On February 19, 2024, the Communication and Information Technology Regulatory Authority (CITRA) published the Data Privacy Protection Regulation No. 26 of 2024 (the Regulation), after its publication in the Official Gazette on February 18, 2024. In particular, the Regulation, which repeals and replaces the previous Data Privacy Protection Regulation No. 42 of 2021 as amended, provides guidelines for managing and processing data by telecommunications and information technology service providers.

What is the scope of the Regulation?

The Regulation applies to all service providers licensed by CITRA who collect, process, and store personal data and user content, whether wholly or partially, permanently or temporarily, by mechanical means or any other means, constituting part of a data storage system, whether processed inside or outside Kuwait.

What are the key provisions of the Regulation?

The Regulation requires service providers to:

• obtain the consent of data subjects before collecting and processing their personal data, and clearly specify the purpose of the processing;
• provide data subjects, in both English and Arabic, all information and terms of service, including the request to change or delete data;
• take appropriate security measures to protect personal data from unauthorized access, use, or disclosure; and
• notify CITRA of any data breaches that could result in a high risk to the rights and freedoms of individuals.

You can read the Regulation, only available in Arabic, here.