Support Centre



Law: There is no general data protection regulation.

Regulator: There is no general data protection authority.

Summary:  Although there is currently no specific legislation aimed at the protection of personal data in Kuwait, there have been reports that the Government of Kuwait is generally considering the introduction of such a law. At present, there are relevant sectoral requirements, which, alongside provisions in the Constitution of Kuwait 1962 (the Constitution), may be considered as outlining an essential but patchwork basis for the protection of personal data.

In February 2024, the Communication and Information Technology Regulatory Authority (CITRA) released the Data Privacy Protection Regulation No. 26 of 2024 (the Regulation) (only available in Arabic here). The Regulation, repeals and replaces the previous Data Privacy Protection Regulation, No.42 of 2021, and provides guidelines for the collection and processing of personal data by telecommunications and information technology service providers. Moreover, in the financial sector, the Cyber Security Framework for the Kuwaiti Banking Sector establishes several data protection-related obligations. The Labour Law No. 6/2010 for the Private Sector similarly sets out requirements that overlap and impact data protection in relation to employment.


The Kuwait Communication & Information Technology Authority ('CITRA') released the Data Privacy Protection Regulation, No.42 of 2021 ('the Regulation') in April 2021, which marked an important milestone in Kuwait's legal landscape. This is primarily because prior to the Regulation there was no dedicated data protection law or regulation, and thus, reliance was placed on limited relevant legal provisions found in different legislations, such as the Constitution of Kuwait 1962 and Law No. 20 of 2014 concerning Electronic Transactions. Ahmed Syed, Senior Consultant at International Legal Group Kuwait, discusses the application of the Regulation and what is required under its provisions.