Contributed By GLA & Company
Legislations Enacted Prior to The Establishment of CITRA
Previously, the E-Commerce Law (Law No 20 of 2014) regulated the protection of private and public data of electronic records such as signatures, documents and payments. In addition, the Cybercrime Law (Law No 63 of 2015) was another previously enacted regulation that imposed fines and penalties in relation to the illegal dealing or possession of personal and governmental data.
New Developments and CITRA Establishment
The Data Protection Regulation issued upon Decision No 42 of 2021 by the Communications and Telecommunications Regulatory Authority (CITRA, or “the Authority”) was a new addition to the Kuwaiti regulation of data protection. It created obligations concerning data protection on public and private telecommunications service providers and any other industries engaged in the activities of collecting, processing or storing personal data – as well as the conditions necessary to engage in such activities.
In addition, the regulation widened the definition of ‘‘service provider’’. The scope was broadened in order to extend the traditional category of telecommunications service provider to include anyone operating (or directing a third party to operate) websites or applications. It also encompasses what is considered “cloud computing services” and any other services involved in collecting, storing and processing any personal data in any way.
The Data Protection Regulation applies to all service provided whether the actions involved in data storing, collecting and processing is done inside or outside Kuwait. In addition, the CITRA regulations grant prospective and existing customers the right to withdraw their consent to any form of use of their personal data and, upon the customer’s request, the service providers must accordingly dispose of and destroy all the associated user’s data in their possession.
However, it is important to note that the regulations do not apply to the respective state security authorities that hold data for the sole purpose of monitoring and maintaining peace, controlling existing and prospective crimes, and preventing external and internal threats to public security.
Furthermore, CITRA has issued the Data Classification Policy under Resolution No 95 of 2021. The Data Classification Policy classifies data into four distinct levels in order to provide guidance to entities that process, store and transfer data. It also provides specific guidelines regarding the dealing and storing of said data, depending on its classification level and sensitivity.
The Data Protection Regulation, together with the Data Classification Policy and the series of related CITRA-published guidelines, make up the framework of the Kuwait data protection regime (the “Data Protection Regime”). However, the E-Commerce Law and Cybercrimes Law remain in effect and still apply.
CITRA is the current regulator responsible for oversight of data protection in Kuwait pursuant to the Data Protection Regulation and Data Classification Policy. Further, CITRA’s jurisdiction is confined to its establishment law, Law No 37 of 2014 as amended by Law No 98 of 2015 (“the Law”), and its corresponding Executive Regulations issued under Decision 993 of 2015 (the “Executive Regulations”).
The Central Agency for Information Technology (CAIT) supervises the implementation of the regulations and policies issued by CITRA.
The Electronic and Cyber Crime Combating Department (ECCCD) is a specialised department within the Ministry of Interior in Kuwait that is responsible for enforcing Kuwait’s cybercrime laws and investigating cyber-related crimes. The ECCCD’s main focus is to protect Kuwait’s economy and national security – along with the well-being of its citizens and residents – by combatting cybercrime and enhancing cybersecurity. The ECCCD is responsible for receiving complaints related to cybercrime, conducting investigations, and working with other governmental and non-governmental organisations to combat cyberthreats. The department is also responsible for raising awareness about cyberthreats and providing guidance on how to stay safe online.
Relevant Provisions in Relation to Audits and Investigations
Law 37 of 2014 as amended by Law No 98 of 2015
CITRA is empowered under the law to collect information relevant to the telecommunications and IT sectors and issue any reports, bulletins and guidelines to users. It also prepares the necessary media programmes to increase public awareness of the importance attached to these sectors and the extent of their influence on social and economic development in the state of Kuwait.
Pursuant to Article 15 of the Law, all service providers or licensees who are authorised to own or operate telecommunications networks or use wireless waves must adjust their internal policies and rules to any extent necessary to achieve compliance with the provisions of the Law, no more than one year from the date of publication of CITRA’s Executive Regulations.
