Kuwait’s Data Privacy Protection Regulation
September 2021
National Regulations
Kuwait has established a comprehensive framework for data privacy through its Data Privacy Protection Regulation (DPPR). The initial regulation, No. 42 of 2021, was introduced by the Communication and Information Technology Regulatory Authority (CITRA) in April 2021. This regulation applied to all public and private sector service providers involved in the collection, processing, and storage of personal data, aiming to align Kuwait’s data protection standards with international norms.
In February 2024, CITRA updated this framework by issuing Regulation No. 26 of 2024, which came into effect on 19 February 2024. This new regulation supersedes the previous one and continues to provide guidelines for the lawful, fair, and transparent processing of personal data by telecommunications and information technology service providers. Its objectives include protecting individual rights and freedoms concerning personal data processing and ensuring compliance with applicable legal and regulatory frameworks.
Key provisions of the DPPR:
- Scope and applicability: The regulation applies to all entities processing personal data within Kuwait, encompassing both data controllers and processors across various sectors. It also addresses cross-border data processing, requiring that any transfer of personal data outside Kuwait ensures the receiving country provides an adequate level of data protection.
- Consent requirements: Service providers must obtain explicit consent from individuals before collecting or processing their personal data. For minors under 18, consent must be secured from a legal guardian. Individuals retain the right to withdraw consent at any time, and service providers are obligated to facilitate such withdrawals.
- Data subject rights: Individuals are granted several rights under the regulation, including:
  - Right to Access
  - Right to Rectification
  - Right to Erasure (‘Right to be Forgotten’)
  - Right to Restriction of Processing
  - Right to Data Portability
  - Right to Object to Data Processing
  - Right to Not be Subject to Automated Individual Decision-Making, Including Profiling
- Data breach notification: In the event of a personal data breach, service providers are required to notify CITRA within 72 hours of becoming aware of the incident. If the breach poses a high risk to individuals’ rights and freedoms, the affected individuals must also be informed without undue delay.
- Data security measures: Service providers must implement appropriate technical and organisational measures to safeguard personal data against unauthorised access, loss, or destruction. This includes regular assessments of data processing activities and adherence to CITRA’s data classification policies.
- Record-keeping and accountability: Entities are obligated to maintain comprehensive records of all personal data processing activities. These records should be readily available for review by CITRA upon request, demonstrating the entity’s commitment to compliance and accountability.
Non-compliance with the DPPR can result in administrative fines, the specifics of which are determined based on the severity and duration of the infringement. While the regulation outlines the possibility of fines reaching a percentage of the total worldwide annual turnover or a specific amount in local currency, exact figures are not detailed within the law.