Introduction
Privacy refers to the realm of the life of anyone who, typically, by definition, or with previous announcements, expects others not to enter, look, or monitor the territory without their consent to information about that territory. In this regard, private homes, private places, persons’ bodies, personal data, and private communications are the most important cases of privacy, and all members of society, regardless of their religious, and even political and cultural views, should respect it. Privacy is a very important issue that has been consistently gaining human attention and has been stated in many international documents about human rights such as the Universal Declaration of Human Rights (1948), the European Convention for the Protection of Human Rights and Fundamental Freedoms (1950), the International Covenant on Civil and Political Rights (1966), and the Islamic Declaration of Human Rights (1990), that it is inviolable. Also today, almost all countries recognize and protect the right to privacy in their constitutions as a whole or as a compact, and at least they point to right of inviolable housing and privacy of communications (Ansari, 2011, 7). Privacy of communication and information, such as physical privacy and home, is also of great importance, to the extent that legislators have punished for violating the privacy of communication and disclosing confidential information associated with it. The possibility of violating privacy has expanded through the development of communication and access to communication and the internet. The legislator has tried to investigate the crime and punish it.
Privacy in the Constitution of Iran
Privacy was mentioned for the first time in the constitutional law approved in 1906. This information indicates that citizens’ privacy was protected by Iranian lawmakers even before the adoption of the Universal Declaration of Human Rights. The Constitution of the Islamic Republic of Iran, like the Constitution of many other countries, has numerous articles that explain privacy, such as Principles 22[1], 23[2] and 25[3]. In the theory dated 19/09/1981 of the Council of Guardians, according to Article 22 of the Constitution, the disclosure of the records of abuse of personal dignity is obligatory, and according to Article 23 of Constitution, the beliefs of people are internal matters and part of human nature. It should not be molested or violated, and Article 25, which protects the privacy of communication in the case of the crime and the prosecution of the criminals, is exceptional in this case (Vakil and Askari, 2009, 122-125), Article 39[4], by banning the affront and dignity of detainees and prisoners and designating the punishment for the perpetrators, is furthermore considered privacy.
Privacy in the other laws of Iran
In addition to the Constitution, the right to privacy has been considered in international documents such as the International Covenant on Civil and Political Rights to which Iran is also a party, and all the documents upstream of cyberspace and in section 6 of the last Supreme Leader’s warrant for the appointment of Members of the Supreme Council of Cyberspace[5] in August 2015.
Some believe that the result of the establishment of data privacy laws is to reduce the means of data privacy violations; While privacy violations are simplified as a result of the development of technology, the more the protection of data privacy and the extent of violating legal responsibility must be increased to maintain balance and legal order (Jafari and Rahbari Pour, 2017, 49). No government was able to control the privacy of its citizens in the past, but by using the technological capability that makes it possible to receive and transmit data simultaneously with a single device, a citizen can have full-time monitoring and these threats are even made by ordinary people (Ansari, 2004, 3). Thus, due to the ease of privacy violations in cyberspace, the Iranian communicative laws must take more notice of this issue and more attention should be considered to systematize governmental oversight on cyberspace and bring transparency to the surveillance area. Finally, the necessary preemptive steps should be taken to address the violation of privacy by other persons.
In addition to general laws, such as the Civil Responsibility Act of 1960 and the Law on Respect for Legitimate Freedoms and Protection of Citizenship Rights of 2004, which emphasize privacy including privacy in cyberspace, other laws and regulations have paid attention to the right to privacy in cyberspace and to protect data, and some measures have been taken to protect this right. The Law on Dissemination of and Free Access to Information, which defines personal information[6], sets out Articles 14 and 15[7] in the second Sub-chapter of the Law “Protecting Privacy.” The law protects the privacy and data of regulatory authorities and prohibits unauthorized persons from accessing personal information. The privacy of individuals as well as manifestations of information such as information about the safety of the legislators is determined, but proper support is not provided. If non-existent information is published about the person, the right to follow up through the general rules of civil responsibility is known to the person but it should be recognized that the possibility of compensating for the violation of civil liability is immediate and at the lowest cost and harm.
Article 4 of the Supreme Council of Cyberspace Act emphasizes to protection of the privacy of users, and by the Technical Provisions of the E-Government Development Act 2014, the Secretariat of the Supreme Council of Information Technology (IT) requires the establishment of a working group in cooperation with relevant organizations to amend existing laws and regulations or to adopt new legislation and regulations to protect the privacy of the public and to protect the data and databases of the electronic government. In the Code of Criminal Procedure of 2015 in the electronic justice section, the judiciary is obliged to provide all technical and legal measures necessary to protect the privacy of individuals and secure their data[8]. The punishment for violators is determined[9] and the legal procedures are applied here together.
Article 3 of the Law on Duties and Powers of the Ministry of Communications and Information Technology, to protect the privacy of citizens in cyberspace, protects the various communication, conversations, and information of persons as one of the duties of this Ministry, and assigns the responsibility for protecting the privacy of communications and information about them to this Ministry, which according to its executive policy authorities can establish and announce rules, independently or according to the case by the Communication Regulatory Commission and the Organization of Radio Communication and Regulatory Authority. In the legislation of the Communications Regulatory Commission and the licenses issued by the Radio Telecommunications Regulatory Authority, it is also noted that in carrying out its task of issuing communication and information technology licenses and monitoring activists of the country’s communications and information technology sector such as telecommunications operators and license holders, establish and exploit fixed communications networks[10] and fixed communications services[11], it has established and issued regulations to protect the privacy of personal information and communication of users and subscribers.
