Data Protection & Privacy 2026 Comparisons

Kuwait does not have a single, state-wide data protection statute; instead, privacy and data protection are governed by a mix of e-transaction rules, sectoral telecom rules, cloud guidance, cybercrime provisions and general media/content controls issued by respective data control authorities in Kuwait.

The principal instruments are the Electronic Transactions Law No 20 of 2014 (the “E-Transactions Law”) and its Executive Regulations (Decision No 48 of 2014) governing collection, use, disclosure, security and data subject rights for electronic records handled by public authorities and private entities, including consent and purpose specification for access/disclosure and duties to ensure accuracy and safeguards for personal data in electronic systems. Furthermore, the Cybercrime Law No 63 of 2015 criminalises unauthorised access, alteration, disclosure and destruction of data (including personal and governmental data), with escalating penalties depending on the nature of the systems and data affected.

Telecom-sector privacy is governed by the Kuwait Communication and IT Regulatory Authority (CITRA) Data Privacy Protection Regulation (DPPR), as amended by Decision No 26 of 2024, which now applies exclusively to CITRA-licensed telecom and internet providers (the “Licensees”) and imposes consent, transparency, security, transfer notice and breach notification duties on those Licensees. Additional instruments include CITRA’s Users’ Rights Protection and Regulation of Communications and IT Services (the “User Guidelines”) and CITRA’s Cloud Computing Regulatory Framework (v2.4) (the “Cloud Framework”), which prescribe collection/disclosure practices, security and transparency for Licensees and licensed cloud service providers (CSPs) operating data centres in Kuwait.

Additionally, the CITRA Law No 37 of 2014 (establishing CITRA), the Electronic Media Law No 8 of 2016 (regulating certain online publishers), and content blocking powers under press, cybercrime and telecom statutes interact with privacy by limiting certain data/content uses on public order and security grounds.

In terms of multi-level interaction, Kuwait’s framework is domestic and not tied to supranational regimes like the EU’s GDPR, and overlap occurs horizontally between general e-transaction obligations, criminal cyber provisions and sector-specific telecom/cloud rules, with the E-Transactions Law acting as a general baseline and the DPPR/User Rules applying only to Licensees. That being said, certain rules have extraterritorial reach. For Licensees, the DPPR expressly captures data collection/processing performed inside or outside Kuwait, and requires transparency regarding transfers abroad. For other Kuwait entities, cross-border data handling defaults to the consent, purpose limitation and security duties under the E-Transactions Law.

Kuwait has not enacted a comprehensive AI law, and governance of AI-related personal data is therefore derived from the above instruments. There is no equivalent to the EU’s European Health Data Space or Data Act; however, CSP and telecom rules impose transparency/security requirements, and the Electronic Media Law governs certain online publishing activities with privacy-intersecting content rules.

The E-Transactions Law

Consent

Under Article 4 of the E-Transactions Law, individuals are generally not obliged to deal by electronic means except with their consent, though such consent may be inferred through affirmative conduct indicating approval.

Under Article 32, when collecting data (including personal data and data relating to individuals’ professional affairs, social status, health status or financial status), government authorities, public authorities and institutions, companies, non-governmental entities and their employees (“Entities”) are explicitly mandated to secure individuals’ consent and to state the purpose behind collecting such data.

Under Articles 32 and 35, Entities must also ensure that consent is obtained when conducting any access, disclosure, sharing or processing of the collected data. These activities must be undertaken by lawful means and be limited to the stated purpose provided to data owners. This is a requirement that pertains to personal data or information that is stored in electronic records or processing systems and relates to the professional affairs, social status, health status or financial status of individuals who are registered with the Entities.

Data protection

Under Article 35, Entities are required to regularly verify and update the accuracy of personal data or information stored on their electronic records or processing systems. They must also implement appropriate measures to safeguard the personal data and information collected or stored on their electronic records or processing systems.