Pursuant to Article 49 of the Law, if CITRA receives any complaint about the licensee’s default in the performance of their obligations or a dispute between the licensee and the beneficiary users in relation to the quality and standard of the service being provided or any violations of the licence conditions, CITRA may investigate the complaint reasons and make a decision to either keep the file or notify the licensee to remove the violation within 90 days.
Under Article 52 of the Law, CITRA must decide with the licensee upon the procedures of any investigations into complaints, as well as the procedures for the licensee to follow when complaints are received by them.
Under Article 54 of the Law, CITRA must ensure that the licensee complies with all the provisions of the Law and may take any actions it deems necessary in order to do so, such as:
Lastly, under the Law, CITRA must also guarantee compliance with any international, regional and bilateral agreements that Kuwait is party to.
Under their Executive Regulations, CITRA may refer to other competent authorities if – following investigation(s) – there are reasons to suspect a criminal offence. Employees of CITRA are empowered to monitor the implementation of the Authority’s laws and regulations. To this end, they have the right to enter places in order to inspect and control any unlicensed communications devices where the following are known or suspected to be present:
In the process of doing so, the employees are empowered to:
Chapter 6 of the Executive Regulations delineates the conditions and processes necessary for the investigation of grievances or disputes submitted to CITRA – by forming a Dispute Resolution Committee.
Formation of the Dispute Resolution Committee
Under Article 33 of the Executive Regulations, the chair of the Authority must form a committee from outside the Authority (“the Committee”) to resolve disputes between service providers and the beneficiaries and decide on the grievances and complaints submitted to the Authority (including those in relation to other service providers).
Conduct of the Committee
Per Article 34 of the Executive Regulations, the Committee must conduct its activities in accordance with the following rules.
Decision of the Committee
Pursuant to Article 35 of the Executive Regulations, the Authority – following the direction of the Committee – must decide the disputes or grievances presented before it by coming to a reasoned decision within one month of the date of submission of the dispute (if it did not escalate to the Committee) or grievance/dispute writ. The Authority must then notify the concerned parties of its decision within a week of the date of its issue.
Appeal and Referral to Judiciary
Under Article 37 of the Executive Regulations, if the decision(s) of the Authority is challenged before the judiciary, the relevant competent department at the Authority must prepare a technical report on the dispute or grievance to be submitted to the chair of the board of directors for approval before the conclusion of the report.
It is worth noting here that Article 55 of the Law makes the decisions of the Committee binding on the parties involved in the dispute/grievance. In addition, grievances against decisions may be referred to the judiciary, but not before resorting to the Committee first ‒ with the objectionable issues submitted before the judiciary attached to the technical report concluded by the Authority.
GDPR and Impact on Kuwait Companies
By virtue of the Law, CITRA shall also guarantee compliance with any international, regional, and bilateral agreements that Kuwait is party to. This means that companies operating in Kuwait that process or store or collect personal data which is EU-based may also be subject to the General Data Protection Regulations (GDPR).
Besides the above-mentioned overlap between the Data Protection Regime and the GDPR, the authors are not aware of any efforts for the implementation of any relevant multilateral obligations.
Data protection NGOs and industry self-regulatory organisations do not exist in Kuwait. All regulatory authorities in this respect are governmental.
Similarities with the GDPR
It should first be noted that the Data Protection Regime seems to loosely resemble the EU’s GDPR in the following respects:
Users’ Rights and Data Protection Under the Data Protection Regime
The issuance of the Data Protection Regime, which applies to the public and private sectors in Kuwait, has been a much-needed milestone in the area of data protection in relation to service providers. The provisions adopted under the Law use the guidance of internationally approved standards in regulating the relationship between the service provider and the user, which was otherwise non-existent in Kuwait.
CITRA Cloud Computing Regulatory Framework
The issuance of this framework was also an important achievement in the field of Kuwaiti data protection. This framework brought about definitions for types of cloud computing service providers, data classification, cybersecurity, and main jurisdiction location(s) of storage of data, among other things.
