Legislation Currently in Place

The Electronic Transactions Law under Law No 20 of 2014 (“E-Transactions Law”) and its Implementing Regulations under Decision No 48 of 2014 (“Regulations”) currently regulate the protection of private and public data of electronic records such as signatures, documents and payments. The E-Transactions Law applies to electronic records, documents and information linked to civil, commercial or administrative transactions conducted via electronic methods, either in part or in full. An electronic record resulting from these transactions comprises data or information that is produced, stored, extracted or copied, either entirely or partially, using electronic means on an electronic medium.

In addition, the Cybercrime Law under Law No 63 of 2015 imposes fines and penalties in relation to the illegal dealing or possession of personal and governmental data.

New Developments Regarding Data Privacy Protection Regulation

The latest amendments to the Data Privacy Protection Regulation (DPPR) Decision No 42 of 2021, introduced by Decision No 244 of 2023, have notably narrowed the legal framework of the DPPR, which now only applies to individuals and entities operating as service providers and licensees in the telecommunications sector (“Licensees”), possessing licences issued by the Kuwait Telecommunications and Information Technology Regulatory Authority (CITRA). The DPPR defines Licensees as entities or individuals that provide telecommunications services to the public, or that manage, establish or operate telecommunications networks or provide internet services for telecommunications purposes. In addition, the DPPR creates data protection obligations for Licensees engaged in the activities of collecting, processing or storing personal data – as well as the conditions necessary to engage in such activities.

Moreover, the DPPR applies to actions involved in data storage, collection and processing performed inside or outside Kuwait. The CITRA regulations grant Licensees' prospective and existing customers the right to withdraw their consent to any form of use of their personal data; upon the customer’s request, the Licensees must accordingly dispose of and destroy all the associated user’s data in their possession.

However, it is important to note that the regulations do not apply to the respective state security authorities that hold data for the sole purpose of monitoring and maintaining peace, controlling existing and prospective crimes, and preventing external and internal threats to public security.

Furthermore, CITRA has issued the Data Classification Policy (“Policy”) under Resolution No 95 of 2021, which classifies data into four distinct levels to provide guidance to entities that process, store and transfer data. It also provides specific guidelines regarding the dealing and storing of said data, depending on its classification level and sensitivity.

CITRA and the Central Agency for Information Technology (CAIT) are the regulators responsible for overseeing data protection in Kuwait pursuant to the E-Transactions Law and the DPPR. CITRA was established under Law No 37 of 2014 (“CITRA Law”) and CAIT was established under Law No 266 of 2006 (“CAIT Law”).

Furthermore, the Electronic and Cyber Crime Combating Department (ECCCD) is a specialised department within the Ministry of Interior in Kuwait that is responsible for enforcing Kuwait’s cybercrime laws and investigating cyber-related crimes. The ECCCD’s main focus is to protect Kuwait’s economy and national security – along with the well-being of its citizens and residents – by combatting cybercrime and enhancing cybersecurity. The ECCCD is responsible for receiving complaints related to cybercrime, conducting investigations and working with other governmental and non-governmental organisations to combat cyberthreats. The department is also responsible for raising awareness about cyberthreats and providing guidance on how to stay safe online.

Relevant Provisions in Relation to Audits and Investigations

CITRA Law

The CITRA Law empowers CITRA to collect information relevant to the telecommunications and IT sectors and to issue any reports, bulletins and guidelines to users. It also prepares the necessary media programmes to increase public awareness of the importance attached to these sectors and the extent of their influence on social and economic development in the state of Kuwait.

Pursuant to Article 15 of the CITRA Law, all Licensees must adjust their internal policies and rules to any extent necessary to achieve compliance with the provisions of the CITRA Law, no more than one year from the date of publication of the CITRA Law's Executive Regulations. However, under CITRA Decision 68 of 2022, the adjustment period was extended for another 24 months from 13 February 2022.

Pursuant to Article 49 of the CITRA Law, if it receives any complaint about a Licensee’s default in the performance of its obligations or a dispute between a Licensee and beneficiary users in relation to the quality and standard of the service being provided or any violations of the licence conditions, CITRA may investigate the complaint and make a decision to either keep the file or notify the Licensee to remove the violation within 90 days.

Under Article 52 of the CITRA Law, CITRA must decide with the Licensee upon the procedures of any investigations into complaints, as well as the procedures for the Licensee to follow when complaints are received about it.

Under Article 54 of the CITRA Law, CITRA must ensure that the Licensee complies with all the provisions of the CITRA Law and may take any actions it deems necessary in order to do so, such as:

• conducting physical examination(s) of the network and telecommunications devices;
• examining the Licensee's technical records to ensure invoices and records are accurate;
• assuring the quality of the services and complaint procedures provided to clients; and
• reviewing the maintenance and failure records of the Licensee to ensure the management service is efficient.

Lastly, under the CITRA Law, CITRA must also guarantee compliance with any international, regional and bilateral agreements to which Kuwait is party.

Executive Regulations of the CITRA Law under Decision No 933 of 2015 (“CITRA Regulations”)

Under the CITRA Regulations, CITRA may refer to other competent authorities if – following investigation(s) – there are reasons to suspect a criminal offence. Employees of CITRA are empowered to monitor the implementation of CITRA's laws and regulations. To this end, they have the right to enter places in order to inspect and control any unlicensed communications devices where the following are known or suspected to be present:

• devices or networks;
• communications facilities; and/or
• all or part of the infrastructure used in the communications service.

