News

Saudi Arabia: Judicial Costs System to be Implemented From 17 March 2022

Okaz, 16 March 2022: Saudi Arabia’s Justice Ministry has announced the judicial costs system will be implemented from 17 March 2022.

The Implementing Regulations to the Law will specify the details of the criteria for estimating judicial costs for lawsuits and requests.

The system will improve the efficiency of the justice system and enhance the use of alternative methods of dispute resolution.

It will also help reduce malicious and fictitious lawsuits and improve preventive justice and the documentation of contracts.

The system does not apply to general penal cases, disciplinary cases and requests related to them, or  cases and requests which fall within the jurisdiction of the personal status courts, except for cassation requests or re-examination requests. For full story, click here.

To view more news items and other content we have available, visit lexis.ae/demo to book a demo and start your free trial of Lexis® Middle East.

Want to learn more about Lexis® Middle East? Visit, https://www.lexis.ae/lexis-middle-east-law/.

Saudi Arabia: Consultation on Draft Rules and Regulations to Protect Customers of Banks and Other Financial Institutions Launched

Saudi Gazette, 15 March 2022: Saudi Arabia’s Central Bank has launched a consultation on draft rules and regulations to protect the interests of customers of banks and other financial institutions. It will last for 30 days.

The consultation has been launched as part of the Bank’s efforts to protect the rights of consumers in getting fair and transparent treatment in financial services in line with global best practices in this area.

The Bank has identified several principles which banks and other financial institutions must comply with when dealing with customers. They must deal with customers fairly, honestly and equitably, as well as take care of them, especially those on low incomes and education, the elderly and those with special needs.

Financial institutions must also protect the privacy of information and data, as well as customers from fraud. The Bank has asked them to enforce technical and control systems to limit and detect fraud, embezzlement or misuse and take the necessary action if they occur.

Financial institutions must provide the best products, services and prices to meet the customer’s needs and desires as well as address customer’s complaints and set policies which help detect potential conflicts of interest.

The Bank has urged financial institutions to encourage customers to read contracts, their appendices and any other document which requires the customer’s approval or signature to provide information to customers clearly and accurately and avoid misinformation, fraud and deception.

The financial firms must also include all the terms and conditions in the application form for obtaining the product or service, provided the warning statements include the possible consequences when using the product or service other than what was agreed on, as well as informing the customer of any change which occurs at least 30 days from the entry into force of this change.

The Bank has also banned financial institutions from requesting a customer’s signature on any blank document or complete data of the incomplete document. Financial institution must also protect and preserve clients’ documents and signatures.

The general rules of conduct state that financial institutions must not make any change with an increase in fees and commissions which natural customers must pay after obtaining the service or product and signing the contract or agreement or the like.

There will be an exemption in the fees and commissions related to the third party provided it is related to the customer’s use of the financed asset and the customer must be notified of this when concluding the contract. The financial institution must put the list of fees and commissions in a clear place on its building and branches as well as on its websites as well.

Financial institutions must not exceed the fees, commissions and costs of administrative services they obtain from natural customers or the equivalent of 1% of the financing amount or 5,000 Riyals, whichever is less.

It may be deducted only after the contract is signed, with the exception of real estate appraisal fees, which may be deducted after the customer obtains initial approval to grant real estate financing.

The Bank has instructed financial institutions to explain to customers all the information, services and products provided to them clearly and transparently. This will include information regarding prices, commissions, fines, types of risks and benefits and the rights and duties of the customer.

Financial institutions must ensure all electronic channels are available intact and in a safe way. In the event of customers incurring any direct loss as a result of hacking of these channels or because of a security breach, they must be compensated for any resulting losses.

Financial institutions have also committed to apply more than one standard for identity verification when accessing electronic services, taking the necessary measures to reduce electronic fraud and include the purpose for which text messages containing the verification code were sent to customers.