CITRA Regulations to Protect the Rights of Technology Users
CITRA issued guidelines regarding users’ rights protection and regulation of the communications and IT services in late April 2022. Pursuant to these guidelines, users must give explicit oral, electronic or written consent to receiving messages or communications when subscribing. The service provider must keep a record of the subscriber’s consent to promotional messages and must keep a database to regulate unwanted messages by the subscriber(s) upon request(s) of such.
Kuwait’s Digital Transformation
In early 2023, the Kuwaiti cabinet was briefed on the partnership signed with Google Cloud in anticipation of a digital transformation of the ways in which governmental bodies operate. The deal is seen as highly advantageous, as it will transform the ways in which state-run entities engage in the activities of cybersecurity, data analysis and AI, all as part of Kuwait’s 2035 vision. Google will set up a local office, open multiple data centres that provide organisations the ability to host data/resources within the Google Cloud in Kuwait, and support the government migrating its system onto the cloud.
Google Cloud shall work with CAIT to provide dedicated training programmes for all governmental employees on the inner workings of the programme. This may have implications for the mechanisms and frameworks established for the use and storage of sensitive data in relation to the maintenance of territorial peace and security.
User Rights Protection and Regulation of Communications and IT Services
Collection of data
Under Article 2, the service provider must prepare relevant rules and mechanisms for the sale of its service either through means of electronic transaction or through telephone communication. The Authority must approve the rules and mechanisms or any amendments to existing contracts of sale in advance, which includes the relevant data collection and storage. Pursuant to Article 3.16, in case of any such amendment, before any enforcement can take place:
Under Article 3.3, the licensee or the authorised distributor of this telecommunications service must verify the validity of the personal information provided by the users of said services, and such proof of information (in the form of civil ID, passport or driving licence) may be certified by competent governmental bodies.
Under Article 3.4, before executing the service contract, the mechanism(s) for cancelling the service and any variation(s) to the contractual terms of service must be clearly stipulated.
Under Article 3.6, the licensee or service provider must open an electronic file in which all the information and documents and complaints pertaining to any user(s) are safely stored.
Duties of the service provider upon users’ request of cancellation of service
Under Article 4, the service provider must facilitate the mechanisms or procedures for such cancellation of service. Neither the licensee nor the service provider may bind the subscriber with a minimum limit of the service contract term, unless this is approved by the Authority. Upon the subscriber’s request to cancel the service, the licensee or the service provider must verify the identity of the subscriber applying for cancellation.
Dealing with data
Per Article 6, service providers must adhere to:
Data Classification Policy
Pursuant to the Data Classification Policy, it is the responsibility of public and private sector entities when classifying their data (and the personal data of the individuals in their possession) to – among other requirements – assign a designated employee to communicate and provide CAIT with quarterly reports on the extent to which this internal policy is being implemented.
CITRA Cloud Service Providers and Regulations and Commitments
Types of information collected by cloud service providers
Pursuant to the regulations concerning PaaS and SaaS model providers in Article 2, the types of information that the cloud service providers may obtain from users can include and is not limited to:
Obligations in dealing with information
In accordance with the regulations concerning Paas and Saas model providers located in Article 2, the service provider must describe to the user all information that needs to be collected and what information will be collected automatically (and where to access and amend such). Following data collection, the service provider must explain to the user where and how such information may be used.
The service provider may not use this information to locate the identity of the user. The service provider must also inform users of any third-party providers that operate certain services on their behalf – as well as of their privacy policies – for the purpose of always maintaining transparency. The service provider commits to not sharing, disposing of, or selling the user(s)’ information with third parties; however, for purposes of improving the service and customer experience, they may be granted access to the user(s)’ names, address, phone number, and email. In any case, the user must be informed of such.
