DLA Piper Intelligence

Data Protection
Laws of the World

Breach Notification

No specific provisions.

Last modified 22 Jan 2024
Law
Kuwait

To date, Kuwait does not have a specific personal data protection law.  Previously, legislation such as Kuwait Law No. 20 of 2014, on Electronic Transactions (the “E-Commerce Law”), regulated privacy and data protection of private and public electronic records, signatures, documents, and payments.  Whereas, Kuwait Law No. 63 of 2015, on Combating Cyber Crimes the (“Cybercrime Law”) imposed heavy penalties for illegal tampering with or acquisition of personal or governmental data or information.   

However, the introduction of Decision No. 42 of 2021 on Data Privacy Protection Regulation (“Data Protection Regulation”) by the Communications and Telecommunications Regulatory Authority (“CITRA”), imposed obligations in relation to data protection on Telecommunication Services Providers and related industry sectors who collect, process, or store personal data, in whole or in part. The Data Protection Regulation describes the conditions for collecting and possessing personal data and the obligation of a service provider during the provision of the service or after the end thereof, in relation to the collection and processing of such data.

The introduction of the Data Protection Regulation has been a huge milestone since there was no dedicated data protection laws or regulations, and thus, reliance was placed on limited relevant legal provisions found under different legislation(s) such as the E-Commerce Law and Cybercrime Law. The Data Protection Regulation applies to all service providers irrespective of whether the data processing is undertaken inside or outside Kuwait, which requires that service providers inform users about how their data is collected, processed, and stored.

The Data Protection Regulation provides a wider ambit of the definition of “service provider” which ranges from traditional telecommunications service providers to anyone who operates a website, smart application or cloud computing service, collects or processes personal data or directs another party to do so on its behalf through information centers owned or used by them directly or indirectly. Furthermore, the Data Protection Regulation indicates that users have a right to withdraw their consent and, consequently, the service provider must delete / destroy the information provided by the user. However, the provisions of the Data Protection Regulation do not apply to natural persons who collect and process personal and family data; or security authorities for the purposes of controlling crimes and the prevention of threats related to public security.

Thus, the introduction of the Data Protection Regulation marks a significant milestone towards recognizing the importance that has been given to personal data in relation to Kuwait's legal scene. The Data Protection Regulation has brought a wide range of entities / sectors who are technically not TSP’s, to the extent that they are related to the field of telecommunication services, but own a website, an application, or provide cloud computing services etc., for which they collect data in some way from their users / customers.

Furthermore, CITRA has also issued, the Data Classification Policy (“DCP”), whereby entities dealing with large amounts of data can use as a guidance for data protection. The DCP classifies data into four separate categories to help in better decision making, regarding data access and processing in line with the data classification levels.

Last modified 22 Jan 2024
Definitions

Definition of personal data

Kuwaiti law does not define personal data. However, personal data is considered to include at least personal information about a person’s:

  • Positional affairs
  • Personal status
  • Health status, or
  • Elements of financial disclosures

These elements are undefined, but broadly construed to encompass any personal information relating to the specified data element.

Definition of sensitive personal data

Kuwaiti law does not define sensitive personal data.

Last modified 22 Jan 2024
Authority

There is no national data protection authority in Kuwait.

Last modified 22 Jan 2024
Registration

Not required.

Last modified 22 Jan 2024
Data Protection Officers

Not required.

Last modified 22 Jan 2024
Collection & Processing

The Regulation requires that prior to the provision of service, the service providers must:

  • Provide all the information about the services to be provided and the terms of service in easy language both in English and Arabic;
  • Clarify the purpose of collecting, and method of use of such data to the requester of service; and
  • Obtain consent  of the requester of service for collection and processing of data and his knowledge and acceptance of all conditions, obligations and provisions for data collection and processing. 

Beside the Regulation, the E-Commerce Law includes a general obligation prohibiting Kuwaiti governmental bodies, agencies, public institutions, companies, non-governmental bodies, or employees thereof from collecting or processing any information in an illegal manner without the consent of the concerned person or his or her representative.

Last modified 22 Jan 2024
Transfer

The E-Commerce Law similarly includes a general obligation prohibiting Kuwaiti governmental bodies from transferring any information in an illegal manner without the consent of the concerned person or his or her representative.

Last modified 22 Jan 2024
Security

No specific provisions.

Last modified 22 Jan 2024
Breach Notification

No specific provisions.

Last modified 22 Jan 2024
Enforcement

The Regulation does not provide specific penalties for breach of prescribed obligations but instead it prescribes to impose penalties and fine as per the CITRA Law, which lays down a range of punishments including imprisonment for a term from one to five years and fine ranging from five hundred Kuwaiti Dinars to twenty thousand Kuwaiti Dinars or a combination thereof.

Violations of the E-Commerce Law are punishable by a maximum of three years imprisonment, and fines of no less than KWD5,000 (US$17,500) for anyone who discloses personal information without proper consent or a court order. The E-Commerce Law also provides for confiscation of tools, programs or devices used for unauthorized disclosure.

Last modified 22 Jan 2024
Electronic Marketing

No specific provisions.

Last modified 22 Jan 2024
Online Privacy

No specific provisions.

Last modified 22 Jan 2024
Contacts
Ahmad Saleh
Ahmad Saleh
Senior Associate
GLA & Company
T +965 9220 3033
Last modified 22 Jan 2024