Navigating new terrain: key updates in Jordan's technology-related legal framework
Bann Beiruti
Beiruti Attorneys and Counsellors at Law, Amman
Introduction
It is no surprise that the rapid proliferation of technology and artificial intelligence (AI) applications has entrenched global markets in recent years. The inherently borderless nature of technology allows it to seamlessly integrate into diverse sectors, communities and jurisdictions. However, regulatory bodies play a crucial role, employing selective permeability to both facilitate and control this integration, ensuring protection where necessary.
The regulatory landscape in the Hashemite Kingdom of Jordan (Jordan or the ‘Kingdom’) has notably demonstrated its agility by swiftly adapting to the challenges and opportunities presented by these technological advancements. With the enactment of the Jordanian Cybercrimes Law 20233 (CL) and the Personal Information Protection Law 2023 (PIPL), Jordan has strategically positioned itself to address the dual imperatives of criminalising certain online activities while robustly safeguarding personal data. These legislative measures underscore Jordan’s commitment to creating a secure and regulated digital environment, reflecting a keen awareness of the nuanced balance between enabling innovation and protecting the rights of its citizens in the digital age. Accordingly, this article provides an overview of the recent changes in law in the area of technology in Jordan, the strengths and limitations of such changes and what this means for Jordan and its positioning in the world.
Overview on the Jordanian Cybercrimes Law 2023
The Jordanian Cybercrimes Law 2023, officially enacted in September, represents a pivotal advancement in the country's legislative framework, extending its reach to encompass a broad spectrum of online activities and imposing stringent penalties for various offenses. This expansion is a clear indication of Jordan's robust approach to confronting the evolving landscape of cyber threats that accompany technological advancements.
The legislation criminalises a range of activities that compromise the safety and privacy of individuals and the integrity of information networks. These include: data interception (Art 7 CL); unauthorised access of private (Art 3 CL) and public (Art 4 CL) organisations networks; the creation of fake accounts (Art 5 CL); phishing schemes (Art 10 CL); the use of virtual private networks (VPNs) to commit a crime under the law (Art 12 CL); and the dissemination of misinformation. It also addresses online behaviors such as the unauthorised collection of funds (Arts 9 and 10 CL) and the promotion of material related to weapons manufacturing or pornography (Art 13 CL). The specificity of these prohibitions reflects a comprehensive strategy aimed at safeguarding individual privacy and maintaining public safety.
Beyond individual activities, the law takes a stringent stance on harmful online content. It imposes severe penalties for the distribution of false news that threatens national security (Art 15 CL), material that incites violence or content that promotes religious insult or sectarian strife (Art 17 CL). The severity of these penalties, which range from hefty fines to multiple years of imprisonment, underscores the government's commitment to maintaining public order and upholding societal values in the digital realm.
Regulatory measures extend to the management of online anonymity and the operations of foreign social media platforms. To enhance accountability, the law mandates that platforms with significant user bases in Jordan establish a local office, otherwise restrictions will be imposed and internet bandwidth for such platforms will be marginally reduced (Art 37 CL). Moreover, the law empowers authorities to enforce content removal, block access to or impose sanctions on platforms that fail to adhere to local regulations. These provisions aim to ensure that digital platforms do not become conduits for illicit activities while respecting the legal framework of the Kingdom.
Furthermore, the law also includes critical measures to protect vulnerable populations, specifically minors under the age of 18, from online sexual exploitation (Art 13 CL). This issue has become a particular concern in recent years and, whilst previous laws governed such crimes under a different umbrella, through this law and the inclusion of more severe penalties for related offenses, Jordan's proactive stance on shielding minors from the dangers inherent in the digital realm is emphasised. This focus is part of a broader commitment to fostering a safe online environment for all users, especially the most vulnerable.
Despite the law's comprehensive scope and the rigorous penalties it enforces, concerns about the potential for broad and vague definitions to impact freedom of expression have been voiced by critics and human rights organisations[1]. These concerns highlight a tension between the need for security and the protection of fundamental human rights, such as freedom of expression and privacy. The law's ambiguity in certain areas raises questions about possible censorship and arbitrary enforcement, which could undermine public accountability and restrict online freedoms.
The law also poses many issues for companies and organisations. Primarily, it mandates that managers of social media platforms filter both content and comments that would fall under any of the criminal offenses listed under the law. Meaning that actual account managers must delete any comments on the social media platform they are managing which, for instance, defame or commit ‘personality assassination’ (Art 16 CL) of any person, otherwise they are held liable before the law on the same scale as the person that wrote such comment or committed the crime (Art 25 CL). Many marketing companies today manage social media platforms and, since the law is concerned with those ‘actually’ managing the platform, such companies have to ensure that they ensure a highly restricted approach to filtering comments. Moreover, according to Article 35 of the law, Internet Protocol (IP) addresses are considered a legitimate means of evidence before judicial authorities. Accordingly, if a person working at an organisation commits a crime using the IP address of that organisation, then it subjects the organisation to searches which many involve the halt and closure of the organisation for the duration of the investigation.