The user(s) must be notified immediately of any data relocation to new owners as a result of M&A, liquidation or dissolution.
The service provider must be efficient, competent and equipped to detect any fraud, security threats or technical problems.
CITRA Cloud Computing Regulatory Framework
Dealing with data
Under Article 4, Tier 3 and Tier 4 data may not be stored outside the state of Kuwait, and service providers may not use a shared or a hybrid cloud to store this type of information unless such is licensed by the Authority. Cloud providers must also notify users within a period of no more than 72 hours of a security breach and, accordingly, must have established safeguard mechanisms in place with regard to disaster recovery and risk management. Under the same provision, the provider must grant its users the technical means through which to access the given information and the process by which to amend such.
Under Article 6, the service contract must clearly stipulate the protocol of action and notification in the event that a security breach occurs.
Cancellation of service
Under Article 6, the service provider must guarantee in their service contracts certain clauses that relate to the cancellation of the user(s)’ service. The user(s) must be provided with a copy of their cloud computing content saved at the time of termination; otherwise, upon the request of the user, their content may be transferred to their other chosen cloud provider. Upon such handover of transferral of content, the cloud provider must delete any and all content or information related to the user present on its own platform(s).
Unfair contract terms
Under Article 7, the cloud computing service providers may not exclude any liability (extending to actions by individual employees) in their service contract in relation to the damage, loss or tampering with the user’s information and content – unless stipulated that this may happen unintentionally or in the event of a security breach.
Disclosure of data
Under Article 4.3.4, the service provider may only disclose the user’s content or data by:
The Law and the Executive Regulations
Under Article 51, telephone calls and private communications are classed as confidential matters that may not be violated. The only exception to this is by an approval solely granted by a competent judicial authority in the state of Kuwait.
Under Article 46, the trade, sale or display for sale of bugging devices is strictly prohibited. The only exception to this is that governmental authorities (as defined by a decree) are permitted to own bugging devices for the purpose of maintaining national security and peace. Even in such circumstances, the delegated authorities may only use these devices with consent granted by the public prosecutor’s office in accordance with the terms, conditions and procedures set forth in the Kuwaiti Procedures Law.
Data Classification Policy
The governing regulation is CITRA’s Data Classification Policy, which classifies different types of data according to the sensitivity of its content.
Classification of data and specifics
Data storing methods
As previously mentioned, under Article 3, the owner of the data must classify such into at least four different levels according to their contents. If a separate classification system is used, it must be unified to match the data classification tier outlined earlier. Governmental entities are exempt from this and may choose to classify data in any manner they see fit.
The data owner is free to choose their data protection methods according to their data classification, retention, collection, and processing schemes. The data owner must also ensure the availability and adoption of certain safeguards and protections necessary for the storage of such data – specifically, data labelled under Tier 3 and Tier 4.
The owner of the data is also mandated with creating a data catalogue that contains standards of data storage in a unified format. The data owner must encrypt all data classified under Tier 3 and Tier 4 when transferring such data from one governmental authority or private entity to the other (or across geographical locations). Classified data under the aforementioned tiers must be transferred or removed before the data server is disposed of.
Obligations of CITRA
Lastly, under Article 3, CITRA has an obligation to ensure private and public entities’ compliance with the policy. It is also empowered to request periodic reports from CAIT. Such reports must contain a catalogue of all the types of data in possession, the approved tier classification system of data and reasons for adopting such, and the locations of the stored data according to the adopted classification tiers.
Regulations and Commitments of Cloud Service Providers
The cloud service provider may not use this data to locate the identity of the user and must always make available the types of cookies used by it or by external parties on any platform the service operates on.
User Rights Protection and Regulation of Communications and IT Services
In accordance with Article 12 of the CITRA guideline mentioned in 2.1 Omnibus Laws and General Requirements, the service provider must have a database in which the reception of spam messages is ceased upon the request of the user. Service providers sending messages for commercial purposes must only do so between the hours of 07:00 and 22:00 Kuwait time.
