Despite the fact that the Regulation is limited in application to Telecommunication Services Providers ('TSPs') (as defined below) and related industry sectors, it has much wider implications and is seen as a step closer to international expectations, particularly the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Regulation sets out detailed guidelines for the collection, storage, processing, and transfer of data by private sector and public sector TSPs. The most interesting part of the Regulation is the wider ambit of the definition of TSPs, which ranges from traditional telecommunications service providers to anyone who operates a "website, smart application or cloud computing service, collects or processes personal data or directs another party to do so on its behalf through information centres owned or used by them directly or indirectly".

Exclusions to the obligations under the Regulation are for the collection and processing of private personal or family data by an individual; or for security agencies for the purposes of controlling crimes and implementing state security measures.

Prior to the provision of service, the Regulation requires TSPs to:

• provide all the information about the services to be provided and the terms of service in easy language both in English and Arabic;
• clarify the purpose for the collection, and the method for the use of such data to the requester of service; and
• obtain consent of the requester of service for the collection and processing of data and their knowledge and acceptance of all conditions, obligations, and provisions for data collection and processing.

During the provision of the service, the Regulation requires TSPs to, inter alia:

• maintain transparency throughout the entire process of the collection and processing of the data;
• determine the purpose for the collection and retention of the data;
• determine the entities with whom the data may be disclosed;
• employ security mechanisms to ensure protection of data;
• use the data only for the relevant purpose;
• destroy personal data upon completion of the contractual term;
• delete the data if user withdraws consent, data is not required, or end user is not subscribed to the service;
• create and maintain a written privacy policy; and
• employ trained personnel for collection and processing of data.

The Regulation clearly indicates that users have a right to withdraw their consent and, consequently, the service provider must delete/destroy the information provided by the user. While the Regulation does not go further on the rights of the data subject, in our view, if the service provider fails to honour the request to delete/destroy the data, it may amount to a breach of obligations by the service provider.

We recommend that all the companies which are/may be classified as a service provider and need to collect, process, and/or transfer the data of their customers must ensure that they maintain a robust data privacy policy and mechanism to ensure that the data is protected and processed in compliance with the Regulation.

Further, subject to some exceptions, the Regulation requires TSPs to notify CITRA within 24 hours if the data has been incorrectly disclosed to or accessed by a third party which might cause harm to a large number of users; or within 72 hours for a general breach of personal data.

CITRA personnel have been authorised to visit the premises of TSPs with prior notice to inspect the security measures in place and to issue instructions to enhance those if needed.

The Regulation absolves TSPs from civil, criminal, or administrative liability for violating content that has been uploaded on the service provider's system, unless they were aware and did not take appropriate action.

The Regulation requires TSPs to ensure that they are compliant within one year from the date of its issuance, being 1 April 2021. The Regulation does not provide specific penalties for breaches of prescribed obligations but instead it prescribes to impose penalties and fines, as per the Executive Regulations of Law No. 37 of 2014 regulating the establishment of the Communication and Information Technology Regulatory Authority, which lay down a range of punishments including imprisonment for a term from one to five years and a fine ranging from KWD 500 (approx. €1,460) to KWD 20,000 (approx. €58,560), or a combination thereof.

The Regulation marks an important step towards recognising the importance that has been given to personal data so far in Kuwait's legal scene. It has been regarded as bringing a wide range of entities/sectors who are technically not TSPs, to the extent that they are related to the field of telecommunication services, but simply own a website, an application, or provide cloud computing services etc., for which they collect data in some way from their users/customers. This very well might mean that CITRA will become a partial regulator of many other businesses which have an online presence with customer interface. However, it is still to be seen as to how CITRA implements it as the Regulation seems to have fallen short of providing a mechanism or appointing specific personnel to ensure its implementation. Nevertheless, it is still early to comment on its efficacy as the TSPs have one year from its publication on 1 April 2021 to implement it.

It is expected that CITRA will issue an amendment to the Regulation to cover the missing elements and make it more impactful. We recommend that companies regularly monitor the Kuwaiti legislative landscape while remaining compliant with the Regulation in the meantime.  

Ahmed Syed Senior Consultant
[email protected]
International Legal Group Kuwait, Kuwait City