January 28, 2022.  This article is Part 4 in a series of posts providing an overview of some key legal and regulatory developments that happened in the Middle East during 2021 in the field of data protection and privacy.

Part 1 (United Arab Emirates) is accessible here.
Part 2 (Saudi Arabia) is accessible here.
Part 3 (Qatar) is accessible here.


On 28 June 2021, the Communication and Information Technology Regulatory Authority (“CITRA”) of Kuwait posted the Data Privacy Protection Regulation (“DP Regulation”) on its website.  The DP Regulation is rather unusual in comparison to more conventional national level data protection frameworks that have been promulgated in other jurisdictions, even amongst Kuwait’s neighbours in the Middle East.

Firstly, it is noteworthy that the DP Regulation appears to only purport to apply to so-called public or private sector “Communications and Information Technology Service Providers (Service Providers),” as opposed to a more generic, non-sector-specific classification of a data controller or processer generally.  A Service Provider is defined as “[a] natural or legal person who provides communications and information technology services in Kuwait and who provides, manages, establishes, creates a public communications network, operates a website, smart application or cloud computing services, collects or processes personal data or directs another party that collects and processes personal data on its behalf through information centers that they own or use directly or indirectly.

Moreover, the provision of the DP Regulation that establishes its scope of application even further narrows this by stating that it applies to all Service Providers “[…] who collect, process and store personal data and user related content in whole or in part, either permanently or temporarily using automated means or any other means that are part of a data storage system, whether processed inside or outside the State of Kuwait when it relates to processing activities linked to transmission of advertising or marketing material or monitoring the behaviours and tendencies of data owners.”  As such, the DP Regulation seems to only capture processing activities related to “advertising or marketing materials or monitoring the behaviours” of so-called “data owners,” which are defined in a separate Data Classification Policy instrument (“DC Policy”) as including individuals, government entities, or private companies that “own certain data” and have authority to process it.

Some additional highlights of the DP Regulation are as follows:

  • Anyone that seeks to enter into a contract with a Service Provider must classify the data at issue for security purposes in accordance with the provisions of the DC Policy.
  • All processing must be lawful and legitimate, which may be substantiated by consent of the data owner (which may be withdrawn), necessity (e., legal obligation or protection of lawful interests), or if the processing activities do not result in identification of the data owner.
  • Generally recognized principles of data protection are to be adhered to by Service Providers (g., clear and accessible privacy notices; transparent processing obligations; implementation of adequate security measures to safeguard against unauthorized disclosures or loss; purpose limitation; and data owner rights of access, rectification, and objection).
  • In the event of a data breach, and where such breach would “cause harm to a large number of users,” notifications should be issued to CITRA, the “end users” of the Service Provider, and law enforcement agencies within no more than 24 hours of the Service Provider becoming aware of the breach. Standard breach notifications are required to be sent within no more than 72 hours to both CITRA and the impacted data owner (where certain exemptions may apply that would not require data owner notification).
  • Certain encryption standards may be prescribed by CITRA, taking into account the classification of the data according to the DC Policy, which may also issue business continuity, disaster recovery, and risk management rules.
  • Service Providers are required to maintain records of processing activities, which must include contact details of the Service Provider (or local representative if based outside Kuwait) and the data protection officer, processing purposes, data categories, records of transfers outside of Kuwait, and general description of security measures implemented.
  • Additional requirements imposed on Service Providers include employee training, development of internal processing policies, implementation of systems to receive data owner complaints and/or access, correction and deletion requests, and conducting comprehensive data audits and compliance reviews.

Lastly, the DP Regulation also includes a rather unique (by regional comparative standards) provision that affords the Service Providers immunity from “civil, administrative or criminal liability” where user content on their systems is found to violate third party intellectual property rights (unless the Service Provider was aware of such violating content and failed to remove it).  This is commonly referred to in an ICT service provider context as a “safe harbour” provision (confusingly, given the nature of the framework, not to be confused with “safe harbour” principles pertaining to cross-jurisdictional data transfers).

Penalties imposed for violations of the DP Regulation may include potential terms of imprisonment (up to 5 years) and monetary fines not exceeding KWD 1,000,000 (approximately USD $3,306,000).  Service Providers are expected to be compliant with the DP Regulation within one year following its publication, so this should be a high priority activity for organizations falling under its purview early in the new year.