Pursuant to Article 14 of the above-mentioned CITRA guideline, the marketing practices of service providers must not exploit any consumer or groups on account of their weaknesses, disabilities, ages, or lack of knowledge. They must also not use any means of fraud or deception in the advertisement of their products and services.
When it comes to receiving marketing communications or calls, the service provider or the licensee must have duly verified the identity of the recipient user. At the beginning of the communication/call, the service providermust:
Regulations and Commitments of Cloud Service Providers
There are no special regulations that deal explicitly with workplace privacy. That being said, there are certain aspects of the relationship between data protection and workplace privacy that should be noted.
The responsible authority is the Ministry of Social Affairs and Labour. Please also refer to the Explanatory Memorandum to Law No 6/2010 (Labour in the Private Sector) as amended.
Monitoring of Workplace Communications
Law No 9/2001 Regarding Misuse of Telecommunications and Wire Taps Sets governs the matter in question. However, there is no specific rule applicable to employee monitoring.
Recordings of telephone conversations may be carried out by employers to deal with any grievances from customers or clients in order to ensure that the calls are dealt with professionally and for the purposes of training only. In some situations, such recordings may be carried out and reproduced for legal purposes upon order of the competent court in the event of a situation occurring between third parties and company employees.
There are no applicable laws in place for monitoring employees’ emails in Kuwait. Private life cannot be violated; therefore the monitoring and recording of such information is considered to be an infringement of rights and a violation of confidentiality, which is guaranteed to individuals under the Kuwaiti Constitution. The courts of Kuwait aim to protect citizens and expatriates from all such violations. The employer can draw up a set of rules and regulations that may govern such monitoring for the purpose of safeguarding their interests. However, they should restrict it to the official work areas and not infringe on privacy rights, including the protection of personal emails. Such rules and regulations will need to be drawn up and made available to the employee in a handbook that is often provided to newly joined employees for them to understand and abide by.
Violations of CITRA rules
Under Article 61 of the Law, if it is found following an inspection by CITRA that a violation – or suspected violation – of its laws was committed, then it must instruct the public prosecutor’s office to adopt the appropriate measures.
However, under Article 63, the board of CITRA may accept reconciliation of the violations of its laws or regulations and accept a cash penalty of no less than twice the amount of the fine(s) stipulated in the Law before a referral to the public prosecutor’s office. Such violations include:
Claim for compensation (Article 81)
It should be noted that the above-described penalties do not prejudice any person to claim for direct compensation as a result of such actions. Due to the Data Protection Regime being so new, it has yet to be tested in the courts.
According to Article 32 of the E-Commerce Law, government authorities, public authorities, institutions, companies, and non-governmental entities (or their employees) are prohibited from unlawfully accessing, disclosing or publishing personal data or information registered in records or electronic processing systems – unless there are legal permissions, the approval of the person concerned, or a reasoned court decision. This applies to personal data related to professional affairs, social status, health status, financial disclosure or other personal data registered with the relevant bodies or their employees.
Under Article 70 of the Law, using telecommunications to send threats, immoral or humiliating messages, or made-up events for the purpose of causing panic is punishable either by imprisonment of no more than two years or a fine of no more than KWD5,000. In addition, intentionally defaming anyone by engaging in non-consensual capturing or usage of pictures or videos (or the falsifying of such) is punishable either by a prison term of no more than two years or a fine of no more than KWD5,000 and no less than KWD500. Furthermore, sending immoral or indecent materials by any means (eg, messages, videos or pictures) will be punished by either a prison term of no more than three years or a fine of no more than KWD5,000 and no less than KWD500.
If any of the acts described in the preceding two paragraphs are accompanied by blackmail in relation to the above-mentioned materials, it is punishable by either up to ten years in prison or a fine not exceeding KWD10,000.
Please see 3.1 Laws and Standards for Access to Data for Serious Crimes.