In the process of doing so, the employees are empowered to:

• request and examine the Licensee's licences, records and documents;
• examine and view any communications equipment related to the provision of the service; and
• view any form of information or documents related to the provision of the services.

Chapter 6 of the CITRA Regulations delineates the conditions and processes necessary for the investigation of grievances or disputes submitted to CITRA, by forming a Dispute Resolution Committee.

Formation of the Dispute Resolution Committee

Under Article 33 of the CITRA Regulations, the chair of the Authority must form a committee from outside the Authority (“Committee”) to resolve disputes between Licensees and beneficiaries and decide on the grievances and complaints submitted to CITRA (including those in relation to other Licensees).

Conduct of the Committee

Under Article 34 of the CITRA Regulations, the Committee must conduct its activities in accordance with the following rules:

• one registrar must be appointed and designated to record the disputes received by CITRA and another one must be appointed to record the grievances;
• grievances must be submitted within 30 days of the date of notification of the action or decision by the Licensee to which the grievance relates;
• a grievance/dispute writ must comprise the details of the grievance/dispute, the grievant/claimant and the respondent; and
• the secretary must present the writ on the dispute to the chair of the board to set a hearing date to consider such.

Decision of the Committee

Pursuant to Article 35 of the CITRA Regulations, CITRA – following the direction of the Committee – must decide on the disputes or grievances presented before it by coming to a reasoned decision within one month of the date of submission of the dispute (if it did not escalate to the Committee) or grievance/dispute writ. The Authority must then notify the parties concerned of its decision within a week of the date of its issue.

Appeal and Referral to Judiciary

Under Article 37 of the CITRA Regulations, if a CITRA decision is challenged before the judiciary, the relevant competent department at CITRA must prepare a technical report on the dispute or grievance to be submitted to the chair of the board of directors for approval before the conclusion of the report.

It is worth noting here that Article 55 of the CITRA Law makes the decisions of the Committee binding on the parties involved in the dispute/grievance. In addition, grievances against decisions may be referred to the judiciary, but not before resorting to the Committee first ‒ with the objectionable issues submitted before the judiciary attached to the technical report concluded by CITRA.

E-Transactions Law

Articles 40–42 of the E-Transactions Law confer exclusive investigative and prosecutorial authority to the Kuwaiti Public Prosecution for all crimes outlined in the E-Transactions Law and related offences.

Designated personnel appointed by CAIT are granted judicial officer status to oversee the enforcement of the E-Transactions Law, the Regulations and associated decisions. They are empowered to compile reports in case of violations and forward them to the Public Prosecution for further action. The Public Prosecution may consider a reconciliation request from a first-time offender of the specified crimes, provided the accused submits the request and pays KWD1,000 to the court treasury before the case is formally referred for prosecution.

Cybercrime Law

Under Article 17 of the Cybercrime Law, the Kuwaiti Public Prosecution has the exclusive authority to investigate, take action and prosecute all crimes outlined in the Cybercrime Law.

Article 12 allows the court to exempt offenders from punishment if they voluntarily report the crime to competent authorities before its execution, with a conditional exemption for a crime that is reported after discovery but before the investigation only if the reporting aids in apprehending other culprits in a case with multiple offenders.

GDPR and Impact on Kuwait Companies

By virtue of the CITRA Law, CITRA shall also guarantee compliance with any international, regional and bilateral agreements to which Kuwait is party. This means that companies operating in Kuwait that process, store or collect personal data that is EU-based may also be subject to the General Data Protection Regulation (GDPR).

Besides the above-mentioned overlap between the DPPR and the GDPR, the authors are not aware of any efforts towards the implementation of any relevant multilateral obligations.

At the time of writing, data protection NGOs and industry self-regulatory organisations are not present in Kuwait; all regulatory authorities in this respect are governmental.

Similarities with the GDPR

It should first be noted that, in most material respects, the E-Transactions Law and the DPPR loosely resemble the EU’s GDPR in the following respects.

• Transparency in collecting users’ information:
1. PaaS and Saas Regulations located under Article 2 of CITRA’s Cloud Service Providers Regulations and Commitments – sub-section 5.6, in particular – relate to the use of third-party services; and
2. Article 32 of the E-Transactions Law.
• Rectification and erasure of certain information at the request of the subscriber/user:
1. Article 4 of the User Rights and Data Protection Law of CITRA; and
2. Article 36 of the E-Transactions Law and Article 25-26(1) of the Regulations.
• Disclosure to users of transfers of personal data to third countries or international organisations (data protection classification and the need to disclose to users the transfer of information to new entities as a result of acquisitions or mergers):
1. Article 4.2 of the Cloud Computing Regulatory Framework (“Framework”); and
2. Article 32 of the E-Transactions Law.
• Rights to lodge complaints with the supervisory board: Chapter 6 of the CITRA Regulations.
• Penalties for violation(s) of the CITRA Law:
1. Chapter 10 of the CITRA Law; and
2. Chapter 8 of the E-Transactions Law.

