Data protection & privacy laws in Kuwait (2026)

Decision No. 26 of 2024, effective 19 February 2024, supersedes the earlier DPPR No. 42/2021. It mandates explicit user consent before data collection, purpose limitation, data minimization, breach notification to CITRA and affected users (within 24 hours), and security measures including encryption and disaster recovery — but applies exclusively to CITRA-licensed telecom and internet service providers.

A key feature of the 2024 revision is the explicit narrowing of the DPPR's scope to entities licensed by CITRA (telecommunications operators, ISPs). General commercial businesses, healthcare providers, and financial institutions are not covered by the DPPR; no economy-wide data protection statute fills that gap.

Governs privacy and data protection of electronic records held by public and private entities conducting civil, commercial, or administrative transactions. Requires consent and purpose specification for access/disclosure of personal data and imposes accuracy and safeguard duties, but is not a dedicated data protection statute.

Criminalises unauthorised access, alteration, disclosure, and destruction of personal or governmental data, with escalating penalties based on the sensitivity of the systems and data affected. Provides a criminal-law backstop but does not establish data subject rights or a proactive protection regime.

Under the DPPR, users have rights to access information about their personal data, request rectification or deletion, and withdraw consent. Licensees must facilitate these requests and may not retain data beyond the stated purpose or after consent withdrawal.

As of mid-2026, Kuwait has no enacted omnibus personal data protection law applicable across all sectors. Legal commentary (Chambers 2026, DLA Piper) notes the expectation of broader future regulation, but no parliamentary bill has been enacted. The current framework leaves significant sectors (finance, healthcare, retail) without a dedicated statutory data protection regime.