Usually, governmental agencies – in particular, law enforcement agencies – do not require any judicial approvals to access individuals’ data for intelligence, anti-terrorism or other national security purposes. Moreover, most of the data is retained in centralised systems to which the agencies already have access. There are no specific requirements to obtain any judicial approvals for governmental agencies to request data from other governmental agencies. There are no specific laws that govern this particular scenario.
Please note that depending on the sensitivity of the information (ie, Tier 3 and 4), certain approvals may be required.
The laws in Kuwait do not consider a foreign government access request to be a legitimate basis for transferring personal data. The situations in which personal data may be transferred outside Kuwait are discussed in 4 International Considerations. It is generally not permissible for an organisation to invoke a foreign government access request as a legitimate basis upon which to collect and transfer personal data – unless there is a legal basis under the local laws for such transfer.
Kuwait has not participated in any Cloud Act agreements with the USA to date.
Kuwait, like many other countries, faces several conflicts and public debates concerning government access to personal data. The following are among the key issues in relation to privacy.
Civil ID Cards
The Kuwaiti government has mandated the use of a national ID card for all citizens and residents. However, there have been concerns about the amount of personal information collected on the card and the potential for misuse of this information.
Health Data Collection
The Kuwaiti government has also been collecting health data from citizens and residents, particularly during the COVID-19 pandemic. Although this data can be useful for public health purposes, there are concerns about the privacy implications of such data collection.
Kuwait’s Data Protection Regime is not comprehensive in nature, which means that there are weak legal protections for citizens and residents in relation to their personal data. This has led to calls for stronger privacy regulations and protections.
Conflict With Human Rights
The collection and use of personal data by the government in Kuwait has been seen as potentially being in conflict with human rights, including the right to privacy and freedom of expression. The right to privacy is recognised as a fundamental human right under international law and, as such, is protected by numerous human rights treaties and conventions. The UN Human Rights Committee, for example, has stated that “the collection and retention of personal data must be regulated by law” and that “the law must be adequate to provide effective safeguards against arbitrary interference with an individual’s privacy”.
In addition to privacy concerns, the collection and use of personal data by the government can also have an alarming effect on freedom of expression. If individuals believe that their online activity or communications are being monitored by the government, they may be less likely to express themselves freely or engage in political or social activism.
Transfer Restriction on Tier 3 and Tier 4 Classification
There are restrictions on international data transfers of personal information, especially those classified as Tier 3 and Tier 4 under the Data Classification Policy. As stated previously, the Data Protection Regulation applies to public and private service providers who collect, process and store personal data – whether the processing is carried out inside or outside Kuwait.
Article 6 of the Data Protection Regulation states that a service provider must collect and process data during and after providing a service, according to certain conditions. If the service provider intends to transfer a subject’s personal data outside Kuwait, they must notify the data subject in accordance with the Data Classification Policy.
Further, the Data Classification Policy imposes restrictions on the transfer of personal information classified as Tier 3 and Tier 4. Such data must be encrypted during transmission from one government entity to another or when transmitted between different physical geographical locations of government entities – and this applies to the private sector as well. Hence, encrypted data may not be transferred internationally.
The Cloud Computing Regulatory Framework policy (CCRF) issued by CITRA sets out restrictions on international data transfers of personal information. Subscribers to cloud computing services in Kuwait must ensure that certain types of data ‒ such as data classified under Tier 3 and Tier 4, government entity data, and personal data of individuals held with government agencies, private sector companies, or service providers – are not hosted or stored outside Kuwait unless the data classification policy and Chapter 3 of the CCRF on data classification allow for it. However, Chapter 3 of the CCRF permits data transfer outside Kuwait for cloud computing services, provided that the appropriate level of information security is chosen by the cloud computing services’ subscribers and the data being transferred is not classified as Tier 3 and Tier 4 level data.