Users’ Rights and Data Protection Under the Data Protection Regime

The issuance of the DPPR, which applies to Licensees in Kuwait, has been a much-needed milestone in the area of data protection in relation to Licensees. The provisions adopted under the CITRA Law use the guidance of internationally approved standards in regulating the relationship between the Licensee and the user, which was otherwise non-existent in Kuwait.

Such needed provisions include the regulation and conditions of spam messaging and marketing methods adopted by Licensees, dealings in and the protection of personal data (particularly from third parties), the use of cookies, unfair contract terms and complaint procedures ‒ to name a few.

Framework

The issuance of the Framework was also an important achievement in the field of Kuwaiti data protection. This Framework brought about definitions for types of cloud computing service providers (CSPs), data classification, cybersecurity and the main jurisdiction location(s) of data storage, among other things.

CITRA Regulations to Protect the Rights of Technology Users

In late April 2022, CITRA issued guidelines regarding the protection of users’ rights and regulation of communications and IT services . Pursuant to these guidelines, users must give explicit oral, electronic or written consent to receiving messages or communications when subscribing. The Licensee must keep a record of the subscriber’s consent to promotional messages, and must keep a database to regulate unwanted messages by the subscriber(s) upon request(s) of such.

Emergence of National Cybersecurity Centre

Decision No 37 of 2022 on the establishment of The National Cybersecurity Centre involves the creation and organisation of a resilient national cybersecurity system to shield the State of Kuwait from cyberthreats. The Centre is dedicated to effectively addressing these threats, ensuring operational sustainability and upholding national cybersecurity. Its scope encompasses safeguarding vital interests in the digital realm, overseeing the development of specialised national capabilities in cybersecurity, nurturing a cybersecurity culture to promote secure electronic space use, and monitoring and protecting critical assets, infrastructure, national information and the state's information network. Furthermore, the Centre facilitates collaboration, co-ordination and the exchange of information among diverse local and international entities within the cybersecurity sphere.

Kuwait’s Digital Transformation

CAIT recently launched the Kuwait Information Network Project. Distributed across multiple centres in Kuwait, the network devices connect 95 government agencies through high-speed fibre-optic cables and prioritise security with firewalls, encryption devices and continuous monitoring services. Security and confidentiality devices equipped with programs to combat cyberthreats are strategically placed to protect information transfer points.

Noteworthy achievements include connecting more than 90 government agencies, implementing hosting environments for business continuity, and linking the network with other countries in the Gulf Cooperation Council (eg, Bahrain, Oman, Qatar, Saudi Arabia and the United Arab Emirates).

The network also facilitates electronic messaging, system activation and continuous development in line with international standards. Preparations are underway to integrate the latest global technologies for data and information transfer.

E-Transactions Law

Consent

Under Article 4, individuals are generally not obliged to deal by electronic means except with their consent, and such consent may be inferred through affirmative conduct indicating approval.

Under Article 32, when collecting data (including personal data and data related to individuals' professional affairs, social status, health status or financial status), government authorities, public authorities and institutions, companies, non-governmental entities or their employees (“Entities”) are explicitly mandated to secure individuals' consent and state the purpose behind collecting such data.

Under Articles 32 and 35, Entities must also ensure that consent is obtained when conducting any access, disclosure, sharing or processing of the collected data. These activities must be undertaken by lawful means and be limited to the stated purpose provided to data owners. This is a requirement that pertains to personal data or information stored in electronic records or processing systems that relates to the professional affairs, social status, health status or financial status of individuals that are registered with the Entities.

Data protection

Under Article 35, Entities are required to regularly verify and update the accuracy of personal data or information stored on their electronic records or processing systems. They must also implement appropriate measures to safeguard the collected or stored personal data and information stored on their electronic records or processing systems.

Under Article 2 of the Regulations, the storage and maintenance of electronic records, inclusive of personal data, must preserve their original form, encompassing all associated original data, without compromising the quality or standard of the records. In addition, the storage of electronic records, inclusive of personal data, should align with the policies and agreements established between the parties involved in electronic transactions, specifying the duration for retaining and maintaining such records.

Data subject rights

Article 33 grants specific rights to data subjects concerning their personal data stored in electronic records and processing systems maintained by Entities. Any person with personal data stored by Entities has the right to request access to, as well as a record of, the data or information maintained by that Entity.

Additionally, under Article 36, the data subject has the right to modify or delete their personal data held by any of the Entities and may also update personal information in the event of changes. Requests for the access, modification or deletion of personal data can only be initiated by the individual to whom the data belongs or by their legal representative (Articles 25–26(1) of the Regulations).

Under Article 26(2) of the Regulations, deleting stored personal data or information is only permissible when correction is deemed necessary; in such cases, the previously stored information must be maintained without any use or handling.

User Right Protection and Regulation of Communications and IT Services (“User Guidelines”)

Collection of data

Under Article 2, the Licensee must prepare relevant rules and mechanisms for the sale of its service either through means of electronic transaction or through telephone communication. CITRA must approve the rules and mechanisms or any amendments to existing contracts of sale in advance, which includes the relevant data collection and storage. Pursuant to Article 3.16, in case of any such amendment, the following must occur before any enforcement can take place:

• the service user must be notified of the amendment(s) 60 days before the amendment enters into force; and
• the subscriber’s written approval or e-signature (using the “Hawyti” application) must be obtained.

