Data protection in MENA

Policy brief: What’s wrong with Jordan’s data protection law and how to fix it

Jordan currently has no data protection law. As a consequence, both the government and industry in Jordan have collected and exploited people’s personal data on an industrial scale, with little to no respect for individuals’ privacy. That includes government and U.N. agencies’ use of iris-scanning technologies to collect the biometric data of millions, and internet service providers’ routine exploitation of people’s personal information, often without their knowledge or consent.

Fortunately, Jordan’s parliament is currently discussing passing a new data protection law. However, the draft legislation needs more work to meet global standards. We’ve prepared a new policy brief, How to strengthen Jordan’s data protection law, to guide lawmakers and ensure the law protects Jordanians’ fundamental human rights.

Download the brief

What’s wrong with the bill

The draft bill has been years in the making. The Ministry of Digital Economy and Entrepreneurship (formerly known as the Ministry of Information and Communications Technology) first introduced it in 2014. It has since gone through a number of different iterations. While we welcome movement on the bill, now called the Data Protection Law of 2022, the current draft casts serious doubts about whether the legislation will protect people’s privacy and personal information.

Let’s start with the good news: many provisions are in line with the E.U.’s General Data Protection Regulation (GDPR), a world-leading standard for a digital-age data protection framework. In fact, it adopts basic principles of the GDPR in 15 of its 24 articles.

Yet there are also significant differences from the GDPR, and loopholes that undermine its robustness. Among the weaknesses: the proposed structure for the future data protection authority (DPA), which already raised the alarms of Jordanian civil society during previous debate in 2017. As we explain in our brief, the DPA would be chaired by the ICT minister and include members of Jordan’s security agencies. That undermines the DPA’s independence and autonomy as an oversight body responsible for investigating any violations or complaints. The DPA must have the capacity to deal with complaints free from improper government influence.

What’s next

Now is the time to strengthen the law to protect people’s right to privacy and prevent data exploitation and abuse. In our brief, we explain how the current draft bill meets or departs from global data protection principles and provide recommendations for closing the loopholes and establishing a robust, user-centric and rights-respecting legislation.

In addition to reading our policy brief, we encourage lawmakers to consult our guide on the creation of a comprehensive data protection legislation. It is based on our learnings from Access Now’s work during the negotiations for the GDPR and related global legal frameworks. We are prepared to help lawmakers working on the bill ensure the legislation is robust. If you would like to work together, please reach out to Chérif El Kadhi, MENA Policy Analyst