Data Privacy and Protection Laws in Kuwait
Data collection has rapidly increased among companies to provide personalized services, ascertain trends, enhance customer experience, and formulate business strategies. The widespread collection and processing of data have raised significant concerns about data protection and privacy across the globe. Various countries have established robust laws to address these concerns. In this article, we will discuss Kuwait’s data protection laws, the obligations upon data collectors, the rights of individuals, and the regulatory authorities vested with the regulation and enforcement of data protection in Kuwait.
Overview of Kuwait’s Regulatory Framework for Data Protection
Kuwait does not have standalone legislation specifically governing data protection and privacy. Various laws, regulations, and ministerial policies/circulars govern data protection and privacy in Kuwait.
The Electronic Transactions Law (Law №20/2014)
The Electronic Transactions Law (Law №20 of 2014) and its executive regulations (Decision №48/2014) presently govern the protection of private and public data of electronic records, including signatures, documents, and payments. This law applies to electronic records, documents, and information involved in civil, commercial, or administrative transactions conducted electronically, either fully or partially. The law states that the parties desirous of participating in an electronic transaction must do so through mutual consent.
The law obligates entities, including government authorities, public institutions, private companies, and non-governmental institutions, to secure individuals’ consent when collecting data (including personal data and data related to individuals’ profession, social status, health records, or financial information) and specify the purpose of the data collection. The entities must also ensure that prior consent is obtained to access, disclose, share, or process the collected data.
Under Article 35, the entities are mandated to regularly verify and update the accuracy of the personal data or information stored in their electronic records or processing systems. They must also implement appropriate measures to safeguard the collected data and information stored in their electronic records or processing systems against loss and damage. Further, Article 36 confers on individuals the right to request the deletion or amendment of any of their personal data or information stored by the entities.
Article 33 of the E-Transactions Law grants individuals the right to request access to their data or information stored in the electronic records or processing systems maintained by entities, except for personal data and information that government security bodies keep in their records and electronic processing systems for reasons of national security.
Data Privacy Protection Regulations (DPPR)
The Communication & Information Technology Authority (CITRA) enacted the Data Privacy Protection Regulation, №42 of 2021, in April 2021. This marked an important milestone in Kuwait’s data protection landscape and indicated Kuwait’s efforts to meet international expectations, particularly the General Data Protection Regulation (Regulation (EU) 2016/679).
Initially, the DPPR broadly applied to all service providers in Kuwait’s telecommunications industry and related industries. However, the recent amendment to the DPPR by Resolution №26 of 2024, which replaced the earlier regulations, has narrowed the scope of its applicability. The DPPR now applies to service providers and licensees licensed by CITRA. The amendment defined service provider/licensee as follows: “A person who is licensed to provide one or more communication services to the public or who is licensed to manage, set up, or operate a telecommunications network, or an internet service to provide telecommunications services to the public, including providers of information or content provided via a telecommunication network.”
The DPPR creates data protection obligations for the licensed service providers engaged in the activities of collecting, processing or storing personal data. It applies to the storage, collection, and processing of data performed inside or outside Kuwait.
The key obligations of service providers/licensees under the DPPR are as follows:
The DPPR grants the individual (data subject) the right to modify their data stored with the service provider and the right to withdraw their consent to any form of use of their personal data; upon the request of the data subject, the service provider shall remove and destroy the stored data from their systems.
The DPPR doesn’t apply to the state security authorities that store data for the sole purpose of monitoring and maintaining peace and preventing crime or threats to public security.
Cyber Crime Laws (Law №63/2015)
Law №63/2015 on Combating Cyber Crimes (the Cyber Crimes Law) imposes penalties on anyone who illegally gains access to a computer or system, an electronic data processing system, an automated electronic system, or an information network. Severe penalties are imposed if the illegal access has resulted in the abolition, deletion, damage, destruction, disclosure, alteration, or re-publication of data or information; if the data is personal, the penalties include a jail term of up to three years and a fine of between 3,000 and 10,000 dinars.
