Data Protection & Privacy 2023 Comparisons

Last Updated March 09, 2023

Contributed By GLA & Company

Law and Practice

Authors



GLA & Company is a regional law firm based in the UAE and provides strategic, cost-effective and forward-thinking legal representation for companies seeking to do business in the Middle East. The firm boasts a diverse portfolio of clients, ranging from start-ups to global enterprises doing business in the Middle East. GLA is a full-service law firm that handles everything from simple advisory work to complex contentious and non-contentious matters. With extensive experience advising clients in the key Gulf Cooperation Council states of Kuwait, Saudi Arabia, Qatar and UAE – as well as Egypt and Lebanon – the firm offers unique insights for companies seeking quality legal services. Data Protection & Privacy, in particular, is one area that has the firm’s attention, considering the expansion and revamping of applicable laws and regulations across the GCC.

Legislation Enacted Prior to the Establishment of CITRA

Previously, the E-Commerce Law (Law No 20 of 2014) regulated the protection of private and public data of electronic records such as signatures, documents and payments. In addition, the Cybercrime Law (Law No 63 of 2015) was another previously enacted regulation that imposed fines and penalties in relation to the illegal dealing or possession of personal and governmental data.

New Developments and CITRA Establishment

The Data Protection Regulation issued upon Decision No 42 of 2021 by the Communications and Telecommunications Regulatory Authority (CITRA, or “the Authority”) was a new addition to the Kuwaiti regulation of data protection. It created obligations concerning data protection on public and private telecommunications service providers and any other industries engaged in the activities of collecting, processing or storing personal data – as well as the conditions necessary to engage in such activities.

In addition, the regulation widened the definition of “service provider”. The scope was broadened in order to extend the traditional category of telecommunications service provider to include anyone operating (or directing a third party to operate) websites or applications. It also encompasses what is considered “cloud computing services” and any other services involved in collecting, storing and processing any personal data in any way.

The Data Protection Regulation applies to all services provided, whether the data storing, collecting and processing involved is carried out inside or outside Kuwait. In addition, the CITRA regulations grant prospective and existing customers the right to withdraw their consent to any form of use of their personal data and, upon the customer’s request, the service providers must accordingly dispose of and destroy all the associated user’s data in their possession.

However, it is important to note that the regulations do not apply to the respective state security authorities that hold data for the sole purpose of monitoring and maintaining peace, controlling existing and prospective crimes, and preventing external and internal threats to public security.

Furthermore, CITRA has issued the Data Classification Policy under Resolution No 95 of 2021. The Data Classification Policy classifies data into four distinct levels in order to provide guidance to entities that process, store and transfer data. It also provides specific guidelines regarding the handling and storage of said data, depending on its classification level and sensitivity.

The Data Protection Regulation, together with the Data Classification Policy and the series of related CITRA-published guidelines, make up the framework of the Kuwait data protection regime (the “Data Protection Regime”). However, the E-Commerce Law and Cybercrime Law remain in effect and still apply.

CITRA is the current regulator responsible for oversight of data protection in Kuwait pursuant to the Data Protection Regulation and Data Classification Policy. Further, CITRA’s jurisdiction is confined to its establishment law, Law No 37 of 2014 as amended by Law No 98 of 2015 (“the Law”), and its corresponding Executive Regulations issued under Decision 993 of 2015 (the “Executive Regulations”).

The Central Agency for Information Technology (CAIT) supervises the implementation of the regulations and policies issued by CITRA.

The Electronic and Cyber Crime Combating Department (ECCCD) is a specialised department within the Ministry of Interior in Kuwait that is responsible for enforcing Kuwait’s cybercrime laws and investigating cyber-related crimes. The ECCCD’s main focus is to protect Kuwait’s economy and national security – along with the well-being of its citizens and residents – by combatting cybercrime and enhancing cybersecurity. The ECCCD is responsible for receiving complaints related to cybercrime, conducting investigations, and working with other governmental and non-governmental organisations to combat cyberthreats. The department is also responsible for raising awareness about cyberthreats and providing guidance on how to stay safe online.

Relevant Provisions in Relation to Audits and Investigations

Law 37 of 2014 as amended by Law No 98 of 2015

CITRA is empowered under the law to collect information relevant to the telecommunications and IT sectors and issue any reports, bulletins and guidelines to users. It also prepares the necessary media programmes to increase public awareness of the importance attached to these sectors and the extent of their influence on social and economic development in the state of Kuwait.

Pursuant to Article 15 of the Law, all service providers or licensees who are authorised to own or operate telecommunications networks or use wireless waves must adjust their internal policies and rules to any extent necessary to achieve compliance with the provisions of the Law, no more than one year from the date of publication of CITRA’s Executive Regulations.

Pursuant to Article 49 of the Law, if CITRA receives any complaint about a licensee’s default in the performance of their obligations, or about a dispute between the licensee and the beneficiary users in relation to the quality and standard of the service being provided or any violations of the licence conditions, CITRA may investigate the grounds of the complaint and decide either to keep the complaint on file or to notify the licensee to remove the violation within 90 days.

Under Article 52 of the Law, CITRA must agree with the licensee on the procedures for any investigations into complaints, as well as the procedures for the licensee to follow when complaints are received by them.

Under Article 54 of the Law, CITRA must ensure that the licensee complies with all the provisions of the Law and may take any actions it deems necessary in order to do so, such as:

  • conducting physical examination(s) of the network and telecommunications devices;
  • examining the licensee’s technical records to ensure invoices and records are accurate;
  • assuring the quality of the services and complaint procedures provided to clients; and
  • reviewing the maintenance and failure records of the service provider or licensee to ensure that service management is efficient.

