Iran’s Cyber Policymakers Respond to Data Breaches with Inadequate Guidelines

Iran’s cyber policymakers respond to a slew of hacks which stole the data of millions of users in 2023

Data Privacy Week, celebrated worldwide from January 22 – January 28, commemorates the signing of Convention 108, the first binding international agreement on data protection, on January 28, 1981.

This year, Iran marked the occasion by publishing the Guidelines for the Protection of User Privacy on Cyberspace Systems and Platforms, a document that recognizes some rights for users regarding personal data protection in cyberspace for the first time.

However, these guidelines are far from being a comprehensive law that can effectively safeguard the digital privacy of Iranian citizens. They are a superficial response to the repeated hacking and publication of Iranian users’ information, which have occurred repeatedly in recent years and affected millions of users. They do not reflect thorough and comprehensive research on technical or legal matters, nor do they provide adequate guarantees to protect users from security and judicial institutions that can access user data at will.

The full title of the guidelines is “The Executive Guidelines for Improving the Protection of User Privacy and the Method of Collecting, Processing, and Storing User Information on Cyberspace Systems and Platforms.” They are introduced as the first part of a “Document on Policies and Obligations about Data Protection,” but it is unclear how many sections that document will have or what subjects they will cover. The guidelines consist of only four articles, which are vague, inconsistent, and insufficient to address the varied issues and complexities of data protection in today’s world.

The guidelines do not foresee the necessary, adequate guarantees to protect Iranian citizens from security and judicial institutions. For example, in the section on data erasure, which relies on phrases like “conditioned on a lack of incongruity with the country’s laws and regulations, and the missions and responsibilities of executive apparatuses,” security and judicial authorities are in practice left a free hand to access user data.

Moreover, while the “right to be forgotten” has been a key focus for advocates of internet freedom and rights, culminating in a campaign launched in 2021/2022 to promote this cause, the guidelines are lacking in this regard. While they call for the encrypted storage of identity data, they do not say which encryption standards are to be followed. This presents a contradiction: if identity data is protected with robust, one-way encryption, it becomes inaccessible for review, even when a legal institution requests it through a transparent and lawful procedure. This raises concerns about the balance between privacy and legal accountability.
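As an added illustration, not taken from the guidelines or the original article, of the asymmetry the paragraph describes: a keyed one-way digest of an identity field lets a party who already holds a candidate value (and the key) confirm a match, but offers no way to read the stored value back, so a request to disclose it cannot be met. The key, record layout and identifier below are constructed assumptions.

```python
import hashlib
import hmac

# Constructed demo key. A real platform would keep this in a key-management
# service, and policy would have to say who may use it and when.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def protect_identity(identifier: str, key: bytes = DEMO_KEY) -> str:
    """One-way transform: keyed HMAC-SHA256 of an identity field (hex digest).

    Storing this instead of the raw value means the raw value cannot be read
    back from the record by anyone, the platform included.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def confirm_identity(candidate: str, stored: str, key: bytes = DEMO_KEY) -> bool:
    """What one-way storage still allows: a party that already holds a
    candidate value and the key can confirm whether it matches a record."""
    return hmac.compare_digest(protect_identity(candidate, key), stored)


def answer_review_request(record: dict, request: dict) -> dict:
    """Model a lawful review request against a record whose identity field
    holds only the one-way digest.

    kind == "confirm": caller supplies a candidate value; answerable.
    kind == "disclose": caller asks for the stored value; not answerable,
    because no inverse of the digest exists.
    """
    if request["kind"] == "confirm":
        return {"answerable": True,
                "match": confirm_identity(request["candidate"], record["id_digest"])}
    if request["kind"] == "disclose":
        return {"answerable": False,
                "reason": "identity field is stored one-way; no plaintext exists to disclose"}
    raise ValueError(f"unknown request kind: {request['kind']}")


# Constructed sample record: a fictitious 10-digit identifier, stored only as its digest.
SAMPLE_RECORD = {"user": "u-1001", "id_digest": protect_identity("0012345678")}
```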

Despite the apparent contradictions within the guidelines and the broad discretion granted to security and judicial institutions over user data access, certain rights have been recognized and established for Iranian users for the first time in this document. 

It is important to acknowledge that contemporary legal frameworks designed to protect personal data are equipped with substantial legal and technical provisions. These frameworks are crafted to remain effective amid the rapid progress of information, communication, and artificial intelligence technologies. In this respect, the guidelines do not bear comparison with the existing legal instruments for data protection in other countries and regions. For instance, the European Union’s General Data Protection Regulation (GDPR) consists of 99 articles in 11 chapters, with 173 recitals (interpretive preamble clauses). By comparison, a set of guidelines made up of just a few articles cannot serve as an appropriate, comprehensive law to protect personal data.

The first attempt to draft a law protecting personal data in Iran was made in 2018/2019, during the tenure of Azari Jahromi at the Ministry of Communications. This draft, comprising 29 articles, never reached the Majles in the form of a bill. A subsequent draft was introduced to the Majles as a proposal by representatives in 2020/2021, but it was set aside with the inauguration of the Raisi administration.

Currently, the “Personal Data Protection and Preservation Bill” is being drafted under the Raisi administration, marking the third endeavor to enact legislation safeguarding the personal data of Iranian citizens. The draft text of this bill is yet to be finalized.

An Overview of the Guidelines:

The intended audience of these guidelines is entities that operate within cyberspace, encompassing both private sector companies and government bodies that deliver public services via online platforms. Upon examining the guidelines and aligning them with standards for advocating personal data rights, we can categorize the key approaches and obligations as follows:

  1. Provisions Related to Transparency and Consent

    – Users ought to be aware of, and give their consent to, the way in which information is collected.
    – Users ought to know whether information is collected directly from the user, or through the use of other means or systems.
    – Users ought to know for what purpose any data is collected, and consent to it.
    – Users ought to know what information is necessary for any purpose and which is optional, and be able to refrain from sending optional information.
    – New use of data requires new consent from the user.

  2. Necessity and Data Minimization

    – Data ought to be collected, processed, and held only to the extent necessary for the performance of legal duties or the furtherance of business. Even these two activities ought to be proportionate to the end communicated to the user and to which they have consented.

  3. Protection of Confidentiality

    – Data that allows the tracking of individual identities ought to be encrypted.

  4. The Right to be Forgotten

    – Users ought to be able to request that their data be deleted.
    – A request to delete data must be implemented immediately.
    – This request may include the deletion of an account and all or part of the data pertaining to its activities on a system or platform.
    – In line with the implementation of Article 667 of the Code of Criminal Procedure, traffic data and user data, after being deleted from a system or platform, will be transferred for storage to data support bases (which are offline and separate from public communication networks); after six months the data is deleted from these, too.

  5. Enforcement Guarantees

    – Should the articles of these guidelines not be followed, the licenses of service providers and platforms will not be renewed.
    – If, as a result of a failure to follow the above articles, the privacy of individuals is violated, civil and criminal responsibility rests with the apparatuses and platforms.

The time periods determined for implementing the content of the guidelines are as follows:

– Two-month period: for implementing guideline provisions for collecting new data.

– Three-month period: for implementing the articles on transparency, consent, and minimization for data which was collected, stored, and processed before these guidelines were approved.

– One-month period: to use the identity verification capacity of the Records Organization to prevent redundancy in the collection of identity data. It appears this period will begin only after the Records Organization provides the necessary mechanism, per “The System for Reliable Identity in the Country’s Cyberspace.”

The Guidelines and the Under-the-Radar Implementation of the User Protection Bill

In February/March 2022, the latest version of the User Protection Bill was published. This edition also encountered significant backlash from both the general public and online business owners. Following this, the comprehensive enforcement of the Bill shifted from the public eye and the Majles to a more discreet authority, the Supreme Cyberspace Council. This move indicates a strategic approach to implementing the Bill amidst public scrutiny.

This institution was formed in 2012 at the order of the Supreme Leader, who approves and changes its members. Since its founding, the Supreme Cyberspace Council has been the highest decision-making authority when it comes to cyber policy. It has gradually become clear, however, that the Council sees itself as having powers wider than executive policy and has moved toward legislation.

Per the Constitution, legislation is a power of the Majles. It stems from the fact that only representatives elected by the people may formulate laws. In practice, however, we see that initiatives from many non-elected institutions are judged to be law, such as the Supreme Council of Cultural Revolution, the Expediency Discernment Council, the Supreme National Security Council, and the Supreme Cyberspace Council.

One controversial aspect of the User Protection Bill which met considerable opposition was the fact that the Majles had, explicitly and clearly, yielded its own legislative right in cyber matters to the Supreme Cyberspace Council.  

In part C of Article One of the most recent version of the User Protection Bill, published in February/March 2022, the approval of codes and regulations pertaining to cyberspace is turned over to an entity under the Supreme Cyberspace Council called the “Supreme Commission for Cyberspace Regulation” (“Supreme Commission” from here on in this text); policymaking and oversight rest with Council subsidiaries as well.

Though the User Protection Bill was not pursued in the Majles after February/March 2022, steps have been taken to operationalize it through the Supreme Cyberspace Council. With the updating of the Supreme Commission’s duties and powers in April/May 2022, its scope has gone beyond policymaking and is approaching legislative power.

This has happened in such a way that the Supreme Commission has become responsible for the approval of cyberspace guidelines, criteria, and requirements of executive, technical, and supervisory natures. Consequently, this institution will henceforth be the decision-maker and regulator for matters including data collection and processing, user privacy on digital platforms, cybersecurity, as well as pricing for cyber services and online content. The Commission’s directives, which carry legislative weight, will be approved independently of the Majles.