Personal Data Protection: Does the current legal framework correctly balance the competing interests of data controllers and subjects, especially as regards the use of the ‘legitimate interest’ justification? With a special focus on the EU & UK GDRP and the Saudi PDPL

Abstract

With the speed of technological development, data has become a commercial, high-value product. In general, the value and control of a product belongs to its owner, the data subject. However, non-consensual external use of our personal data is exposing us to potential threats. Different countries have adopted laws to protect citizens' data, such as the UK General Data Protection Regulation (GDPR), the EU GDPR and the very recently implemented Personal Data Protection Law (PDLP) in the Kingdom of Saudi Arabia (KSA) However, these laws also grant considerable freedom to data controllers, allowing the use of personal data, without the data owner's permission, under certain provisions. One of the most controversial is the grounds of ‘legitimate interest’. This requires finding the right balance between the interests of the data controllers and the data owners. As such, this research studies the balancing exercise that needs to be delicately handled. This dissertation will mix different methodologies, namely the doctrinal methodology in terminologies and the international approach and descriptive analysis to examine the legal texts. A comparative methodology will be used to compare the GDPR transcripts with the new Saudi regulation. This study finds similarities and differences in the legitimate interest concept in the EU, the UK, and the Kingdom of Saudi Arabia, with a broad uncertainty in how legitimate interest should be defined. The role of data subject expectation is analysed. However, the research highlights that public entities should not use the legitimate interest base while it has already a public interest as a legal ground. Also, the importance of data ownership even after death, as under Saudi law, receive special attention. Finally, Saudi law also leads the way in an important focus, namely that direct marketing is purely a commercial activity and should not be prioritized over the private individual interest.