Lastly, under the Law, CITRA must also guarantee compliance with any international, regional and bilateral agreements that Kuwait is party to.

Executive Regulations

Under the Executive Regulations, CITRA may refer matters to other competent authorities if – following investigation(s) – there are reasons to suspect a criminal offence. Employees of CITRA are empowered to monitor the implementation of the Authority’s laws and regulations. To this end, they have the right to enter premises in order to inspect and control any unlicensed communications devices where the following are known or suspected to be present:

  • devices or networks;
  • communications facilities; and/or
  • all or part of the infrastructure used in the communications service.

In the process of doing so, the employees are empowered to:

  • request and examine the service provider’s licences, records and documents;
  • examine and view any communications equipment related to the provision of the service; and
  • view any form of information or documents related to the provision of the services.

Chapter 6 of the Executive Regulations delineates the conditions and processes necessary for the investigation of grievances or disputes submitted to CITRA – by forming a Dispute Resolution Committee.

Formation of the Dispute Resolution Committee

Under Article 33 of the Executive Regulations, the chair of the Authority must form a committee from outside the Authority (“the Committee”) to resolve disputes between service providers and the beneficiaries and decide on the grievances and complaints submitted to the Authority (including those in relation to other service providers).

Conduct of the Committee

Per Article 34 of the Executive Regulations, the Committee must conduct its activities in accordance with the following rules.

  • One registrar must be appointed and designated to record the disputes received by the Authority and another one appointed to record the grievances.
  • Grievances must be submitted within 30 days of the date of notification of the action or decision by the service provider that the grievance relates to.
  • A grievance/dispute writ must comprise the details of the grievance/dispute, the grievant/claimant, and the respondent.
  • The secretary must present the writ on the dispute to the chair of the board, who sets a hearing date to consider it.

Decision of the Committee

Pursuant to Article 35 of the Executive Regulations, the Authority – following the direction of the Committee – must decide the disputes or grievances presented before it by coming to a reasoned decision within one month of the date of submission of the dispute (if it did not escalate to the Committee) or grievance/dispute writ. The Authority must then notify the concerned parties of its decision within a week of the date of its issue.

Appeal and Referral to Judiciary

Under Article 37 of the Executive Regulations, if the decision(s) of the Authority is challenged before the judiciary, the relevant competent department at the Authority must prepare a technical report on the dispute or grievance to be submitted to the chair of the board of directors for approval before the conclusion of the report.

It is worth noting here that Article 55 of the Law makes the decisions of the Committee binding on the parties involved in the dispute/grievance. In addition, grievances against decisions may be referred to the judiciary, but not before resorting to the Committee first – with the objectionable issues submitted before the judiciary attached to the technical report concluded by the Authority.

GDPR and Impact on Kuwait Companies

By virtue of the Law, CITRA shall also guarantee compliance with any international, regional, and bilateral agreements that Kuwait is party to. This means that companies operating in Kuwait that process, store or collect EU-based personal data may also be subject to the General Data Protection Regulation (GDPR).

Besides the above-mentioned overlap between the Data Protection Regime and the GDPR, the authors are not aware of any efforts for the implementation of any relevant multilateral obligations.

Data protection NGOs and industry self-regulatory organisations do not exist in Kuwait. All regulatory authorities in this respect are governmental.

Similarities with the GDPR

It should first be noted that the Data Protection Regime seems to loosely resemble the EU’s GDPR in the following respects:

  • transparency in collecting users’ information (PaaS and SaaS Regulations located under Article 2 of CITRA’s Cloud Service Providers Regulations and Commitments – sub-section 5.6, in particular – relate to the use of third-party services);
  • rectification and erasure of certain information at the request of the subscriber/user (Article 4 of the User Rights and Data Protection Law of CITRA);
  • disclosure to users of transfers of personal data to third countries or international organisations (data protection classification and the need to disclose to users the transfer of information to new entities as a result of acquisitions or mergers – Article 4.2 of the Cloud Computing Regulatory Framework);
  • rights to lodge complaints with supervisory board (as mentioned in 1.5 Major NGOs and Self-Regulatory Organisations, the Committee in accordance with Chapter 6 of the Executive Regulations);
  • penalties for violation(s) of the Law (found in Chapter 10 of the Law).

Users’ Rights and Data Protection Under the Data Protection Regime

The issuance of the Data Protection Regime, which applies to the public and private sectors in Kuwait, has been a much-needed milestone in the area of data protection in relation to service providers. The provisions adopted under the Law use the guidance of internationally approved standards in regulating the relationship between the service provider and the user, which was otherwise non-existent in Kuwait.

Such needed provisions include the regulation and conditions of spam messaging and marketing methods adopted by service providers, the handling and protection of personal data (in particular, from third parties), the use of cookies, unfair contract terms, and complaint procedures – to name a few.

CITRA Cloud Computing Regulatory Framework

The issuance of this framework was also an important achievement in the field of Kuwaiti data protection. This framework brought about definitions for types of cloud computing service providers, data classification, cybersecurity, and main jurisdiction location(s) of storage of data, among other things.