Under Article 3.3, the Licensee must verify the validity of the personal information provided by the users of said services; such proof of information (in the form of civil ID, passport or driving licence) may be certified by competent governmental bodies.

Under Article 3.4, before executing the service contract, the mechanism(s) for cancelling the service and any variation(s) to the contractual terms of service must be clearly stipulated.

Under Article 3.6, the Licensee must open an electronic file in which all the information, documents and complaints pertaining to any user(s) are safely stored.

Duties of the Licensee upon users’ request of cancellation of service

Under Article 4, the Licensee must facilitate the mechanisms or procedures for such cancellation of service. The Licensee may bind the subscriber with a minimum limit of the service contract term, unless this is approved by the Authority. Upon the subscriber’s request to cancel the service, the Licensee must verify the identity of the subscriber applying for cancellation.

Dealing with data

Under Article 6, Licensees must adhere to the following requirements:

• making no collection, use or disclosure of any personal information related to the user without their official approval;
• not requiring information that is irrelevant in the context of providing services;
• obtaining the approval of the user before disclosing their information to other parties; and
• taking all security measures with regard to:
1. protection of the user’s information; and
2. protection against the loss, damage or disclosure of such information (or its replacement with any untrue data).

Policy

Pursuant to the Policy, guidance is provided to public and private sector entities to classify their data in accordance with its sensitivity, including any personal data of any individuals in their possession.

DPPR

Consent

Under Articles 2 and 4 of the DPPR, Licensees must secure user consent prior to collecting and processing their personal data, and must specify the purpose for data collection and processing both before and during the provision of services, as well as after the termination of services.

Data protection

In accordance with Article 5(1-3) of the DPPR, Licensees are required to implement robust measures for safeguarding data from unauthorised access, loss, destruction or damage, with protective measures to include encryption, confidentiality practices and disaster recovery protocols.

Under Article 6 of the DPPR, Licensees must inform both the data subject and CITRA in case of a personal data breach.

Data subject rights

Under Article 4(3), Licensees must disclose their identity, location and contact information to their users, ensuring users can readily recognise and reach out to them when required.

Under Article 4(10), users must also be given the right to withdraw consent or to entirely delete their personal information from the Licensee's records.

Under Article 4(11), Licensees are also obliged to notify data subjects if their personal data is to be transferred outside Kuwait.

Under Article 4(12), Licensees must afford their users the right to access or modify stored personal data that is in their possession and is stored with them.

CITRA Cloud Service Providers and Regulations and Commitments

Types of information collected by CSPs

Pursuant to the regulations concerning PaaS and SaaS model providers in Article 2, the types of information that a CSP may obtain from users can include and is not limited to:

• name and email address;
• address;
• payment information;
• internet protocol address (“IP address”); and
• device and browser information.

Obligations in dealing with information

In accordance with the regulations concerning PaaS and SaaS model providers located in Article 2, the CSP must describe to the user all information that needs to be collected and inform them as to what information will be collected automatically (and where to access and amend such information). Following data collection, the CSP must explain to the user where and how such information may be used.

The CSP may not use this information to locate the identity of the user. The CSP must also inform users of any third-party providers that operate certain services on their behalf – and of their privacy policies – for the purpose of maintaining transparency. The CSP commits to not share, dispose of or sell the user's information with third parties; however, for purposes of improving the service and customer experience, they may be granted access to the user's names, address, phone number and email. In any case, the user must be informed of such.

The user must be notified immediately of any data relocation to new owners as a result of M&A, liquidation or dissolution.

The CSP must be efficient, competent and equipped to detect any fraud, security threats or technical problems.

The subscriber has the right to request the amendment or deletion of their personal data available to third parties or to the CSP. The CSP must also provide clear mechanisms to users for communication regarding the privacy policy.

SaaS model providers must specify in their privacy policy the targeted age group for the collection of data. If the targeted age group is minors, then the consent of their guardian must be obtained. The service must abide by any relevant child protection laws of the state.

Framework

Dealing with data

Under Article 4, Tier 3 and Tier 4 data may not be stored outside the state of Kuwait, and CSPs may not use a shared or hybrid cloud to store this type of information, unless such is licensed by the Authority. CSPs must also notify users of a security breach within no more than 72 hours and, accordingly, must have established safeguard mechanisms in place with regard to disaster recovery and risk management. Under the same provision, the CSP must give its users the technical means through which to access the given information and the process by which to amend such.

Under Article 6, the service contract must clearly stipulate the protocol of action and notification in the event that a security breach occurs.

Cancellation of service

Under Article 6, the CSP must include certain clauses in its service contracts that relate to the cancellation of the user's service. The user must be provided with a copy of their cloud computing content saved at the time of termination; otherwise, upon the request of the user, their content may be transferred to their other chosen CSP. Upon such handover of the transferral of content, the CSP must delete any and all content or information related to the user present on its own platform(s).

Unfair contract terms

Under Article 7, CSPs may not exclude any liability (extending to actions by individual employees) in their service contract in relation to the damage or loss of, or tampering with, the user’s information and content – unless it is stipulated that this may happen unintentionally or in the event of a security breach.