Private and public sector subscribers have an obligation not to store or host individuals’ personal data or government entities’ data that falls within the Tier 3 and Tier 4 levels of data classification in the data centre and cloud computing environment of cloud computing service providers located outside Kuwait. The only exception is if a hybrid cloud is used and the data classified as Tier 3 is within the borders of Kuwait.
Consent Requirement for Transfer of Tier 1 and Tier 2 Data
Providers of cloud computing services in Kuwait are required to obtain written consent from the subscriber if they want to transfer or copy a subscriber’s data outside Kuwait. However, this consent only applies to data classified as Tier 1 or Tier 2, as data classified as Tier 3 or Tier 4 cannot be transferred or stored outside Kuwait.
Article 5 of the Data Protection Regulation stipulates that data collection and processing is only allowed with the data subject’s consent in order to comply with legal obligations and to protect the data of individuals or legal entities – or if the identification of the data subject is not necessary for the service provider’s purpose. The data subject can withdraw their consent at any time, whereupon the service provider must facilitate this and delete the processed data upon request.
Furthermore, Article 32 of the E-Commerce Law provides that government authorities, public entities or agencies, companies and non-governmental entities or authorities may not access, disclose or publish any personal data or information kept or documented on electronic data processing systems if such data relates to a person or their job, social biography, health condition or financial status – or other personal information kept by or filed with any entity or authority listed in the law. This general restriction may be overcome with the consent of the data owner (or their legal representative) or where disclosure is authorised by a court order.
In summary, personal information may only be transferred internationally if it is classified as Tier 1 or Tier 2 and the data owner gives their written consent for the transfer. However, personal information classified as Tier 3 and Tier 4 must not be transferred internationally. Data processors must comply with the regulations regarding data classification, encryption and disclosure imposed by the Data Protection Regulation and the CCRF policy issued by CITRA.
Kuwait does not have any specific mechanisms or derogations for international data transfers in place that resemble those provided by APEC or other multilateral frameworks. However, under the Data Protection Regulation, service providers are required to obtain the data subject’s consent before disclosing their personal data to any affiliate company or third party for any marketing purposes not directly related to the provision of telecommunications and IT services requested by the person concerned. Additionally, appropriate security measures must be implemented to protect the personal data of any person against loss, damage, disclosure or hacking by an unauthorised third party.
In practice, many companies in Kuwait use standard contractual clauses or binding corporate rules to ensure compliance with data protection requirements when transferring personal data outside of the country. Companies may also rely on the individual’s consent to the transfer, provided that the consent is informed, specific and given freely. However, it is important to note that data protection laws under the Data Protection Regime and the E-Commerce Law may impose certain limitations on the use of consent as a basis for data transfers and, of course, such consent must be given freely and obtained in a manner that is specific and informed.
There are no express government notifications or approvals required to transfer data internationally. However, please see 4.1 Restrictions on International Data Issues for further detail.
As mentioned in 4.1 Restrictions on International Data Issues, there are data localisation requirements for certain types of data. The following types of data must not be hosted or stored outside Kuwait–
Data classified as Tier 3 or 4 must be hosted and stored within Kuwait. In order to comply with these requirements, Section 4.2 of the CCRF policy outlines several obligations for subscribers and providers of cloud computing services in Kuwait. Subscribers must ensure that certain types of data are not hosted or stored outside Kuwait and providers must disclose the location and technical information of their data centres in Kuwait (and in other countries where they process or transmit data of subscribers in Kuwait).
Registered service providers who are licensed by CITRA must obtain written consent from subscribers before transferring or copying data outside of Kuwait. However, this requirement only applies to data that does not fall within the Tier 3 and Tier 4 level of data classification. Hence, only data classified as Tier 1 or 2 can be transferred or stored outside of Kuwait with the consent of the data owner.
Additionally, the Data Protection Regulation lists the following very specific conditions for public and private service providers during their collection and processing of data–
Currently, there are no legal requirements to share any software code, algorithms or similar technical details with the government.