The Bank has stressed financial institution must not benefit from any returned amounts which may arise because of an error or a technical malfunction. It has also advised of the need for amounts to be returned to affected customers without delay and other customers who were exposed to the same error within five working days and without waiting for a claim, in addition to repairing the defect or malfunction.

Financial institutions must also inform the affected customers about the error and the remedial measures taken through one of the documented channels and announce this through all available channels.

Financial institutions should provide multiple channels to receive complaints, inquiries and requests to enable customers to submit complaints according to their preference easily and conveniently. These channels may include toll free numbers, branches or websites, smart phone applications and e-mails. It must also put the complaints handling mechanism in a conspicuous place in the building of the financial institution and its branches.

If the customer is not satisfied with the outcome of the treatment of their complaint and wants to escalate the complaint, they must be provided with the mechanism to approach the higher authorities in the financial institution or be directed to the competent authority in line with their preference.

Financial institutions must also provide a free phone number which customers can use from inside or outside the Kingdom to submit complaints and inquiries. The number must be published on the home page of the financial institution’s website clearly for the client as well as other channels.

Financial institutions should take humanitarian cases into account when dealing with customers who have emergency financial difficulties and find appropriate solutions for them before starting to take legal measures against them.

In addition, financial institutions and their employees must not discriminate between clients in an unfair way based on race, gender, religion, colour, age, disability or marital status.

Banks, money exchanges, payment service companies and firms issuing credit and debit cards have to ensure their business customers don’t pass or impose additional fees on holders of credit cards and Mada cards when paying through point-of-sale devices, operations through payment service providers and e-commerce websites.

Banks, money exchanges and payment service companies must also set the upper limit for transfers, daily withdrawals, point-of-sale operations, online purchases and payment operations. They have to notify customers of this limit when they obtain the service and review it at least once a year.

Banks and other firms must also inform customers of the cash withdrawal limit and fees for withdrawals through technical devices and systems such as exchange machines and not calculate the annual fees for credit or monthly discount cards until after they are activated by the customer. The card issuer has the right to cancel the card if it is not activated within 90 days of the issued date.

The regulations also state the firm receiving the transfer must ensures the beneficiary’s name matches the IBAN number and the transfer amount will be returned to the issuing authority if there is a difference between them.

All customer data recorded in the transfer form will be verified and the customer notified before agreeing to carry out the transfer process within the expected date of the arrival of the transfer amount to the transferee, as well as the amount of fees and commissions, including fees imposed by the third party, if any, and their details, along with the net amount which will be received by the transferee.

To view more news items and other content we have available, visit lexis.ae/demo to book a demo and start your free trial of Lexis® Middle East.

Want to learn more about Lexis® Middle East? Visit, https://www.lexis.ae/lexis-middle-east-law/.

Saudi Arabia: Consultation on Draft Regulations to Saudi Arabia’s Personal Data Protection Law closes 25 March 2022

SDAIA, the Saudi Data & Artificial Intelligence Authority, has just released draft Regulations to the new Personal Data Protection Law, due to come into effect on 23 March 2022. The draft Regulations provide helpful clarity on many aspects of the PDPL, although ambiguity remains on a variety of topics.

Any business likely to be affected by the Law should scrutinise the draft Regulations, and consider making submissions on any areas of concern. Further information on the consultation process is available here.

The draft Regulations contain a number of significant issues, and we have not sought to address them all here. We do, however, make some observations about transfers of personal data outside the Kingdom. Unless well drafted, with practical considerations in mind, the transfer provisions have significant potential to cause issues for international businesses and for businesses that rely on cloud services hosted outside the Kingdom. This topic caused the most concern when the Law was first published in September 2022.

Do the draft Regulations satisfactorily address these concerns? Probably not, but with some adjustments they might work.

In summary, the potentially bureaucratic requirements around regulatory approvals prior to transfers abroad, as well as the question of whether the consent of the data subject negates the need to obtain such approval, would benefit from further scrutiny by SDAIA.

