
Kuwait: CITRA releases Kuwait's latest data privacy protection regulations

In a significant development within the State of Kuwait's regulatory landscape, the Communication and Information Technology Regulatory Authority (CITRA) has taken decisive steps to fortify data protection measures in the realm of telecom and IT services. Under Decision No. 26 of 2024, CITRA introduced a new set of Data Privacy Protection Regulations (the Regulations), effectively replacing the prior regulations. Concurrently, CITRA has repealed its former Data Classification Policy under Decision No. 34 of 2024, signaling a strategic shift towards more comprehensive safeguards for sensitive information.

This proactive update reflects CITRA's recognition of the growing need for strong data security measures as Kuwait's telecom and IT sectors expand. These regulatory changes also align with Kuwait's broader development vision set out in the New Kuwait 2035 strategy, which emphasizes stronger technology resilience and privacy standards across the country's digital environment. Asad Ahmad and Salma Farouq, of GLA & Company, discuss the Regulations, highlighting the key provisions that individuals and entities should be aware of.


Key amendments and scope

In the Regulations, several notable changes have been implemented. Paragraph 15 of Article 4 now mandates that if the personal data stored by the service provider is disclosed improperly, and such disclosure or access causes damage to a significant number of users, the service provider shall notify CITRA, the users, and law enforcement bodies as soon as possible, and no later than 72 hours in any event, extending the previous 24-hour window.

Conversely, paragraph 1 of Article 6 now tightens the timeline for reporting breaches of personal data. Service providers are required to notify CITRA within 24 hours of becoming aware of such breaches, reducing the previous allowance of 72 hours.

Additionally, the Regulations replace the definition of 'encryption' with a new one under 'removal and deletion of the data' where it is defined as 'a process or set of processes adopted by the licensee/service provider for the purpose of discontinuing the usage of the client's data for commercial objectives, and not making them available to the public, with the admissibility of its continuation of retaining such data and using them for security objectives, implementing court orders and judgments and financial claims resulting from the subscription contract signed between the beneficiary/user and service provider/licensee only.'

The Regulations define the term 'service provider/licensee' as 'the person licensed to provide one or more communication services to the public or licensed to manage, set up, or operate a communication network or internet service to provide communication service to the public, including the information or content providers by the communication network.'

Furthermore, as outlined in Article 1 of the Regulations, the provisions of the Regulations are applicable to all service providers licensed by CITRA. Specifically, they pertain to persons engaged in the collection, processing, and storage of personal data and user data content, whether in whole or in part. This includes data stored via automated means or any other method, forming part of the data storage system, irrespective of whether processing occurs within or outside Kuwait.

It is important to note that while the Regulations provide comprehensive guidelines for data handling by licensed service providers, certain exceptions apply. Practices related to security inquiries, monitoring violations, or actions conflicting with established laws, decrees, court judgments or financial claims arising from subscription contracts fall outside the purview of these regulations.

In essence, CITRA's Regulations apply exclusively to persons or entities holding licenses to offer communication services to the public, manage communication networks, or provide internet services for public communication, along with information or content providers within these networks. This delineation ensures that CITRA's regulatory oversight is tailored and limited to entities directly involved in the provision and management of communication services.

The National Cybersecurity Center

In alignment with the regulatory framework of CITRA as outlined above, it becomes apparent that entities falling outside the purview of the established Regulations concerning data privacy protection will likely come under the oversight of the newly established National Cybersecurity Center (NCSC).

The NCSC was established under Decree No. 37 of 2022 with the aim of achieving the objectives derived from the National Strategy for Cybersecurity (the Strategy), particularly the following:

  • building an effective national cybersecurity system, developing and organizing it to protect Kuwait from cyber threats, and efficiently and effectively confronting these threats in a way that ensures the sustainability of operations and the preservation of national cybersecurity;
  • protecting vital interests in the electronic space and supervising the development of specialized national capabilities in the field of cybersecurity;
  • enhancing the cybersecurity culture that supports the secure and proper use of the electronic space;
  • protecting and monitoring vital assets, infrastructure, national information, and the information network within Kuwait; and
  • providing methods for cooperation, coordination, and exchange of information among various local and international entities in the field of cybersecurity.