Under Article 2 of the Executive Regulations, the storage and maintenance of electronic records, inclusive of personal data, must preserve their original form, encompassing all associated original data, without compromising the quality or standard of the records. In addition, the storage of electronic records, inclusive of personal data, should align with the policies and agreements established between the parties involved in electronic transactions, specifying the duration for retaining and maintaining such records.

Data subject rights

Article 33 of the E-Transactions Law grants specific rights to data subjects concerning their personal data stored in electronic records and processing systems maintained by Entities. Any person with their personal data stored by an Entity has the right to request access to, as well as a record of, such data.

Additionally, under Article 36, the data subject has the right to modify or delete their personal data held by any Entity, and may also update personal information in the event of changes. Requests for the access, modification or deletion of personal data can only be initiated by the individual to whom the data pertains or by their legal representative (Articles 25–26(1) of the Executive Regulations).

Under Article 26(2) of the Executive Regulations, deleting stored personal data or information is only permissible when correction is deemed necessary; in such cases, the previously stored information must be maintained without any use or handling.

The User Guidelines

Collection of data

Under Article 2 of the User Guidelines, a Licensee must prepare relevant rules and mechanisms for the sale of its service, either through means of electronic transaction or through telephone communication. CITRA must approve the rules and mechanisms (or any amendments to existing contracts of sale) in advance, which includes the relevant data collection and storage rules and mechanisms. Pursuant to Article 3.16, in the case of any amendment to an existing contract of sale, the following must occur before execution can take place:

• the service user must be notified of the amendment 60 days before the amendment enters into force; and
• the subscriber’s written approval or e-signature (using the “Hawyti” application) must be obtained.

Under Article 3.3, the Licensee must verify the validity of the personal information provided by the users of said services; such proof (in the form of a civil ID, passport or driving licence) may be certified by competent governmental bodies.

Under Article 3.4, before executing the service contract, the mechanism(s) for cancelling the service and any variation(s) to the contractual terms of service must be clearly stipulated.

Under Article 3.6, the Licensee must open an electronic file in which all the information, documents and complaints pertaining to users are safely stored.

Duties of the Licensee upon a user’s request for cancellation of service

Under Article 4, the Licensee must facilitate the mechanisms or procedures for cancellation of service. The Licensee may bind the subscriber with a minimum limit of the service contract term, unless this is approved by the authority. Upon the subscriber’s request to cancel the service, the Licensee must verify the identity of the subscriber applying for cancellation.

Dealing with data

Under Article 6, Licensees must adhere to the following requirements:

• Making no collection, use or disclosure of any personal information relating to the user without their official approval.
• Not requiring information that is irrelevant in the context of providing services.
• Obtaining the approval of the user before disclosing their information to other parties.
• Taking all security measures with regard to:
1. protection of the user’s information; and
2. protection against the loss, damage or disclosure of such information (or its replacement with any untrue data).

The DPPR

Consent

Under Articles 2 and 4 of the DPPR, Licensees must secure user consent prior to collecting and processing their personal data, and must specify the purpose for data collection and processing both before and during the provision of services, as well as after the termination of services.

Data protection

In accordance with Article 5(1-3), Licensees are required to implement robust measures for safeguarding data from unauthorised access, loss, destruction or damage, with protective measures to include encryption, confidentiality practices and disaster recovery protocols.

Under Article 6, Licensees must inform both the data subject and CITRA in the event of a personal data breach.

Data subject rights

Under Article 4(3), Licensees must disclose their identity, location and contact information to their users, ensuring that users can readily recognise and reach out to them when required.

Under Article 4(10), users must be given the right to withdraw consent or to entirely delete their personal information from a Licensee’s records.

Under Article 4(11), Licensees are obliged to notify data subjects if their personal data is to be transferred outside Kuwait.

Under Article 4(12), Licensees must afford their users the right to access or modify stored personal data that is in their possession and is stored with them.

