Kuwait’s Communication and Information Technology Regulator issues Data Protection Regulation for Service Providers

Kuwait’s Communication and Information Technology Regulatory Authority (“CITRA”) has issued Resolution No. 42 of 2021, Concerning Data Privacy Protection Regulation (“Data Privacy Protection Regulations” or the “Regulations”). The Regulations are effective as of their publication date, which was on 4 April 2021, and affect both public and private sectors.

The Regulations apply to all Service Providers who provide Communication and Information Technology Service (“CIT Service”) in the State of Kuwait. CIT Service can include the establishment of any kind of public telecommunications network, operation of a website, smart application, or cloud computing services, by any natural or legal person. Specifically, the Regulations govern the collection and processing of personal data.

The Data Privacy Protection Regulations follow the increased use of advanced technologies such as IoT, Blockchain, and cloud computing technologies in Kuwait, and demonstrate CITRA’s willingness to protect fundamental rights and freedoms of transfer relating to the privacy of personal data collected.

Whilst they are less comprehensive than other data protection regimes, such as the GDPR, and is directed at Service Providers only, the Regulations are nevertheless a step towards global alignment with international best practice in data protection, and introduce some key data protection concepts into a critical commercial sector in Kuwait.

Key Provisions

Territorial Scope: The Regulations apply to any Service Provider who provides CIT Services in the State of Kuwait and who collects, processes or stores Personal Data by any means, whether wholly or partially, permanently or temporarily, regardless of whether the processing is carried out inside or outside the State of Kuwait. The Regulations therefore apply to all Service Providers.

Data Classification: The Regulations require all natural or legal persons contracting with a Service Provider to classify their data for information security procedures. This can be either in line with Data Classification policy approved by the CITRA, or international best practices.

Conditions for Data Collection and Processing: The Regulations require Service Providers to be completely transparent regarding any data processing activities prior to collection or processing user data, and prior to engaging in CIT Services with the user (i.e. from the outset). This means Service Providers must inform all their end-users regarding how their (the user’s) Personal Data is collected and used, as well as the specific purpose behind collection or processing. Moreover, the Service Provider must provide users with their Terms of Service, and provide clear instructions on how users can change their data or request the cancellation of the data collection or processing. The Service Provider must also obtain a written confirmation (or tick box) from the user that they have full knowledge and acceptance of all conditions, obligations, and data collection and processing provisions.

Lawful basis for processing: Data Collection and Processing is only lawful where either one of these conditions is met:

1. consent of the user has been obtained; and
2. collection or processing is essential for the Service Provider to comply with a legal obligation;
3. the Data Holder is not made identified or identifiable;
4. collection or processing is essential to protect a natural or legal person’s data;
5. where the user (or Data Holder) is a child under 18 years of age, to obtain clear permission from the guardian.

Conditions for processing: While conducting CIT Services, the Service Provider must comply with certain conditions such as a) providing users with clear, easy access to their data practices and policies, and b) maintaining a clear purpose for data collection (purpose limitation) and c) maintaining appropriate technical and organisational measures to ensure that personal data is protected against unauthorised or illegal processing, accidental loss, destruction or damage, among other conditions.

Exemptions: The Regulations do not apply to a natural person who collects and processes personal or family data. They also do not apply to security agencies who process Personal Data for the purposes of preventing, investigating or detecting crimes, or for prosecuting criminals, enforcement, or preventing threats against public security.