Access Alert: Kuwaiti regulator introduces new data protection regulation

Access Alert: Kuwaiti regulator introduces new data protection regulation

In a significant move, the Kuwaiti Communications and Information Technology Regulatory Authority (CITRA) has published Data Protection Regulation No. 26/2024, replacing the previous regulation, No. 42/2021. With a focus on safeguarding personal data collected by telcos and IT service providers, the regulation emphasises transparency, informed consent, and purpose limitation for data collection and processing. It will impact all CITRA-licensed service providers, irrespective of data processing locations. Notably, service providers must promptly notify CITRA of any data breaches and implement stringent security measures.

Key Features & Obligations

  1. Transparency: Service providers are mandated to communicate terms in clear language (English and Arabic) and inform users about data modification or deletion request processes.
  2. Informed Consent: Explicit user consent is required before data collection, with full disclosure of conditions and obligations.
  3. Purpose Limitation: A clear explanation of the purpose of data collection is required, emphasising the necessity for service provision.
  4. Data Breach Notification: There is an obligation to report data breaches to CITRA within 24 hours, with specific protocols to minimise consequences.
  5. Security Measures: Service providers must ensure appropriate security measures, encryption, and adherence to their respective data classification policies.
  6. Retention Limitation: Personal data must be deleted post-contract termination, with exceptions for security, judicial rulings, and financial claims.

Concerns

In tandem, CITRA repealed the Data Classification Policy (2021). Service providers are encouraged to engage with CITRA to clarify the objectives of this approach and how it will safeguard against issues such as inconsistencies among service providers, enforcement challenges, and potential inadequate data protection levels.

Conclusion

The implementation of Resolution No. 26/2024 marks a positive step towards strengthening data privacy protections for users in Kuwait. By establishing clear guidelines and enforcing strict data breach notification protocols, CITRA aims to create a more secure environment for users while fostering continued growth in the ICT sector.

Access Partnership is closely monitoring regulatory developments both in Kuwait and across the GCC. If you would like to understand more about Kuwait’s position on data governance or need support with engaging the regulator, please contact Dana Ramadan at [email protected] or Nada Ihab at [email protected].

Related Articles

Access Alert: Maximising opportunities for the tech industry in a new era of EU competitiveness

Access Alert: Maximising opportunities for the tech industry in a new era of EU competitiveness

The Draghi report, published on 9 September 2024, presents a strategic roadmap for Europe to regain its global competitiveness. It...

11 Sep 2024 Opinion
旅客輸送サービスの現状調査:人口減少下の課題と展望

旅客輸送サービスの現状調査:人口減少下の課題と展望

Read the content in English 著者: Abhineet Kaul (Access Partnership), Swee Cheng Wei (Access Partnership), Chailyn Ong (Access Partnership) アドバイザー:...

30 Aug 2024 General
Passenger Transportation in Japan: Challenges and outlook with ongoing societal changes in less connected areas

Passenger Transportation in Japan: Challenges and outlook with ongoing societal changes in less connected areas

投稿を日本語で読む Authors: Abhineet Kaul (Access Partnership), Swee Cheng Wei (Access Partnership), Chailyn Ong (Access Partnership) Advisors: Dr. Tomoaki Watanabe (GLOCOM),...

30 Aug 2024 General
Access Alert: Update on Mexico’s Regulatory Reforms: What You Need to Know

Access Alert: Update on Mexico’s Regulatory Reforms: What You Need to Know

In recent developments, Mexico is moving forward with a constitutional reform aimed at dissolving several key autonomous agencies, including the...

28 Aug 2024 General