CITRA Regulations to Protect the Rights of Technology Users

CITRA issued guidelines regarding users’ rights protection and regulation of the communications and IT services in late April 2022. Pursuant to these guidelines, users must give explicit oral, electronic or written consent to receiving messages or communications when subscribing. The service provider must keep a record of the subscriber’s consent to promotional messages and must keep a database through which unwanted messages are stopped at the subscriber’s request.

Kuwait’s Digital Transformation

In early 2023, the Kuwaiti cabinet was briefed on the partnership signed with Google Cloud in anticipation of a digital transformation of the ways in which governmental bodies operate. The deal is seen as highly advantageous, as it will transform the ways in which state-run entities engage in the activities of cybersecurity, data analysis and AI, all as part of Kuwait’s 2035 vision. Google will set up a local office, open multiple data centres that provide organisations the ability to host data/resources within the Google Cloud in Kuwait, and support the government migrating its system onto the cloud.

Google Cloud shall work with CAIT to provide dedicated training programmes for all governmental employees on the inner workings of the programme. This may have implications for the mechanisms and frameworks established for the use and storage of sensitive data in relation to the maintenance of territorial peace and security.

User Rights Protection and Regulation of Communications and IT Services

Collection of data

Under Article 2, the service provider must prepare relevant rules and mechanisms for the sale of its service either through means of electronic transaction or through telephone communication. The Authority must approve the rules and mechanisms or any amendments to existing contracts of sale in advance, which includes the relevant data collection and storage. Pursuant to Article 3.16, in case of any such amendment, before any enforcement can take place:

  • the service user must be notified of the amendment(s) 60 days before the amendment enters into force; and
  • the subscriber’s written approval or e-signature (using the “Hawyti” application) must be obtained.

Under Article 3.3, the licensee or the authorised distributor of this telecommunications service must verify the validity of the personal information provided by the users of said services, and such proof of information (in the form of civil ID, passport or driving licence) may be certified by competent governmental bodies.

Under Article 3.4, before executing the service contract, the mechanism(s) for cancelling the service and any variation(s) to the contractual terms of service must be clearly stipulated.

Under Article 3.6, the licensee or service provider must open an electronic file in which all the information and documents and complaints pertaining to any user(s) are safely stored.

Duties of the service provider upon users’ request of cancellation of service

Under Article 4, the service provider must facilitate the mechanisms or procedures for such cancellation of service. Neither the licensee nor the service provider may bind the subscriber with a minimum limit of the service contract term, unless this is approved by the Authority. Upon the subscriber’s request to cancel the service, the licensee or the service provider must verify the identity of the subscriber applying for cancellation.

Dealing with data

Per Article 6, service providers must:

  • not collect, use or disclose any personal information related to the user without their official approval;
  • not require information that is irrelevant in the context of providing services;
  • obtain the approval of the user before disclosing their information to other parties; and
  • take all security measures with regard to:
    1. protection of the user’s information; and
    2. protection against the loss, damage, or disclosure of such information (or its replacement with any untrue data).

Data Classification Policy

Pursuant to the Data Classification Policy, it is the responsibility of public and private sector entities when classifying their data (and the personal data of the individuals in their possession) to – among other requirements – assign a designated employee to communicate and provide CAIT with quarterly reports on the extent to which this internal policy is being implemented.

CITRA Cloud Service Providers and Regulations and Commitments

Types of information collected by cloud service providers

Pursuant to the regulations concerning PaaS and SaaS model providers in Article 2, the types of information that the cloud service providers may obtain from users include, but are not limited to:

  • name and email address;
  • address;
  • payment information;
  • internet protocol address (“IP address”); and
  • device and browser information.

Obligations in dealing with information

In accordance with the regulations concerning PaaS and SaaS model providers located in Article 2, the service provider must describe to the user all information that needs to be collected and what information will be collected automatically (and where to access and amend such). Following data collection, the service provider must explain to the user where and how such information may be used.

The service provider may not use this information to locate the identity of the user. The service provider must also inform users of any third-party providers that operate certain services on their behalf – as well as of their privacy policies – for the purpose of always maintaining transparency. The service provider commits to not sharing with, disposing of to, or selling to third parties the user(s)’ information; however, for purposes of improving the service and customer experience, third parties may be granted access to the user(s)’ names, address, phone number, and email. In any case, the user must be informed of such.

The user(s) must be notified immediately of any data relocation to new owners as a result of M&A, liquidation or dissolution.

The service provider must be efficient, competent and equipped to detect any fraud, security threats or technical problems.

The subscriber has the right to request amendment or the deletion of their personal data available to third parties or to the service provider. The service provider must also explain to its user(s) clear mechanisms for the communication between both regarding the user(s)’ privacy policy.

With regard to SaaS model providers, they must specify in their privacy policy the targeted age group for the collection of data. If the targeted age group is minors, then the consent of their guardian must be obtained. The service must abide by any relevant child protection laws of the state.

CITRA Cloud Computing Regulatory Framework

Dealing with data

Under Article 4, Tier 3 and Tier 4 data may not be stored outside the state of Kuwait, and service providers may not use a shared or a hybrid cloud to store this type of information unless such is licensed by the Authority. Cloud providers must also notify users within a period of no more than 72 hours of a security breach and, accordingly, must have established safeguard mechanisms in place with regard to disaster recovery and risk management. Under the same provision, the provider must grant its users the technical means through which to access the given information and the process by which to amend such.

Under Article 6, the service contract must clearly stipulate the protocol of action and notification in the event that a security breach occurs.