Right to Access Information Act (Law №12/2020)
While data privacy legislation such as the E-Transactions Law, the DPPR, and the Cyber Crimes Law focuses on protecting data, the Right to Access Information Act provides natural or legal persons with the right to request their personal data, except for information related to national security or information deemed confidential in the public interest. The right applies to public entities, companies in which the state has more than a 50% stake, and private companies and institutions that maintain information and documents on behalf of these entities.
Chapter IV (Articles 6–11) lays down the procedure for accessing the information stored with the public entities. It states that an application shall be submitted to the entity holding the information in the prescribed form, accompanied by the information mentioned under the law. It prescribes that the concerned entity shall process the application within 10 days from the date of receipt. The processing period can be extended up to 3 months where the data requested is large or requires consultation with another entity.
In the event that the application is rejected or a response is not received within the prescribed period, the applicant has the right to file a complaint with the concerned entity in writing or electronically within 60 days from the date of knowledge of rejection or expiry of the period prescribed for processing the application. The concerned entity shall respond to the complaint with the reasons for rejections within 60 days from the date of receipt.
Key provisions related to data protection and privacy in other laws:
– Article 39 of the Kuwaiti Constitution guarantees the confidentiality of communication through post, telegraph, and telephone.
– Article 6 of the Mail Services Law (Law №1/1970) guarantees the confidentiality of mail correspondence, which shall not be censored or disclosed except as provided under the provisions of this law.
– Under Article 43 of Kuwait Law №39/1980, the Evidence Law, an obligation is imposed on professionals, such as lawyers, doctors, agents, or ‘others’ who acquire information in the course of carrying out their professional duties. These professionals are required to protect and refrain from disclosing personal information even after the end of their service or representative capacity unless the information was provided to them with the intention of committing criminal activity. The category of ‘others’ is broad enough to cover various types of businesses. For example, these obligations extend to information or data acquired or obtained during the course of a commercial relationship with customers or clients.
– In a circular dated 2 December 1986 (the circular), the Central Bank of Kuwait determined that banks fall within the category of “others” under Article 43 of Kuwait Law №39/1980. According to the circular, bank officers and employees are prohibited from disclosing information about their customers or any information about customers of other banks acquired or obtained during the course of their business. A bank can be found vicariously responsible for the actions of its officers and employees who are in violation of this duty of confidentiality.
– Kuwait Law №70/2020 on the Practice of the Medical and Paramedical Professions, the Rights of Patients and Health Facilities, restricts physicians and healthcare workers from disclosing patient information obtained through professional practice or entrusted to them.
Regulatory Authorities Regulating Data Protection in Kuwait:
The regulatory oversight of data protection is vested with the following authorities:
CITRA (established under Law №37/2014) and CAIT (established under Law №266/2006) are vested with the responsibility of regulating data protection in accordance with the E-Transactions Law and the DPPR.
CITRA is responsible for overseeing the telecommunications sector, monitoring and protecting the interests of users and service providers and regulating the services of telecommunication networks in the country. The CITRA Law (Law №37/2014) authorizes CITRA to collect information relevant to the telecommunications and IT sectors and to issue any reports, circulars and guidelines to users. It is also responsible for increasing public awareness regarding issues prevailing in the telecommunications and IT sectors.
The Central Agency for Information Technology (CAIT) in Kuwait plays a pivotal role in advancing the country’s digital transformation and aligning with the Kuwait Vision 2035. CAIT acts as the central authority for information technology in the government sector, aiming to improve efficiency, productivity, and profitability through digital initiatives. CAIT focuses on several key areas, including enhancing IT infrastructure, promoting the use of artificial intelligence (AI), and supporting the transition towards e-government services.
The Electronic and Cyber Crime Combating Department (ECCCD) is a dedicated department established to enforce Kuwait’s cybercrime laws and investigate cyber-related crimes. The ECCCD’s main objective is to protect and preserve national security along with the well-being of its citizens and residents by undertaking measures to enhance cyber security and combat cybercrime.
In conclusion, data protection and privacy laws in Kuwait protect individuals’ personal information by establishing frameworks for data collection, handling, processing, storage and security. The regulations focus on ensuring transparency, consent, and accountability among data controllers and processors. Compliance with these laws not only helps protect individual privacy but also fosters trust and security in the digital environment.