Disclosure of data

Under Article 4.3.4, the CSP may only disclose the user’s content or data by:

• responding to an official request by security or intelligence authorities; or
• obtaining consent of the user, provided that:
1. the data is not classified as Tier 3 or 4; and
2. the user may withdraw their consent to such disclosure in the future.

The CITRA Law and the CITRA Regulations

Regulations

Under Article 51, telephone calls and private communications are classed as confidential matters that may not be violated. The only exception to this is by an approval solely granted by a competent judicial authority in the state of Kuwait.

The CITRA Law

Under Article 46, the trade, sale or display for sale of bugging devices is strictly prohibited. The only exception to this is that governmental authorities (as defined by a decree) are permitted to own bugging devices for the purpose of maintaining national security and peace. Even in such circumstances, the delegated authorities may only use these devices if consent has been granted by the public prosecutor’s office in accordance with the terms, conditions and procedures set forth in the Kuwaiti Procedures Law.

Policy

The governing regulation is CITRA’s Policy, which classifies different types of data according to the sensitivity of its content.

Classification of data and specifics

The First Tier

“Public Data” refers to unclassified data that is available to the public or to data that is not subject to protection from public access under any law, regulation or contract. Examples include:

• open data such as policies, regulations and laws published on websites, daily newspapers, magazines or other publications;
• self-service forms made available to individuals and authorities; and
• any data and information made publicly available on websites.

The Second Tier

“Private Insensitive Data” refers to data owned by the public and private sectors, or at a personal level. It is data that indicates the identity of the data owner, although unauthorised disclosure does not lead to any damage to the privacy of the person’s data. Examples include:

• first or last name;
• job title, job duties and employer name;
• email address;
• civil ID number;
• gender;
• age; and
• academic qualification.

The Third Tier

“Private Sensitive Data” refers to data owned by the public and private sectors, or at a personal level. It is data indicating the identity of the data owner and may encompass a mix of sensitive and insensitive data. The unauthorised disclosure of such data may damage the privacy of the person’s data. Examples include:

• the minutes of meetings and business plans;
• internal project reports;
• legal notes and opinions issued by legal offices;
• medical records; and
• criminal fingerprints and DNA fingerprints.

The Fourth Tier

“Highly Sensitive Data” refers to private data of a very sensitive nature, the unauthorised disclosure of which may result in great damage to the privacy of the person/entity’s data. Such data may be owned by government or private sector entities but relate to highly personal information. This data must have high encryption requirements and requires the highest levels of protection means. Examples include:

• encryption keys;
• political documents, international negotiations or international relations; and
• sensitive information of a military nature or in relation to state security.

Data storing methods

As previously mentioned, under Article 3, the owner of the data is encouraged to classify such data into at least four different levels, according to its contents. If a separate classification system is used, it must be unified to match the data classification tier outlined earlier. Governmental entities are exempt from this and may choose to classify data in any manner they see fit.

The data owner is free to choose their data protection methods according to their data classification, retention, collection and processing schemes. The data owner must also ensure the availability and adoption of certain safeguards and protections necessary for the storage of such data – specifically, data labelled under Tier 3 and Tier 4.

The owner of the data is also encouraged to create a data catalogue that contains standards of data storage in a unified format. However, the data owner must encrypt all data classified under Tier 3 and Tier 4 when transferring such data from one governmental authority or private entity to another (or across geographical locations). Classified data under the aforementioned tiers must be transferred or removed before the data server is disposed of.

Obligations of CITRA

Lastly, under Article 3, CITRA is obliged to encourage and provide guidance for private and public entities’ compliance with the Policy. It is also empowered to request periodic reports from CAIT. Such reports must contain a catalogue of all the types of data in its possession, the approved tier classification system of data and reasons for adopting such, and the locations of the stored data according to the adopted classification tiers.

Regulations and Commitments of Cloud Service Providers

The use of cookies

The CSP must contain a clause labelled “Cookies” in its privacy policy, which determines the mechanisms of usage when it comes to:

• log-in authentication;
• security inferences;
• advertisements; and
• personal identification.

The CSP may not use this data to locate the identity of the user and must always make available the types of cookies used by it or by external parties on any platform on which the service operates.

User Guidelines

Spam messaging

In accordance with Article 12 of the CITRA Regulations, the Licensee must have a database in which the receipt of spam messages is ceased upon the request of the user. Licensees sending messages for commercial purposes must only do so between the hours of 07:00 and 22:00 Kuwait time.

Marketing practice

Pursuant to Article 14 of the User Guidelines, the marketing practices of Licensees must not exploit any consumer or groups on account of their weaknesses, disabilities, ages or lack of knowledge. They must also not use any means of fraud or deception in the advertisement of their products and services.

When it comes to receiving marketing communications or calls, the Licensees must have duly verified the identity of the recipient user. At the beginning of the communication/call, the Licensee must:

• disclose the sender’s name;
• disclose the cause for such communication/call; and
• give the recipient user the option to continue with the communication/call or not.

Regulations and Commitments of Cloud Service Providers

The CSP's privacy policy must inform the user of the procedures to follow should they wish to cancel marketing communication subscriptions.

Please see 2.1 Omnibus Laws and General Requirements (E-Transactions Law: Consent).

Monitoring of Workplace Communications

Law No 9/2001 Regarding Misuse of Telecommunications and Wiretap Sets governs the matter in question, but there is no specific rule applicable to employee monitoring.