There are express limitations or considerations with regard to foreign government data requests or foreign litigation proceedings or internal investigations. The limitations or considerations concerning international transfer of personal data are discussed in 4.1 Restrictions on International Data Issues and 4.2 Mechanisms or Derogations that Apply to International Data Transfers.
Kuwait has several laws and regulations related to blocking or censoring web content, some of which concern privacy and data protection. The following are among the key examples.
Additionally, among other prohibited content, CITRA receives requests to block web content in Kuwait that violates the public interest (including public morals, Islamic faith teachings, and public order). If CITRA receives a request to block or unblock web content, it will take the necessary actions to block web content that contains any prohibited content or unblock web content in case of an error in classifying the content as prohibited.
In Kuwait, domestic entities in regulated industries are beginning to use AI, while multinational targeted advertising companies have been using it for some time. However, there are two primary legal risks and compliance issues for entities in Kuwait looking to incorporate AI into their businesses. The first issue is that using AI for business purposes requires the use of large amounts of data, which often needs to be outsourced to foreign entities, leading to potential data breaches and cybersecurity risks. The second issue is that Kuwait does not have a comprehensive data protection law and is therefore exposed to cybersecurity risks.
Another issue is the limitation on data transfers, as described in 4.1 Restrictons on International Data Issues, 4.3 Government Notifications and Approvals and 4.4 Data Localisation Requirements, whereby certain tiers of data cannot be transferred internationally.
Unmanned Aircraft Systems
The Directorate General of Civil Aviation (DGCA) is the regulatory body concerning registration of unmanned aircraft systems (UAS)/drones in Kuwait. The DGCA registers the following three types of users of UAS/drones:
Prior permission must be obtained from the DGCA to operate drones for commercial purposes. The following activities are strictly prohibited:
Although there are no specific laws or regulations in Kuwait that require organisations to establish protocols for digital governance or fair data practice review boards or committees, some companies in Kuwait have voluntarily established such protocols as part of their corporate governance practices.
With the increasing importance of data privacy and security, companies in Kuwait have begun to recognise the importance of having a framework in place for managing digital technologies and data practices. Some companies have established internal committees or review boards in order to oversee data privacy and security and to ensure compliance with local laws and regulations. These committees are often responsible for reviewing the company’s policies and procedures related to data collection, storage, processing and sharing, as well as assessing the risks associated with emerging or disruptive digital technologies.
There are no publicly available details available concerning any regulatory enforcement. Furthermore, as the Data Protection Regime is so new, it has yet to be tested in the courts. Please see 2.5 Enforcement and Litigation and 3.1 Laws and Standards for Access to Data for Serious Crimes.
It is worth noting that there is a growing focus on privacy and data protection in several countries in the Middle East. It is possible that Kuwait may follow suit in the future and introduce more robust legislation in this area.
In Kuwait, conducting due diligence is an essential part of corporate transactions, as it helps to identify and assess risks and potential liabilities associated with a company. The process involves a comprehensive review of the target company’s financial, legal and operational records, as well as its contracts, IP, and relationships with customers, suppliers and other stakeholders. The parties in a transaction typically execute a Letter of Intent that would include a confidentiality provision and other restrictive covenants. Thereafter, a virtual data room is established where the target would upload the documents requested by the buyers.
The following issues are typically relevant when conducting due diligence in corporate transactions in Kuwait:
There is no requirement for making public disclosure regarding an organisation’s cybersecurity risk profile or experience.
There have been no developments or trends regarding the convergence of privacy, competition, and consumer protection in connection with the regulation of tech companies, digital technology or data practices in Kuwait. Although there is a growing awareness of the importance of these issues in Kuwait and throughout the Middle East, Kuwait has yet to implement any laws or policies specifically addressing these issues and is not considering (or subject to) any new laws or policies along the lines of the EU’s Digital Markets Act, Digital Services Act, or Data Act.
The following are among the significant issues faced by Kuwait in relation to data protection.