CITRA Cloud Service Providers: Regulations and Commitments

Types of information collected by CSPs

Pursuant to the regulations concerning Platform as a Service (PaaS) and Software as a Service (SaaS) providers in Article 2, the types of information that a CSP may obtain from a user include (but are not limited to):

• name and email address;
• address;
• payment information;
• internet protocol address (“IP address”); and
• device and browser information.

Obligations in dealing with information

In accordance with the regulations concerning PaaS and SaaS providers in Article 2, the CSP must describe to the user all information that needs to be collected and inform them as to what information will be collected automatically (as well as where to access and amend such information). Following data collection, the CSP must explain to the user where and how such information may be used.

The CSP may not use this information to locate/determine the identity of the user. The CSP must also inform the user of any third-party providers that operate certain services on its behalf – and of its privacy policies – for the purpose of maintaining transparency. The CSP commits to not share, dispose of or sell the user’s information with third parties; however, for purposes of improving the service and customer experience, it may be granted access to the user’s name, address, phone number and email. In any case, the user must be informed of such.

The user must be notified immediately of any relocation of data to new owners as a result of M&A, liquidation or dissolution.

The CSP must be efficient, competent and equipped to detect any fraud, security threats or technical problems.

The subscriber has the right to request the amendment or deletion of their personal data available to the CSP or to third parties. The CSP must also provide clear mechanisms to users for communication regarding the privacy policy.

SaaS providers must specify in their privacy policy the targeted age group for the collection of data. If the targeted age group is minors, the consent of their guardians must be obtained. The service must abide by any relevant child protection laws of the state.

A practical compliance checklist would commonly include:

• map electronic records and personal data flows (including cloud/telecom dependencies);
• implement consent and purpose disclosures;
• deploy access, correction and deletion mechanisms;
• adopt security and retention controls consistent with the E-Transactions Law and DPPR rules;
• enable breach identification and notification procedures (applicable to Licensees with respect to notification of CITRA and users);
• ensure transfer transparency and approvals where required; and
• maintain clear user-facing privacy policies and change-control processes.

Kuwait’s legal instruments do not provide a GDPR-like taxonomy of “special categories”, but the E-Transactions Law does make reference to personal data as data stored in electronic systems relating to an individual’s professional, social, health or financial status, with criminal sanctions for unlawful access/disclosure/use or processing beyond stated purposes.

Processing minors’ data requires guardian consent when SaaS targets minors (under the User Rules). Providers must state any age targeting in their privacy policy and comply with child protection requirements.

There is no standalone regime for criminal conviction data beyond the general prohibitions and criminal penalties for unlawful access, alteration or disclosure under the Cybercrime Law and the E-Transactions Law.

Kuwait has not adopted a dedicated secondary-use regime akin to the EU’s European Health Data Space. Secondary use for product development or research typically relies on processing consent requirements pursuant to the E-Transactions Law and the DPPR principles on data collection and processing purpose specification, lawful means and security outlined in 1.2 Rights and Obligations.

For medical data, written patient consent is generally required for disclosure, and healthcare providers must maintain secure patient records under the Medical Profession Law No 70 of 2020. In practice, life sciences and healthtech companies implement de-identification methods and limit re-identification risks.

There is no dedicated AI statute in Kuwait. Personal data used in AI systems must comply with the E-Transactions Law’s consent, purpose, accuracy and security principles, and with DPPR/Users’ Rights where the entity is a Licensee handling subscriber data.

For Licensees, the DPPR requires notifying both CITRA and affected data subjects in the event of a personal data breach within a time period not exceeding 24 hours from the time of breach, supported by appropriate technical measures and incident response capabilities. The notification must set out the nature of the breach, including the scope of the personal data leakage, the categories of affected individuals, and the security levels impacted, together with the identity of theData Protection Officer and the means of communicating with that officer. It must further address the potential consequences of the breach and outline the measures already taken or proposed by the service provider to mitigate and address the breach. Notification to the affected data subjects is not required where the service provider has implemented appropriate technical and organisational protection measures and such measures have been applied to the personal data affected by the breach.

