Data bill, a necessity, but raises worries

markus-spiske-FXFz-sW0uwo-unsplash
(Photo: Unsplash)
AMMAN — Jordan’s first data regulatory bill, due to be introduced in the near future, is meant to fill a legislative gap and regulate the collection and processing of personal data, experts say. اضافة اعلان

The purpose of the bill is to protect people’s private data and regulate data collection. To this effect, the bill introduces penalties for misuse of data and the exchange of personal data set out by the bill, be it inside or outside the kingdom. However, experts question the government’s role in oversight and worry that parts of the bill are too vague.

Responding to Jordan News’ questions, the Ministry of Digital Economy and Entrepreneurship stated that the bill “establishes legal rules and restrictions to enhance the ability of the economy to join the global digital economy, and it facilitates trade, commerce and electronic services.”

To this end, the draft law differentiates between sensitive and non-sensitive personal information. It stipulates the need for written consent from users, indicating their approval of the processing and collection of their personal data.

For example, profiling individuals would be considered sensitive information under the bill.  Reem Masri, a journalist and data researcher, told Jordan News that profiles compiled from data can be “very dangerous because you’re jumping to conclusions (about) what a person thinks, their activities, interests, and political views through their interactions.”

The Jordanian bill mimics the European General Data Protection Legislation (GDPR), and, in addition to protecting privacy, seeks to open the economy to data centers and big data. Furthermore, the bill will allow for better data exchange between European and Jordanian law enforcement agencies.

Issa Mahasneh, executive director at the Jordan Open Source Association (JOSA) said in remarks to Jordan News: “We care about data transfer. Many Jordanian companies work with clients from the EU; they (EU clients) cannot process Jordanian data unless Jordan has legislation that matches same the level of protection as the GDPR.”

 “One of the points that came up in the early stages of developing this law was the exchange of data between Jordanian and EU law enforcement agencies. The GDPR also stipulates that European security agencies cannot share information with nations that do not offer the same level of protection as the GDPR,” added Mahasneh. “So if Jordan wanted to take data from the law enforcement agencies in the EU, or other way around, there must a level of protection.”

Microsoft spokesperson, Lilian Nganda, told Jordan News that the “GDPR establishes important new privacy rights that are relevant globally.  Microsoft has extended the rights at the heart of GDPR to all of our consumer customers worldwide. However, data protection is an evolving field given the rapid technology changes that we are witnessing. As such, we expect legislation to change over time to adjust to those changes as well as to citizens and government priorities and usages.”

However, big data such as Microsoft lobbied and took part in initial consultations to draft the bill, according to Dima Samaro, MENA policy analyst at Access Now.

She added that Microsoft’s motive for protecting personal data might be “more economic oriented and for economic gain.”

Masri added that it could be cheaper for Microsoft to store data in Jordan. “Microsoft does that, their data centers are not placed in the US, they are in countries where it’s cheaper to run these data centers ... because these centers require a lot of electricity and operational power,” said Masri.

Microsoft declined to comment on the possibility of establishing data centers in the Kingdom, but they did state: “We advocate for legislation that protect personal data and align with international global standards, while enabling cross-border data flows.”

The same can be said for the government, Samaro noted. “When it comes to data protection, I think they see it as how they can encourage more economic growth in the country rather than (an issue of) protecting individuals’ privacy.” 

The bill is projected to have an impact on local data aggregators as well as on individuals. Currently, policies governing data usage are “partial and scattered” said Nahla Momani, an expert on human rights and freedom of expression issues.

There are rules on data usage in the Penal Law, the Cybercrime Law, the Telecommunications Law, and the Law of Access to Information.

Among those predicted to be affected significantly are Internet Service Providers (ISPs), which are large Jordanian data aggregators.

According to the Telecommunication Regulatory Commission (JTR), major internet providers in the country provide internet services to more than 88 percent of the Jordanian population and have access to their data and online activity.

However, how much access they have — and who they share it with — is largely unknown, said Masri.

According to a study conducted by Impact International and Access Now in 2019, which investigated the privacy policy of the five major ISPs, “none of the ISPs examined in this study fully respect and comply with human rights principles and that the privacy policies of Jordanian ISP companies must be modified to address the revealed shortcomings.”

Both JTR and the Ministry of Digital Economy and Entrepreneurship issued statements in response to the aforementioned study stressing that data privacy violations will be investigated and necessary measures will be taken against those companies.

“Before this bill, there was a legislative gap, which meant that Jordanian’s data was up for grabs. For example, you’d go to a store and you give them your mobile number, your age, and where you live. Next thing you know you would start receiving advertisement on your phone and even elections campaign messages,” said Mahasneh.

However, experts see major gaps in the bill, particularly in regards to the government in its capacity as a major data aggregator.

“The most concerning thing (to me) is related to the vague and broad definitions within the law that would permit the processing of personal data without obtaining prior approval in case there is an issue with security or (of) public interest,” said Samaro.

Another major concern is the structure of the personal data protection council, stipulated in the bill. Under the proposed bill, the council would be headed by the minister of digital economy and includes, as members, a protection commissioner whose appointment is approved by the Prime Ministry, and two members from security agencies.

Masri says that this structure “definitely does not reflect independence and it could create a conflict of interest.”

“When violations occur by the executive branch, it is unclear how things will be investigated because it is headed by the minister of digital economy and entrepreneurship.” Samaro added.

A spokesperson from the Ministry of Digital Economy and Entrepreneurship, told Jordan News that “the perfect scenario would be the establishment of a new and independent entity.”

However, the spokesperson added: “In light of the current circumstances the Kingdom is facing and the government efforts to reduce the number of independent entities, there came a need for an objective solution to ensure the implementation of the law.”

Once the bill is approved, it will be implemented in retrospect and will be enforced on personal data collectors even if data was collected and processed before the introduction of the law. The bill allows for a grace period of six months so that companies will have the time to rectify their situations.