New Saudi Arabia's Law for the Protection of Whistleblowers, Witnesses, and Experts is crucial in bolstering the country's anti-corruption efforts. This law seeks to protect individuals who report crimes from threats and retaliation.
This move also complements the recently intensified anti-corruption measures, including financial rewards for reporting unauthorized endowments. However, balancing whistleblower protections with personal data privacy, particularly in cross-border data transfers, presents significant legal and ethical challenges.
Adhering to local and international data protection laws, anonymizing sensitive information, and securing data handling practices are pivotal strategies to ensure the integrity and confidentiality of whistleblowing processes in Saudi Arabia.
On February 13, 2024, the Saudi Council of Ministers, chaired by King Salman, approved the Law for the Protection of Whistleblowers, Witnesses, Experts, and Victims. This law, first proposed by the Shoura Council, aims to safeguard individuals who provide information on crimes, ensuring their security against potential threats, including assault and intimidation. The law comprises 39 articles designed to facilitate information sharing and protect informants from any form of retaliation, enhancing the country’s ability to combat crime.
Saudi Arabia has intensified its anti-corruption initiatives to attract foreign investment and bolster its comprehensive economic reform program. On February 13, the Saudi cabinet approved a new law to protect whistleblowers. This decision came a week after the General Authority for Endowments announced rewards of up to 5 per cent of the value of unauthorized endowments for those who report via an online portal.
This legislative action follows the high-profile arrest of Amr bin Saleh bin Abdelrahman Al-Madani, head of the Royal Commission for AlUla, by the Oversight and Anti-Corruption Authority, Nazaha. Al-Madani was detained for “abuse of influence and money laundering,” based on an anonymous tip. A Gulf-based diplomat commended the government's renewed vigour, noting a zero-tolerance approach to corruption.
Crown Prince Mohammed bin Salman initiated a significant anti-corruption campaign in 2017, detaining numerous officials, princes, and businessmen. This effort recovered SAR 400 billion ($107 billion) in assets, including real estate, businesses, and cash. Historically plagued by kickbacks, the construction sector has seen increased transparency through the government's Etimad platform, requiring previously favoured contractors to compete fairly.
Public Prosecutor Saud bin Abdullah Al-Mujib emphasized that the new whistleblower law would foster a sense of “national responsibility” by protecting informants and their families.
Amr bin Saleh bin Abdelrahman Al-Madani, CEO of the Royal Commission for AlUla, was arrested on corruption charges, marking a significant action since the 2017 anti-graft crackdown. Nazaha disclosed on X (formerly Twitter) that Al-Madani was detained for leveraging family connections to secure contracts worth SAR 206.6 million ($55 million) for National Talents Company, which he owns, from the King Abdullah City for Atomic and Renewable Energy. Despite claiming to have divested from the company, Al-Madani facilitated further contracts worth SAR 1.3 million from the Royal Commission. Additionally, he allegedly received kickbacks through a relative, Mohammed bin Suleiman bin Mohammed Al-Harby, who was also arrested.
The General Authority of Endowments has introduced a new strategy offering financial rewards to whistleblowers who report unauthorized endowments exceeding SR 9 million ($2.4 million). These reports, which must be submitted online with proper documentation, could yield a reward of up to 5 percent of the seized value, capped at SR 1 million. This initiative aims to encourage public participation in identifying unauthorized endowments, thereby supporting the development of the endowment industry and improving public services.
The balance between personal data protection and whistleblowing in Saudi Arabia, especially concerning the cross-border transfer of reported messages, requires careful consideration of both legal and ethical aspects. Here are key strategies and considerations to address this complex issue:
Adhere to Local Data Protection Laws: Saudi Arabia's Personal Data Protection Law (PDPL) emphasizes safeguarding personal data. Ensure that whistleblowing mechanisms comply with these regulations, particularly regarding data collection, processing, and transfer.
Whistleblower Protection Laws: The new whistleblower protection law should be integrated with data protection regulations to provide a cohesive framework that protects both whistleblowers and personal data.
Obtain Necessary Permissions: Ensure compliance with any legal requirements for transferring data out of Saudi Arabia. This may involve obtaining explicit consent from the data subjects or approvals from relevant authorities.
Data Transfer Agreements: Implement robust data transfer agreements that specify the protection measures in place when data is transferred across borders, ensuring they meet both Saudi and international standards.
Data Anonymization: Before transferring whistleblowing reports across borders, anonymize data to remove personally identifiable information (PII). This reduces privacy risks while retaining the report's essential information.
Data substitution: Where full anonymization is not feasible, Data substitution techniques can protect individual identities while allowing necessary data transfer.
Encryption: Utilize strong encryption protocols for data in transit and at rest to protect the confidentiality and integrity of whistleblowing reports.
Access Controls: Restrict access to sensitive information to authorized personnel only, both within Saudi Arabia and in the destination country.
Audits and Monitoring: Regularly audit and monitor data handling practices to ensure compliance with data protection standards and identify potential security vulnerabilities.
Align with Global Standards: Adopt internationally recognized data protection standards such as the EU General Data Protection Regulation (GDPR) for cross-border transfers. This helps in ensuring that transferred data receives an adequate level of protection.
Bilateral Agreements: Establish bilateral agreements with countries to facilitate safe and legal data transfers, ensuring mutual recognition of data protection measures.
Clear Policies: Develop and communicate clear policies regarding the handling and transfer of whistleblowing data, ensuring that all stakeholders understand their rights and responsibilities.
Whistleblower Consent: When possible, obtain informed consent from whistleblowers regarding the handling and transfer of their data, explaining the measures in place to protect their privacy.
Risk Assessment: Conduct thorough risk assessments to weigh the benefits of whistleblowing against potential privacy risks. This can help in making informed decisions about whether and how to proceed with cross-border transfers.
Case-by-Case Basis: Consider handling sensitive whistleblowing reports on a case-by-case basis, tailoring data protection measures to the specific circumstances of each case.
By implementing these strategies, Saudi Arabia can effectively balance the need for robust whistleblowing mechanisms with the imperative of protecting personal data, ensuring that cross-border transfers of reported messages are handled securely and legally.