Sep 2023 · Regulatory analysis

By Karim El Labban · ZERO|TOLERANCE

🇯🇴 Jordan · September 2023 · 12 min read

# Jordan Cybercrime Law 2023: New Rules, Broader Powers, Unresolved Gaps

Jordan's Cybercrime Law No. 17/2023 was issued on August 13, 2023 and entered into force on September 13, 2023, replacing the 2015 Cybercrimes Law that had governed Jordan's digital legal landscape for eight years. The new law expanded the scope of prosecutable cybercrime offenses, broadened the public prosecutor's authority to initiate proceedings without a victim's personal complaint for offenses affecting government entities and national interests, and introduced new categories of offense targeting content-based activities online. Maximum fines under the law reach JOD 5,000 (approximately $7,000 USD) for individual offenses, with imprisonment terms for more serious violations.

The law drew immediate criticism from human rights organizations, press freedom bodies, and legal scholars. Amnesty International reported that "hundreds" of individuals were charged under the law between its enactment in August 2023 and August 2024, with many prosecutions relating to online speech rather than traditional cybercrime. Article 17 of the law, which criminalizes the publication of content deemed to "provoke sectarianism or sedition," attracted particular criticism as a tool for suppressing legitimate expression. This analysis examines what the law achieves in cybersecurity terms, where it falls short as a data protection instrument, and what organizations operating in Jordan need to understand about the legal environment it creates.

## Key Facts

  • **What:** Jordan enacted Cybercrime Law No. 17/2023 expanding prosecutorial powers.
  • **Who:** All internet users and organizations operating in Jordan.
  • **Data Exposed:** No breach; analysis reveals no data protection obligations for organizations.
  • **Outcome:** Hundreds charged under speech provisions; max fine JOD 5,000.

## What Was Exposed

  • The legislative gap at the core of Jordan's digital rights framework: a Cybercrime Law that criminalizes attackers but imposes no affirmative data security obligations on organizations that process personal data
  • The absence of a breach notification regime - organizations breached under the 2023 law have no statutory obligation to notify affected individuals, regulatory authorities, or the public within any defined timeframe
  • Hundreds of individuals charged under the law's speech-related provisions between enactment and August 2024, demonstrating that the law's enforcement has been directed significantly toward expression rather than cybersecurity
  • The structural accountability gap for organizations whose inadequate security practices enable breaches: the law prosecutes attackers, not negligent victims
  • Jordan's distance from the data protection adequacy standards that would enable recognized cross-border data transfers with the EU and other major data protection jurisdictions

Cybercrime Law No. 17/2023 is a substantially expanded document relative to its 2015 predecessor. The 2015 law addressed the core categories of cybercrime - unauthorized system access, data interception, and system interference - in relatively sparse terms, reflecting the state of digital law in the region at that time. The 2023 law addresses a wider range of conduct, including financial fraud conducted through digital means, identity theft and impersonation online, cyberbullying and harassment, non-consensual distribution of intimate images, and the creation and distribution of malware. These additions reflect genuine legislative modernization that addresses criminal activity that the 2015 law's sparse provisions did not adequately cover.

The prosecutorial power expansion is the most significant structural change introduced by the 2023 law. Under the 2015 framework, many cybercrime offenses required a personal complaint from the victim before the public prosecutor could initiate proceedings. This requirement created a significant barrier to prosecution in cases where victims were reluctant to report (due to reputational concerns, fear of secondary investigation, or simply not being aware they had been victimized), where victims were foreign entities with no practical means of filing complaints in Jordan, or where the offense was against the public interest rather than a specific identifiable victim. The 2023 law removes the personal complaint requirement for offenses affecting government entities, critical infrastructure, and national security interests, enabling the public prosecutor to act on intelligence or law enforcement referrals without waiting for victim initiative.

