Iran Data Protection Law

The element of “protection” refers to the regime’s intention to “protect” Iranian users from content it considers “harmful”, un-Islamic, Western or promoted by “hostile” elements. (See here for a more in-depth analysis of the bill.) In addition, the inclusion of people known to be part of the security apparatus that suppresses freedom of expression by the proposed Data Protection Commission (tasked with overseeing data processing under the bill) is deeply concerning. This law would grant immunity for the processing and collection of data on individuals who violate Iran’s already existing and far-reaching national security laws. Iran’s Penal Code contains numerous overly broad and vague restrictions on freedom of expression that violate international human rights law and facilitate targeted prosecutions of human rights defenders, journalists, and other dissenting or minority voices. Article 12 could also be used to prosecute cases currently classified as crimes under Iran’s Penal Code. Personal data processors are responsible for the internal control of the protection of the personal data processed. Each entity subject to Instruction No. 47 of 14 September 2018 (i.e. large processing companies) must authorise in writing at least one Data Protection Officer (“DPO”) (Albanian terminology: contact person) to carry out an internal check. Small processors hired by large processors are also advised to appoint a DPO.

In addition, it should be noted that the Electronic Communications Act (Articles 124 to 126) introduces rules for the processing of location data. The exchange of personal data with diplomatic missions of foreign governments or international institutions in the Republic of Albania is considered an international transfer of data. However, it leaves the possibility for the government to collect personal data in the name of national security. This collection, when it is carried out without the consent of the individual – a pillar of data protection – constitutes surveillance and is of great importance for freedom of expression. In contrast, Iran’s draft data protection law lacks a clear scope in terms of what materials are considered data (data processed by computers or, as in the GDPR, data that also contains information in an offline format) as well as the rights it grants to companies. The draft law also lacks protection against the risks that data processing regulation could pose to journalistic and cultural activities, and transparency efforts, as stipulated in Iran’s Freedom of Information Law. The full harmonisation of the current Albanian data protection legislation with the GDPR has been one of the main objectives of the Information and Data Protection Commissioner’s Office since 2018, but this goal has not yet been achieved (partly due to the Covid-19 pandemic). In accordance with Decision No. 8 of the Commissioner of 31 October 2016, the following countries have an adequate level of data protection: Information obtained by the Commissioner in the performance of his duties may only be used for supervisory purposes in accordance with the legislation on the protection of personal data.

The Commissioner remains bound to confidentiality even after leaving office. Small processors: controllers or processors who process personal data electronically or manually by fewer than six processors, either directly or through processors. Those measures shall aim to ensure an adequate level of protection and security of personal data against potential foreseeable risks. With regard to users’ personal data, professionals of public electronic communications networks and services are required to inform their users of a specific risk, how the risk can be reduced by users, as well as the possible costs to be borne by the user if the risk incurred goes beyond the measures that the trader can take. Recent cases of journalists being prosecuted for their work exposing government corruption could be supported by Article 12 of the bill, which contains a disturbing definition of what constitutes a “security” exception to protect an individual’s data from processing without consent. The draft therefore carries the risk that judicial repression against journalists and activists will continue to be legitimized. While the Iranian government’s efforts to improve data protection are welcomed by ARTICLE 19, as well as cooperative efforts with the EU and global initiatives to protect people beyond digital borders, the bill falls short of global standards. In our analysis of the bill, we make a number of recommendations to strengthen the protection of human rights.

It should be noted that no additional personal data can be added to the data in the public data list without the consent of the data subject. However, the controller may store such personal data in its filing file even if the data subject has objected to the processing. This data may only be used if the data subject provides their consent. The protection of personal data is based on the adequacy of the data, the data relevant to the purpose of their processing and not excessive in relation to that purpose, as well as the accuracy of the data, the updated and complete data. Article 39 (1) of the Data Protection Act stipulates that data processing contrary to the Data Protection Act is an administrative offence and may be punishable by fines ranging from ALL 10,000 (approximately EUR 83) to ALL 1,000,000 (approximately EUR 8300), with legal entities being charged twice the amount. Data protection law introduces the obligation for the controller or processor to take appropriate organisational and technical measures to protect personal data against unlawful or accidental destruction, accidental loss or access or disclosure by unauthorised persons, as well as against any type of unlawful processing. The transmission of sensitive data for scientific research only takes place if there is an important public interest. Personal data will only be used by persons who are required to maintain confidentiality. Where data processing is carried out in such a way as to allow the identification of the data subject, the data should be immediately encrypted so that the data subjects are no longer identifiable. Encrypted personal data will only be used by persons who are required to respect confidentiality. The level of security must be appropriate to the way in which personal data are processed.

The Commissioner established the detailed rules on the security of personal data by Decision No. 6 of 5 August 2013 “On the establishment of detailed rules on the security of personal data”. Furthermore, in this opinion, the Commissioner underlines the importance for controllers to adopt data protection directives, which should include, inter alia: The elements of the bill to improve Internet localization are also consistent with the broader National Information Network (NIN) project, created during the era of President Mahmoud Ahmadinejad and across the Rouhani government. was prosecuted. These localization efforts include government incentives for Iranian software developers to develop messaging apps that compete with foreign apps, such as rewards for the number of users. Security engineers have proven that the transmission of user data through these applications is outside encryption protocols (encryption is illegal under Article 10 of the CDC), further undermining international privacy standards. The Commissioner is based at Rr. “Abdi Toptani”, Nd. 5, 1001, Tirana, Albania. The international transfer of personal data to a State that does not have an adequate level of protection of personal data may take place if: Many Iranians use one or more VPN apps on their mobile phones, tablets, and computers. The VPN market in Iran is estimated at $21 million per year. Some VPNs are backed by grants funded by foreign governments and foundations like Psiphon.

The company shared its usage data with ARTICLE19 for 2021, which showed that about 1.15 million users in Iran were using the platform. In addition, the data shall be stored in a form which does not allow the identification of the persons concerned for longer than is necessary in relation to the purpose for which they were collected or further processed. The Commissioner for the Right to Information and Data Protection (the “Commissioner”) is the independent Albanian authority responsible for monitoring and controlling the protection of personal data and the right to information respecting and guaranteeing human rights and fundamental freedoms in accordance with the legal framework. In addition, the Electronic Communications Act provides that the processing of location data may take place during the duration of the value-added services and only if the data is anonymized or if the user has previously given consent, which can be revoked at any time. In addition, the data subject shall have the right to request the controller not to start processing or, if processing has started, to stop processing of personal data concerning him or her for direct marketing purposes and to be informed in advance before personal data are disclosed for the first time for that purpose. The Commissioner defined cookies in an online dictionary as data stored on the computer that contains certain information. This rudimentary definition is supplemented by a brief explanation indicating that cookies allow each server to know which pages have been visited recently by simply reading them. Data documentation shall be retained for as long as necessary for its collection.
