After years of being stowed away in government departments, Jordan’s “Personal Data Protection Law” (PDPL) is set to take effect this February. The law was approved by the House of Representatives during a special session in August 2023.
In 2014, the Ministry of Digital Economy (formerly the Ministry of Communications) proposed the first draft for the safeguarding of personal data. Extensive discussions and revisions ensued, with active involvement from digital rights activists and experts. These collaborative efforts led to several refined drafts. Ultimately, the Council of Ministers endorsed the Personal Data Protection Law for the year 2021.
Following its transfer to the Jordanian National Assembly, the law encountered controversy due to perceived conflicts between the law’s provisions and the broader interests of the government and third parties, particularly businesses reliant on personal data for advertising or commercial purposes.
While a welcome step, activists on social media have raised concerns about specific parts of the law, fearing potential misuse of personal data by decision-makers and third parties. This article aims to analyze the law’s key safeguards and loopholes, while also questioning its effectiveness in guaranteeing privacy protection for Jordanian citizens.
Missing the nuances
Lawmakers are hopeful that the PDPL in Jordan will efficiently regulate how people’s data is managed, reducing its exposure to different parties. This law is seen as a vital move to enhance digital security and protect citizens’ privacy rights, in line with constitutional goals of safeguarding personal data and private life.
Dr. Nahla Al-Momani, an expert on media legislation and digital rights, highlighted in an interview with SMEX, “This law’s main aim is to regulate how entities collect data, filling a gap in legislation. It sets up a comprehensive framework for data protection, covering collection methods, purposes, obtaining prior consent, and setting penalties for those who violate the law’s provisions.”
The significance of this law in regulating the digital landscape is emphasized by the rapid advancements in digital transformation worldwide. A law that safeguards people’s data is crucial for Jordan’s aspirations to create an investment-friendly environment.
Issa Mahasneh, the Executive Director of the Jordan Open-Source Association (JOSA), affirms that economic considerations played a pivotal role in driving Jordan’s pursuit of enacting the PDPL. As he explained, “The committee tasked with studying the law in the House of Representatives was the Economics and Investment Committee, not the Legal Committee.”
Mahasneh added that beyond the regulation and protection of data, the Jordanian government is placing significant emphasis on the economic advantages of the law, particularly concerning investments in the communications and information technology sector.
As Jordan aims to position itself as a leading hub for information technology in the region, Mahasneh highlights the importance of aligning Jordan’s laws with international data protection standards, like the European General Data Protection Regulation (GDPR), to attract investments.
He stresses that including articles about data subjects’ rights is one of the law’s most important aspects. These provisions match key principles in the GDPR, especially about defining data and sensitive data. However, Mahasneh also points out that the law doesn’t fully uphold some key privacy and data protection principles.
The new law defines personal data as encompassing “any data or information related to a natural person that could identify them directly or indirectly, irrespective of its source or form. This includes data pertaining to their person, family situation, or whereabouts.”
Additionally, it categorizes sensitive data as “any data or information concerning a natural person that directly or indirectly indicates their origin, race, opinions, political affiliations, or religious beliefs. It also includes data related to their financial situation, health, physical, mental, or genetic condition, as well as their vital (biometric) fingerprints, criminal record, or any other information deemed sensitive by the Council if its disclosure or misuse would cause harm to the individual concerned.”
However, lawmakers in Jordan treated sensitive data like personal data, without giving it extra protection or separate regulations, even though such data typically necessitates additional safeguards.
Jordan’s PDPL requires obtaining subjects’ prior consent before processing their data. It delineates specific conditions for obtaining such consent, as outlined in Articles 4 and 5. These conditions stipulate that consent must be explicit, provided in writing or electronically, and must clearly specify the duration and purpose of the data processing.
Moreover, the law stresses that the consent language must be clear and not misleading. Consent is deemed invalid if it is based on incorrect or misleading information or deceptive practices, or if there is a change in the nature, type, or purpose of the data processing without obtaining renewed consent.
Although the term “the right to be forgotten” was removed from earlier versions of the law, its core concept remains in Article 10. This article allows individuals to ask for their data to be deleted or hidden and to take appropriate actions in specific circumstances. These include processing data for different purposes, against initial consent, or when consent is withdrawn.
Furthermore, the law sets up processes for individuals to file complaints and cases for unlawful data processing. It also imposes penalties on those who misuse their positions to unlawfully disclose data.
Who’s on the board?
