Support Centre



Law: There is no general data protection regulation.

Regulator: There is no general data protection authority.

Summary:  Although there is currently no specific legislation aimed at the protection of personal data in Kuwait, there have been reports that the Government of Kuwait is generally considering the introduction of such a law. At present, there are relevant sectoral requirements, which, alongside provisions in the Constitution of Kuwait 1962 (the Constitution), may be considered as outlining an essential but patchwork basis for the protection of personal data.

In February 2024, the Communication and Information Technology Regulatory Authority (CITRA) released the Data Privacy Protection Regulation No. 26 of 2024 (the Regulation) (only available in Arabic here). The Regulation, repeals and replaces the previous Data Privacy Protection Regulation, No.42 of 2021, and provides guidelines for the collection and processing of personal data by telecommunications and information technology service providers. Moreover, in the financial sector, the Cyber Security Framework for the Kuwaiti Banking Sector establishes several data protection-related obligations. The Labour Law No. 6/2010 for the Private Sector similarly sets out requirements that overlap and impact data protection in relation to employment.


In a significant development within the State of Kuwait's regulatory landscape, the Communication and Information Technology Regulatory Authority (CITRA) has taken decisive steps to fortify data protection measures in the realm of telecom and IT services. Under Decision No. 26 of 2024, CITRA introduced a new set of Data Privacy Protection Regulations (the Regulations), effectively replacing the prior regulations. Concurrently, CITRA has repealed its former Data Classification Policy under Decision No. 34 of 2024, signaling a strategic shift towards more comprehensive safeguards for sensitive information.

This proactive update reflects CITRA's recognition of the growing need for strong data security measures as Kuwait's telecom and IT sectors expand. These regulatory changes also match Kuwait's big-picture plan for progress outlined in the New Kuwait 2035 strategy, emphasizing a focused push for better technology resilience and privacy standards in the country's digital world. Asad Ahmad and Salma Farouq, of GLA & Company, discuss the Regulations, highlighting the key provisions that individuals and entities should be aware of.

The Kuwait Communication & Information Technology Authority ('CITRA') released the Data Privacy Protection Regulation, No.42 of 2021 ('the Regulation') in April 2021, which marked an important milestone in Kuwait's legal landscape. This is primarily because prior to the Regulation there was no dedicated data protection law or regulation, and thus, reliance was placed on limited relevant legal provisions found in different legislations, such as the Constitution of Kuwait 1962 and Law No. 20 of 2014 concerning Electronic Transactions. Ahmed Syed, Senior Consultant at International Legal Group Kuwait, discusses the application of the Regulation and what is required under its provisions.