Jordan issues first personal data protection law

The Hashemite Kingdom of Jordan has issued its first comprehensive national legislation to regulate the collection and processing of personal data. This long-awaited development is consistent with wider regional and international trends to recognise the privacy of individuals and regulate the protection of their personal data. In this article, we provide a summary of the legislation and our commentary on the implications of this latest important development in the Middle East data protection landscape.

What is the new law?

Law No. 24 of 2023 regarding personal data protection (Jordan PDPL) was published in the Official Gazette on 17 September 2023. It follows the passing of a new Electronic Crimes Law (No. 17 of 2023) in August that codified various cybercrime offences.

The Jordan PDPL will come into effect six months after the date of its publication (on 17 March 2024) and shall apply retrospectively to protect data collected or processed prior to its entry into force.

Who and what is within the scope of the Jordan PDPL?

The Jordan PDPL is designed to protect “personal data”, which is defined as:

“any data or information of any source or form, which are relating to an identifiable natural person, which would make him/her identified directly or indirectly, including the data related to his person, marital status, or location”.

It includes special provision for “sensitive personal data”, which is separately defined as:

“any data or information relating to a natural person revealing directly or indirectly the individual’s racial or ethnic origin, political opinions or affiliations, religious beliefs, or any data concerning his/her financial standing or health, physical, or mental condition, biometric and genetic data, or in his/her criminal record, or any other data or information which are determined by the Board to be sensitive if the disclosure or abuse of which would cause harm to the data subject concerned”.

The Jordan PDPL applies to the processing of personal data or sensitive personal data whether it is collected or processed before or after the effective date of the law. In common with other international legislation, it does not apply to individuals who are processing such data for personal reasons but it will otherwise regulate “controllers” who supervise any data processing activities or “processors” who process data on behalf of controllers.

The Jordan PDPL does not provide any indication of geographical scope or extra-territorial application.

Lawful bases for processing

Article 4(a) states that processing of personal data is only permitted with the prior consent of the “data subject” (the individual to whom the data relates), unless otherwise permitted by law. Consent must be clear and in writing with a specified period and purpose, in an intelligible and easily accessible form using clear and plain language.

Personal data may be processed without prior consent in the following cases:

1. where the processing is carried out by a competent public authority to the extent that is necessary for the purposes of performance of the tasks entrusted to it or by other entities under contract (provided that such contract incorporates the relevant obligations and requirements provided under the law);
2. where processing is necessary for the purposes of preventative medical care, medical diagnosis or the provision of healthcare by a licensed medical practitioner; 
3. where processing is necessary to protect the life or vital interests of the data subject;
4. where processing is necessary for prevention or detection of crime by a competent entity or for the prosecution of criminal offences committed in breach of the provisions of the Jordan PDPL;
5. where processing is required or authorised by or in implementation of law or a court order;
6. where processing is necessary for the entities which are subject to the control and supervision of the Central Bank of Jordan to carry out their tasks as determined by the Central Bank of Jordan, including the transfer and exchange of data inside Jordan or abroad;
7. where processing is carried out in accordance with the provisions of the law itself;
8. where processing is necessary for scientific or historical research purposes, provided that the purpose of which shall not be taking any decision or procedure in respect of a certain person; 
9. where processing is necessary for statistical, national security requirements or archiving purposes in the public interest; or
10. where processing relates to personal data which are manifestly made public by the data subject concerned.

While the majority of these lawful bases align to equivalent concepts in other international laws, there are some notable omissions in the Jordan PDPL. In particular, it does not expressly allow for processing where it is necessary for the purposes of legitimate interests pursued by the controller or a third party.

What are the main features of the Jordan PDPL?

Conditions for processing: The Jordan PDPL lists a number of requirements that processing should satisfy that are broadly consistent with international principles and standards, including lawfulness, fairness and transparency, purpose limitation, accuracy, storage limitation, integrity and confidentiality.

However, there is no express recognition of the principle of “data minimisation”. This is a key feature found in many international data protection laws and requires that personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which the data is processed.

Data subject rights: Data subjects will have a number of rights with respect to their personal data under the Jordan PDPL, including:

1. rights of information, review, access to and obtaining of their personal data;
2. the right to withdraw consent;
3. the right to rectification, alteration, addition or updating of their data;
4. the right to have their data processed for purposes falling within a specific scope;
5. the right to erasure of data, i.e. the right to be forgotten (subject to certain conditions in the law); 
6. the right to object to processing and profiling if such activities are no longer necessary to achieve the purposes for which the data were collected (or exceed its requirements) or are found to be discriminatory, prejudicial, or in breach of law;
7. the right to transfer a copy of the data; and 
8. the right to be informed of any breach, infringement, or any data security and integrity breach.

A data subject must be allowed to exercise these rights without facing any adverse financial or contractual consequences.