Cancellation of service

Under Article 6, the service provider must guarantee in their service contracts certain clauses that relate to the cancellation of the user(s)’ service. The user(s) must be provided with a copy of their cloud computing content saved at the time of termination; otherwise, upon the request of the user, their content may be transferred to their other chosen cloud provider. Upon such handover or transfer of content, the cloud provider must delete any and all content or information related to the user present on its own platform(s).

Unfair contract terms

Under Article 7, the cloud computing service providers may not exclude any liability (extending to actions by individual employees) in their service contract in relation to the damage, loss or tampering with the user’s information and content – unless stipulated that this may happen unintentionally or in the event of a security breach.

Disclosure of data

Under Article 4.3.4, the service provider may only disclose the user’s content or data by:

  • an official request by security or intelligence authorities; or
  • by obtaining consent of the user, provided that:
    1. the data is not classified as Tier 3 or 4; and
    2. the user may in the future withdraw their consent to such disclosure.

The Law and the Executive Regulations

Executive Regulations

Under Article 51, telephone calls and private communications are classed as confidential matters that may not be violated. The only exception to this is by an approval solely granted by a competent judicial authority in the state of Kuwait.

The Law

Under Article 46, the trade, sale or display for sale of bugging devices is strictly prohibited. The only exception to this is that governmental authorities (as defined by a decree) are permitted to own bugging devices for the purpose of maintaining national security and peace. Even in such circumstances, the delegated authorities may only use these devices with consent granted by the public prosecutor’s office in accordance with the terms, conditions and procedures set forth in the Kuwaiti Procedures Law.

Data Classification Policy

The governing regulation is CITRA’s Data Classification Policy, which classifies different types of data according to the sensitivity of its content.

Classification of data and specifics

  • The First Tier – “Public Data” refers to unclassified data available to the public or to data that is not subject to protection from public access under any law, regulation or contract. Some examples include, but are not limited to:
    1. open data such as policies, regulations and laws published on websites, daily newspapers, magazines or other publications;
    2. self-service forms made available to individuals and authorities; and
    3. any data and information made publicly available on websites.
  • The Second Tier – “Private Insensitive Data” refers to data owned by the public and private sectors or at a personal level. It is data that indicates the identity of the data owner, although unauthorised disclosure does not lead to any damage to the privacy of the person’s data. Examples include, but are not limited to:
    1. first or last name;
    2. job title, job duties and employer name;
    3. email address;
    4. civil ID number;
    5. gender;
    6. age; and
    7. academic qualification.
  • The Third Tier – “Private Sensitive Data” refers to data owned by the public and private sector or at a personal level. It is data indicating the identity of the data owner and may encompass a mix of insensitive and sensitive data. Unauthorised disclosure of such may lead to damaging the privacy of the person’s data. Examples include, but are not limited to:
    1. minutes of meetings and business plans;
    2. internal project reports;
    3. legal notes and opinions issued by legal offices;
    4. medical records; and
    5. criminal fingerprint and DNA fingerprint.
  • The Fourth Tier – “Highly Sensitive Data” refers to private data of a very sensitive nature, where the unauthorised disclosure of this data may result in great damage to the privacy of the person/entity’s data. Such data may be owned by government or private sector entities but relate to highly personal information. This data must have high encryption requirements and requires the highest levels of protection means. Some examples include, but are not limited to:
    1. encryption keys;
    2. political documents, international negotiations, or international relations; and
    3. sensitive information of a military nature or in relation to state security.

Data storing methods

As previously mentioned, under Article 3, the owner of the data must classify such into at least four different levels according to their contents. If a separate classification system is used, it must be unified to match the data classification tier outlined earlier. Governmental entities are exempt from this and may choose to classify data in any manner they see fit.

The data owner is free to choose their data protection methods according to their data classification, retention, collection, and processing schemes. The data owner must also ensure the availability and adoption of certain safeguards and protections necessary for the storage of such data – specifically, data labelled under Tier 3 and Tier 4.

The owner of the data is also mandated with creating a data catalogue that contains standards of data storage in a unified format. The data owner must encrypt all data classified under Tier 3 and Tier 4 when transferring such data from one governmental authority or private entity to the other (or across geographical locations). Classified data under the aforementioned tiers must be transferred or removed before the data server is disposed of.

Obligations of CITRA

Lastly, under Article 3, CITRA has an obligation to ensure private and public entities’ compliance with the policy. It is also empowered to request periodic reports from CAIT. Such reports must contain a catalogue of all the types of data in possession, the approved tier classification system of data and reasons for adopting such, and the locations of the stored data according to the adopted classification tiers.

Regulations and Commitments of Cloud Service Providers

The use of cookies

The service provider must include in its privacy policy a clause labelled “Cookies”, which determines the mechanisms of usage when it comes to:

  • login authentication;
  • security inferences;
  • advertisements; and
  • personal identification.

The cloud service provider may not use this data to locate the identity of the user and must always make available the types of cookies used by it or by external parties on any platform the service operates on.

User Rights Protection and Regulation of Communications and IT Services

Spam messaging

In accordance with Article 12 of the CITRA guideline mentioned in 2.1 Omnibus Laws and General Requirements, the service provider must have a database in which the reception of spam messages is ceased upon the request of the user. Service providers sending messages for commercial purposes must only do so between the hours of 07:00 and 22:00 Kuwait time.

Marketing practice

Pursuant to Article 14 of the above-mentioned CITRA guideline, the marketing practices of service providers must not exploit any consumer or groups on account of their weaknesses, disabilities, ages, or lack of knowledge. They must also not use any means of fraud or deception in the advertisement of their products and services.