For other entities, breach handling is guided by the E-Transactions Law’s security and lawful processing duties, and the Cybercrime Law applies to unlawful access, alteration or disclosure, and the competent authorities may initiate investigations in the event that any complaints or referrals indicate offences.

Kuwait does not currently have a single regulatory authority with overarching jurisdiction over data protection matters.

While CITRA was initially regarded as the principal data protection regulator (given that the Data Privacy Regulation originally imposed obligations on a broad range of entities), subsequent amendments have limited its direct regulatory scope primarily to Licensees. Notwithstanding this narrowing, CITRA continues to play a significant role by overseeing various data protection-related matters, issuing regulations and providing guidance, particularly within the telecommunications sector applicable to Licensees.

In parallel, the Central Agency for Information Technology serves as another key authority in the area of personal data protection, being responsible for the issuance of the E-Transactions Law and its Executive Regulations.

In addition, the National Centre for Cybersecurity, established pursuant to Decree No 37 of 2022, is a recently formed authority with a central regulatory role in cybersecurity matters, particularly in relation to governmental entities.

Regulatory investigations are generally initiated following complaints or through supervisory oversight. In this context, CITRA has the authority to conduct inspections, assess service quality, review relevant records, require corrective measures and, where criminal conduct is suspected, refer matters involving Licensees to the competent authorities.

The CITRA Law

The CITRA Law empowers CITRA to collect information relevant to the telecommunications and IT sectors, and to issue any reports, bulletins and guidelines to users. It also prepares the necessary media programmes to increase public awareness of the importance attached to these sectors and the extent of their influence on social and economic development in the State of Kuwait.

Pursuant to Article 15 of the CITRA Law, all Licensees must adjust their internal policies and rules to any extent necessary to achieve compliance with the provisions of the CITRA Law, no more than one year from the date of publication of the CITRA Regulations (as defined below). However, under CITRA Decision No 68 of 2022, the adjustment period was extended for another 24 months from 13 February 2022.

Pursuant to Article 49 of the CITRA Law, if CITRA receives any complaint about a Licensee’s default in the performance of its obligations, a dispute between a Licensee and beneficiary users in relation to the quality and standard of the service being provided or any violations of the licence conditions, CITRA may investigate the complaint and make a decision to either keep the file or notify the Licensee to remove the violation within 90 days.

Under Article 52 of the CITRA Law, CITRA must decide with the Licensee on the procedures for any investigations into complaints, as well as the procedures for the Licensee to follow when complaints are received about it.

Under Article 54 of the CITRA Law, CITRA must ensure that the Licensee complies with all the provisions of the CITRA Law, and may take any actions it deems necessary in order to do so, such as:

• conducting physical examination(s) of the network and telecommunications devices;
• examining the Licensee’s technical records to ensure invoices and records are accurate;
• assuring the quality of the services andcomplaint procedures provided to clients; and
• reviewing the maintenance and failure records of the Licensee to ensure the management service is efficient.

Lastly, under the CITRA Law, CITRA must also ensure compliance with any international, regional and bilateral agreements to which Kuwait is a party.

Executive Regulations of the CITRA Law Under Decision No 933 of 2015 (the “CITRA Regulations”)

Under the CITRA Regulations, CITRA may refer a matter to other competent authorities if – following investigation(s) – there are reasons to suspect a criminal offence. Employees of CITRA are empowered to monitor the implementation of CITRA’s laws and regulations. To this end, they have the right to enter places in order to inspect and control any unlicensed communications devices where the following are known or suspected to be present:

• devices or networks;
• communications facilities; and/or
• all or part of the infrastructure used in the communications service.

In the process of doing so, the employees are empowered to:

• request and examine the Licensee’s licences, records and documents;
• examine and view any communications equipment related to the provision of the service; and
• view any form of information or documents related to the provision of the services.

