Jordan adopts sweeping cybersecurity legislation

Jordan is bracing for protracted cyber insecurity. Since 2010, the Hashemite Kingdom has rolled out a raft of policies to manage digital vulnerabilities. In keeping with its proactive approach to cybersecurity, Amman is taking additional measures to inoculate the kingdom against digital ailments, including, most recently, the adoption of the 2019 Cybersecurity Law. The law, endorsed by Parliament on July 30, is the most comprehensive piece of Jordanian cyber legislation to date. The 10-page document lays out a detailed blueprint for sustaining Jordan’s cyber defense capabilities in the long term. 

The latest rendition of Jordan’s cyber law embraces an institutional approach to cyber governance. Until now, setting cybersecurity policy rested with the Ministry of Information and Communications Technology. With mounting security incidents rattling the digital landscape, current defense frameworks and policy models are fast becoming obsolete. In an effort to remedy institutional shortfalls and shore up the state’s capacity to contend with digital assaults, the recently passed cyber law echoes Jordan’s 2018 National Cybersecurity Strategy in calling for the establishment of two new structures: the National Cybersecurity Council and National Center for Cybersecurity. 

Article 3 of the law calls upon Jordan to assemble a National Cybersecurity Council. Members of the council are to be drawn from multiple state entities: the Ministry of Digital Economy and Entrepreneurship, Jordanian Armed Forces, Central Bank of Jordan, General Intelligence Department, Public Security Directorate, and the National Center for Security and Crisis Management. The council’s chairman will be appointed by royal decree. The composition of the council demonstrates an awareness among Jordanian officials that interagency collaboration is a requisite to developing and applying cybersecurity policy. 

Article 5 stipulates that Jordan set up a National Center for Cybersecurity under the oversight of the prime minister’s office. The center is envisioned as a focal point for cybersecurity policymaking, endowed with an expansive mandate to craft, execute, and enforce digital regulations. To facilitate its proper functioning, the center will also enjoy significant administrative and financial autonomy, as well as litigatory powers. Among its many duties are developing cybersecurity architecture, guarding critical infrastructure, promoting academic research, and imposing information security safeguards. The organization is also obligated to produce an annual report detailing Jordan’s cybersecurity posture. 

Policy achievements notwithstanding, a portion of Jordan’s cyber dossier — specifically stalled amendments to the Electronic Crime Law No. 27 of 2015 — has stirred great controversy. Introduced in September 2017 and withdrawn toward the end of 2018 amid widespread criticism, the draft law proposes criminalizing online hate speech and the dissemination of libelous material. The bill prescribes stiff penalties for both offenses, raising public concern. The suggested sentence for incitement, a term of up to three years and a maximum fine of 10,000 JD ($14,104), attracted particular scrutiny. 

Jordanian authorities billed the amendments as valid measures to combat disinformation and maintain digital order. In stark contrast to the government position, critics characterized the draft law as a thinly veiled assault on civic expression, citing the bill’s loose definition of hate speech and other prohibited conduct. Opponents of the draft law further posit that the text’s ambiguous language invites abuse by granting the authorities broad discretionary powers. 

The impending approval of the amendment package set off a flurry of demonstrations. In Amman, a protest movement incensed by unpopular income tax legislation adopted the cause of digital rights. Activists also launched a social media campaign, using the hashtag #withdraw_cybercrime_law, to convince the authorities to walk back the bill. Bowing to public pressure, Jordanian Prime Minister Omar Razzaz scrapped the draft law. In a bid to stave off further anger, Razzaz pledged to revise contentious amendment articles and consult civil society. To date, the government has yet to present an amended bill. 

The cybercrime saga enveloping Jordan sheds light on a troubling trend sweeping the region. Increasingly, states including the UAE, Lebanon and Egypt are manipulating cyber codes to advance partisan interests and stifle opposition. Political elites dispatch slander charges when expedient to muzzle opponents. Authorities are repurposing Cyber Crime Bureaus as vehicles to detect and stamp out dissent, extending the reach of security services and eroding the space for critical discourse. Other Arab governments are following suit, presaging greater repression. Civil society is poised to suffer as a result. 

Repressive undercurrents aside, Jordan’s experience with cyber legislation offers critical lessons, chief among which is the need to embrace adaptation. To remain effective, cyber codes must keep pace with the rapidly evolving threat landscape. The Jordanian government’s commitment to such adaptive policymaking, a central objective of the 2018 National Cybersecurity Strategy, is displayed by its routine enhancement of cyber laws. Other states should take note and perform regular reviews of cyber regulations. Instituting review mechanisms can enable governments to prune pernicious elements and briskly incorporate necessary amendments, both of which are essential to proactive digital governance. 

Sevan Araz is a Graduate Fellow with the Cyber Program at MEI and an analyst at Catalisto, a New York-based cybersecurity firm. Mr. Araz also conducts research with the Defense Innovation Board. The views expressed in this piece are his own.

Photo by Salah Malkawi/Getty Images