Overview

The primary motivation behind drafting a data protection bill was to ensure the protection of personal data in the digital environment. Personal data is susceptible to collection, retention, and processing by various stakeholders. The aim was to strike a balance between individuals' rights to protect their personal data and the need to enable data processing, retention, and the utilization of information in cyberspace. Additionally, the emergence of big data and artificial intelligence (AI) concepts further required the development of a legal framework for data protection, leading to the drafting of a bill.

The Bill has introduced a regulatory framework that sets clear limitations and responsibilities for the storage and processing of personal data. It aims to promote e-commerce and e-services in Jordan while creating a supportive environment for ensuring the safety and stability of cyberspace.

Furthermore, the Bill has established the personal data protection council and determined its functions and power. It has also outlined the functions of the organizational unit within the Ministry of Digital Economy and Entrepreneurship that is responsible for safeguarding personal data.

Scope

The provisions of the Bill apply to the processing of both normal and sensitive personal information of individuals within Jordan, regardless of whether the data owner is located within or outside Jordan. This includes the transfer and exchange of personal information inside and outside Jordan.

However, it is important to note that the Bill does cover the processing of personal data by individuals for their personal purposes.

Sensitive personal information

According to the Bill, 'sensitive personal information' is defined as any information that has the potential to identify an individual. This includes the following categories:

• ethnic origin or political opinions;
• religious beliefs;
• health-related data;
• data concerning criminal records; or
• genetic data or biometric data that can be processed to identify a human being.

Legitimate bases

Article 4 of the Bill emphasizes the data subject's right to protect their personal data, and that the processing of such data is subject to the prior written consent of the data subject. However, it is important to note that this consent is subject to specific conditions outlined in Article 5 of the Bill, which include the following:

• the consent must be explicitly given and documented, either in writing or electronically;
• it should clearly specify the purpose and duration of the data processing;
• the request for consent should be communicated in clear, simple, non-misleading language and should be accessible; and
• in cases where the data subject lacks the legal capacity to provide consent, the approval of one of the parents or guardians of the data subject is required. In certain circumstances, the judge may grant consent based on a request by the organizational unit responsible for personal data protection at the Ministry.

In some cases, prior approval may not be deemed valid if:

• the approval was issued on the basis of incorrect information or deceptive or misleading practices; or
• the nature, type, or objectives of the data processing were altered without obtaining the data subject's prior consent.

However, as outlined in Article 6 of the Bill, there are certain situations in which prior consent may not be required, such as when:

• processing is carried out directly by a competent public authority to the extent necessary for fulfilling its legally assigned tasks, either directly or through contracted entities. The contract must include all the obligations and conditions specified in the Bill, as well as the accompanying regulations and instructions;
• processing is necessary for preventive medical purposes, medical diagnosis, or evaluation of healthcare, carried out by a licensed healthcare professional;
• processing is necessary to protect the life of the data subject or to protect their vital interests;
• processing necessary to prevent or detect a crime by a competent authority or to prosecute violations of Bill's provisions;
• processing is required or authorized by other legislation or a decision of a competent court;
• processing is necessary for scientific or historical research purposes, provided that it does not involve making decisions or taking actions concerning a specific person;
• processing is necessary for statistical purposes, national security requirements, or to fulfill the public interest; or
• if the personal data is publicly available by the data subject.

Main data protection principles

Transparency

According to Article 9 of the Bill, the data owner is required to provide written or electronic notification to the concerned individual before commencing any data processing. This notification should include the following details:

• the personal information that will be processed;
• the date on which the processing will begin;
• the purpose for which the personal information is being processed; and
• the duration for which the personal information will be processed.

Data accuracy

Article 7 of the Bill states that personal information should be accurate and undergo regular updates to ensure consistency and validity with each use. Furthermore, the purpose of processing should be legitimate, specific, and transparent, and any subsequent procedures should align with the original purpose for which the data was collected. All data processing should be conducted using lawful means.

Data minimization

While the Bill does not explicitly outline restrictions on the types or quantity of personal information that can be collected, it implies that collected data should be limited to what is necessary for the purpose of data processing. Any data that is not directly relevant to the processing purpose should be exempted and should not be collected.

Data retention

The Bill restricts the quantity of personal information that can be stored and the duration for which it can be retained for data processing purposes. However, the duration can be extended if approved by the concerned individual.

Purpose limitation

The Bill adheres to the principle of finality, which means that data processors must use the collected personal information only for the purposes for which it was originally collected unless consent has been obtained from the individual or as explicitly permitted or required by law.

If a data processor intends to use the stored personal information for a new purpose, prior consent must be obtained from the individuals concerned. This ensures that their personal information is only used for the newly identified purpose with their explicit approval.