The E-Transactions Law

Under Article 37 of the E-Transactions Law, individuals who unlawfully access, disclose or publish any personal data registered in records or electronic processing systems of the relevant entities, related to the professional affairs, social status, health or financial status of individuals, whether registered with the entities or their employees, without the consent of the data subject or their legal representative, may face imprisonment for up to three years and a fine ranging from KWD5,000 to KWD20,000. Confiscation of the tools, programs or devices used in the commission of the offence may also be ordered.

Under Article 37, entities that collect, register or process any of the personal data stored with them on their electronic records or processing systems, using unlawful methods or without the consent of the person concerned or theirrepresentative, or that use the stored personal data for reasons other than those for which it was collected, may face imprisonment for up to three years and a fine ranging from KWD5,000 to KWD20,000. Confiscation of the tools, programs or devices used in the commission of the offence may also be ordered.

The Cybercrime Law

The Cybercrime Law addresses various forms of illegal access to electronic systems and data. It applies to individuals who unlawfully gain access to a computer, system, data processing system, automated system or information network. The penalty for such actions is imprisonment for up to six months or a fine ranging from KWD500 to KWD2,000, or both. If the illegal access leads to the deletion, alteration, damage or unauthorised disclosure of data, the punishment increases to up to three years in prison and a fine between KWD3,000 and KWD10,000, especially if the data is personal (Article 2).

The law also applies to those who illegally access government systems to obtain confidential information, whether directly or via the internet or other technological means. The penalty is imprisonment for up to three years or a fine ranging from KWD3,000 to KWD10,000, or both. If the access results in the alteration, deletion or disclosure of the data, the punishment escalates to imprisonment for up to ten years or a fine of between KWD5,000 and KWD20,000, or both. This provision also covers data related to clients’ bank accounts (Article 3).

Additionally, the law applies to individuals who deliberately modify or destroy electronic medical documents related to medical tests, diagnoses, care or treatment, using the internet or other information technology. Those found guilty of such actions face imprisonment for up to three years or a fine of between KWD3,000 and KWD10,000, or both (Article 3).

Two trends stand out in the last 24 months: the narrowing of the DPPR to apply only to telecom Licensees (under Decision No 26 of 2024) and the repeal of the Data Classification Policy (see 5.5 Recent Developments).

Public visibility into administrative proceedings and fines remains limited, as regulators do not generally publish case-level outcomes. Accordingly, organisations (whether characterised as a Licensee or any other entity) should implement preventative controls and provide for clear consent and purpose mechanisms for collected personal data whether provided for under the E-Transactions Law or the DPPR.

Privacy litigation in Kuwait remains limited, with no publicly visible court disputes focused specifically on personal data protection.

Where disputes arise, they more commonly track cybercrime and unlawful access or disclosure obligations and violations handled through criminal channels under the Cybercrime Law and the E-Transactions Law’s penal provisions, rather than standalone civil damagesfor privacy harms. Non-material damages are not addressed as a distinct head of claim in the above-outlined laws and regulations.

Please see 2.1 Privacy Litigation Overview.

There is no specific collective redress regime for privacy claims reported in the above-cited materials, and no recent developments implementing representative action mechanisms akin to the EU framework.

Kuwait does not have a cross-sector “data act”, and regulation relevant to non-personal data largely consists in certain regulations applicable to Licensees. For example, the Cloud Framework applies to CSPs licensed in Kuwait operating data centres domestically and imposes transparency and security obligations on providers and practical commitments that affect subscribers’ data handling across personal and non-personal data.

The DPPR now applies only to Licensees, while the E-Transactions Law applies broadly to entities handling electronic records, providing protections and obligations regarding collection, disclosure, security and record maintenance.

The Electronic Media Law governs certain online publishing services and content, whereby online Kuwait platforms must comply with rules tied to public order and morals catering to Kuwait’s culture and the Islamic faith.

The Electronic Media Law applies to and regulates various online platforms, including:

• electronic publishers;
• electronic journalism;
• news agencies;
• news services;
• websites offering electronic commercial advertisements; and
• the digital presence of print newspapers and satellite channels.