Telephone conversations may be recorded by employers to deal with any grievances from customers or clients in order to ensure that the calls are dealt with professionally and for the purposes of training only. In some situations, such recordings may be carried out and reproduced for legal purposes upon an order of the competent court in the event of a situation occurring between third parties and company employees.

There are no applicable laws in place for monitoring employees’ emails in Kuwait. Private life cannot be violate, so the monitoring and recording of such information is considered to be an infringement of rights and a violation of confidentiality, which is guaranteed to individuals under the Kuwaiti Constitution. The courts of Kuwait aim to protect citizens and expatriates from all such violations. The employer can draw up a set of rules and regulations that may govern such monitoring for the purpose of safeguarding their interests. However, they should restrict it to the official work areas and not infringe on privacy rights, including the protection of personal emails. Such rules and regulations will need to be drawn up and made available to the employee in a handbook that is often provided to newly joined employees for them to understand and abide by.

The E-Transactions Law

Under Article 37, individuals who unlawfully access, disclose or publish any personal data registered in records or electronic processing systems of the Entities, related to the professional affairs, social status, health or financial status of individuals, whether registered with the Entities or their employees, without the consent of the data subject or their legal representative, may face imprisonment for up to three years and a fine ranging from KWD5,000 to KWD20,000. Confiscation of the tools, programs or devices used in the commission of the offence may also be ordered.

Under Article 37, Entities that collect, register or process any of the personal data stored with them on their electronic records or processing systems, using unlawful methods or without the consent of the person concerned or their representative, or that use the stored personal data for reasons other than those for which it was collected, may face imprisonment for up to three years and a fine ranging from KWD5,000 to KWD20,000. Confiscation of the tools, programs or devices used in the commission of the offence may also be ordered.

The CITRA Law

Violations of CITRA Law and Regulations

Under Article 61 of the CITRA Law, if a CITRA inspection determines that a violation – or suspected violation – of its laws has been committed, then CITRA must instruct the public prosecutor’s office to adopt the appropriate measures.

However, under Article 63, the board of CITRA may accept reconciliation of the violations of its laws or regulations and accept a cash penalty of no less than twice the amount of the fine(s) stipulated in the CITRA Law before a referral to the public prosecutor’s office. Such violations include:

• using bugging devices (punishable by either imprisonment for no more than one year or a fine of no more than KWD5,000 and no less than KWD500); and
• illegally using a private or public telecommunications network (punishable by either two years in prison or a fine of no more than KWD20,000 and no less than KWD500).

Claim for compensation (Article 81)

It should be noted that the above-described penalties do not prejudice any person to claim for direct compensation as a result of such actions. Due to the CITRA Law and CITRA Regulations being so new, the procedure has yet to be tested in the courts.

Under Article 70 of the E-Transactions Law, using telecommunications to send threats, immoral or humiliating messages, or made-up events for the purpose of causing panic is punishable either by imprisonment of no more than two years or by a fine of no more than KWD5,000. In addition, intentionally defaming anyone by engaging in non-consensual capturing or usage of pictures or videos (or the falsifying of such) is punishable either by a prison term of no more than two years or by a fine of no more than KWD5,000 and no less than KWD500. Furthermore, sending immoral or indecent materials by any means (eg, messages, videos or pictures) will be punished by either a prison term of no more than three years or a fine of no more than KWD5,000 and no less than KWD500.

If any such acts are accompanied by blackmail in relation to the above-mentioned materials, it is punishable by either up to ten years in prison or a fine not exceeding KWD10,000.

Please see 3.1 Laws and Standards for Access to Data for Serious Crimes.

Usually, governmental agencies – in particular, law enforcement agencies – do not require any judicial approvals to access individuals’ data for intelligence, anti-terrorism or other national security purposes. Moreover, most of the data is retained in centralised systems to which the agencies already have access. There are no specific requirements to obtain any judicial approvals for governmental agencies to request data from other governmental agencies. There are no specific laws that govern this particular scenario.

Please note that, depending on the sensitivity of the information (ie, Tier 3 and Tier 4), certain approvals may be required.

The laws in Kuwait do not consider a foreign government access request to be a legitimate basis for transferring personal data. The situations in which personal data may be transferred outside Kuwait are discussed in 4. International Considerations. It is generally not permissible for an organisation to invoke a foreign government access request as a legitimate basis upon which to collect and transfer personal data – unless there is a legal basis under the local laws for such transfer.

Kuwait has not participated in any Cloud Act agreements with the USA to date.

Like many other countries, Kuwait faces several conflicts and public debates concerning government access to personal data. The key issues in relation to privacy include the following.

Civil ID Cards

The Kuwaiti government has mandated the use of a national ID card for all citizens and residents. However, there have been concerns about the amount of personal information collected on the card and the potential for misuse of this information.

Health Data Collection

The collection of health data is generally governed by Kuwait Law No 70 of 2020 On the Practice of the Medical and Paramedical Professions, the Rights of Patients and Health Facilities (“Health Data Law”), which applies to the Kuwait Ministry of Health and its personnel, and to any individual possessing a university degree granted by a medical or dental faculty accredited and endorsed by the relevant authorities in the State of Kuwait.

