Privacy Law in Iran

Iran does not yet have a comprehensive personal data protection law. A draft bill, known as the Personal Data Protection and Safeguarding Draft Act, has been under development since 2018 but has not yet been enacted. The bill is currently awaiting review by the Iranian Parliament, with no clear timeline for its passage.

🇮🇷 Key Features of the Draft Act

1. Scope and Applicability

Coverage: The draft law is intended to apply to both public and private entities processing personal data within Iran. However, it lacks clear provisions regarding its territorial scope and material applicability.

Exemptions: Certain activities, such as processing for personal or household purposes, research, statistics, or journalistic activities, may be exempt from the law's provisions.

2. Data Subject Rights

The draft law outlines several rights for individuals, including:

Access: The right to access personal data held by data controllers.

Correction: The right to request correction of inaccurate or incomplete data.

Deletion: The right to request deletion of personal data under certain conditions.

Objection: The right to object to data processing activities.

Data Portability: The right to receive personal data in a structured, commonly used, and machine-readable format.

3. Data Processing Principles

The draft law emphasizes several principles for data processing:

Lawfulness, Fairness, and Transparency: Processing must be lawful, fair, and transparent to data subjects.

Purpose Limitation: Data should be collected for specified, legitimate purposes and not further processed in a manner incompatible with those purposes.

Data Minimization: Only data necessary for the purposes for which it is processed should be collected.

Accuracy: Data should be accurate and kept up to date.

Storage Limitation: Data should not be kept in a form which permits identification of data subjects for longer than necessary.

Integrity and Confidentiality: Data should be processed in a manner that ensures appropriate security.

4. Oversight and Enforcement

Supervisory Authority: The draft law proposes the establishment of a Data Protection Commission to oversee compliance and handle complaints. However, concerns have been raised about the independence of this body, as it includes members from various government ministries, potentially compromising its impartiality.

Sanctions: The draft law outlines various penalties for non-compliance, including fines and other administrative sanctions.

⚠️ Concerns and Criticisms

Several human rights organizations have expressed concerns about the draft law:

Surveillance Risks: The law includes broad exceptions for national security purposes, which could be used to justify surveillance and restrict freedom of expression.

Lack of Independent Oversight: The proposed supervisory authority may lack the independence necessary to effectively enforce the law and protect individuals' rights.

Limited Rights for Individuals: The law may not provide sufficient mechanisms for individuals to seek remedies or compensation for violations of their data protection rights.

✅ Current Legal Framework

In the absence of a comprehensive data protection law, Iran's legal framework for privacy and data protection includes:

Electronic Commerce Law (2004): Contains provisions related to the processing of personal data in the context of electronic transactions.

Cybercrime Law (2009): Addresses unauthorized access to and dissemination of personal data.

Civil Liability Act: Provides for compensation in cases of harm caused by unlawful processing of personal data.

Charter of Citizen's Rights: Outlines general principles related to privacy and data protection, though it lacks enforceability.

✅ Compliance Recommendations

Organizations operating in Iran should:

Monitor Legislative Developments: Stay informed about the progress of the Personal Data Protection and Safeguarding Draft Act.

Implement Data Protection Measures: Adopt best practices for data protection, including data minimization, encryption, and regular audits.

Prepare for Future Compliance: Develop internal policies and procedures to comply with the forthcoming data protection law once enacted.

Engage with Stakeholders: Participate in public consultations and discussions to advocate for stronger protections for individuals' data rights.

 