When it comes to receiving marketing communications or calls, the service provider or the licensee must have duly verified the identity of the recipient user. At the beginning of the communication/call, the service provider must:

  • disclose the sender’s name;
  • disclose the cause for such communication/call; and
  • give the option to the recipient user of continuing with the communication/call or not.

Regulations and Commitments of Cloud Service Providers

The cloud service provider’s privacy policy must inform the user of the procedures to follow should they wish to cancel marketing communication subscriptions.

There are no special regulations that deal explicitly with workplace privacy. That being said, there are certain aspects of the relationship between data protection and workplace privacy that should be noted.

The responsible authority is the Ministry of Social Affairs and Labour. Please also refer to the Explanatory Memorandum to Law No 6/2010 (Labour in the Private Sector) as amended.

Monitoring of Workplace Communications

Law No 9/2001 Regarding Misuse of Telecommunications and Wire Tap Sets governs the matter in question. However, there is no specific rule applicable to employee monitoring.

Recordings of telephone conversations may be carried out by employers to deal with any grievances from customers or clients in order to ensure that the calls are dealt with professionally and for the purposes of training only. In some situations, such recordings may be carried out and reproduced for legal purposes upon order of the competent court in the event of a situation occurring between third parties and company employees.

There are no applicable laws in place for monitoring employees’ emails in Kuwait. Private life cannot be violated; therefore the monitoring and recording of such information is considered to be an infringement of rights and a violation of confidentiality, which is guaranteed to individuals under the Kuwaiti Constitution. The courts of Kuwait aim to protect citizens and expatriates from all such violations. The employer can draw up a set of rules and regulations that may govern such monitoring for the purpose of safeguarding their interests. However, they should restrict it to the official work areas and not infringe on privacy rights, including the protection of personal emails. Such rules and regulations will need to be drawn up and made available to the employee in a handbook that is often provided to newly joined employees for them to understand and abide by.

The Law

Violations of CITRA rules

Under Article 61 of the Law, if it is found following an inspection by CITRA that a violation – or suspected violation – of its laws was committed, then it must instruct the public prosecutor’s office to adopt the appropriate measures.

However, under Article 63, the board of CITRA may accept reconciliation of the violations of its laws or regulations and accept a cash penalty of no less than twice the amount of the fine(s) stipulated in the Law before a referral to the public prosecutor’s office. Such violations include:

  • using bugging devices (punishable by either imprisonment for no more than one year or a fine of no more than KWD5,000 and no less than KWD500); or
  • illegally using a private or public telecommunications network (punishable by either two years in prison or a fine of no more than KWD20,000 and no less than KWD500).

Claim for compensation (Article 81)

It should be noted that the above-described penalties do not prejudice any person’s right to claim direct compensation for harm resulting from such actions. Because the Data Protection Regime is so new, it has yet to be tested in the courts.

According to Article 32 of the E-Commerce Law, government authorities, public authorities, institutions, companies, and non-governmental entities (or their employees) are prohibited from unlawfully accessing, disclosing or publishing personal data or information registered in records or electronic processing systems – unless there are legal permissions, the approval of the person concerned, or a reasoned court decision. This applies to personal data related to professional affairs, social status, health status, financial disclosure or other personal data registered with the relevant bodies or their employees.

Under Article 70 of the Law, using telecommunications to send threats, immoral or humiliating messages, or made-up events for the purpose of causing panic is punishable either by imprisonment of no more than two years or a fine of no more than KWD5,000. In addition, intentionally defaming anyone by engaging in non-consensual capturing or usage of pictures or videos (or the falsifying of such) is punishable either by a prison term of no more than two years or a fine of no more than KWD5,000 and no less than KWD500. Furthermore, sending immoral or indecent materials by any means (eg, messages, videos or pictures) will be punished by either a prison term of no more than three years or a fine of no more than KWD5,000 and no less than KWD500.

If any of the acts described in the preceding two paragraphs are accompanied by blackmail in relation to the above-mentioned materials, it is punishable by either up to ten years in prison or a fine not exceeding KWD10,000.

Please see 3.1 Laws and Standards for Access to Data for Serious Crimes.

Usually, governmental agencies – in particular, law enforcement agencies – do not require any judicial approvals to access individuals’ data for intelligence, anti-terrorism or other national security purposes. Moreover, most of the data is retained in centralised systems to which the agencies already have access. There are no specific requirements to obtain any judicial approvals for governmental agencies to request data from other governmental agencies. There are no specific laws that govern this particular scenario.

Please note that depending on the sensitivity of the information (ie, Tier 3 and 4), certain approvals may be required.

The laws in Kuwait do not consider a foreign government access request to be a legitimate basis for transferring personal data. The situations in which personal data may be transferred outside Kuwait are discussed in 4 International Considerations. It is generally not permissible for an organisation to invoke a foreign government access request as a legitimate basis upon which to collect and transfer personal data – unless there is a legal basis under the local laws for such transfer.

Kuwait has not participated in any Cloud Act agreements with the USA to date.

Kuwait, like many other countries, faces several conflicts and public debates concerning government access to personal data. The following are among the key issues in relation to privacy.

Civil ID Cards

The Kuwaiti government has mandated the use of a national ID card for all citizens and residents. However, there have been concerns about the amount of personal information collected on the card and the potential for misuse of this information.