This prosecutorial expansion has clear cybersecurity benefits: it enables proactive prosecution of threat actors identified through law enforcement investigation (as in the r1z case, where the FBI's investigation preceded any formal victim complaint to Jordanian authorities) and reduces the structural barriers to pursuing criminal actors who target government systems and national critical infrastructure. The NCSC's incident response mandate is strengthened by a legal framework that supports prosecution without requiring victim cooperation in each case.

Dentons' October 2023 analysis of the new law noted several key provisions with direct implications for businesses operating digital services in Jordan. The law establishes liability for electronic service providers who fail to comply with legally mandated data retention and access obligations, creating a compliance dimension for ISPs, cloud service providers, and other digital intermediaries beyond the pure criminal liability that applies to individual bad actors. The Library of Congress's September 2023 legislative summary noted that the law's scope extends to offenses committed against Jordanian citizens or entities by actors outside Jordan's borders, establishing extraterritorial jurisdiction that is increasingly common in cybercrime legislation globally.

The Jordan Open Source Association (JOSA), a digital rights organization that publishes full-text analysis of Jordanian digital legislation, documented concerns about the breadth of Article 17's sedition and sectarianism provisions and Article 18's prohibition on content that "undermines national unity." These content-based offenses carry maximum penalties of up to three years imprisonment and fines up to JOD 5,000. Reporters Without Borders (RSF) and Amnesty International have both documented prosecutions of journalists, bloggers, and social media users under these provisions for content that, under international freedom of expression standards, would be protected speech. The conflation of cybercrime legislation with speech restriction creates a chilling effect on online expression that goes beyond the law's legitimate cybersecurity objectives.

## Regulatory Analysis

Understanding what Cybercrime Law No. 17/2023 does - and does not - achieve in data protection terms is essential for any organization operating in Jordan. The law is best characterized as a comprehensive cybercrime statute with significant speech restriction provisions, not as a data protection law. Organizations seeking to understand their data protection obligations in Jordan must look beyond the Cybercrime Law to the constitutional framework, sector-specific regulations, and the contractual obligations they assume through their service agreements with customers and business partners.

The law's most significant data protection gap is the absence of affirmative security obligations for data controllers. In jurisdictions with comprehensive data protection laws - the EU's GDPR, Bahrain's PDPL, Saudi Arabia's PDPL, UAE's PDPL - organizations that process personal data are required to implement appropriate technical and organizational security measures, conduct data protection impact assessments for high-risk processing activities, and notify supervisory authorities and affected data subjects when breaches occur. The Jordanian Cybercrime Law contains no equivalent obligations. An organization operating in Jordan that suffers a data breach because it stored passwords in plaintext, failed to patch a known vulnerability, or neglected to implement multi-factor authentication faces no regulatory liability under the Cybercrime Law - the law makes the attacker a criminal, but it does not make the negligent organization accountable.

The maximum fine of JOD 5,000 (approximately $7,000 USD) for individual violations under the law is strikingly modest for what is intended to be Jordan's primary legal instrument against digital threats to the national economy and individual privacy. For comparison, the EU's GDPR allows fines of up to 4% of global annual turnover or EUR 20 million, whichever is higher. Saudi Arabia's PDPL allows fines up to SAR 5 million for serious violations. Qatar's Personal Data Privacy Protection Law allows fines up to QAR 5 million. The Cybercrime Law's maximum JOD 5,000 fine creates minimal deterrence for large organizations where the cost of a security breach - in operational disruption, reputational damage, and ransom payments - vastly exceeds the regulatory penalty. The fine structure reflects the law's criminal justice orientation: fines in criminal statutes are calibrated to the culpability of individual offenders, not to the turnover of corporations processing vast quantities of personal data.

For multinational organizations operating in Jordan, the Cybercrime Law creates compliance dimensions that deserve careful legal mapping. The law's data retention obligations for electronic service providers, its content moderation implications for social media platforms and web services, and its extraterritorial jurisdiction provisions all require assessment against the compliance postures of organizations headquartered in the EU or other jurisdictions with different - and sometimes conflicting - legal requirements. An EU-based organization subject to GDPR that also operates services in Jordan must navigate the intersection between GDPR's data minimization requirements and Jordan's mandatory data retention provisions, a potential tension that legal counsel familiar with both frameworks must address.