In Art. 28.1, the draft Regulations restate a basic requirement to host and process personal data in the Kingdom – but they also contemplate personal data being transferred outside. Such transfers would be subject to the controller undertaking a privacy impact assessment and obtaining the written approval of the relevant ‘regulatory authority’ (such as an industry sector regulator) having liaised with the ‘competent authority’ (being SDAIA, initially) on a case by case basis.

Our main concern here is the bureaucratic aspect. If each regulatory authority needs to liaise with SDAIA, and also set up a process by which controllers apply to the regulatory authority for approval, this is unlikely to be efficient in practice. The Law indicates that there will be a registration portal for data controller (presumably operated by SDAIA, as the competent authority); if controllers could obtain general approval were simply by mentioning their proposed transfer activities as part of the registration process, then this would seem practical and effective. This approach is not what is indicated in the draft Regulations, and the ambiguity around reference to a ‘case by case’ approach raises further concerns.

Our recommendation is for SDAIA to reflect on how it anticipates the approval process to roll out at a practical level, and to adjust (i.e. simplify) the requirements of Art. 28.1, accordingly.

In Art. 28.2, the transfer provisions contain a statement that transfers of personal data to recipients outside the Kingdom can occur for public interest purposes (not defined); or where providing services to individuals (not corporates?) and the transfer is subject to the consent of the data subject and not in a manner contrary to what the data subject might expect. Art 28.2 includes reference to Art. 29, which provides for transfers to jurisdictions not assessed as providing an adequate level of data protection. (Art. 30 contemplates SDAIA developing a list of jurisdictions that it considers to provide an adequate level of protection to personal data.) The implication seems to be that, where the recipient is in a jurisdiction assessed as providing adequate protections, then the consent of the data subject will legitimise such transfers.

One question that arises is whether this provision permitting transfers subject to data subject consent can be read independent of Art. 28.1, requiring approval of the regulatory authority. Being able to rely on consent alone would be a practical approach, particularly if the approval of the regulatory authority will be as bureaucratic as it appears in the current draft.

Our recommendation is for SDAIA to clarify whether Art. 28.1 is “subject to” Art.28.2, thus allowing consent-based transfers without needing to obtain approval as contemplated in Art. 28.1. (If Art. 28.1 is streamlined in the manner discussed above, this point may be of less concern.)

As noted above, Art. 30 contemplates SDAIA developing a list of jurisdictions that it considers to provide an adequate level of protection to personal data. For transfers to jurisdictions not assessed as providing an adequate level of protection, and excluding circumstances where the vital interests of the data subject are at stake, Art. 28.3 of the draft regulations contemplate a requirement for controllers to apply to SDAIA, at least 30 days in advance of proposed transfers.  Art. 29 provides further requirements relating to transfers to such jurisdictions, including a requirement for controllers to undertake risk and impact assessments, and to provide appropriate safeguards (such as adoption of standard clauses, BCRs, etc.) .

The need to apply to SDAIA again seems unnecessarily bureaucratic. Elsewhere, a permit from an authority might be one option available to a controller (rather than a universal requirement for such transfers), and not required in circumstances where risks have been assessed and appropriate safeguards put in place.

Our recommendation is for SDAIA to adjust the requirements of Art. 28.3 so that the need to apply to SDAIA for approval is only required where the controller assesses that the risk to the data subject is high and there is uncertainty about whether proposed safeguards are likely to be adequate.

As noted above, the draft Regulations contain a variety of other concerns, and further scrutiny is essential. We will be happy to share further insight on this significant development, and to provide support in the preparation of submissions to the consultation process if required. Please follow our Digital & Data ‘showcase’ page on LinkedIn, and contact email Nick O’Connell directly for any specific support.

To view more news items and other content we have available, visit lexis.ae/demo to book a demo and start your free trial of Lexis® Middle East.

Want to learn more about Lexis® Middle East? Visit, https://www.lexis.ae/lexis-middle-east-law/.