Classification of electronic data under the NCSC

On June 6, 2023, the NCSC took a significant step in safeguarding digital privacy with the issuance of Decision No. 7 of 2023 (the NCSC Decision). This Decision pertains to the implementation of a comprehensive national framework aimed at classifying electronic data based on sensitivity and importance levels, and is applicable to civil, military, and security governmental entities, as well as public and private sector institutions in Kuwait, which are related to the NCSC's scope (the Concerned Entities).

Aligned with CITRA's Decision No. 34 of 2024, which repealed its former Data Classification Policy, the classifications outlined in the NCSC Decision now stand as the authoritative guidelines for data classification within Kuwait.

Notably, the NCSC Decision defines 'electronic data' as data with electronic specifications in the form of texts, codes, voices, videos, graphics, images, computer programs, or databases that are established, received, processed, or stored as an electronic version.

Electronic data under the NCSC can be classified into three categories:

  • sensitive data: The data for which access, viewing, processing, or sharing is restricted to specific individuals or entities. The loss, misuse, unauthorized access, or non-permitted disclosure of this data by any person or entity can lead to severe harm or negative impact on national security, public safety, state economy, or the privacy and health of individuals. It includes potential damage to persons, properties, intellectual property, operations of concerned entities, assets, or their individuals. Additionally, this data might be classified as sensitive according to the applicable laws in Kuwait or the judicial authorities;
  • restricted data: The data for which access, viewing, processing, or sharing is restricted to specific individuals or entities, and is not deemed as sensitive data; or
  • public data: The data that is available to everyone without restrictions and anyone or any entity can access, view, process, or share them freely.

General policy and procedures for classification of electronic data

The comprehensive framework outlined in Articles 4 and 5 of the NCSC Decision addresses the general policy, procedures, and liability considerations governing the classification of electronic data by concerned entities.

Under the general policy, the concerned entities are obliged to:

  • classify electronic data by determining the level of sensitivity and importance of the electronic data based on its nature. Concerned entities must also ratify the classification with the NCSC;
  • classify electronic data according to its nature, level of sensitivity, impact, and importance into different categories and levels;
  • take the necessary measures to issue a policy specifying the classification of their electronic data, which shall include details of the categories of classified electronic data;
  • take the necessary technical and organizational measures to ensure appropriate protection and security for each category of electronic data, according to its classification;
  • obtain approval from the NCSC before storing any sensitive data or processing it outside Kuwait;
  • monitor the classification of data by individuals when created or received from other entities. The classification must be carried out within a limited time frame, and periodic updates of the classification should also be conducted; and
  • provide appropriate training for their employees and personnel regarding the electronic data classification policy.

Regarding liability, the concerned entities must:

  • issue their electronic data classification policy and ratify it with the NCSC. The NCSC is responsible for reviewing and approving the draft policy of electronic data classification for the concerned entities;
  • conduct periodic evaluations of the effectiveness of the electronic data classification policy, ensuring its proper implementation and continuously updating the classification. They should also submit regular reports to the NCSC regarding the results of the implementation and application of their electronic data classification policy;
  • ensure that all employees working for concerned entities are responsible for adhering to the policies and procedures related to the classification of electronic data applicable to their respective organizations; and
  • report any suspicion, violation, or criminal activity related to electronic data to the competent authority within the Concerned Entities, in accordance with the laws, regulations, and rules applicable in Kuwait. Such reporting is essential to maintain the confidentiality, integrity, security, and availability of electronic data.

Final thoughts

In a strategic move to strengthen data protection measures, CITRA's introduction of Decision No. 26 of 2024 and the repeal of its former Data Classification Policy mark a significant step forward in Kuwait's regulatory framework. These proactive measures align with Kuwait's broader vision set out in the New Kuwait 2035 strategy, reflecting a commitment to improving technology security and privacy.

Looking ahead, CITRA's regulatory changes and the establishment of the NCSC each underline Kuwait's commitment to protecting against emerging online threats.

Asad Ahmad, Senior Associate
Salma Farouq, Associate
GLA & Company, Kuwait