The 14th government has begun its term in a highly vulnerable state of cybersecurity, leaving the public and experts both anxious and hopeful about the passage of the Personal Data Protection Bill and the implementation of user privacy protection guidelines.
The research arm of the Parliament has also highlighted legal gaps in data protection and put forward suggestions to be included in the Data Protection Bill.
As the 14th government begins its term under the most vulnerable cybersecurity conditions, both the public and experts are anxiously awaiting the approval of the Personal Data Protection Bill and the implementation of user privacy protection guidelines. The research arm of Parliament has highlighted the legal gaps in data protection and suggested several recommendations for inclusion in the Data Protection Bill.
In this challenging environment, the Minister of Communications, Sattar Hashemi, has recently emphasized increasing collaboration with the military in areas such as cybersecurity, mitigating frequency interferences, cargo services at the international airport, the special economic zone of Payam, and the space industry. However, experts argue that beyond the absence of adequate laws, filtering (internet censorship) poses the greatest threat to cybersecurity. To effectively protect Iranians’ data, Hashemi’s first priority should be to lift these filtering measures.
The Missing Link in Data Protection
Cybersecurity in Iran has been in a poor state over the past two years, suffering from numerous hacker attacks. According to the first report by the Telecommunications Infrastructure Company, in just 21 months, 430,000 DDoS (Distributed Denial of Service) attacks targeted 79,000 cyber destinations within the country. The ratio of the largest DDoS attack in Iran to the largest recorded globally stands at 49.2%. In response to the surge in cyberattacks, the “Detection and Mitigation System for DDoS Attacks” was launched in October 2022. Reports from this system indicate that the country’s internet network has become increasingly insecure due to the continuation of restrictive policies and filtering.
Another initiative by the 13th government was the drafting and issuing of user privacy protection guidelines in 2023. Despite the repeated extensions for businesses to implement these guidelines and the end of the 13th government’s term, no reports have been released on its enforcement. Experts and some business leaders believe that this guideline lacks sufficient enforceability and deterrence. They argue that merely drafting a guideline is not enough; it must also be closely monitored for proper implementation.
The lack of laws protecting data has been a frequent point of criticism by experts. The Parliament’s research center emphasized the importance of stringent legal measures to prevent data corruption, as seen in countries like South Korea, France, Ireland, Canada, the UK, and Italy, where over 124 legal requirements exist for protecting personal data. In contrast, only 13 such requirements are present in Iranian law.
After many delays, the Personal Data Protection Bill, which has been in the works since 2017, was finally approved by the government in July 2024. Issa Zarepour, the Minister of Communications during the 13th government, hailed this bill’s primary feature as the protection of privacy and data on domestic platforms. However, the security of Iranian platforms has been questioned, and despite various statistics, Iranian users continue to prefer foreign platforms, even under the constraints of filtering and VPNs.
Lifting Filtering as a Solution
The Parliament’s research center has also examined the legal gaps in data protection within the data value chain, comparing Iranian laws with those of the United States, and made several recommendations for drafting the Data Protection Bill. These include special provisions for protecting government data (prioritizing the rights of citizens and domestic residents) and private sector data (balancing the costs of compliance for the private sector with citizen rights), flexibility in the bill’s provisions during crises like the COVID-19 pandemic, varying levels of privacy protection depending on vulnerability (e.g., children and journalists), and establishing independent bodies to oversee compliance by law enforcement agencies and the private sector.
Moreover, it is crucial to avoid irreversible and unmonitored government reliance on the private sector for the creation, maintenance, and provision of profiles related to sensitive public data. The research arm of Parliament recommends periodic oversight and monitoring of progress in implementing these provisions, as well as the enactment of capacity-building measures for data protection, including sensitivity analysis, classification of data held by agencies, and privacy protection with the help of consultants.
Despite these recommendations, no details have been released about the Data Protection Bill so far, leaving uncertainty about how well these issues have been addressed in its drafting and whether it will effectively protect data. In this context, with Sattar Hashemi having received a vote of confidence as the Minister of Communications for the 14th government and having begun his role last week, he considers VPNs as akin to the “foot soldiers” of enemy infiltration in cyberattacks.
Hashemi stated in a tweet: “As an expert, I emphasize that the role of VPNs in many cyberattacks against the country’s critical infrastructure is akin to the role of the enemy’s infiltrating foot soldiers.” He also supports a review of filtering policies and has expressed hope for potential openings.
Despite these positions, Hashemi recently met with the Chief Commander of the Army, emphasizing increased cooperation in cybersecurity, combating frequency interference, cargo services at the international airport and the Payam Special Economic Zone, and the space industry. While experts acknowledge that such actions, along with legislation and infrastructure development, are crucial in countering cyberattacks, they believe that filtering remains the greatest threat to cybersecurity and data protection for Iranians. They view the immediate removal of filtering as a key solution in addressing these challenges.
No Comment! Be the first one.