Data transfers: There are restrictions on the transfer or exchange of data with any third parties without the consent of the data subject. These include conditions relating to transparency and maintaining records of data transfers or exchanges, although data may be transferred and exchanged with competent public authorities to the extent that is required for the performance of tasks for which they are legally entrusted.

Personal data may not be transferred to any person outside Jordan if the level of protection the recipient provides is less than that is provided by the Jordan PDPL, unless any of the following cases apply:

1. regional or international judicial cooperation under international agreements or treaties in force in Jordan;
2. regional or international cooperation with international or regional entities, organisations or agencies engaged in combating crime or prosecuting its perpetrators
3. exchanges of medical data of the data subject that are necessary for his/her treatment;
4. exchanges of data relating to pandemic or health disasters or anything which affects the public health in Jordan; and 
5. banking operations and transfer of funds outside Jordan.

The Jordan PDPL does not currently anticipate that standard contractual clauses or other safeguards could be applied to facilitate the export of personal data outside Jordan. This may prove problematic for international businesses operating in the Kingdom that want to transfer personal data to other jurisdictions.

Data protection officer: A controller shall appoint a data protection officer (or auditor) if the controller’s core activities consist of processing personal data or it is involved in the processing of sensitive personal data, the data of persons lacking legal capacity, any data containing financial information or databases that will be transferred outside Jordan. The Personal Data Protection Board may also specify other cases requiring the appointment of such individual. This is a broader approach than many other jurisdictions where mandatory DPO requirements are often limited to cases of high risk or large-scale data processing.

The Jordan PDPL sets out a list of responsibilities for the appointed person including implementing appropriate controls, ensuring evaluation and periodic reviews of data systems, managing the submission and consideration of complaints and organising training for employees of the controller.

Breach notification: In the event of a data security and integrity breach that would cause serious harm to the data subject concerned, the controller must inform data subjects concerned within 24 hours of discovering the breach. It must provide them with information on the necessary measures for the avoidance of any consequences which may arise from such breach. The controller is also obliged to inform the Unit within 72 hours from the discovery of the breach, including details of the source and the affected data subjects. 
A controller that is responsible for a serious mistake or infringement is liable to indemnify any affected data subject.

What are the penalties for non-compliance?

The Jordan PDPL establishes the following sanctions for non-compliance:

1. suspension of cancellation of licences or permits or a daily fine for failure to comply with a notice issued by the Unit;
2. a fine of JOD 1,000 (USD 1,408) to JOR10,000 (USD 14,086) for any breach of the law, rules or instructions issued thereunder, which may be doubled in case of recurrence; and
3. the destruction of data or cancellation of a database that is the subject of any case where a conclusive order of conviction was issued.

Accordingly, it appears likely that the Unit will first serve a notice on any violator to cease the violation and rectify it within a specific period. If such period lapses without compliance with the notice, the Personal Data Protection Board (at the Unit’s direction) may impose the penalties set out above.

How will the Jordan PDPL be enforced?

The Jordan PDPL establishes an organisational unit (Unit) of the Ministry of Digital Economy and Entrepreneurship (Ministry) to be responsible for monitoring compliance and preparing draft legislation relating to data protection.

The Unit will work alongside a Personal Data Protection Board, which is presided by the Minister and includes an Information Commissioner, the Human Rights Commissioner-General, the Chairman of the National Cyber Security Centre, a representative of the Central Ba, two representatives of security agencies nominated by the directors of such agencies based on the Minister’s request, and four competent and experienced persons (including representatives of the telecommunications, banking and information technology sectors as nominated by the Cabinet).

The Board has the following power and responsibilities:

1. approving and monitoring the implementations of policies, strategies, plans and programmes;
2. approving data protection standards and measures, including code of conduct relating to the proper performance by the controller and processor;
3. issuing licences relating to the archiving, processing, profiling and transferring data;
4. approving the forms related to prior consent, withdrawing consent, objections and requests submitted by the data subject; 
5. considering complaints and applications lodged by data subjects; and
6. issuing and updating a list of accredited states, international or regional bodies or organisations which have an adequate level of protection of data.

What happens next?

The Jordan PDPL will take effect from 17 March 2024, but it provides that parties handling personal data prior to this date will have a period of one year from the effective date to adjust their position to comply with the new requirements of the law. We envisage that this will effectively amount to a “grace period” until March 2025 (although this may not apply to organisations established after the effective date of the law).

Further regulations are also expected to be issued under the Jordan PDPL to clarify aspects of its implementation, including:

1. types of licenses and permits, their associated requirements and conditions of suspension or cancellation;
2. conditions and procedures for obtaining prior consent (and its withdrawal);
3. conditions for disclosure of data, persons to whom personal data may be disclosed and categories of data that are authorised to be disclosed; and
4. regulation of the Unit’s mechanisms and procedures.

All businesses operating in Jordan will need to assess their activities and make changes to align with the incoming Jordan PDPL as quickly as possible. We have previously issued tips for enterprises on how to create an effective privacy framework and worked with many organisations to help them implement the required processes and policies for compliance.