July 21, 2025

Understanding Personal Data Protection in the Digital Space

This article explores the concept of personal data in the digital space, shedding light on the types of user data stored online and examining the responsibilities of private companies and governments in safeguarding this information.

The topic is explored in depth in the first episode of 7th Layer’s second season, where the discussion centers on the methods used to collect personal data, the challenges of safeguarding it, and the obligations of both public and private entities in managing and securing user information effectively.

The Journey of Iran’s Personal Data Protection Bill
The drafting of Iran’s Personal Data Protection Bill began in 2017, but its progress faced numerous challenges. Advancing this legislation became a key priority for the Ministry of Communications during President Ebrahim Raisi’s administration. Despite these efforts, the bill remained incomplete by the end of his presidency.

However, after years of legal debates and revisions, the Cabinet approved the bill on July 14, 2024, and submitted it to the Islamic Consultative Assembly for enactment. The draft defines personal data as “any information that, whether alone or in combination with other data, can identify the individual it pertains to.”

How Personal Data is Collected Online
Every day, as users navigate the internet, their personal data is being stored, often without their awareness. For instance, a user searching for running shoes might later encounter a wave of targeted advertisements promoting discounts on similar products. This raises questions: How do platforms know what users are looking for? What types of data are collected, and how are they used?

Every interaction online leaves a digital footprint, whether intentional or not. Websites collect personal data for various purposes, starting with basics like IP addresses and extending to detailed device information such as screen resolution, browser type and version, operating system, and even network type. Location data, internet service provider details, and connection methods (Wi-Fi, 3G, or 4G) are also routinely gathered.

Social media platforms and search engines collect data by tracking browsing histories, visited pages, and personal details shared in user profiles. Additionally, websites use cookies—small packets of data sent to a user’s browser—to identify and track their activities. While cookies can streamline user experiences, they also raise concerns when they store complex and sensitive information. Artificial intelligence tools, such as chatbots, also analyze user interactions, extracting valuable insights from seemingly simple conversations.

The Risks of Unchecked Data Collection
The implications of unchecked data collection extend beyond marketing. Vulnerable populations, such as seniors unfamiliar with the intricacies of the internet, can fall victim to deceptive advertising, losing significant financial resources. Similarly, children and teenagers, whose online activities are extensively tracked, are particularly susceptible to manipulative marketing strategies. Beyond commercial misuse, cybercriminals often exploit stored data to access sensitive information, such as financial, medical, or legal records, posing severe threats to individuals.

Amnesty International, for instance, criticized Meta (the parent company of Facebook) for its role in the 2017 Rohingya genocide in Myanmar. The organization argued that Meta’s algorithms, designed to prioritize engagement and profit, significantly contributed to the spread of harmful content that fueled violence.

The Need for Comprehensive Data Protection Laws

The extent to which companies can access and utilize personal data depends largely on their privacy policies, which are often deliberately opaque. In contrast, the General Data Protection Regulation (GDPR), adopted by the European Union in 2016 and enforced in 2018, provides a comprehensive framework for protecting personal data and privacy. It mandates clear and accessible policies, user control over their data, and transparent practices for handling third-party data requests. Unfortunately, many countries, including Iran, have yet to implement similar protections.

In Iran, despite years of discussion, the issue of personal data protection remains unresolved. Recent high-profile cyberattacks targeting government and private institutions have exposed the vulnerabilities in existing data protection measures. The government’s response, consisting mainly of ad hoc directives, lacks the comprehensiveness required to safeguard user data against misuse, especially by security and judicial bodies. Efforts to legislate data protection laws, including drafts proposed in 2018 and 2020, have repeatedly failed to materialize.

The Future of Data Protection in Iran
The latest bill now before Parliament may represent the last hope for establishing a robust legal framework to protect personal data in Iran’s digital landscape. However, its effectiveness remains to be seen. Only with clear regulations and accountability measures can the protection of personal data in Iran move beyond mere promises to tangible actions.