Health Data Collection

The Kuwaiti government has also been collecting health data from citizens and residents, particularly during the COVID-19 pandemic. Although this data can be useful for public health purposes, there are concerns about the privacy implications of such data collection.

Data Protection

Kuwait’s Data Protection Regime is not comprehensive in nature, which means that there are weak legal protections for citizens and residents in relation to their personal data. This has led to calls for stronger privacy regulations and protections.

Conflict With Human Rights

The collection and use of personal data by the government in Kuwait has been seen as potentially being in conflict with human rights, including the right to privacy and freedom of expression. The right to privacy is recognised as a fundamental human right under international law and, as such, is protected by numerous human rights treaties and conventions. The UN Human Rights Committee, for example, has stated that “the collection and retention of personal data must be regulated by law” and that “the law must be adequate to provide effective safeguards against arbitrary interference with an individual’s privacy”.

In addition to privacy concerns, the collection and use of personal data by the government can also have an alarming effect on freedom of expression. If individuals believe that their online activity or communications are being monitored by the government, they may be less likely to express themselves freely or engage in political or social activism.

Transfer Restriction on Tier 3 and Tier 4 Classification

There are restrictions on international data transfers of personal information, especially those classified as Tier 3 and Tier 4 under the Data Classification Policy. As stated previously, the Data Protection Regulation applies to public and private service providers who collect, process and store personal data – whether the processing is carried out inside or outside Kuwait.

Article 6 of the Data Protection Regulation states that a service provider must collect and process data during and after providing a service, according to certain conditions. If the service provider intends to transfer a subject’s personal data outside Kuwait, they must notify the data subject in accordance with the Data Classification Policy.

Further, the Data Classification Policy imposes restrictions on the transfer of personal information classified as Tier 3 and Tier 4. Such data must be encrypted during transmission from one government entity to another or when transmitted between different physical geographical locations of government entities – and this applies to the private sector as well. Hence, such data may not be transferred internationally, even in encrypted form.

The Cloud Computing Regulatory Framework policy (CCRF) issued by CITRA sets out restrictions on international data transfers of personal information. Subscribers to cloud computing services in Kuwait must ensure that certain types of data ‒ such as data classified under Tier 3 and Tier 4, government entity data, and personal data of individuals held with government agencies, private sector companies, or service providers – are not hosted or stored outside Kuwait unless the data classification policy and Chapter 3 of the CCRF on data classification allow for it. However, Chapter 3 of the CCRF permits data transfer outside Kuwait for cloud computing services, provided that the appropriate level of information security is chosen by the cloud computing services’ subscribers and the data being transferred is not classified as Tier 3 and Tier 4 level data.

Private and public sector subscribers have an obligation not to store or host individuals’ personal data or government entities’ data that falls within the Tier 3 and Tier 4 levels of data classification in the data centre and cloud computing environment of cloud computing service providers located outside Kuwait. The only exception is if a hybrid cloud is used and the data classified as Tier 3 is within the borders of Kuwait.

Consent Requirement for Transfer of Tier 1 and Tier 2 Data

Providers of cloud computing services in Kuwait are required to obtain written consent from the subscriber if they want to transfer or copy a subscriber’s data outside Kuwait. However, this consent only applies to data classified as Tier 1 or Tier 2, as data classified as Tier 3 or Tier 4 cannot be transferred or stored outside Kuwait.

Article 5 of the Data Protection Regulation stipulates that data collection and processing is only allowed with the data subject’s consent in order to comply with legal obligations and to protect the data of individuals or legal entities – or if the identification of the data subject is not necessary for the service provider’s purpose. The data subject can withdraw their consent at any time, whereupon the service provider must facilitate this and delete the processed data upon request.

Furthermore, Article 32 of the E-Commerce Law provides that government authorities, public entities or agencies, companies and non-governmental entities or authorities may not access, disclose or publish any personal data or information kept or documented on electronic data processing systems if such data relates to a person or their job, social biography, health condition or financial status – or other personal information kept by or filed with any entity or authority listed in the law. This general restriction may be overcome with the consent of the data owner (or their legal representative) or where disclosure is authorised by a court order.

In summary, personal information may only be transferred internationally if it is classified as Tier 1 or Tier 2 and the data owner gives their written consent for the transfer. However, personal information classified as Tier 3 and Tier 4 must not be transferred internationally. Data processors must comply with the regulations regarding data classification, encryption and disclosure imposed by the Data Protection Regulation and the CCRF policy issued by CITRA.

Kuwait does not have any specific mechanisms or derogations for international data transfers in place that resemble those provided by APEC or other multilateral frameworks. However, under the Data Protection Regulation, service providers are required to obtain the data subject’s consent before disclosing their personal data to any affiliate company or third party for any marketing purposes not directly related to the provision of telecommunications and IT services requested by the person concerned. Additionally, appropriate security measures must be implemented to protect the personal data of any person against loss, damage, disclosure or hacking by an unauthorised third party.

In practice, many companies in Kuwait use standard contractual clauses or binding corporate rules to ensure compliance with data protection requirements when transferring personal data outside of the country. Companies may also rely on the individual’s consent to the transfer, provided that the consent is informed, specific and given freely. However, it is important to note that data protection laws under the Data Protection Regime and the E-Commerce Law may impose certain limitations on the use of consent as a basis for data transfers and, of course, such consent must be given freely and obtained in a manner that is specific and informed.

There are no express government notifications or approvals required to transfer data internationally. However, please see 4.1 Restrictions on International Data Issues for further detail.

