Iran’s Draft Data Protection Act: Too little but not too late

Iran’s Draft Data Protection Act: Too little but not too late - Digital

Iran's Minister of Information, Communication and Technology reveals the draft act in July 2018.

Iranian Lawmakers Must Implement International Digital Rights Standards in the new Personal Data Protection and Safeguarding Draft Act

A Draft Personal Data Protection Act currently awaiting review in the Iranian Parliament, that apparently aims to protect the rights of individuals to have their personal data protected, is instead likely to enable further surveillance and censorship. The Draft Act (like data protection laws in general) aims to protect individuals when their data are processed and obliges both public and private sector organisations to respect such rights when they process personal data. While this Draft Act is different than those concerning surveillance, it leaves room for the government to collect personal data, which when done without the individual’s consent (a pillar of data protection) in the name of national security, amounts to surveillance, and is of great concern for freedom of expression.

With vague and inconsistent provisions, the draft law risks granting greater online controls to the state and thereby endangering the lives of journalists and activists who fall prey to government surveillance. The draft was released in July 2018, written in cooperation between the Ministry of Information Communication and Technology and the Research Center of the Islamic Legislative Assembly (the research arm of the Iranian parliament). As of June 2019 however, Iranian legislators have noted there is a lack of clarity on when the government will bring the Draft Act to parliament for review and ratification.

Since the exponential growth of Iranian internet use in the late 1990s and early 2000s, the government has sought to institutionalise its control over Iranians use and access to the global internet. While sporadic and sometimes ad hoc, the Ministry of Communications has enforced a number of controls to censor Iranians’ information access online.

After the Green Movement protests of 2009, Iran’s legislative cogs shifted into high gear to ratify the Computer Crimes Law (CCL) of 2010. Alongside this Law’s problematic provisions, there have been a number of policy provisions, government led projects, and new draft laws that have garnered fears for increasing centralisation of the Iranian Internet. However, despite years of these restrictive policies, in May 2018 the Minister of Information Communications and Technology, Mohammad-Javad Azari Jahromi announced that his Ministry welcomed the European Union’s General Data Protection Regulation (GDPR).  He promised to launch a data protection bill for Iran and cooperate with the EU on “constructive talks with the EU about mutual legal and technical assistance.”

Given the precedent Iran has set as one of the most restrictive environments for freedom of expression, such a step towards protecting rights would be welcome. But it raises many questions of how such a new law would work in conjunction with pre-existing problematic provisions within the country’s Islamic Penal Code and Computer Crimes Law.

While efforts to improve data protection by the Iranian government are welcomed by ARTICLE 19, as are efforts to engage with the EU and global initiatives to protect individuals across digital borders, the draft act fails to live up to global standards. In our analysis of the Draft Act, we present a series of recommendations for the draft law to strengthen its protections of individuals’ human rights.

The EU’s General Data Protection Regulation versus Iran’s Draft Data Protection Act

When the European Union created its new data protection legislation in April 2016, which entered into force in May 2018 in the form of the General Data Protection Regulation (GDPR), it placed data protection onto the map as a global standard. While certainly not the first regulation of data protection in the world (or even in the EU), it was the first to encompass such a large region as the European Union. As a result it cultivated a platform for global partnerships and helped considerations on the global nature of data flows. It’s also been one of the most comprehensive efforts to secure the rights of the individual in the digital realm.

In contrast, Iran’s Draft Data Protection Act lacks clear scope in terms of what materials count as data (data processed by computers, or as in the GDPR, data that also includes things in filing systems), as well as the rights it affords to companies. The draft law also lacks protections from the risks that data processing regulations could pose against journalistic and cultural pursuits, and transparency efforts, as set out in Iran’s Freedom of Information Act. Recent cases of journalists facing persecution for their work to expose government corruption would potentially be supported by Article 12 of the Draft law, which includes a worryingly broad definition of “security” exceptions to protecting an individual’s data from being processed without consent. The draft therefore risks further legitimising judicial repression of journalists and activists.

Iran has already set terrifying precedents of “security” concerns being abused by Iran’s Revolutionary Guards to access the data of individuals such as journalists, those belonging to marginalised groups, or dual nationals, to unjustly persecute them. Notable cases have included the illegal seizure of jailed dual-national Nazanin-Zaghari Ratcliffe’s data, and the illegal hackings of email and social media accounts of Washington Post journalist Jason Rezaian prior to his arrest. These seizures of data, both through the Revolutionary Guards, were then used to build absurd cases of espionage against both of these individuals.

Furthermore, the proposed data protection commission’s (charged with overseeing processing of data according to the Draft law) inclusion of individuals known to be part of the security apparatuses that suppresses freedom of expression is deeply concerning. This law would allow immunity for processing and collection of data on individuals who are deemed in breach of Iran’s pre-existing and wide-ranging national security laws. The Iranian Penal Code contains numerous overbroad and vague content-based restrictions on freedom of expression, which are in violation of international human rights law and facilitate the targeting of human rights defenders, journalists, and other dissenting or minority voices. Article 12 could be potentially also be used in prosecution of such cases, which currently are categorised as crimes under the Iranian Penal Code.

Elements of the draft law aiming to increase internet localisation also chime with the wider project of the National Information Network (NIN), created during the era of President Mahmoud Ahmadinejad and continued throughout the Rouhani administration. These localisation efforts have included government incentives to Iranian software developers to build messaging applications to rival foreign ones, rewarded on the bases of their users; institutional requirements to follow updates about university programs or government departments on the public channels of the Islamic Republic of Iran Broadcasting’s messenger Soroush; or hiding the association of messengers to Iranian authorities, such as Telegram clients Telegram Talaee and Hotgram, or the application Wispi. The processing of this data, proven by security engineers to be outside of protocols of encryption (encryption is illegal according to Article 10 of the CCL), further undermines international standards of privacy. These localisation requirements, in addition to the weak language of accountability and independence of the Commission that oversees public processing of data, must be removed, and follow international standards, which require global cooperation, as opposed to physical localisation.

ARTICLE 19 believes the draft act, if properly brought into line with international standards, could serve as a small step towards protecting the human rights of Iranians. Iran must therefore take this opportunity to revise the draft before it is ratified. All countries need robust laws to protect individual rights in the digital era and we encourage Iranian parliamentarians and politicians to revise the law according to our recommendations to ensure it is in line with Iran’s international obligations. We also encourage governments in dialogue with Iran to take this opportunity to engage with Iran to encourage these changes.

Read our full analysis of the draft law here.

If you would like to discuss the context and analysis of this Draft Act further, please contact Mahsa Alimardani at [email protected].