Access Alert: Kuwaiti regulator introduces new data protection regulation

In a significant move, the Kuwaiti Communications and Information Technology Regulatory Authority (CITRA) has published Data Protection Regulation No. 26/2024, replacing the previous regulation, No. 42/2021. With a focus on safeguarding personal data collected by telcos and IT service providers, the regulation emphasises transparency, informed consent, and purpose limitation for data collection and processing. It will impact all CITRA-licensed service providers, irrespective of data processing locations. Notably, service providers must promptly notify CITRA of any data breaches and implement stringent security measures.

Key Features & Obligations

1. Transparency: Service providers are mandated to communicate terms in clear language (English and Arabic) and inform users about data modification or deletion request processes.
2. Informed Consent: Explicit user consent is required before data collection, with full disclosure of conditions and obligations.
3. Purpose Limitation: A clear explanation of the purpose of data collection is required, emphasising the necessity for service provision.
4. Data Breach Notification: There is an obligation to report data breaches to CITRA within 24 hours, with specific protocols to minimise consequences.
5. Security Measures: Service providers must ensure appropriate security measures, encryption, and adherence to their respective data classification policies.
6. Retention Limitation: Personal data must be deleted post-contract termination, with exceptions for security, judicial rulings, and financial claims.

Concerns

In tandem, CITRA repealed the Data Classification Policy (2021). Service providers are encouraged to engage with CITRA to clarify the objectives of this approach and how it will safeguard against issues such as inconsistencies among service providers, enforcement challenges, and potential inadequate data protection levels.

Conclusion

The implementation of Resolution No. 26/2024 marks a positive step towards strengthening data privacy protections for users in Kuwait. By establishing clear guidelines and enforcing strict data breach notification protocols, CITRA aims to create a more secure environment for users while fostering continued growth in the ICT sector.

Access Partnership is closely monitoring regulatory developments both in Kuwait and across the GCC. If you would like to understand more about Kuwait’s position on data governance or need support with engaging the regulator, please contact Dana Ramadan at [email protected] or Nada Ihab at [email protected].