As mentioned in 4.1 Restrictions on International Data Issues, there are data localisation requirements for certain types of data. The following types of data must not be hosted or stored outside Kuwait:

  • data classified under the Tier 3 and Tier 4 levels of data classification;
  • government entity data falling within the Tier 4 level of data classification; and
  • individuals’ personal data held by government agencies, private sector companies, or service providers.

Data classified as Tier 3 or 4 must be hosted and stored within Kuwait. In order to comply with these requirements, Section 4.2 of the CCRF policy outlines several obligations for subscribers and providers of cloud computing services in Kuwait. Subscribers must ensure that certain types of data are not hosted or stored outside Kuwait and providers must disclose the location and technical information of their data centres in Kuwait (and in other countries where they process or transmit data of subscribers in Kuwait).

Registered service providers who are licensed by CITRA must obtain written consent from subscribers before transferring or copying data outside of Kuwait. However, this requirement only applies to data that does not fall within the Tier 3 and Tier 4 level of data classification. Hence, only data classified as Tier 1 or 2 can be transferred or stored outside of Kuwait with the consent of the data owner.

Additionally, the Data Protection Regulation lists the following very specific conditions for public and private service providers during their collection and processing of data:

  • practices and policies – deliver clear and accessible information on their personal data practices and policies to ensure that collection and processing are transparently provided;
  • purpose and grounds for processing – determine the purpose of data collection, the legal grounds for data processing and the retention period (if any);
  • third-party disclosure – determine the agencies to which personal data may be disclosed;
  • service provider information – identify the location and identity of the service provider, including contact information and information on their practices and processing of personal information;
  • data storage form – retain personal data in a form that allows the data holder to be identified for the purposes of processing the personal data;
  • standard data processing and storage – process data in a way that ensures personal data is protected against unauthorised or illegal processing, accidental loss and destruction or damage by using appropriate technical and regulatory measures for safety and confidentiality;
  • standard user access software – in order for individuals to use appropriate technology that enables them to exercise their right to access, review and correct personal data directly, the service provider shall grant its IT users all necessary and regulatory licences to use any software or other IP protected by the system;
  • duration and location of data storage – provide information on the period during which personal data shall be stored and the storage location, if possible;
  • standard data change procedure – determine the procedure for obtaining, correcting, deleting, restricting access or processing of personal data, for objecting to the processing of personal data, or for requesting for transfer of personal data;
  • notice of data transfer outside Kuwait – notify the data holder if the service provider intends to transfer their personal data outside Kuwait, in accordance with the Data Classification policy issued by CITRA;
  • notice of change of collection purpose – inform the data holder in the event that the service provider processes personal data for purposes other than the purposes for which personal data have been collected;
  • data destruction requirement – destruction of personal data in the possession of the service provider once the contractual relationship with the data holder expires (or during the contract term, if requested by the data holder);
  • consent – no personal information may be collected, used, processed or disclosed to any person without the prior consent from the person or the representative of the duly concerned person;
  • prohibition on requesting irrelevant personal information – the data holder is not required to provide personal information that does not relate to the provision of the requested product or service and, as a condition for the provision of a product or service, the user may not be asked to agree to the collection, use or disclosure of personal information that is not required to provide this product or service;
  • purpose of data collection disclosure – before collecting personal information, the purpose for which the personal information is collected by the service provider must be made clear;
  • data use limited to purpose of collection – collected personal information must only be used for the purposes specified by the service provider;
  • consent required before third-party disclosure – obtain the data holder’s consent before disclosing their personal data to any subsidiary or a third party for any marketing purposes that are not directly related to the provision of communications or IT service requested by the concerned person;
  • standard security measures – take appropriate security measures, which are suited to the nature and scope of the activities and the sensitivity of any collected and stored personal information, in order to protect the personal data of any person against:
    1. loss, damage, disclosure or hacking by an unauthorised third party; and
    2. replacing data or information with other false information (or adding incorrect information); and
  • consent withdrawal – a person who previously agrees to the collection, use, processing or disclosure of their personal data may withdraw this consent at any time and, as such, every licensee who provides public communications and IT services must provide an easy-to-use, practical and accessible method through which the person may withdraw their consent or disable the method of collecting, using, processing or disclosing personal data.

Currently, there are no legal requirements to share any software code, algorithms or similar technical details with the government.

There are express limitations or considerations with regard to foreign government data requests or foreign litigation proceedings or internal investigations. The limitations or considerations concerning international transfer of personal data are discussed in 4.1 Restrictions on International Data Issues and 4.2 Mechanisms or Derogations that Apply to International Data Transfers.

Kuwait has several laws and regulations related to blocking or censoring web content, some of which concern privacy and data protection. The following are among the key examples.

  • The Press and Publications Law (Law No 3/2006) regulates the publication of printed and electronic media in Kuwait. It includes provisions related to blocking content that violates public order, morals, or national security. The law grants the government the power to block websites or other media that violate these provisions.
  • The Cybercrime Law criminalises a wide range of online activities, including hacking and online fraud. The law grants the government the power to block websites or other online content that violates its provisions.
  • The Law regulates the telecommunications sector in Kuwait and includes provisions related to blocking or intercepting communications that violate public order, morals, or national security. The law grants the government the power to block websites or other online content that violate these provisions.
  • The E-Commerce Law regulates electronic transactions in Kuwait and includes provisions related to data protection and privacy. The law requires businesses and individuals to take appropriate measures to protect personal data from unauthorised access and includes penalties for those who violate these provisions.
  • The Data Protection Regulation regulates the collection, processing and storage of personal data. It does not explicitly include provisions for blocking web content; however, it outlines the responsibilities of service providers in relation to content that violates the system or IP rights of third parties. Service providers are not liable for such content unless they are aware of it and do not take appropriate action. Service providers must remove such content and report any violation of cybercrime laws to the relevant authorities. Third parties with complaints against such content must be referred to the appropriate entities in Kuwait.