Confidentiality

According to the Bill, both the data itself and the subject matter of data processing are confidential. Therefore, the Bill places general obligations on data controllers and processors to safeguard personal information against any unauthorized disclosures or misuse. This includes but is not limited to, ensuring the safety and security of personal information to prevent breaches or unauthorized disclosures. It also entails the establishment of suitable measures to detect and track potential attacks and threats to the security of personal information.

Accountability

The Bill establishes minimum requirements and regulations that must be followed by data owners and processors in relation to personal information. It also specifies the expectations for the techniques and procedures to be employed in data processing. Even if owners or processors have not implemented internal controls or techniques, they are still obligated to comply with the Bill. Failure to do so may result in sanctions being imposed on the non-compliant party.

Data subject rights

Individuals have several rights granted to them under the Bill, which include:

• right to access;
• right to object and withdraw the acceptance of processing;
• right to be informed;
• right to receive rectification and restriction of processing;
• right to data portability;
• right to be forgotten; and
• right to ensure data erasure.

Moreover, individuals have the right to claim monetary damages for harm or damage caused by data processors and data controllers. The civil law and tort provisions cover actual damages, as well as damage for emotional distress.

Cross-border data transfers

In general, prior to transferring data, data processors or owners must ensure the security and measures to be implemented by the outsourced processor. Such data transfers are restricted unless prior consent is obtained from the data subject. Furthermore, explicit agreement and consent from the data subject are required for personal information to be sold or shared for online targeted advertising purposes.

For any cross-border transaction of personal information, it is necessary to transfer the data to a party that provides an adequate level of data protection. The level of protection must be equivalent to the standards mandated by Jordanian laws and regulations, except in the following circumstances:

• judicial cooperation is established under international conventions and treaties;
• international cooperation in combating crimes;
• data exchange is essential for patient treatment;
• data exchange is related to epidemiological and health disasters;
• the data subject has given consent to the transfer after being informed that the level of protection outside the jurisdiction is not equivalent to that imposed by Jordanian laws and regulations; and
• transfer of funds abroad.

Appointment of a data protection officer

Data processors have a legal obligation to appoint a data protection officer (DPO) who has the capability to abide by their legal responsibilities, especially in the following circumstances:

• when the main activity of the data processor is data processing;
• when processing sensitive personal information;
• when processing information on individuals lacking legal capacity;
• when processing personal information related to credit information;
• when transferring personal information outside the jurisdiction of Jordan; or
• in other circumstances defined by the council for the protection of personal information.

Data protection authorities

The provisions of the Bill establish a council for the protection of personal information, which will in turn establish a personal information unit within the Ministry of Digital Economy and Entrepreneurship. This organizational unit is responsible for safeguarding personal information within the Ministry of Economy and Entrepreneurship. It is empowered with specific authorities outlined in Article 18 of the Bill, which include:

• preparing draft legislation and instructions related to the protection of personal information;
• receiving reports and complaints related to violations;
• investigating the perpetrators of violations and making appropriate decisions on these matters;
• monitoring the compliance of any person responsible for data processing, and the extent of their commitment to specific technical and administrative procedures;
• monitoring compliance with the provisions of the law, regulations, and instructions; and
• opening, supervising, and organizing an official registry of personal information officials, processors, and controllers.

Both the supervisory authority (the council for the protection of personal information) and the judicial system have responsibilities in handling public complaints and enforcing the provisions of the law through penal and administrative procedures. The competent court has broad discretion in assessing actual damages, determining compensation, and imposing penalties.

Breaches of Data Protection Bill

According to Articles 20 and 21 of the Bill, specific penalties are applicable in case of violations of the Bill, as well as the regulations and instructions issued under it. The severity of the penalty depends on the gravity of the violation.

Initially, the designated unit has the authority to issue a warning, requiring the violation to be rectified within a specific timeframe. If the warning is not heeded and compliance is not achieved within the period specified, the council for the protection of personal information, upon the recommendation of the personal information unit, has the power to take further actions. These actions include the suspension, cessation, or revocation of the license held by the violator. Additionally, the council can impose daily fines that do not exceed 500 Jordanian dinars (approx. $700) per day.

Moreover, financial penalties ranging from a minimum of 1,000 Jordanian dinars (approx. $1,400) to a maximum of 10,000 Jordanian dinars (approx. $14,000) can be imposed on individuals or entities that breach the provisions of the law. In cases where a conviction decision has been rendered, the court may also order the destruction of personal information or the cancellation of personal information that is the subject of the case.

Mariana Abudayah Legal Associate
[email protected]
Nsair & Partners – Lawyers, Amman