Jordan's enforcement pattern under the 2023 law deserves particular attention from organizations whose employees, executives, or contractors might be subject to prosecution. Amnesty International's August 2024 report documenting hundreds of prosecutions in the law's first year - many for speech-related offenses - indicates an enforcement environment in which the law's broad offense categories are applied aggressively. Organizations whose communications functions, social media activities, or employee expression policies might generate content characterizable as "provoking sedition" or "undermining national unity" face genuine legal risk under Article 17, not merely theoretical exposure. Foreign executives and employees operating in Jordan should receive specific guidance on the law's speech-related provisions as part of any Jordan compliance program.

## What Should Have Been Done

Jordan's legislative trajectory in the digital domain requires evaluation against both what the 2023 law achieves and what it leaves unaddressed. The law represents genuine legislative modernization of Jordan's cybercrime framework, updating offense categories, strengthening prosecutorial tools, and addressing forms of digital harm that the 2015 law did not adequately cover. But the law's fundamental limitations - its criminal justice orientation, its speech restriction provisions, and its complete absence of data protection obligations - mean that the legislative work required to bring Jordan's digital regulatory framework to the standard of its regional peers is largely still ahead.

Jordan's parliament and the Ministry of Digital Economy and Entrepreneurship should prioritize the enactment of a standalone Personal Data Protection Law as the single most consequential step Jordan can take to address the data protection gaps documented across all eight of the Jordan incident studies examined on this platform. A PDPL modeled on international best practices - incorporating data minimization, purpose limitation, transparency, individual rights, security obligations, breach notification, and independent supervisory authority - would transform Jordan's regulatory environment from one in which organizations face no accountability for negligent data handling to one in which accountability is both defined and enforced. The National Cybersecurity Strategy 2024-2028's identification of PDPL enactment as a policy objective should be accompanied by a concrete legislative timeline with parliamentary commitment.

The speech-related provisions of the Cybercrime Law require reform to bring them into conformity with Jordan's obligations under the International Covenant on Civil and Political Rights. Article 19 of the ICCPR protects freedom of expression and permits restrictions only where they are provided by law, necessary, and proportionate to a legitimate aim. The Cybercrime Law's Article 17, which criminalizes content that "provokes sectarianism or sedition," and related provisions fail this standard as applied in the hundreds of prosecutions documented by Amnesty International. Reform of these provisions to require specific intent, concrete harm, and proportionate application would align the law with ICCPR requirements while preserving the genuine incitement-to-violence and national security provisions that a cybercrime law legitimately needs.

For organizations operating in Jordan in the present regulatory environment, several practical steps are warranted. First, legal mapping of the Cybercrime Law's obligations against the organization's specific activities in Jordan - particularly data retention requirements for electronic service providers and content moderation obligations for platform operators. Second, development of a Jordan-specific compliance policy addressing employee expression on social media, handling of government data requests, and data retention practices, reviewed by counsel with specific Jordan expertise. Third, proactive engagement with Jordan's evolving personal data protection legislative process, participating in consultation processes when a draft PDPL is published and advocating for provisions that align with international standards while respecting Jordan's national context. The organizations that prepare for a Jordan PDPL now will be positioned for faster compliance when the law is eventually enacted; those that wait will face the same compressed compliance timelines that caught organizations flat-footed when Jordan's regional peers enacted their data protection laws.

Cybercrime Law No. 17/2023 is a meaningful but incomplete step in Jordan's digital legal development: it strengthens the tools available to prosecute attackers but does nothing to make organizations accountable for the negligent security practices that make successful attacks possible - the defining gap between a cybercrime law and the comprehensive data protection framework that Jordan's digital economy and its citizens urgently need.