Under Article 60 of the Health Data Law, every Healthcare Facility (defined in Article 1 as every place specifically designated to offer medical or healthcare services to individuals for purposes such as disease diagnosis, treatment, prevention, health enhancement, rehabilitation or convalescence) must establish a register and database to record all patient information in either written or electronic form. The management of the Healthcare Facility is responsible for maintaining and safeguarding these files to prevent damage or loss. If the Healthcare Facility ceases operations or undergoes a change in activity, it is obliged to deliver the patient files or copies upon request to the patient or their family. In addition, under Article 13(5), written consent is required from a patient before disclosing their secrets and health information, and patients have a right to request a detailed summary or report of their health files (Article 28 of the Health Data Law).

The Kuwaiti government has also been collecting health data from citizens and residents, particularly during the COVID-19 pandemic. Although this data can be useful for public health purposes, there are concerns about the privacy implications of such data collection.

Conflict With Human Rights

The collection and use of personal data by the government in Kuwait has been seen as potentially being in conflict with human rights, including the right to privacy and freedom of expression. The right to privacy is recognised as a fundamental human right under international law and, as such, is protected by numerous human rights treaties and conventions. The UN Human Rights Committee, for example, has stated that “the collection and retention of personal data must be regulated by law” and that “the law must be adequate to provide effective safeguards against arbitrary interference with an individual’s privacy”.

In addition to privacy concerns, the collection and use of personal data by the government can also have an alarming effect on freedom of expression. If individuals believe that their online activity or communications are being monitored by the government, they may be less likely to express themselves freely or engage in political or social activism.

There are restrictions on international data transfers of personal information, especially those classified as Tier 3 and Tier 4 under the Policy.

The DPPR states that a Licensee must collect and process data during and after providing a service, according to certain conditions. If the Licensee intends to transfer a subject’s personal data outside Kuwait, it must notify the data subject.

Furthermore, the Policy imposes restrictions on the transfer of personal information classified as Tier 3 and Tier 4. Such data must be encrypted during transmission from one government entity to another or when transmitted between different physical geographical locations of government entities – and this applies to the private sector as well. Therefore, encrypted data may not be transferred internationally.

Subscribers from the private sector and the public sector are explicitly prohibited from storing or hosting Tier 3 and 4 data as classified under the Policy, whether on a temporary or permanent basis, on data centres and cloud computing infrastructure provided by CSPs located outside Kuwait. However, the use of hybrid clouds is allowed for third-level data within Kuwait.

In addition, subscribers engaging CSPs for Tiers 3 and 4 data are prohibited from transferring, storing or processing data unless the CSP is appropriately registered and licensed by CITRA. Compliance with this requirement mandates that the CSP itself is physically located within Kuwait.

As for less sensitive data, the CSP must obtain written consent from the subscriber before transferring or copying its stored Tiers 1 and 2 data outside the State of Kuwait. CSPs must also ensure that they explain the reasons for the transfer and disclose the party to which the data will be transferred.

In addition, there may be restrictions imposed by the government on the transfer of data for national security and/or public interest concerns.

Kuwait does not have any specific mechanisms or derogations for international data transfers in place that resemble those provided by APEC or other multilateral frameworks. However, under the DPPR, Licensees are required to obtain the data subject’s consent before disclosing their personal data to any affiliate company or third party for any marketing purposes not directly related to the provision of telecommunications and IT services requested by the person concerned. In addition, appropriate security measures must be implemented to protect the personal data of any person against loss, damage, disclosure or hacking by an unauthorised third party.

In practice, many companies in Kuwait use standard contractual clauses or binding corporate rules to ensure compliance with data protection requirements when transferring personal data outside of the country. Companies may also rely on the individual’s consent to the transfer, provided that the consent is informed, specific and given freely. However, it is important to note that data protection laws under the DPPR and the E-Transactions Law may impose certain limitations on the use of consent as a basis for data transfers and, of course, such consent must be given freely and obtained in a manner that is specific and informed.

At the time of writing, there are no express government notifications or approvals required to transfer data internationally. However, please see 4.1 Restrictions on International Data Issues for further detail.

As mentioned in 4.1 Restrictions on International Data Issues, there are data localisation requirements for certain types of data. The following types of data must not be hosted or stored outside Kuwait:

• data classified under the Tier 3 and Tier 4 levels of data classification; and
• government entity data falling within the Tier 4 level of data classification.

In order to comply with these requirements, Section 4.2 of the Framework outlines several obligations for subscribers and providers of CSPs in Kuwait. Subscribers must ensure that certain types of data are not hosted or stored outside Kuwait, and providers must disclose the location and technical information of their data centres in Kuwait (and in other countries where they process or transmit the data of subscribers in Kuwait).

Licensees must obtain written consent from their subscribers before transferring or copying data outside of Kuwait. However, this requirement only applies to data that does not fall within the Tier 3 and Tier 4 levels of data classification. Therefore, only data classified as Tier 1 or Tier 2 can be transferred or stored outside of Kuwait with the notification of the data owner.

Currently, there are no legal requirements to share any software code, algorithms or similar technical details with the government.

There are express limitations or considerations with regard to foreign government data requests or foreign litigation proceedings or internal investigations; please see4.1 Restrictions on International Data Issues and 4.2 Mechanisms or Derogations that Apply to International Data Transfers regarding the limitations or considerations concerning the international transfer of personal data.

