Data protection policy void threatens privacy rights of citizens and refugees in Jordan · Global Voices
This post was written by Raya Sharbain of the Jordan Open Source Association (JOSA), which works to promote open source, free culture and digital rights in Jordan.
In November 2018, at the 31st session of the Universal Periodic Review, Jordan received for the first time in its history two recommendations on the right to privacy. Both Estonia and Brazil called attention to the need to respect citizens’ privacy. However, Jordan’s experience has shown threats to privacy and digital rights come not only from the government but also from international agencies and corporations including Internet Service Providers and tech start-ups.
In the absence of a privacy law, how is personal data being handled in Jordan today by public, private, and international actors? And will the enactment of a data protection law reinforce privacy protections in the country?
Laws enabling government surveillance
It’s a long-standing belief among Jordanians that someone is always listening in, whether on phone calls or over internet cables. Government surveillance is a strong threat to Jordanians’ right to privacy which has pushed many, including journalists, to practise self-censorship.
The Necessary and Proportionate Principles
The International Principles on the Application of Human Rights to Communications Surveillance (the “Necessary and Proportionate Principles” or “13 Principles”), were drafted by privacy and technology experts, and launched in September 2013 to ”provide civil society groups, states, the courts, legislative and regulatory bodies, industry, and others with a framework to evaluate whether current or proposed surveillance laws and practices around the world are compatible with human rights.”
Privacy and surveillance regulations include the Telecommunications Law (13/1995) which states that “telephone calls and private Telecommunications shall be considered confidential matters which may not be violated, under legal liability” (Article 56:4). While it mentions a traditional medium of communication, it has no specific reference to digital platforms. Moreover, the Anti-Terrorism Law of 2006 and specifically Article 4 threatens privacy rights under the pretence of protecting public safety and security. It also fails to comply with the Necessary and Proportionate Principles, since it stipulates that a person can be subject to surveillance “if the Prosecutor General received reliable information indicating that a person or group of persons is connected to any terrorist activity.” Definitions for what constitute “reliable information” and “terrorist activity” are absent from the Article.
In 2018, the government proposed amendments to the Cybercrime Law which included “applications” to the list of “information systems” that can be subjected to government inspection. The prosecutor was also granted more surveillance powers. During a parliamentary session in February 2019, the majority of members voted in favour of the draft amendments.
To make matters worse, in the absence of a data protection law, the Jordanian government is imposing on its citizens mandatory smart IDs that store biometric data, and a mandatory SIM card registration plan that will require citizens to submit their fingerprints to register a new phone number.
Privacy rights of refugees
Meanwhile, international institutions also have accountability. Jordan hosts about 531,000 Syrian refugees with 123,000 living inside refugee camps (as of December 2019). Upon entering Jordan, refugees must give their biometric data. According to UNHCR’s data protection policy, data should only be obtained “either by a written or oral statement or by a clear affirmative action.” But the World Food Program partnered with the UN Refugee Agency (UNHCR) and Jordanian/British company IrisGuard in implementing a biometric transaction system whereby refugees purchase food and groceries and take out cash from ATMs by scanning their irises. There are concerns on whether refugees are aware of an option to opt out of such a system, let alone whether they have actually been given informed consent.
Role of tech companies
In the private sector, it is mostly policy voids that are threatening digital rights. Amman, the capital of Jordan, has a vibrant tech scene. Many regional companies such as online classified platform OpenSooq, Arabic-language publishing platform Mawdoo3, regional weather services company ArabiaWeather, and the regional online book retailer Jamalon, are headquartered in Amman. International companies like Expedia, Amazon, Microsoft, and Careem have engineering offices in the country. With no data protection law, these companies are left to handle user data haphazardly. Just a skim over some of these websites’ privacy policies reveals some invasive practices.
…we reserve the right to sell the information that is willingly posted by users on the site to third party customers seeking recruitment services. Akhtaboot is not responsible for any actions taken by any third party customer with regards to the information that is posted by users.
Ride-hailing app Careem (acquired by Uber in March 2019) has been required by the Ministry of Transportation to give law enforcement full access to its computers, servers, and data in order to be able to operate in the country.
Internet Service Providers in Jordan have also been involved in practices that infringe on user privacy. A recent study by AccessNow and impACT has shown that not only do ISPs collect more data than necessary, they also do not reveal to users what data they collect and how they process it.
Draft personal data protection bill
In 2014, the Jordanian Ministry of Information and Communication Technology (now known as Ministry of Digital Economy and Entrepreneurship) introduced a draft bill for personal data protection, which is currently in its fourth and final draft to date.
The draft personal data protection bill partially aligns itself with core aspects of European Union’s General Data Protection Regulation (GDPR) and applies to all private and public institutions in Jordan including international agencies and organizations registered locally. It mirrors GDPR’s concepts of transparency, accuracy, storage limitation, and data minimisation.
As it stands, however, the bill still raises major concerns. For example, the Jordan Privacy Commission, proposed by the bill, lacks independence. In fact, under the current draft, the commission will not only be appointed by the government but also chaired by the ICT minister.
It is still uncertain when the bill will become law. It still needs to be adopted by the parliament, before it officially becomes law within a six-month timeframe through royal assent.
The late Syrian poet and diplomat Nizar Qabbani once lamented the state of freedom in the Arab region:
I am trying to draw a country that will be friendly to my poetry, a country that will not come between me and my thoughts, a country that won’t have soldiers wandering over my forehead.
In Jordan, and the entire region, surveillance has been used to silence dissent. In today’s hyperconnected world, however, threats to privacy in Jordan emanate not only from the government, but also international agencies and corporations including ISPs and tech start-ups.
Data protection laws tend to be perceived as a panacea for all privacy concerns, but it is yet to be seen how the proposed bill in Jordan will take shape, and whether it will be effectively enforced after its adoption.