However, the Electronic Media Law does not apply to personal domains, websites, outlets or electronic accounts that are not operated by individuals with specialised professional expertise. Notably, the Electronic Media Law specifies that the name of the website or media outlet must not violate public order or morals or be identical to an existing site. Thus, media regulation under Kuwaiti law seems to be restricted to media channels that are not privately owned. On the other hand, the data protection requirements under the E-Transactions Law or the DPPR would apply to both private companies and entities offering services to the public.

Under the E-Transactions Law, individuals have rights to access, correction and deletion of personal data in electronic records, while entities must ensure accuracy, purpose limitation and security, with retention aligned to policies and agreements.

The DPPR and Users’ Rights impose Licensee-specific obligations on consent, transparency, breach notifications to CITRA/users, and transfer notifications for data leaving Kuwait.

The Cloud Framework requires privacy policies to cover categories of data collected, use and disclosure practices (including third-party processors), cookie usage, marketing unsubscribe mechanisms and user correction/deletion pathways, with alerts on data relocation due to M&A or ownership changes. There is no statutory data portability right, and organisations should instead enable reasonable access on a contractual and transparency basis.

For action items, please also see 1.2 Rights and Obligations.

Please see 1.7 Regulators.

Pursuant to the Cloud Framework, the privacy policy of a CSP must contain a clause labelled “Cookies”, which determines the mechanisms of usage when it comes to:

• log-in authentication;
• security inferences;
• advertisements; and
• personal identification.

The CSP may not use this data to locate/determine the identity of the user and must always make available the types of cookies used by it or by external parties on any platform on which the service operates.

Spam Messaging

In accordance with Article 12 of the CITRA Regulations, the Licensee must have a database used to ensure that the receipt of spam messages is ceased upon the request of the user. Licensees sending messages for commercial purposes must only do so between the hours of 7am and 10pm Kuwait time.

Marketing Practice

Pursuant to Article 14 of the User Guidelines, the marketing practices of Licensees must not exploit any consumer or group of consumers on account of their weaknesses, disabilities, ages or lack of knowledge. They must also not use any means of fraud or deception in the advertising of their products and services.

When it comes to sending a marketing communication/call, the Licensees must have duly verified the identity of the recipient user. At the beginning of the communication/call, the Licensee must:

• disclose the sender’s name;
• disclose the cause for such communication/call; and
• give the recipient user the option to continue with the communication/call or not.

Regulations and Commitments of CSPs

The CSP’s privacy policy must inform users of the procedures to follow should they wish to cancel marketing communication subscriptions.

Law No 9 of 2001 Regarding Misuse of Telecommunications and Wiretap Sets governs privacy in an employment context, but there is no specific rule applicable to employee monitoring.

Telephone conversations may be recorded by employers to deal with any grievances from customers or clients, in order to ensure that the calls are dealt with professionally and for the purposes of training only. In some situations, such recordings may be carried out and reproduced for legal purposes upon an order of the competent court in a situation occurring between third parties and company employees.

No applicable laws are in place for monitoring employees’ emails in Kuwait. Private life cannot be violated, so the monitoring and recording of such information is considered to be an infringement of rights and a violation of confidentiality, which is guaranteed to individuals under the Kuwaiti Constitution. The courts of Kuwait aim to protect citizens and expatriates from all such violations. The employer can draw up a set of rules and regulations that may govern such monitoring for the purpose of safeguarding their interests. However, they should restrict it to the official work areas and not infringe on privacy rights, including the protection of personal emails. Such rules and regulations will need to be drawn up and made available to employees in a handbook that is provided to newly joined employees for them to understand and abide by.

The E-Transactions Law

Under Articles 32 and 35 of the E-Transactions Law, Entities and their employees are expressly required to:

• obtain individuals’ consent before accessing, disclosing or sharing personal data; and
• specify the purpose for collecting and processing such personal data, including processing activities for data transfers.

