Data Privacy & Digital Rights

Kuwait's first Personal Data Protection law is CITRA Resolution 26/2024 (effective 19 February 2024). Cybercrime Law 63/2015 covers NCII and online harassment.

Covered in this guide:

Removing Non-Consensual Intimate Imagery (NCII)
Your Rights Under CITRA Resolution 26/2024 (Kuwait PDP)
Cyberstalking and Online Harassment in Kuwait

Kuwait's data-protection era began on 19 February 2024, when CITRA Resolution 26 of 2024 — the Personal Data Protection Regulation entered force. It is Kuwait's first dedicated PDP legislation. Service providers had a 1-year grace period to reconcile with the Regulation. Regulator: CITRA (Communications and Information Technology Regulatory Authority).

For NCII, the criminal framework is the Cybercrime Law 63/2015, with content / image offences carrying significant penalties. Investigation: MOI Cyber Crimes Department. Victims should also use StopNCII.org (18+) or takeitdown.ncmec.org (under-18) — both free.

Key Laws

CITRA Resolution 26/2024 — Personal Data Protection Regulation

CITRA Resolution 26/2024 — effective 19 February 2024

Kuwait's first dedicated PDP legislation. Applies to CITRA-licensed service providers (banks, telcos, e-commerce, healthcare, government). Explicit consent, data-subject rights, 24-hour breach notification to CITRA. 1-year grace period from publication for providers to come into compliance.

Cybercrime Law (Law No. 63 of 2015)

Law 63/2015 — effective 12 January 2016

Article 7 up to 10 years for serious offences; defamation / insulting religious beliefs up to 3 years and KD 3,000. Enforcement: MOI Cyber Crimes Department.

Key Laws

CITRA Resolution 26/2024 — Personal Data Protection Regulation

Cybercrime Law (Law No. 63 of 2015)

Removing Non-Consensual Intimate Imagery (NCII)

Your Rights Under CITRA Resolution 26/2024 (Kuwait PDP)

Cyberstalking and Online Harassment in Kuwait