Kuwait has several laws and regulations related to blocking or censoring web content, some of which concern privacy and data protection. Key examples include the following.

• The Press and Publications Law under Law No 3 of 2006 regulates the publication of printed and electronic media in Kuwait. It includes provisions related to blocking content that violates public order, morals or national security. This law gives the government the power to block websites or other media that violate these provisions.
• The Cybercrime Law criminalises a wide range of online activities, including hacking and online fraud. This law gives the government the power to block websites or other online content that violates its provisions.
• The CITRA Law regulates the telecommunications sector in Kuwait and includes provisions related to blocking or intercepting communications that violate public order, morals or national security. This law gives the government the power to block websites or other online content that violates these provisions.

Among other prohibited content, CITRA receives requests to block web content in Kuwait that violates the public interest (including public morals, Islamic faith teachings and public order). If CITRA receives a request to block or unblock web content, it will take the necessary actions to block web content that contains any prohibited content or to unblock web content in case of an error in classifying the content as prohibited.

Artificial Intelligence

In Kuwait, domestic entities in regulated industries are beginning to use AI, while multinational targeted advertising companies have been using it for some time. However, there are two primary legal risks and compliance issues for entities in Kuwait looking to incorporate AI into their businesses. The first issue is that using AI for business purposes requires the use of large amounts of data, which often needs to be outsourced to foreign entities, leading to potential data breaches and cybersecurity risks. The second issue is that Kuwait does not have a comprehensive data protection law and is therefore exposed to cybersecurity risks.

Another issue is the limitation on data transfers, as described in 4.1 Restrictions on International Data Issues, 4.3 Government Notifications and Approvals and 4.4 Data Localisation Requirements, whereby certain tiers of data cannot be transferred internationally.

Unmanned Aircraft Systems

The Directorate General of Civil Aviation (DGCA) is the regulatory body in the State of Kuwait governing the registration of unmanned aircraft systems (UAS)/drones in Kuwait. The DGCA registers the following three types of uses of UAS/drones:

• recreational (toy, sport, advanced sport activity);
• professional (commercial and non-commercial); and
• special.

Prior permission must be obtained from the DGCA to operate drones for commercial purposes. The following activities are strictly prohibited:

• using drones to carry dangerous goods;
• dropping any object from the drone; and
• using the drone to capture images or videos of private property without obtaining prior consent.

Although there are no specific laws or regulations in Kuwait that require organisations to establish protocols for digital governance or fair data practice review boards or committees, some companies in Kuwait have voluntarily established such protocols as part of their corporate governance practices.

With the increasing importance of data privacy and security, companies in Kuwait have begun to recognise the importance of having a framework in place for managing digital technologies and data practices. Some companies have established internal committees or review boards in order to oversee data privacy and security, and to ensure compliance with local laws and regulations. These committees are often responsible for reviewing the company’s policies and procedures related to data collection, storage, processing and sharing, and for assessing the risks associated with emerging or disruptive digital technologies.

There are no publicly available details concerning any regulatory enforcement. Furthermore, as the Data Protection Regime is so new, it has yet to be tested in the courts. Please see 2.5 Enforcement and Litigation and 3.1 Laws and Standards for Access to Data for Serious Crimes.

It is worth noting that there is a growing focus on privacy and data protection in several countries in the Middle East. It is possible that Kuwait may follow suit in the future and introduce more robust legislation in this area.

In Kuwait, conducting due diligence is an essential part of corporate transactions, as it helps to identify and assess risks and potential liabilities associated with a company.

The process involves a comprehensive review of the target company’s financial, legal and operational records, as well as its contracts, IP and relationships with customers, suppliers and other stakeholders. The parties in a transaction typically execute a Letter of Intent that would include a confidentiality provision and other restrictive covenants. Thereafter, a virtual data room is established where the target would upload the documents requested by the buyers.

The following issues are typically relevant when conducting due diligence in corporate transactions in Kuwait:

• legal and regulatory compliance;
• corporate governance;
• financial statements;
• material contracts;
• IP;
• management and employment; and
• litigation.

There is no requirement to make a public disclosure regarding an organisation’s cybersecurity risk profile or experience.

There have been no developments or trends regarding the convergence of privacy, competition and consumer protection in connection with the regulation of tech companies, digital technology or data practices in Kuwait. Although there is a growing awareness of the importance of these issues in Kuwait and throughout the Middle East, Kuwait has yet to implement any laws or policies specifically addressing these issues and is not considering (or subject to) any new laws or policies along the lines of the EU’s Digital Markets Act, Digital Services Act or Data Act.

Significant issues faced by Kuwait in relation to data protection include the following:

• lack of comprehensive data protection laws – the existing laws and regulations that touch on the collection, processing and sharing of personal data (by both public and private entities) are scattered across different pieces of legislation, making it challenging to enforce data protection standards in Kuwait;
• inadequate data security measures – many organisations in Kuwait do not have adequate data security measures in place to protect personal data from unauthorised access, theft or other forms of data breaches, thereby leaving personal data vulnerable to misuse and abuse; and
• lack of oversight and enforcement – there is a lack of effective oversight and enforcement mechanisms for data protection in Kuwait, which can make it difficult to hold organisations accountable for data breaches and other violations of data protection standards.