These activities must be conducted using lawful means and limited to the stated purpose. This applies to personal data or information in electronic records or processing systems concerning the professional, social, health or financial status of individuals registered with these Entities. Consent may be obtained or inferred from affirmative actions indicating approval, as outlined in Article 4 of the E-Transactions Law.

DPPR and the User Guidelines

Licensees have notification obligations, including informing data subjects about personal data transfers outside Kuwait, pursuant to Article 4 of the DPPR. In addition, Licensees are required to establish and uphold a written privacy policy that elaborates extensively on their procedures concerning the collection and processing of personal data, including transfers as part of the processing activities. This policy should be publicly accessible on their websites and provided to users and data subjects when entering into service contracts.

For entities operating under the E-Transactions Law, cross-border disclosures must align with consent, purpose limitation and security duties for electronic records.

For Licensees, the DPPR requires informing users of transfers of data outside Kuwait to any foreign country and theirrepresentative in such foreign country.

Please also see 4.4 Data Protection in M&A.

Private entities covered by the E-Transactions Law typically do not need official approval for international data transfers, unless the data involves state or government-related information in Kuwait.

Licensees may require approval from CITRA to transfer user data internationally, as indicated through consultations with CITRA. However, there is a lack of specific regulations detailing the mechanisms or conditions for such data transfers.

Kuwaiti law does not generally address data localisation requirements, especially after the repeal of the Data Classification Policy (see 5.5 Recent Developments). However, certain sector-specific examples, such as a healthcare facility, must maintain a register and database to document patient information in either written or electronic form. The facility’s management is responsible for ensuring the safety of these records, and, if the facility ceases operations or changes activities, it must provide patient files or copies upon request (Article 60 of Law No 70 of 2020 on the Medical Profession). While the law does not provide specific mechanisms for data transfers, it is understood from the E-Transactions Law that patient consent is required.

Another example of data localisation is found in Article 80 of Law No 6 of 2010 on Labour in the Private Sector, which mandates that employers must maintain a dedicated file for each employee, containing essential documents such as the work permit, employment contract, civil ID, and records of leave, overtime, work injuries and penalties. Similar to healthcare facilities, this law does not address mechanisms for data transfers but also implies that consent may be required under the E-Transactions Law.

Kuwait has several laws and regulations relating to blocking or censoring web content, some of which concern privacy and data protection. Key examples include the following:

• The Press and Publications Law No 3 of 2006 regulates the publication of printed and electronic media in Kuwait. It includes provisions relating to blocking content that violates public order, morals or national security. This law gives the government the power to block websites or other media that violate these provisions.
• The Cybercrime Law criminalises a wide range of online activities, including hacking and online fraud. This law gives the government the power to block websites or other online content that violates its provisions.
• The CITRA Law regulates the telecommunications sector in Kuwait and includes provisions relating to blocking or intercepting communications that violate public order, morals or national security. This law gives the government the power to block websites or other online content that violates these provisions.

Among other prohibited content, CITRA receives requests to block web content in Kuwait that violates the public interest (including public morals, Islamic faith teachings and public order). If CITRA receives a request to block or unblock web content, it will take the necessary actions to block prohibited web content or to unblock web content in the case of an error in classifying the content as prohibited.

Following the repeal of the Data Classification Policy in February 2024, which previously classified sensitive data into different tiers, the regulatory framework for data storage and transfers has become less clear. Under the former policy, Tier 3 data (private sensitive data) included information such as business plans, internal reports, litigation files, medical records and criminal fingerprints, which, if disclosed without authorisation, could damage individual privacy. Tier 4 data, considered highly sensitive, included information of a national or governmental nature, and unauthorised disclosure of such data could cause significant harm to privacy.

The Data Classification Policy required that Tier 4 data be stored within Kuwait, while Tier 3 data could be stored in hybrid clouds, both inside and outside Kuwait. Due to the repeal of the Data Classification Policy, the legislative framework surrounding the storage and transfer of sensitive data is now governed primarily by the consent provisions in the E-Transactions Law.