Amid Jordan’s ongoing digital and electronic revolution, the country is quickly becoming more reliant on electronic rather than paper services and transactions. In parallel, the Kingdom is proposing new legislations that will culminate in laws that enshrine digital security, given its prominent role in protecting personal data. But will the Personal Data Protection Law see the light? And more importantly, will it be implemented independently?
On December 30, 2021, the Jordanian Council of Ministers approved the 2021 Personal Data Protection Draft Law and submitted it to the House of Representatives. The latter then referred it to the Parliamentary Economic and Investment Committee on January 24, as a matter of urgency, to carry out the necessary constitutional deliberations leading up to its promulgation. The draft law aims to establish a legal framework that strikes a balance between the individual rights to personal data protection mechanisms on one hand, and information processing and cyberspace storage mandates on the other.
“The draft law aims to establish regulatory frameworks on the storage, processing, and circulation of data within a clear set of limitations and obligations securing the trust needed to engage in the digital economy and encourage e-commerce and e-services in the Kingdom,” the Director of Policies and Strategies at the Ministry of Digital Economy and Entrepreneurship, Engineer Tawfiq Abu Baker, told SMEX.
A Controversial Oversight Committee
The draft law has raised several concerns, specifically regarding the proposed structure and establishment of the data protection authority. Article 4 of the Personal Data Protection draft law stipulates that the data protection committee shall be chaired by the Minister of Digital Economy and Entrepreneurship, which denies the committee—a supposedly supervisory body—the much needed independence.
In an interview with SMEX, the Executive Director of the Jordan Open-Source Association (JOSA), Issa Mahasneh, warned that “The proposed structure indicates a clear conflict of interest. The executive authority is represented by the Ministry and members of the security services within the committee. As the most prominent collectors of information, these entities will not only effectively organize and manage the protection of data but will also be processing it.”
“Can the data protection committee under the currently proposed structure investigate complaints related to privacy violations if, for example, the perpetrators fall under the executive authority?” Mahasneh asks.
At the same time, expert on media legislation and digital rights and freedoms Dr. Nahla Al-Momani, told SMEX that “There are attempts to bring more diversity into the authority and promote its independence.” She evoked best practices for appointing the head of the committee, including “holding deliberations and appointing a chair through a vote, all while striking a balance within the committee by involving civil society, the Government, experts, and independent institutions.”
But will the government implement best practices? We know that it can. Engineer Tawfiq Abu Baker confirmed that the government is “aware of best practices for data organization.”
Abu Baker attributed the authority’s lack of independence to “limited financial resources and the Jordanian parliament’s plan to integrate authorities and ministries.”
As such, the Directorate for the Protection of Personal Data, established by the Ministry of Digital Economy and Entrepreneurship, will handle legislation pertaining to data protection and will receive reports and complaints related to the violation of legal provision. He added that the Directorate will “draft regulations and observe the level of maturity in the data sector.”
Contentious Clauses in the Legal Text
In addition to the dilemma surrounding the data processing authority, the wording of the draft law remains contentious as it uses broad and generic language. For example, Article 15 on exceptions, not only allows the processing of personal data without the express and documented consent of the concerned person, but also authorizes several bodies to access the information, such as the “judiciary” and the “prosecutor.” These loopholes “pave the way for illegal data processing without the consent of the person concerned and grant several entities access to this information. It is a violation of fundamental rights and undermines the spirit and purpose of the law, and it deprives citizens of their right to be forgotten if they wish to,” according to Al-Momani.
Abu Baker explained that “many concerned institutions might require access to the personal data without prior authorization in their line of work. Such uses may serve preventive medical purposes, where the processing cannot be postponed until the concerned person’s consent is secured. The law has made reference to this issue in several articles, highlighting the processing of data carried out directly by a competent public authority to the extent required to implement the tasks mandated by law, or for medical purposes if necessary, and finally to prevent or detect a crime by court order or to prosecute crimes that constitute a breach of the law.”
Article 16 of the law enshrines the concerned person’s right to object to processing decisions that may have a financial or moral impact on them, and the processing party must thus respond to their request. According to Article 17, the said party must also inform the person whose data it wishes to process, in writing or electronically, before initiating the process. It must also specify the period throughout which the personal data will be processed, provided that this duration is not extended without the concerned person’s consent.
More Personal Agency over Data
This law applies to all companies that collect and process the personal data of individuals in the Kingdom, according to Abu Baker. The 2021 Personal Data Protection Draft Law is addressed to all agencies, institutions, companies, and any party that collects electronic or non-electronic files or records or personal data, whether inside or outside the Kingdom. Every natural person has the right to protect their data, which may not be collected, processed, disclosed, divulged, or circulated without the concerned person’s prior consent. The provisions of this law apply to data even if it is collected or processed before it enters into force.
“The law offers one strong advantage, and that is the need to secure citizens’ prior consent before using their data,” said Al-Momani. Article 8 stresses that the consent should be “explicit and in writing and shall be granted for a specified time and purpose. The law also stipulates that citizens should be informed in advance of their data’s fate and reasons for collection. It also criminalizes the processing of data for reasons other than the purpose intended.”
The draft law also guarantees citizens the right to be forgotten and remain anonymous in Article 20, whereby anyone can access, view, or erase their personal data, and demand that it be amended in the event of misinformation or inconsistency with their directives or their religious, political, or other affiliations. More importantly, the law also criminalizes refraining from deleting the stored data after a citizen’s request, confirmed Al-Momani.
According to Abu Baker, the law covers all personal data relating to a natural person, which will aid in their direct or indirect identification, irrespective of its source or form. This includes data associated with the individual person or to their familial status or whereabouts, in addition to sensitive information that directly or indirectly reveals their origin, race, opinions, political affiliations, or religious beliefs. The law also adressesses data pertaining to their financial status, health, physical, mental or genetic condition, biometric fingerprints, criminal record, or any information or data that the Council deems sensitive if its disclosure or misuse would cause harm to the person concerned.
“Data protection is a pressing need, not a luxury,” stressed Mahasneh. He called for addressing specific aspects left out by the draft law, particularly in light of the government’s efforts to digitize services and paperwork and shift to a smart national identity system, including each citizen’s biometric data. The smart identity project includes biometric identifiers such as the “iris identifier and fingerprint of the identity holder. At a later stage, the national identity card will contain additional information on the holder’s health insurance, social security number, etc.,” added Mahasneh. “It is, therefore, necessary to provide additional protection for biometric data while imposing harsher penalties in relation thereto.”
Where Does the Law Fall on the Legislative Ladder?
The bill, which is still in the drafting stage, has been approved by the Council of Ministers. The next step would refer the draft law to the House of Representatives for consideration. It would undergo a legislative process by a legal committee that will then submit proposals or amendments. Following the House of Representatives’ approval, the law is referred to the Senate for discussion or amendment and finally submitted to the King for final approval.
Mahasneh explains that the Legal Committee of the House of Representatives “holds power to amend any law, based on the opinion of experts. The law is then passed if considered a matter of urgency.” He called for “expediting the promulgation of the law as it is one the government’s economic priorities, similar to other major draft bills.”
Approved by the Government in 2021, the Personal Data Protection Draft Law has been under study since 2013. “It is one of the bills that have been heavily stalled,” states Al-Momani, who believes that “Jordan has struggled to catch up with other countries in promulgating a similar law.” However, according to Al-Momani, “this does not justify some of the imbalances in the legal content, or the fact that the law does not meet the desired standards.”