Acknowledging the importance of data governance in today’s digital age, Kuwait’s Communication and Information Technology Regulatory Authority (CITRA) has recently drafted Kuwait’s first comprehensive data privacy protection regulation, applicable to both public and private sector entities processing personal data of Kuwaiti citizens and domestic and overseas residents of Kuwait.
CITRA’s new regulatory framework plans to develop a robust ICT industry that will serve as a foundation for the New Kuwait 2035 vision. (Kuwait’s Data Classification Policy is only available in Arabic)
The authority of the new regulation will encompass all service providers who provide communication and information technology in the State of Kuwait, especially services that rely heavily on transborder transfer of data such as public telecommunications networks, website operators, digital applications, or cloud computing services, reads a public policy firm article on the topic.
The article further points out that while conducting these services, providers must comply with the following conditions:
a) provide users with user-friendly access to their data policies and protections
b) maintain a clear purpose for data collection (purpose limitation) and how the data will be used
c) an obligation to legally protect the data
d) ensure appropriate processing and encryption of personal data.
In terms of the rights afforded to data subjects, individuals will be able to:
a) withdraw consent
b) request data access, rectification and deletion
c) receive a notification from a service provider if they intend to transfer any personal data beyond the borders of Kuwait (which will be in accordance with a Data Classification policy issued by CITRA).
The article advises that the outcomes of the regulatory text could have a “significant impact on existing tech companies operating in the country. Therefore, early engagement with the CITRA is highly recommended at this stage.”