17 November 2016
The Ministry of Information and Communications Technology (‘ICT’) launched, on 2 November 2016, a public consultation on a draft data protection law (‘the Draft Law’). The Draft Law states that an entity will be liable in respect of the personal data in its control and contains a range of conditions relating to the disclosure of personal data, data security, data transfer and data subject access.
Safwan Moubaydeen and Lara Saraireh, Partner and Senior Associate respectively at Dentons, told DataGuidance, “Businesses must examine their processes and procedures to ensure compliance once the Draft Law is enacted. Costs may need to be incurred to ensure that the design of databases conforms with the requirements set out in the Draft Law, in particular, the ability to allow data subjects to access and amend information. Accountability will need to be determined within businesses, and employees need to be trained to ensure they have the ability and understanding to comply with the provisions of the Draft Law.”
In addition, under Article 9 of the Draft Law, there is a requirement to appoint a data protection officer who shall be responsible for creating and controlling data processing procedures for an entity as well as receiving and responding to complaints from data subjects.
Moubaydeen and Saraireh added, “The Draft Law also requires that certain conditions must be met in respect of the transfer of data, including the consent of the data subject and adequate knowledge of the purpose of the transfer. Personal data must not be transferred outside of Jordan to entities operating in countries which are not deemed to offer sufficient protection levels. However, the Draft Law contains certain exceptions including judicial cooperation and regional and international cooperation in combating cybercrime.”
Violations of the Draft Law’s data transfer provisions would result in a fine not exceeding JOD 10,000 (approx. €12,000) and the possibility of imprisonment for a period not exceeding one year. These penalties also apply to infringements of the Draft Law’s provisions on processing and disclosing personal data without consent as well as the rules on data security.
Moubaydeen and Saraireh noted, “Following the conclusion of the consultation on 1 December 2016, the Prime Minister shall refer the Draft Law to the House of Representatives, which shall have the right to accept, amend, or reject the Draft Law but, in all cases, the House shall refer the Draft Law to the Senate. No law may be promulgated unless it is passed by both Houses and confirmed by the King.”
Thomas Brookes | Privacy Analyst