This issue is filled with great insights and expert commentary on areas that are relevant to the legal landscape and highlight how the business community is embracing technology, media and telecommunications. There are various topics covered, from new ways of working and digital transformation in the finance sector to data protection regulatory updates and guidance. We also have a series of articles that focus on e-commerce across a number of jurisdictions.
You will also find insights from our lawyers around real estate analytics, tech trends, and data centres.
We hope this edition of Law Update provides some useful food for thought – enjoy the read!Take a read of the edition
Hakam Al Shawwa
The entrenchment of the quaternary business sector, comprising online services and platforms, into everyday professional transactions and social interactions, has rendered essential the placement of protective checks and measures to preserve the security, privacy and confidentiality privileges of online platform users. Naturally, the use of online services requires the submission of personal, sometimes sensitive data on users, or data subjects, to be controlled and processed by service providers and/or third parties. National, regional and international data protection frameworks have been developed in consideration of the aforementioned; perhaps most notably, the General Data Protection Regulation (‘GDPR’) has been legislated and enforced across all European Union (‘EU’) member states to, inter alia, (i) regulate the “free movement of personal data”, and (ii) protect the “fundamental rights and freedoms” of data subjects.
With the GDPR’s enforcement and the compliance therewith by a vast majority of international online service providers, growing economies increasingly turn attention to regulating their data protection legal frameworks for the avoidance of data subject exploitation and to uphold best practice standards relating to data protection. In light of these developments, the Jordanian government has proposed in 2019 a draft data protection law (‘Draft DPL’) currently pending ratification by the Jordanian Parliament for enactment. This Article aims to provide an overview of the current data protection framework in Jordan, to the extent of its existence, and discuss and demonstrate the substance of the Draft DPL and its potential impact on data protection in Jordan.
Data protection is not regulated in Jordan under a specific law for that purpose. Due to the lack of such law, there is no clear definition for what constitutes private information, and no regulatory body dedicated to overseeing and governing data protection. However, multiple laws and regulations in Jordan, drafted for different purposes, stipulate provisions on data protection pertaining to their respective scopes. By way of demonstration, the following are examples of broad data protection safeguards in Jordan:
In consideration of the lack of a generic Jordanian data protection legislation, the Jordanian government has proposed the Draft DPL to regulate data protection in the context of online services and platforms.
The Draft DPL applies with respect to any personal data “dealings”, relating to individuals located in Jordan, even if the dealings are conducted outside of Jordan. Importantly, the Draft DPL establishes the Data Protection Council, an unprecedented body of authority in Jordan, the functions of which include, but are not limited to:
Additionally, the Draft DPL establishes the Data Protection Unit, which assists on the oversight of data protection in Jordan and is authorised to take action against breaches thereof. The Data Protection Unit also delivers proposed policies, strategies, plans, programmes, and recommendations on legislations relevant to the data protection sector. Generally speaking, the Draft DPL places the Data Protection Council in a supervisory position whereby it receives, examines and issues decisions on draft policies, strategies and legislations submitted by the Data Protection Unit.
Further to introducing unprecedented bodies of authority to regulate data protection in Jordan, the Draft DPL imposes conditions and restrictions on the collection of personal data, accounting for legitimate interest for purposes of collection, relevance of data collected, anonymisation of such data, and other grounds to which data collection is limited. Additional conditions and restrictions are applied to sensitive personal data, and accountabilities and obligations, including notification obligations, are set forth against data controllers in relation to data breaches.
The Draft DPL places in favour of data subjects rights in relation to controlling their personal data, including rights to consent to the collection and processing thereof, withdraw any consent, request the deletion of data collected on them, and be notified in case of breach of their personal data. Furthermore, controls on data transfer, both local and overseas, are set forth under the Draft DPL in order to ensure that sufficient security measures surround collected data, notwithstanding the location of storage.
Current Jordanian legislations provide limited protection over personal data in a manner specific to certain sectors and non-inclusive of the vast majority of current online platforms and services. Indeed, there is an increasingly noticeable gap forming between the technologies available to Jordanian consumers via online media, and the protections set in place to regulate them. Hence, attention has been drawn to the Draft DPL and its enactment. The Draft DPL is expected to come into force later this year, and remains subject to amendment prior thereto. In consideration of continuous development across other international data protection frameworks, potential remains for progressive reform of the Draft DPL prior to its enactment to offer a more comprehensive framework.
Al Tamimi & Company’s Banking and Finance team regularly advises on financial agreements and transactions. For further information please contact Hakam Al Shawwa.