Additionally, among other prohibited content, CITRA receives requests to block web content in Kuwait that violates the public interest (including public morals, Islamic faith teachings, and public order). If CITRA receives a request to block or unblock web content, it will take the necessary actions to block web content that contains any prohibited content or unblock web content in case of an error in classifying the content as prohibited.

Artificial Intelligence

In Kuwait, domestic entities in regulated industries are beginning to use AI, while multinational targeted advertising companies have been using it for some time. However, there are two primary legal risks and compliance issues for entities in Kuwait looking to incorporate AI into their businesses. The first issue is that using AI for business purposes requires the use of large amounts of data, which often needs to be outsourced to foreign entities, leading to potential data breaches and cybersecurity risks. The second issue is that Kuwait does not have a comprehensive data protection law and is therefore exposed to cybersecurity risks.

Another issue is the limitation on data transfers, as described in 4.1 Restrictions on International Data Issues, 4.3 Government Notifications and Approvals and 4.4 Data Localisation Requirements, whereby certain tiers of data cannot be transferred internationally.

Unmanned Aircraft Systems

The Directorate General of Civil Aviation (DGCA) is the regulatory body concerning registration of unmanned aircraft systems (UAS)/drones in Kuwait. The DGCA registers the following three types of users of UAS/drones:

  • recreational (toy, sport, advanced sport activity);
  • professional (commercial and non-commercial); and
  • special.

Prior permission must be obtained from the DGCA to operate drones for commercial purposes. The following activities are strictly prohibited:

  • using drones to carry dangerous goods;
  • dropping any object from the drone; or
  • using the drone to capture images or videos of private property without obtaining prior consent.

Although there are no specific laws or regulations in Kuwait that require organisations to establish protocols for digital governance or fair data practice review boards or committees, some companies in Kuwait have voluntarily established such protocols as part of their corporate governance practices.

With the increasing importance of data privacy and security, companies in Kuwait have begun to recognise the importance of having a framework in place for managing digital technologies and data practices. Some companies have established internal committees or review boards in order to oversee data privacy and security and to ensure compliance with local laws and regulations. These committees are often responsible for reviewing the company’s policies and procedures related to data collection, storage, processing and sharing, as well as assessing the risks associated with emerging or disruptive digital technologies.

There are no publicly available details concerning any regulatory enforcement. Furthermore, as the Data Protection Regime is so new, it has yet to be tested in the courts. Please see 2.5 Enforcement and Litigation and 3.1 Laws and Standards for Access to Data for Serious Crimes.

It is worth noting that there is a growing focus on privacy and data protection in several countries in the Middle East. It is possible that Kuwait may follow suit in the future and introduce more robust legislation in this area.

In Kuwait, conducting due diligence is an essential part of corporate transactions, as it helps to identify and assess risks and potential liabilities associated with a company. The process involves a comprehensive review of the target company’s financial, legal and operational records, as well as its contracts, IP, and relationships with customers, suppliers and other stakeholders. The parties in a transaction typically execute a Letter of Intent that would include a confidentiality provision and other restrictive covenants. Thereafter, a virtual data room is established where the target would upload the documents requested by the buyers.

The following issues are typically relevant when conducting due diligence in corporate transactions in Kuwait:

  • legal and regulatory compliance;
  • corporate governance;
  • financial statements;
  • material contracts;
  • IP;
  • management and employment; and
  • litigation.

There is no requirement for making public disclosure regarding an organisation’s cybersecurity risk profile or experience.

There have been no developments or trends regarding the convergence of privacy, competition, and consumer protection in connection with the regulation of tech companies, digital technology or data practices in Kuwait. Although there is a growing awareness of the importance of these issues in Kuwait and throughout the Middle East, Kuwait has yet to implement any laws or policies specifically addressing these issues and is not considering (or subject to) any new laws or policies along the lines of the EU’s Digital Markets Act, Digital Services Act, or Data Act.

The following are among the significant issues faced by Kuwait in relation to data protection.

  • Lack of comprehensive data protection laws – the existing laws and regulations that touch on the collection, processing and sharing of personal data (by both public and private entities) are scattered across different pieces of legislation, making it challenging to enforce data protection standards in Kuwait.
  • Limited privacy rights – although Kuwaiti law provides some protections for personal data, there is limited protection for privacy rights, and this can create challenges in cases where personal data is shared or accessed without the consent of the individual concerned.
  • Inadequate data security measures – many organisations in Kuwait do not have adequate data security measures in place to protect personal data from unauthorised access, theft or other forms of data breaches, thereby leaving personal data vulnerable to misuse and abuse.
  • Lack of oversight and enforcement – there is a lack of effective oversight and enforcement mechanisms for data protection in Kuwait, which can make it difficult to hold organisations accountable for data breaches and other violations of data protection standards.

GLA & Company

Alex Saleh
Managing Partner

Kuwait +(965) 669 55516 / UAE +(971) 54 997 4040

alex.saleh@glaco.com www.glaco.com/attorneys/alex-saleh/