Data Protection in Jordan: An Overview of the Current and Future Framework

Introduction

The entrenchment of the quaternary business sector, comprising online services and platforms, into everyday professional transactions and social interactions, has rendered essential the placement of protective checks and measures to preserve the security, privacy and confidentiality privileges of online platform users. Naturally, the use of online services requires the submission of personal, sometimes sensitive data on users, or data subjects, to be controlled and processed by service providers and/or third parties. National, regional and international data protection frameworks have been developed in consideration of the aforementioned; perhaps most notably, the General Data Protection Regulation (‘GDPR’) has been legislated and enforced across all European Union (‘EU’) member states to, inter alia, (i) regulate the “free movement of personal data”, and (ii) protect the “fundamental rights and freedoms” of data subjects.

With the GDPR’s enforcement and the compliance therewith by a vast majority of international online service providers, growing economies increasingly turn attention to regulating their data protection legal frameworks for the avoidance of data subject exploitation and to uphold best practice standards relating to data protection. In light of these developments, the Jordanian government has proposed in 2019 a draft data protection law (‘Draft DPL’) currently pending ratification by the Jordanian Parliament for enactment. This Article aims to provide an overview of the current data protection framework in Jordan, to the extent of its existence, and discuss and demonstrate the substance of the Draft DPL and its potential impact on data protection in Jordan.

An Overview of the Current Data Protection Framework in Jordan

Data protection is not regulated in Jordan under a specific law for that purpose. Due to the lack of such law, there is no clear definition for what constitutes private information, and no regulatory body dedicated to overseeing and governing data protection. However, multiple laws and regulations in Jordan, drafted for different purposes, stipulate provisions on data protection pertaining to their respective scopes. By way of demonstration, the following are examples of broad data protection safeguards in Jordan:

• The Telecommunications Law No. (13) of 1995 and its Amendments (‘Telecommunications Law’) regulates the telecommunications sector in Jordan and imposes confidentiality requirements against telephone calls and private communications, but does not regulate online platform providers.
• The Cybercrime Law No. (27) of 2015 (‘Cybercrime Law’) generally acts to criminalise unlawful access to websites or information systems such as access without authorisation, permission or in a manner that breaches the said authorisation or permission. Provisions under the Cybercrime Law as such regulate unlawful access to data, but do not govern the lawful collection and processing of data by data controllers and/or third parties authorised thereby.
• Multiple legislations regulating the Jordanian banking system exist to preserve the confidentiality of client data and ensure that sufficient security checks are in place in that respect. These include the Banking Law No. (28) of 2000 (‘Banking Law’) and the Electronic Payment and Transfer of Money Regulation No. (111) of 2017 (‘Electronic Money Regulation’), pursuant to which disclosures on client transactions and information are highly restricted and made subject to rigorous requirements. The Cloud Computing Guidelines of 2018 also apply to regulate the use and integration of Cloud Consumers in the financial sector, defined as parties requesting and using resources and services offered via cloud technology. Although comprehensive in nature, these legislations are limited to the financial sector and do not constitute a data protection framework per se.

In consideration of the lack of a generic Jordanian data protection legislation, the Jordanian government has proposed the Draft DPL to regulate data protection in the context of online services and platforms.

The Draft DPL

The Draft DPL applies with respect to any personal data “dealings”, relating to individuals located in Jordan, even if the dealings are conducted outside of Jordan. Importantly, the Draft DPL establishes the Data Protection Council, an unprecedented body of authority in Jordan, the functions of which include, but are not limited to:

• Drafting and admitting policies and strategies in relation to data protection.
• Issuing instructions demonstrating the mechanism for processing, and acting on complaints and applications submitted by data subjects against data controllers, or submitted by data controllers in relation to third parties.
• Issuing recommendations in relation to treaties, agreements, legislations, regulations and instructions on data protection.
• Issuing instructions setting forth the conditions and procedures regulating consent and the withdrawal thereof, in addition to forms for consent and the withdrawal thereof, and permits for the transfer and exchange of data within and outside Jordan.

Additionally, the Draft DPL establishes the Data Protection Unit, which assists on the oversight of data protection in Jordan and is authorised to take action against breaches thereof. The Data Protection Unit also delivers proposed policies, strategies, plans, programmes, and recommendations on legislations relevant to the data protection sector. Generally speaking, the Draft DPL places the Data Protection Council in a supervisory position whereby it receives, examines and issues decisions on draft policies, strategies and legislations submitted by the Data Protection Unit.

Further to introducing unprecedented bodies of authority to regulate data protection in Jordan, the Draft DPL imposes conditions and restrictions on the collection of personal data, accounting for legitimate interest for purposes of collection, relevance of data collected, anonymisation of such data, and other grounds to which data collection is limited. Additional conditions and restrictions are applied to sensitive personal data, and accountabilities and obligations, including notification obligations, are set forth against data controllers in relation to data breaches.

The Draft DPL places in favour of data subjects rights in relation to controlling their personal data, including rights to consent to the collection and processing thereof, withdraw any consent, request the deletion of data collected on them, and be notified in case of breach of their personal data. Furthermore, controls on data transfer, both local and overseas, are set forth under the Draft DPL in order to ensure that sufficient security measures surround collected data, notwithstanding the location of storage.

Summary and Concluding Remarks

Current Jordanian legislations provide limited protection over personal data in a manner specific to certain sectors and non-inclusive of the vast majority of current online platforms and services. Indeed, there is an increasingly noticeable gap forming between the technologies available to Jordanian consumers via online media, and the protections set in place to regulate them. Hence, attention has been drawn to the Draft DPL and its enactment. The Draft DPL is expected to come into force later this year, and remains subject to amendment prior thereto. In consideration of continuous development across other international data protection frameworks, potential remains for progressive reform of the Draft DPL prior to its enactment to offer a more comprehensive framework.

Al Tamimi & Company’s Banking and Finance team regularly advises on financial agreements and transactions. For further information please contact Hakam Al Shawwa.