Published: Feb 28, 2024

Communications and Information Technology Regulatory Authority has issued new data privacy regulations

The Communications and Information Technology Regulatory Authority (“CITRA”) has issued Resolution No. 26 of 2024 regulating the privacy of data collected by telecommunications and information technology service providers.

This new regulation supersedes the former regulation, Resolution No. 42 of 2021, and its amendments.

Background

Demand for telecommunications and information technology services is increasing in both the public and private sectors in Kuwait. Such services are provided by service providers using advanced technologies, such as cloud computing, which rely on certain software provided and operated by telecommunications and information technology service providers. These service providers collect and process data and user content.

CITRA recognizes the necessity for providers of telecommunications and information technology services to adhere to data protection rights and fundamental freedoms related to the confidentiality of collected personal data.

Additionally, CITRA is committed to developing a robust industry based on providing the best telecommunications and information technology services to support governmental entities, businesses, and individuals within the State of Kuwait. This supports the operations of governmental, commercial, and industrial activities, which attracts investors interested in this field, and enhances the competitive foundations to achieve Kuwait’s vision towards establishing a new financial and commercial center (New Kuwait 2035).

Resolution No. 26 of 2024 includes guidelines related to organizing the practices of managing and processing data by providers of telecommunications and information technology services. This resolution provides further nuance to existing laws and regulations in Kuwait.

Applicability of Resolution No. 26 of 2024

Resolution No. 26 of 2024 applies to all service providers licensed by CITRA who engage in the collection, processing, and storage of personal data and user content, whether wholly or partially, permanently or temporarily, by mechanical means or any other means, constituting part of a data storage system, whether processed inside or outside the State of Kuwait.

Key Obligations on the Service Provider

  1. Provide all information and terms of service, including the request to change or delete data, clearly and in simple terms, available in both English and Arabic.
  2. Obtain the consent of the service requester to collect or process personal data, ensuring that they are informed and agree to all terms, commitments, and provisions regarding data collection and processing.
  3. Clearly state the purpose of collecting the user’s personal data and the necessity thereof to provide the service, and explain how the data will be utilized.

Data Breach Notification

In the event of a breach of personal data, the service provider must, within 24 hours of becoming aware of it, send a notification of the breach to CITRA. Service providers must follow the steps specified in the resolution in order to avoid potential penalties.

How can we help?

Resolution No. 26 of 2024 provides updated requirements and nuances to data privacy and security in Kuwait.

Al Tamimi & Company’s Kuwait office is well-versed in advising clients on all corporate, commercial and regulatory law issues. We are adept at supporting clients in meeting compliance and regulatory obligations in Kuwait.

We are available to offer additional information on this recent development and can assist your organization in navigating the new regulatory landscape.

To learn more about the details of this alert, please reach out to one of our key contacts.