Iran’s Draft Data Protection Act: Too little but not too late · Global Voices
Mahsa Alimardani

Iran's Minister of ICT (second from the right) reveals Iran's Draft Data Protection Act in July 2018.
This post was originally published as part of an ARTICLE19 legal analysis.
A Draft Personal Data Protection Act currently awaiting review in the Iranian Parliament, which apparently aims to protect the personal data of individuals, is instead likely to enable further surveillance and censorship.
The draft act—like data protection laws in general—aims to protect individuals when both public and private sector organisations process their data.
However, it leaves room for the government to collect personal data in the name of national security. This collection, when done without the individual’s consent—a pillar of data protection—amounts to surveillance, and is of great concern for freedom of expression.
With vague and inconsistent provisions, the draft law risks granting greater online controls to the state and thereby endangering the lives of journalists and activists who fall prey to government surveillance. Released in July 2018, the draft was written by the Ministry of Information and Communications Technology and the Research Center of the Islamic Legislative Assembly (the research arm of the Iranian parliament). As of May 2019, however, Iranian legislators noted a lack of clarity on when the government will bring the draft act to parliament for review and ratification.
Since the exponential growth of Iranian internet use in the late 1990s and early 2000s, the government has sought to institutionalise its control over Iranians’ use of and access to the global internet. While sporadic and sometimes ad hoc, the Ministry of Communications has enforced a number of controls to restrict Iranians’ information access online.
After the Green Movement protests of 2009, Iran’s legislative cogs shifted into high gear to ratify the Computer Crimes Law (CCL) of 2010. Alongside this law’s problematic provisions, there have been a number of policy provisions, government-led projects, and new draft laws that raised fears of increasing centralisation of the Iranian internet. However, despite years of these restrictive policies, in May 2018 the Minister of Information and Communications Technology, Mohammad-Javad Azari Jahromi, announced that his Ministry welcomed the European Union’s General Data Protection Regulation (GDPR). He promised to launch a data protection bill for Iran and to engage in “constructive talks with the EU about mutual legal and technical assistance.”
Given the precedent Iran has set as one of the most restrictive environments for freedom of expression, such a step towards protecting rights would be welcome. But it raises many questions of how such a new law would work in conjunction with pre-existing problematic provisions within the country’s Islamic Penal Code and Computer Crimes Law.
While efforts to improve data protection by the Iranian government are welcomed, as are efforts to engage with the EU and global initiatives to protect individuals across digital borders, the draft act fails to live up to global standards.
The EU’s General Data Protection Regulation versus Iran’s Draft Data Protection Act
When the European Union created its new data protection legislation in April 2016, which entered into force in May 2018 in the form of the General Data Protection Regulation (GDPR), it placed data protection onto the map as a global standard. While certainly not the first regulation of data protection in the world (or even in the EU), it was the first to encompass such a large region as the European Union. As one of the most comprehensive efforts to secure the rights of the individual in the digital realm, it cultivated a platform for global partnerships around the global nature of data flows.
In contrast, Iran’s Draft Data Protection Act lacks a clear scope in terms of what materials count as data (data processed by computers, or as in the GDPR, data that also includes information in an offline format), as well as the rights it affords to companies. The draft law also lacks protections from the risks that data processing regulations could pose against journalistic and cultural pursuits, and transparency efforts, as set out in Iran’s Freedom of Information Act.
Prosecutions of journalists for their work to expose government corruption, as seen in recent cases, would potentially be aided by Article 12 of the draft law, which includes a worryingly broad definition of what constitutes a “security” exception to protecting an individual’s data from being processed without consent. The draft therefore risks further legitimising judicial repression of journalists and activists.
Iran has already set terrifying precedents of “security” concerns being abused by Iran’s Revolutionary Guards to access the data of individuals such as journalists, those belonging to marginalised groups, or dual nationals, to unjustly persecute them. Notable cases include the illegal seizure of jailed dual-national Nazanin Zaghari-Ratcliffe’s data, and the illegal hacking of the email and social media accounts of Washington Post journalist Jason Rezaian prior to his arrest. These seizures of data, both through the Revolutionary Guards, were then used to build absurd cases of espionage against both of these individuals.
Furthermore, the draft law proposes the establishment of a data protection commission (charged with overseeing the processing of data in accordance with the law), which would include individuals known to be part of the security apparatuses that suppress freedom of expression. This law would additionally allow immunity for the processing and collection of data on individuals who are deemed in breach of Iran’s pre-existing and wide-ranging national security laws. The Iranian Penal Code contains numerous overbroad and vague content-based restrictions on freedom of expression, which are in violation of international human rights law and facilitate the targeting of human rights defenders, journalists, and other dissenting or minority voices.
Elements of the draft law aiming to increase internet localisation also chime with the wider project of the National Information Network (NIN), created during the era of President Mahmoud Ahmadinejad and continued throughout the Rouhani administration. These localisation efforts include government incentives, such as rewards on user numbers, for Iranian software developers to build messaging applications to rival foreign ones. Security engineers proved that these apps’ transmission of user data was outside of protocols of encryption (encryption is illegal according to Article 10 of the CCL), which further undermines international standards of privacy.
These localisation requirements, in addition to the weak language of accountability and independence of the Commission that oversees the processing of user data, must be removed, and Iranian parliamentarians and politicians should revise the law according to international standards.
If the draft act is properly brought into line with international standards, it could serve as a small step towards protecting the human rights of Iranians.