Kuwait

Summary

Kuwait presents medium-high risk for web crawling with notable complexity in its data protection framework. The Cybercrime Law (Law 63/2015) criminalises unauthorised access to computer systems, data processing systems, and networks, with penalties up to 6 months' imprisonment and KWD 2,000 for basic access violations, escalating to 3 years and KWD 10,000 where personal data is deleted, altered, or disclosed. Kuwait's data privacy landscape is fragmented: the CITRA Data Privacy Protection Regulation (Decision 42/2021, narrowed by Decision 26/2024) applies only to CITRA-licensed telecom and IT service providers. The Electronic Transactions Law (Law 20/2014) and its executive regulations impose consent and purpose-specification duties for personal data held in electronic systems, but its scope and practical enforcement against commercial scrapers is uncertain. A comprehensive cross-sector personal data protection law applicable to all industries is not yet in force as of this record. Kuwait's copyright law protects databases under a compilation- originality standard; no EU-style sui generis database right exists, and there is no TDM exception. No scraping-specific case law is publicly available. Kuwait remains the GCC outlier without a full cross-sector PDPL.