The Hashemite Kingdom of Jordan has issued its first comprehensive national legislation to regulate the collection and processing of personal data. This long-awaited development is consistent with wider regional and international trends to recognise the privacy of individuals and regulate the protection of their personal data. In this article, we provide a summary of the legislation and our commentary on the implications of this latest important development in the Middle East data protection landscape.
Law No. 24 of 2023 regarding personal data protection (Jordan PDPL) was published in the Official Gazette on 17 September 2023. It follows the passing of a new Electronic Crimes Law (No. 17 of 2023) in August that codified various cybercrime offences.
The Jordan PDPL will come into effect six months after the date of its publication (on 17 March 2024) and shall apply retrospectively to protect data collected or processed prior to its entry into force.
The Jordan PDPL is designed to protect “personal data”, which is defined as:
“any data or information of any source or form, which are relating to an identifiable natural person, which would make him/her identified directly or indirectly, including the data related to his person, marital status, or location”.
It includes special provision for “sensitive personal data”, which is separately defined as:
“any data or information relating to a natural person revealing directly or indirectly the individual’s racial or ethnic origin, political opinions or affiliations, religious beliefs, or any data concerning his/her financial standing or health, physical, or mental condition, biometric and genetic data, or in his/her criminal record, or any other data or information which are determined by the Board to be sensitive if the disclosure or abuse of which would cause harm to the data subject concerned”.
The Jordan PDPL applies to the processing of personal data or sensitive personal data whether it is collected or processed before or after the effective date of the law. In common with other international legislation, it does not apply to individuals who are processing such data for personal reasons but it will otherwise regulate “controllers” who supervise any data processing activities or “processors” who process data on behalf of controllers.
The Jordan PDPL does not provide any indication of geographical scope or extra-territorial application.
Article 4(a) states that processing of personal data is only permitted with the prior consent of the “data subject” (the individual to whom the data relates), unless otherwise permitted by law. Consent must be clear and in writing with a specified period and purpose, in an intelligible and easily accessible form using clear and plain language.
Personal data may be processed without prior consent in the following cases:
While the majority of these lawful bases align to equivalent concepts in other international laws, there are some notable omissions in the Jordan PDPL. In particular, it does not expressly allow for processing where it is necessary for the purposes of legitimate interests pursued by the controller or a third party.
Conditions for processing: The Jordan PDPL lists a number of requirements that processing should satisfy that are broadly consistent with international principles and standards, including lawfulness, fairness and transparency, purpose limitation, accuracy, storage limitation, integrity and confidentiality.
However, there is no express recognition of the principle of “data minimisation”. This is a key feature found in many international data protection laws and requires that personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which the data is processed.
Data subject rights: Data subjects will have a number of rights with respect to their personal data under the Jordan PDPL, including:
A data subject must be allowed to exercise these rights without facing any adverse financial or contractual consequences.
Data transfers: There are restrictions on the transfer or exchange of data with any third parties without the consent of the data subject. These include conditions relating to transparency and maintaining records of data transfers or exchanges, although data may be transferred and exchanged with competent public authorities to the extent that is required for the performance of tasks for which they are legally entrusted.
Personal data may not be transferred to any person outside Jordan if the level of protection the recipient provides is less than that provided by the Jordan PDPL, unless any of the following cases apply:
The Jordan PDPL does not currently anticipate that standard contractual clauses or other safeguards could be applied to facilitate the export of personal data outside Jordan. This may prove problematic for international businesses operating in the Kingdom that want to transfer personal data to other jurisdictions.
Data protection officer: A controller shall appoint a data protection officer (or auditor) if the controller’s core activities consist of processing personal data or it is involved in the processing of sensitive personal data, the data of persons lacking legal capacity, any data containing financial information or databases that will be transferred outside Jordan. The Personal Data Protection Board may also specify other cases requiring the appointment of such an individual. This is a broader approach than many other jurisdictions where mandatory DPO requirements are often limited to cases of high risk or large-scale data processing.
The Jordan PDPL sets out a list of responsibilities for the appointed person including implementing appropriate controls, ensuring evaluation and periodic reviews of data systems, managing the submission and consideration of complaints and organising training for employees of the controller.
Breach notification: In the event of a data security and integrity breach that would cause serious harm to the data subject concerned, the controller must inform data subjects concerned within 24 hours of discovering the breach. It must provide them with information on the necessary measures for the avoidance of any consequences which may arise from such breach. The controller is also obliged to inform the Unit within 72 hours from the discovery of the breach, including details of the source and the affected data subjects.
A controller that is responsible for a serious mistake or infringement is liable to indemnify any affected data subject.
The Jordan PDPL establishes the following sanctions for non-compliance:
Accordingly, it appears likely that the Unit will first serve a notice on any violator to cease the violation and rectify it within a specific period. If such period lapses without compliance with the notice, the Personal Data Protection Board (at the Unit’s direction) may impose the penalties set out above.
The Jordan PDPL establishes an organisational unit (Unit) of the Ministry of Digital Economy and Entrepreneurship (Ministry) to be responsible for monitoring compliance and preparing draft legislation relating to data protection.
The Unit will work alongside a Personal Data Protection Board, which is presided over by the Minister and includes an Information Commissioner, the Human Rights Commissioner-General, the Chairman of the National Cyber Security Centre, a representative of the Central Ba, two representatives of security agencies nominated by the directors of such agencies based on the Minister’s request, and four competent and experienced persons (including representatives of the telecommunications, banking and information technology sectors as nominated by the Cabinet).
The Board has the following powers and responsibilities:
The Jordan PDPL will take effect from 17 March 2024, but it provides that parties handling personal data prior to this date will have a period of one year from the effective date to adjust their position to comply with the new requirements of the law. We envisage that this will effectively amount to a “grace period” until March 2025 (although this may not apply to organisations established after the effective date of the law).
Further regulations are also expected to be issued under the Jordan PDPL to clarify aspects of its implementation, including:
All businesses operating in Jordan will need to assess their activities and make changes to align with the incoming Jordan PDPL as quickly as possible. We have previously issued tips for enterprises on how to create an effective privacy framework and worked with many organisations to help them implement the required processes and policies for compliance.