differentiate between controllers that systematically process sensitive data and those that do not, as is seen in many other jurisdictions. Instead, it requires all data controllers that process sensitive data to be registered.)
NONBINDING GUIDELINES
In addition to the above rules and regulations, SDAIA prepared several guidelines to assist entities with building a compliant system for data protection in Saudi Arabia, namely:
- Elaboration and Developing Privacy Policy Guidelines
- Minimum Personal Data Determination Guidelines
- Personal Data Destruction, Anonymization and Pseudonymization Guidelines
- Personal Data Disclosure Cases Guidelines
- Personal Data Processing Activities Records Guidelines
KEY STEPS FOR COMPLIANCE
Businesses should follow a consistent and structured approach to identify the applicability of the PD Law and the scope of applicable legal requirements. The key practical steps businesses should take include the following:
- Evaluate the geographical scope of commercial activities and customers’ location. It is essential to determine whether the PD Law applies, considering its extraterritorial reach, and assess the extent of its applicability.
- Review commercial and data processing activities. Businesses should assess a list of their commercial activities, mainly focusing on those that involve data processing as a core, inherent, and necessary part of operations. This step will help determine if the business qualifies as a controller and requires registration on the Platform, if a DPO must be appointed, and what, if any, data protection impact assessments are required.
- Define the scope of processing activities. Businesses should define the categories of data subjects, types of personal data processed, and purposes for which personal data is processed. This will enable them to select appropriate legal grounds for data processing (e.g., consent, legitimate interest) and draft a clear privacy policy.
- Map data processing flows. Mapping out how personal data is obtained, the sources from which it is collected, and the means through which it is processed or transferred is crucial to determine appropriate transfer mechanisms (e.g., SCCs or BCRs). Businesses should also identify third-party data processors and evaluate whether data processing agreements include the necessary data protection clauses.
By thoroughly evaluating all these elements, businesses can define a comprehensive set of organizational, administrative, and technical measures that need to be implemented to safeguard personal data. Additionally, it will aid in creating and maintaining a detailed record of processing activities as required by the PD Law.