Brief Note on New Data Protection Regulation Introduced by Kuwaiti Regulator

The Kuwaiti Communications and Information Technology Regulatory Authority (CITRA) has issued a significant regulatory update by publishing Data Protection Regulation No. 26/2024, which supersedes the previous regulation, No. 42/2021. This new regulation places a strong emphasis on safeguarding the personal data collected by telecommunications companies and information technology service providers operating within Kuwait. It underscores the principles of transparency, informed consent, and purpose limitation about data collection and processing activities. The regulation will have implications for all service providers licensed by CITRA, regardless of the geographic locations where data processing takes place. Notably, the regulation mandates that service providers promptly notify CITRA of any data breaches and implement stringent security measures to protect personal information.

Key Features and Obligations

1. Transparency: Service providers are obligated to communicate terms and conditions in clear language, using both English and Arabic, and inform users about the processes for requesting modifications or deletions of their data.

2. Informed Consent: Explicit consent must be obtained from users before any personal data is collected, with full disclosure of the conditions and obligations associated with data processing.

3. Purpose Limitation: A clear and specific explanation of the purpose for which personal data is being collected must be provided, emphasizing the necessity of such data for the provision of services.

4. Data Breach Notification: Service providers are required to report any data breaches to CITRA within 24 hours, adhering to specific protocols designed to minimize the consequences of such incidents.

5. Security Measures: Appropriate security measures, including encryption, must be implemented by service providers by their respective data classification policies to ensure the protection of personal information.

6. Retention Limitation: Personal data must be deleted upon termination of the service contract, with exceptions permitted for purposes of security, compliance with judicial rulings, and financial claim resolution.


Concurrently, CITRA has repealed the Data Classification Policy (2021). Service providers are encouraged to engage with CITRA to clarify the objectives of this approach and address potential concerns, such as inconsistencies among service providers, enforcement challenges, and the possibility of inadequate data protection levels.


The implementation of Resolution No. 26/2024 represents a positive step towards strengthening data privacy protections for users in Kuwait. By establishing clear guidelines and enforcing strict data breach notification protocols, CITRA aims to create a more secure environment for users while fostering continued growth and development in the information and communications technology sector.