Considering the new Kuwait vision 2035 and recognizing the surging demand to transform Kuwait into a financial and commercial hub that is attractive to international global investors, the Kuwait Communication and Information Technology Regulatory Authority (“CITRA”) has recently introduced amendments to its Data Privacy Protection Regulation No. 42 of 2021 (“Original Regulations”) by virtue of Decision No. 244 of 2023, which came into effect in April 2023 (“Amended Regulations”).

The Amended Regulations:

• Highlight the pressing need for fortified data protection measures, while refining and condensing the existing regulatory frameworks established under the Original Regulations to safeguard personal data and uphold privacy rights; and
• Revoke any previous articles within the Original Regulations which conflict with the provisions of the Amended Regulations.

Interestingly, the Amended Regulations have nearly tackled all the provisions of the Original Regulations, while maintaining intact the provisions governing the following:

• violating content and the liability of the service provider; and
• details on the duty to notify the data owner in the event of infringement of such data.

In this article, we will delve into the significant changes introduced by the Amended Regulations and explore their potential implications on the owner of the personal data and processors of such data.

Overview

The Original Regulations were enacted with the primary objective of addressing specific societal concerns such as data privacy of users in general. Such objective was achieved by the Original Regulations applying a wide ambit over who is considered a “Service Providers” and must therefore abide by the Original Regulations. Further, noteworthy is the unorthodox means of safeguarding the users’ data through CITRA rather than a specific authority to govern and regulate data privacy per se.

The Amended Regulations have taken the above into consideration by drastically narrowing the definition of “Service Providers” which resulted in amending the entire scope of application of the Amended Regulations, yet, build upon the foundation laid by the Original Regulations in light of the need for advanced telecommunications and information technology services growing in Kuwait’s public and private sectors.

Scope of Application

Who are the Service Providers under the Amended Regulations?

While the Original Regulations imposed obligations on any non-telecommunication service providers being engaged in the activities of collecting, processing or storing personal data – as well as the conditions necessary to engage in such activities, the Amended Regulations have narrowed the scope to limit the application to the traditional telecommunications service provider, applying a similar definition to the one provided under Law No. 37 of 2014 which established CITRA. In this regard, the amended definition encompasses telecommunications services and internet services provided to the public, including the provision of information or content through telecommunications networks.

Less protection is more protection.

While on a prima facie basis, narrowing the scope of application may be perceived to leave certain services or providers outside the purview of the regulations, resulting in users of non-telecommunication services being without adequate protection, the Amended Regulations seem to be an additional step for CITRA to focus its resources and which would ultimately enable them to have a more targeted approach in addressing the unique challenges and concerns related to the aforementioned specific services.

Enforcement and Penalties

While the Original Regulations provided CITRA with an authority to issue additional guidelines and regulations and another authority to apply the penalties in the event of violating any applicable regulations, the Amended Regulations have further emphasised and reiterated CITRA’s authorities to issue additional regulations if and when necessary and implement the applicable laws and regulations, inter alia, application of penalties thereunder on violators.

Conclusion

From the face of the Amended Regulations, certain service providers who were previously subject to the regulations may face less regulatory scrutiny which may result in less protection for users, and potential adverse effect on data privacy. In this respect, the answer to the question of whether CITRA assumes authority and supervision on non-telecommunication service providers who operates websites and/or software applications which collects and processes data remains challenging. Our sources within CITRA have promised to issue guidelines in the upcoming months to provide further clarifications on the scope of application amongst other material considerations to be taken by service providers subject to the application of such regulations.

Any legislative gap with respect to data protection and data privacy matter is likely to be considered and addressed by the Parliament to conform with the vision of New Kuwait 2035.

Our team of specialized lawyers in the field would be happy to assist you with any advice or rectification plan during the grace period stipulated under the Amended Regulations (i.e., a year from its issuance, being April 2024).

Authors: Maha El Meihy, Legal Director, Asad Ahmad, Senior Associate, and Liana Rashid, Trainee Lawyer.

For further information, please contact Alex Saleh (Alex.Saleh@glaco.com) and Maha El Meihy (maha.elmeihy@glaco.com).