Overall, the Jordanian Cybercrimes Law demonstrates a determined effort to tackle cybercrime comprehensively. However, it also presents significant challenges in balancing effective security measures with the protection of fundamental human rights, illustrating the complex interplay between national security and individual freedoms in the digital age. This balance is crucial for the law's success and its acceptance both domestically and in the international community.
Overview of the Jordanian Personal Information Protection Law 2023
Jordan's Personal Information Protection Law, represents a landmark advancement in the realm of data privacy, establishing a comprehensive framework for the safeguarding of personal and sensitive information. This significant legislation is applicable to all natural persons within Jordan and extends extraterritorially, much like the European Union General Data Protection Regulation, affecting data controllers and processors both within and outside Jordan. It regulates the processing of data collected both before and after its enactment and meticulously addresses the nuances of international data transfers.
The law introduces an expansive definition of personal data (Art 2 PIPL), which includes any information capable of identifying an individual directly or indirectly. Categories covered range from personal and family status to location data. Sensitive personal data receives a narrower definition (Art 2 PIPL), including details on racial or ethnic origin, political opinions, religious beliefs, health status and genetic data, among others deemed sensitive by the newly established Personal Information Protection Council.
Processing of personal data under this law primarily requires explicit, informed consent from the data subject (Art 4 PIPL), complemented by detailed disclosures concerning the purpose and duration of the processing. The law provides clear exceptions where consent is not required (Art 6 PIPL), allowing data processing for specific purposes such as tasks carried out by public authorities, medical purposes, protection of life, crime prevention, and other legally sanctioned scenarios. However, despite these scenarios, all entities must comply with the principles of the law (Art. 7 PIPL), which essentially embody the General Data Protection Regulation (GDPR) principles. In aligning closely with GDPR provisions, the law also grants individuals robust rights, such as the right to access, object to processing, and request correction or deletion of their data (Art 4 PIPL). It further introduces rights to data minimisation and data portability and mandates the prompt notification of data subjects in the event of data breaches that could negatively impact them.
The Personal Information Protection Law is enforced under the purview of the Personal Data Protection Council, which is established to ensure compliance and address issues related to data protection. This council is vital in supporting the law's implementation and maintaining the stipulated standards across all sectors, playing a pivotal role in the regulatory framework. Part of its mandates is to conduct training to personnel across different corporations and organisations, investigate breaches and complaints, as well as to establish regulations and instructions from time to time to ensure proper execution of the law (Art 17 PIPL).
With regards to breaches of the law, penalties are structured to ensure stringent compliance (Art 21 PIPL). Monetary fines are assessed based on the breach's severity, providing a financial deterrent to non-compliance. While imposing smaller fines compared to the GDPR, the Personal Information Protection Law introduces a requirement on corporations and organizations to obtain data processing licenses if required by law or if amongst their main activities is data collection and processing (Art 24 PIPL). The significance of this approach is that primarily the method of governance is different for such entities, and secondly that more severe or repeated violations may lead to the revocation of data processing licenses, significantly affecting the operational capabilities of non-compliant entities (Art 22 PIPL). This approach is effective in preventing non-compliance, particularly amongst larger companies that might otherwise absorb fines and continue operations unimpeded. Additionally, the council may issue corrective orders, compelling the responsible party to rectify the breach through specific actions. In cases of serious infractions, legal actions may be pursued, potentially resulting in additional penalties or other legal consequences as adjudicated by the courts.
Together, these measures firmly establish a robust framework for data protection in Jordan, aligning with international standards and significantly enhancing security and privacy rights within the kingdom. This law underscores the importance of data privacy and reflects Jordan's commitment to creating a secure and regulated digital environment in the era of global digital transformation.
Concluding Remarks
The enactment of the Jordanian Cybercrimes Law of 2023 and the Personal Information Protection Law represents a significant step for Jordan, enhancing both regional leadership and global collaboration. By establishing clearer guidelines and stricter penalties for cybercrimes, Jordan strengthens its cybersecurity infrastructure, crucial in an era of sophisticated digital threats. Simultaneously, the Personal Information Protection Law likely mirrors global standards like the EU’s GDPR, enhancing the privacy and protection of personal data. This alignment not only boosts trust in digital services within Jordan but also makes the country a more attractive destination for foreign investment, particularly for tech-focused businesses. Furthermore, these laws position Jordan as a leader in digital security and privacy in the Middle East, facilitating better compliance with international regulations and fostering international cooperation on cybercrime investigations. These developments are essential for Jordan's ongoing digital transformation and its integration into the global digital economy.
[1] Liz Throssell, ‘Jordan: Concerns over Cybercrime Legislation and Shrinking of Civic Space’ [2023] Office of the High Commissioner for Human RIghts <https://www.ohchr.org/en/press-briefing-notes/2023/08/jordan-concerns-over-cybercrime-legislation-and-shrinking-civic-space> Accessed 24 May 2024