Article 16 of the PDPL establishes the “Personal Data Protection Council” with multiple duties. These include handling complaints against entities accessing or processing data without consent, setting data protection standards, issuing licenses for storing, processing, diagnosing, and transferring data, and overseeing regulatory tasks.
However, concerns have been raised regarding the council’s structure and its ability to operate impartially. Currently, the council primarily comprises members of the executive authority, raising doubts about potential conflicts of interest and the council’s capacity to hold government agencies accountable in case of data breaches. This structure also deviates from international standards for data protection, which emphasize the importance of independence to ensure the council’s effectiveness and adherence to best practices.
For instance, the council is chaired by the Ministry of Economy and Entrepreneurship, represented by the Minister. This ministry has vested interests in the development of the IT sector and companies focused on gathering extensive personal data, potentially prioritizing commercial interests over data privacy, as noted in a policy brief by Access Now issued in 2022.
Moreover, the council includes two members of the security services and a representative from the Central Bank. The law further entrusts the Prime Minister with appointing four experts to the council, a provision that undermines the council’s independence as a supervisory body.
Issa Mahasneh raises critical questions about the council’s effectiveness, particularly in cases where individuals are harmed by data processing conducted by council member entities. He questions the feasibility of filing complaints against a body that is part of the council and highlights the inherent conflict of interest. Mahasneh stressed the need to address this conflict to ensure fair and impartial oversight.
In this situation, Al-Momani emphasizes the importance of having a special council to oversee the protection of personal data. This council provides an important way for people to complain and ensures that the law is followed. To make sure this council works well and is trusted, Al-Momani recommends clear rules for choosing experts and protecting members from being removed, similar to what’s done in other laws.
Ambiguous language and extensive “exceptions”
While the PDPL in Jordan specifies rights for individuals to protect their personal data and requires consent for data processing, it also includes broad exceptions that could have been more narrowly defined.
The legislator has broadened the scope of situations where data can be accessed and processed without consent or notifying the subject concerned. These include cases where a competent public body processes data for preventive medical purposes, to protect the life of the subject, or to prevent or detect crimes. There are also exceptions for scientific research, statistical purposes, or national security requirements.
Al-Momani contends that the PDPL in Jordan incorporates exceptions that are in line with legal principles and international human rights standards, as well as best practices observed in comparative legislation.
However, she also acknowledges that the law includes exceptions for certain contracting parties, provided that the contract explicitly incorporates the provisions of the PDPL. This raises concerns because individuals may not fully understand contract terms, especially when contracts with private companies offer limited choices for acceptance or rejection.
The regulation also incorporates exceptions necessary for entities under the supervision of the Central Bank, such as banks and insurance companies. These exceptions allow data processing, including its transfer and exchange within and outside Jordan, in accordance with directives issued by the Central Bank of Jordan. Consequently, this broad range of entities is authorized to process data without obtaining explicit consent from the individuals concerned.
Exceptions outlined in the law include terms like “national security” and “national interest,” which can be broadly interpreted without specific clarification from the legislator. Mahasneh is concerned about the vagueness of these exceptions, especially when data processing is claimed to serve the public interest, as the law doesn’t provide clear guidelines in such cases.
Moreover, the legislator not only broadened exceptions for data processing entities but also introduced provisions for issuing licenses and permits for data processing without the explicit consent of the individual, as directed by the Council of Ministers.
Mahasneh criticizes this licensing practice, arguing that it contradicts the law’s fundamental purpose of protecting data. He asserts this violates the principles of the GDPR, which require all data processing to be based on the explicit consent of the data subject.
Implementation: What to expect?
The Jordanian PDPL requires all parties involved in data handling to adjust their practices within one year of its enactment. However, optimism is tempered by the presence of broad exceptions and provisions for permits and licenses.
Initially optimistic about the law’s emphasis on privacy rights, Issa Mahasneh now expresses reservations about exceptions related to permits and the law’s referral primarily to the Economic and Investment Committee rather than the Legal Committee. He also points out the law’s requirement for implementing regulations and the establishment of a Personal Data Protection Council, which has yet to be formed.
Mahasneh raises concerns about the judiciary’s readiness to enforce the law, given its newness and the introduction of new concepts and offenses. He questions whether judges are well-informed about the law’s details.
Nahla Al-Momani emphasizes the importance of allowing time for the law’s implementation, believing it to be the most effective way to uncover any loopholes directly.