This article was written by Raya Sharbain of the Jordan Open Source Association (JOSA), who works to promote open source, free culture and digital rights in Jordan.
In November 2018, at the XXXI session of the Universal Periodic Review, Jordan received for the first time in its history two recommendations on the right to privacy. Estonia and Brazil called attention to the need to respect the privacy of citizens. However, Jordan's experience has shown that threats to privacy and digital rights come not only from the Government, but also from international organizations and companies, including internet service providers and emerging technology companies.
Without a privacy law, how do public, private and international actors handle personal data in Jordan today? And the enactment of a data protection law will strengthen the protection of privacy in the country.
Laws that allow government surveillance
For a long time, Jordanians believe that there is always someone listening, be it phone calls or through internet cables. Government surveillance is a strong threat to the right to privacy of Jordanians, which has prompted many, including journalists, to practice self-censorship.
The necessary and proportional principles
The International Principles on the Application of Human Rights to Communications Surveillance (the “Necessary and Provided Principles” or “Thirteen Principles”), were written by experts in privacy and technology, and published in September 2013 to “give civil society groups, states, courts, legislative and regulatory bodies, industry and others, a framework to assess whether current or proposed laws and surveillance practices worldwide are compatible with human rights. ”
The regulations on privacy and surveillance include the Telecommunications Law (13/1995) which states that “telephone calls and private telecommunications will be considered as confidential matters that cannot be violated, under legal responsibility” (Article 56: 4). Although it mentions a traditional means of communication, it does not make specific reference to digital platforms. In addition, the anti-terrorism law of 2006, and specifically its article 4, threatens privacy rights under the pretext of protecting public safety. It also violates the principles of necessity and proportionality, which stipulates that a person may be subject to surveillance “if the attorney general receives reliable information indicating that a person or a group of people are related to some terrorist activity.” The article has no definitions of what constitutes “reliable information” and “terrorist activity.”
In 2018, the Government proposed amendments to the cybercrime law that included “applications” to the list of “information systems” that may be subject to government inspection. The prosecutor was also given more powers of supervision. During a parliamentary session in February 2019, the majority of the members voted in favor of the amendments.
To make matters worse, as there is no data protection law, the Jordanian government is imposing mandatory smart IDs that store biometric data on its citizens, and a mandatory SIM card registration plan that will require citizens to send their fingerprints to register A new phone number.
Refugee Privacy Law
For their part, international institutions are also responsible. Jordan hosts some 531,000 Syrian refugees, of which 123,000 live in refugee camps (as of December 2019). When entering Jordan, refugees must provide their biometric data. According to UNHCR's data protection policy, data should only be obtained “by means of a written or oral statement, or by clear affirmative action.” But the World Food Program partnered with the United Nations Agency for Refugees (UNHCR) and the Jordanian-British company IrisGuard to implement a biometric transaction system whereby refugees buy food and groceries and take money from ATMs With scans of his iris. There is concern about whether refugees know the option of not participating in that system, and if they have really given their informed consent.
(embed) https://www.youtube.com/watch?v=oUtl8Hpg15w (/ embed)
Role of technology companies
In the private sector, it is mostly political gaps that threaten digital rights. Amman, the capital of Jordan, has a vibrant technological scene. Many regional companies, such as the OpenSooq online classified advertising platform, the Mawdoo3 Arabic publishing platform, the Arab weather service company ArabiaWeather and the regional online book retailer Jamalon, are based in Amman. International companies such as Expedia, Amazon, Microsoft and Careem have engineering offices in the country. As there is no data protection law, these companies handle user data in a disorderly manner. A slight look at some privacy policies of these websites reveals some invasive practices.
… We reserve the right to sell the information that is willingly posted by users on the site to third party customers seeking recruitment services. Akhtaboot is not responsible for any actions taken by any third party customer with regards to the information that is posted by users.
… We reserve the right to sell the information that users voluntarily publish on the site to third-party clients seeking contracting services. Akhtaboot is not responsible for the actions taken by third-party customers regarding the information published by users.
The Ministry of Transportation has demanded that the Careem application (acquired by Uber in March 2019) provide law enforcement with full access to their computers, servers and data in order to work in the country.
Internet service providers in Jordan have also participated in practices that violate user privacy. A recent study by AccessNow and impACT has shown that internet service providers not only collect more data than necessary, but also do not reveal to users what data they collect and how they process it.
Personal data protection law
In 2014, the Ministry of Information and Communication Technologies of Jordan (now known as the Ministry of Digital Economy and Business) introduced a bill to protect personal data, currently in its fourth and final draft to date.
The personal data protection bill partially complies with the fundamental aspects of the General Data Protection Regulation of the European Union (GDPR) and applies to all private and public institutions in Jordan, including locally registered international organizations and organizations . It reflects the concepts of transparency, accuracy, storage limitation and minimization of regulation data.
However, in its current state, the bill raises concerns. For example, the Jordan Privacy Commission, proposed by the bill, lacks independence. Moreover, according to the current project, the commission will not only be appointed by the Government but also chaired by the Minister of Information and Communication Technologies.
It is not yet known with certainty when the project will become law. It still has to be approved by Parliament, before being officially law within six months by real consent.
The late Syrian poet and diplomat Nizar Qabbani once lamented the state of freedom in the Arab region:
I am trying to draw a country that will be friendly to my poetry, a country that will not come between me and my thoughts, a country that won't have soldiers wandering over my forehead.
I am trying to trace a country that is kind to my poetry, a country that does not stand between my thoughts and I, a country that has no soldiers wandering around my forehead.
In Jordan, and throughout the region, surveillance has been used to silence the disagreement. However, in today's hyperconnected world, threats to privacy in Jordan come from the Government, and also from international agencies and corporations, including internet service providers and emerging technology companies.
Data protection laws tend to be perceived as a panacea for all privacy concerns, but it remains to be seen how the proposed bill in Jordan will take shape and if it will be effectively implemented once adopted.