February 6th, 2023 Legal Updates

Data Protection in Kuwait governed by a dedicated set of regulations issued by CITRA

To date, Kuwait does not have a specific personal data protection law. Previously, legislation such as Law No. 20 of 2014 (the “E-Commerce Law”) regulated privacy and data protection of private and public electronic records, signatures, documents, and payments, while Law No. 63 of 2015 (the “Cybercrime Law”) imposed heavy penalties for the illegal tampering with or acquisition of personal or governmental data or information.

In 2021, the issuance of Decision No. 42 of 2021 (the “Data Protection Regulation”) by the Communications and Telecommunications Regulatory Authority (“CITRA”) introduced dedicated regulation on data protection, imposing data protection obligations on telecommunication service providers and related industry sectors that collect, process, or store personal data. The Data Protection Regulation describes the conditions for collecting, possessing, storing and disposing of personal data.

The introduction of the Data Protection Regulation has been a huge milestone, since there were previously no dedicated data protection laws or regulations, and reliance was therefore placed on the limited relevant provisions found in different pieces of legislation such as the E-Commerce Law and the Cybercrime Law. The Data Protection Regulation applies to all service providers irrespective of whether the data processing is undertaken inside or outside Kuwait, and requires service providers to inform users about how their data is collected, processed, and stored.

The Data Protection Regulation adopts a wider definition of “service provider”, which ranges from traditional telecommunications service providers to anyone who operates, or directs a third party to operate, a website, smart application or cloud computing service, or who collects or processes personal data through information centers owned or used by them directly or indirectly. Furthermore, the Data Protection Regulation indicates that users have a right to withdraw their consent and, consequently, the service provider must destroy the information in its possession that was provided by the user. However, the provisions of the Data Protection Regulation do not apply to natural persons who collect and process personal and family data, or to security authorities for the purposes of controlling crimes and the prevention of threats related to public security.

Thus, the introduction of the Data Protection Regulation marks a significant milestone in recognizing the importance that has been given to personal data in Kuwait’s legal scene. The Data Protection Regulation has brought within its scope a wide range of entities and sectors that are technically not TSPs, to the extent that they are related to the field of telecommunication services, but that own a website or an application, or provide cloud computing services, et cetera, through which they collect data in some way from their users or customers.

Furthermore, CITRA has also issued the Data Classification Policy (“DCP”), which entities dealing with large amounts of data can use as guidance for data protection. The DCP classifies data into four separate categories to support better decision-making regarding data access and processing in line with the data classification levels.

Authors: Ahmad Saleh, Senior Associate and Deemah Zaghmout, Associate

For further information, please contact Alex Saleh (alex.saleh@glaco.com) and Ahmad Saleh (ahmad.saleh@glaco.com).