The article was first published by SMEX on February 16, 2022. An edited version is published as part of an agreement with Global Voices.
As Jordan moves towards new legislations that will culminate in laws that enshrine digital security, questions are being asked about whether the Personal Data Protection Law will really see the light, and, more importantly, whether it be implemented independently.
On December 30, 2021, the Jordanian Council of Ministers approved the 2021 Personal Data Protection Draft Law, which has been under deliberation since 2013, and submitted it to the House of Representatives. The latter then referred it to the Parliamentary Economic and Investment Committee on January 24, as a matter of urgency, to carry out the necessary constitutional deliberations. The draft law aims to establish a legal framework that strikes a balance between the individual rights to personal data protection mechanisms on one hand, and information processing and cyberspace storage mandates on the other.
“The draft law aims to establish regulatory frameworks on the storage, processing, and circulation of data within a clear set of limitations and obligations securing the trust needed to engage in the digital economy and encourage e-commerce and e-services in the Kingdom,” the director of policies and strategies at the Ministry of Digital Economy and Entrepreneurship, Engineer Tawfiq Abu Baker, told SMEX.
A controversial oversight committee
The draft law has raised several concerns, specifically regarding the proposed structure and establishment of the data protection authority. Article 4 of the proposed bill stipulates that the data protection committee shall be chaired by the Minister of Digital Economy and Entrepreneurship, which denies the committee — a supposedly supervisory body — its much needed independence.
In an interview with SMEX, Executive Director of the Jordan Open-Source Association (JOSA) Issa Mahasneh warned that “the proposed structure indicates a clear conflict of interest. The executive authority is represented by the Ministry and members of the security services within the committee. As the most prominent collectors of information, these entities will not only effectively organize and manage the protection of data but will also be processing it.”
Mahasneh further asks:
Can the data protection committee under the currently proposed structure investigate complaints related to privacy violations if, for example, the perpetrators fall under the executive authority?
At the same time, expert on media legislation and digital rights and freedoms Dr. Nahla Al-Momani told SMEX: “There are attempts to bring more diversity into the authority and promote its independence.” She evoked best practices for appointing the head of the committee, including “holding deliberations and appointing a chair through a vote, all while striking a balance within the committee by involving civil society, the government, experts, and independent institutions.”
But will the government implement best practices? Engineer Tawfiq Abu Baker confirmed that the government is “aware of best practices for data organization.”
Abu Baker attributed the authority’s lack of independence to “limited financial resources and the Jordanian parliament’s plan to integrate authorities and ministries.”
As such, the Directorate for the Protection of Personal Data, established by the Ministry of Digital Economy and Entrepreneurship, will handle legislation pertaining to data protection and will receive reports and complaints related to the violation of legal provision. He added that the directorate will “draft regulations and observe the level of maturity in the data sector.”
Contentious clauses in the legal text
In addition to the dilemma surrounding the data processing authority, the wording of the draft law remains contentious as it uses broad and generic language. For example, Article 15 on exceptions not only allows the processing of personal data without the express and documented consent of the concerned person, but also authorizes access to the information for several bodies, such as the “judiciary” and the “prosecutor.”
These loopholes “pave the way for illegal data processing without the consent of the person concerned and grant several entities access to this information. It is a violation of fundamental rights and undermines the spirit and purpose of the law, and it deprives citizens of their right to be forgotten if they wish to,” according to Al-Momani.
Abu Baker argued that sometimes “concerned institutions” might need to access personal data and not have time to wait for permission, something the law refers to in many of its articles, saying that sometimes “a competent public authority” needs access to implement “tasks mandated by law,” for or medical or crime-related purposes.
Article 16 of the law enshrines the concerned person’s right to object to processing decisions that may have a financial or moral impact on them, and the processing party must thus respond to their request. According to Article 17, the said party must also inform the person whose data it wishes to process, in writing or electronically, before initiating the process. It must also specify the period throughout which the personal data will be processed, and provide that this duration is not extended without the concerned person’s consent.
More personal agency over data
The 2021 Personal Data Protection Draft Law is addressed to all agencies, institutions, companies, and parties that collect electronic or non-electronic files or records or personal data, whether inside or outside the Kingdom. Every natural person has the right to protect their data, which may not be collected, processed, disclosed, divulged, or circulated without the concerned person’s prior consent. The provisions of this law apply to data that is collected or processed before it enters into force.
“The law offers one strong advantage, and that is the need to secure citizens’ prior consent before using their data,” said Al-Momani. Article 8 stresses that the consent should be “explicit and in writing and shall be granted for a specified time and purpose. The law also stipulates that citizens should be informed in advance of their data’s fate and reasons for collection. It also criminalizes the processing of data for reasons other than the purpose intended.
In Article 20, the draft law also guarantees citizens the right to be forgotten and remain anonymous, and allows anyone to access, view, or erase their personal data, and demand that it be amended in the event of misinformation or inconsistency with their directives or their religious, political, or other affiliations. More importantly, the law also criminalizes refraining from deleting the stored data after a citizen’s request, Al-Momani confirmed.
According to Abu Baker, the law covers all personal data relating to a natural person, which will aid in their direct or indirect identification, irrespective of its source or form. This includes data associated with the individual person or to their familial status or whereabouts, in addition to sensitive information that directly or indirectly reveals their origin, race, opinions, political affiliations, or religious beliefs. The law also addresses data pertaining to financial status, health, physical, mental or genetic condition, biometric fingerprints, criminal record, or any information or data that the council deems sensitive if its disclosure or misuse would cause harm to the person concerned.
“Data protection is a pressing need, not a luxury,” stressed Mahasneh. He called for addressing specific aspects left out by the draft law, particularly in light of the government’s efforts to digitize services and paperwork and shift to a smart national identity system, including each citizen’s biometric data. The smart identity project includes biometric identifiers such as the “iris identifier and fingerprint of the identity holder. At a later stage, the national identity card will contain additional information on the holder’s health insurance, social security number, etc.,” added Mahasneh. “It is, therefore, necessary to provide additional protection for biometric data while imposing harsher penalties in relation thereto.”