AMMAN — Jordan’s first data regulatory bill, due to be
introduced in the near future, is meant to fill a legislative gap and regulate
the collection and processing of personal data, experts say.
اضافة اعلان
The purpose of the bill is to protect people’s private data
and regulate data collection. To this effect, the bill introduces penalties for
misuse of data and the exchange of personal data set out by the bill, be it
inside or outside the kingdom. However, experts question the government’s role
in oversight and worry that parts of the bill are too vague.
Responding to
Jordan News’ questions, the Ministry of
Digital Economy and Entrepreneurship stated that the bill “establishes legal
rules and restrictions to enhance the ability of the economy to join the global
digital economy, and it facilitates trade, commerce and electronic services.”
To this end, the draft law differentiates between sensitive
and non-sensitive personal information. It stipulates the need for written consent
from users, indicating their approval of the processing and collection of their
personal data.
For example, profiling individuals would be considered
sensitive information under the bill. Reem Masri, a journalist and data researcher, told Jordan News that
profiles compiled from data can be “very dangerous because you’re jumping to
conclusions (about) what a person thinks, their activities, interests, and
political views through their interactions.”
The Jordanian bill mimics the European General Data
Protection Legislation (GDPR), and, in addition to protecting privacy, seeks to
open the economy to data centers and big data. Furthermore, the bill will allow
for better data exchange between European and Jordanian law enforcement
agencies.
Issa Mahasneh, executive director at the Jordan Open Source
Association (JOSA) said in remarks to
Jordan News: “We care about data
transfer. Many Jordanian companies work with clients from the EU; they (EU
clients) cannot process Jordanian data unless Jordan has legislation that
matches same the level of protection as the GDPR.”
“One of the points
that came up in the early stages of developing this law was the exchange of
data between Jordanian and EU law enforcement agencies. The GDPR also
stipulates that European security agencies cannot share information with
nations that do not offer the same level of protection as the GDPR,” added
Mahasneh. “So if Jordan wanted to take data from the law enforcement agencies
in the EU, or other way around, there must a level of protection.”
Microsoft spokesperson, Lilian Nganda, told Jordan News that
the “GDPR establishes important new privacy rights that are relevant
globally. Microsoft has extended the
rights at the heart of GDPR to all of our consumer customers worldwide. However,
data protection is an evolving field given the rapid technology changes that we
are witnessing. As such, we expect legislation to change over time to adjust to
those changes as well as to citizens and government priorities and usages.”
However, big data such as Microsoft lobbied and took part in
initial consultations to draft the bill, according to Dima Samaro, MENA policy
analyst at Access Now.
She added that Microsoft’s motive for protecting personal
data might be “more economic oriented and for economic gain.”
Masri added that it could be cheaper for Microsoft to store
data in Jordan. “Microsoft does that, their data centers are not placed in the
US, they are in countries where it’s cheaper to run these data centers ...
because these centers require a lot of electricity and operational power,” said
Masri.
Microsoft declined to comment on the possibility of
establishing data centers in the Kingdom, but they did state: “We advocate for
legislation that protect personal data and align with international global
standards, while enabling cross-border data flows.”
The same can be said for the government, Samaro noted. “When
it comes to data protection, I think they see it as how they can encourage more
economic growth in the country rather than (an issue of) protecting
individuals’ privacy.”
The bill is projected to have an impact on local data
aggregators as well as on individuals. Currently, policies governing data usage
are “partial and scattered” said Nahla Momani, an expert on human rights and
freedom of expression issues.
There are rules on data usage in the Penal Law, the
Cybercrime Law, the Telecommunications Law, and the Law of Access to
Information.
Among those predicted to be affected significantly are
Internet Service Providers (ISPs), which are large Jordanian data aggregators.
According to the Telecommunication Regulatory Commission
(JTR), major internet providers in the country provide internet services to
more than 88 percent of the Jordanian population and have access to their data
and online activity.
However, how much access they have — and who they share it
with — is largely unknown, said Masri.
According to a study conducted by Impact International and
Access Now in 2019, which investigated the privacy policy of the five major
ISPs, “none of the ISPs examined in this study fully respect and comply with
human rights principles and that the privacy policies of Jordanian ISP
companies must be modified to address the revealed shortcomings.”
Both JTR and the Ministry of Digital Economy and
Entrepreneurship issued statements in response to the aforementioned study
stressing that data privacy violations will be investigated and necessary
measures will be taken against those companies.
“Before this bill, there was a legislative gap, which meant
that Jordanian’s data was up for grabs. For example, you’d go to a store and
you give them your mobile number, your age, and where you live. Next thing you
know you would start receiving advertisement on your phone and even elections
campaign messages,” said Mahasneh.
However, experts see major gaps in the bill, particularly in
regards to the government in its capacity as a major data aggregator.
“The most concerning thing (to me) is related to the vague
and broad definitions within the law that would permit the processing of
personal data without obtaining prior approval in case there is an issue with
security or (of) public interest,” said Samaro.
Another major concern is the structure of the personal data
protection council, stipulated in the bill. Under the proposed bill, the
council would be headed by the minister of digital economy and includes, as
members, a protection commissioner whose appointment is approved by the Prime
Ministry, and two members from security agencies.
Masri says that this structure “definitely does not reflect
independence and it could create a conflict of interest.”
“When violations occur by the executive branch, it is
unclear how things will be investigated because it is headed by the minister of
digital economy and entrepreneurship.” Samaro added.
A spokesperson from the Ministry of Digital Economy and
Entrepreneurship, told Jordan News that “the perfect scenario would be the
establishment of a new and independent entity.”
However, the spokesperson added: “In light of the current
circumstances the Kingdom is facing and the government efforts to reduce the
number of independent entities, there came a need for an objective solution to
ensure the implementation of the law.”
Once the bill is approved, it will be implemented in
retrospect and will be enforced on personal data collectors even if data was
collected and processed before the introduction of the law. The bill allows for
a grace period of six months so that companies will have the time to rectify
their situations.