The Citizens Rights Charter of the Islamic Republic of Iran, adopted in 2016, focuses on the privacy of citizens in cyberspace in Article 35[12] and emphasizes privacy in articles 36 to 42[13]. Although legally, this Charter is not binding and no certain sanctions are mentioned to ignore the Charter’s obligations and violate the privacy of citizens, its promotional aspect is very effective in institutionalizing and claiming citizens. Moreover, it is a good basis to pursue many citizens’ legitimate demands and expectations and the need for accountability of the executive institutions against them. Also, an attempt has been made to rectify the legal shortcomings of the regulation and modify the administrative system. Article 19 of the Charter of Citizens’ Rights on the administration system, violation of the principles of this Charter is one of the examples of administrative violations.
Article 1 of the Act on Protection of Rights of Computer Software Creators 2000[14] also provides respect for privacy and property. Article 31 of the Press Law[15] of 1985 prohibits the disclosure of personal secrets and irreverence and Note 3 of Article 1 of the Law (amended 2000) considers the protection of privacy in cyberspace including electronic publications.
Article 5 of the Law on the Punishment of Illegal Audiovisual Activities, adopted in 2000 (amended 2008), also determines punishments for other cases of violating the privacy of information and data. But, to fulfill the Article 5 section (i.e., secret preparation of the film or any vulgar image of the family celebration and the alteration of it), the first thing must be the production of the film or the image in secret; Secondly, the films and images provided must be vulgar. The drawbacks are “vulgar” film or photo restraints; While individuals do not wish to be taken any photographs or videos from their private locations without their consent, it is also desirable to protect the privacy of information and data of individuals against such changes in absolute terms. Other forms of this article involve the preparation of images or videos of vulgarities of family or private events, such as these kinds of restrictions are not permitted; For in the event of the ceremony, the individual lives in his or her residence comfortably and without full coverage, and the preparation of pictures or films in ordinary situations, especially of women, is a violation of privacy which should be supported as appropriate. But the positive point of this article is found in paragraph B about films and photographs of women’s exclusive sections. Contrary to the original concept, privacy is also recognized and protected in public places, and swimming pools, gyms, and such places at certain times are reserved for women while maintaining the general character of privacy, are considered to be their privacy. The European Court of Human Rights in Peck’s suit against the UK government in 2003 ruled that “there are areas of interaction with others, even in a public place, which is within the framework of private life” (Jafari and Rahbari Pour, 2017, 56-63), and, taking advantage of this, it is worthy of our legislators to adopt new laws in which the content and images which are published in cyberspace, personal profiles of social networks and groups are unaccounted for and ignored by privacy.
Besides paying attention to privacy in multiple articles[16], the Islamic Penal Code has allocated a lot of material to privacy in cyberspace and communication. In the Islamic Penal Code, the cybercrime section, the penalties against data privacy and multiple materials for unauthorized listening and unauthorized access as well as the second chapter of computer forgery, the third chapter of theft and fraud, and the fifth chapter of defamation and denunciation are considered as the rights of citizenship privacy and are respected in the crime section. The violators will be brought to justice. In Article 968 (745) of the Penal Code, also in the protection of privacy, the dissemination of films and images of individuals by computer and communication systems in a way that leads to loss or abuse of dignity, is considered a crime for which the punishment is applied and in comparison with previous laws, the screening of films in cyberspace is explicitly considered and is a positive point.
The Islamic Penal Code also, in articles 813 (582) and 867 (641), provides penalties for government officials and employees who illegally open, seize, inspect, or eavesdrop on persons’ correspondence and telecommunications, and for intruders using communications equipment. The act also criminalizes listening to the content of telecommunications in a non-public transfer that implies privacy, and in the Crimes against Public Morals and Personal Information, which refers to the protection of a person’s data. On the other hand, the law has provisions made for a person’s sole responsibility for the protection of traffic data and users’ information, i.e. providers of access and hosting services, only if they have not complied with the penal sanctions, and they have no right to present or disclose this information except for the competent judicial authorities. Moreover, immediate preservation of computer data that is only exercised by judicial authority in cases of emergency is not the disclosure of the information of the protected systems; nor in the inspection and confiscation of data and computer and telecommunications systems, according to the law, to protect the privacy and honor of individuals from access to data by law enforcement authorities and non-required information has been prevented and stipulated by conventional suspicion which data or systems are required for the pursuit of their criminal information and the enforcement of personal taste by persons is strictly controlled by the law.
Absolute prohibition of the disclosure of all the information and data collected, and absolute prohibition of their use by judicial and tax authorities, stated in Article 7 of the Iranian Statistical Center Law, is intended to demonstrate the “anonymity of data” principle, which means that the subject is not disclosed. Therefore it is understood that the import of related data in electronic government databases etc is forbidden (Mohseni, 2009, 487-488) and this indicates the sensitivity of legislators in the past decades to protect the privacy of citizens, making it impossible for even the judicial and government authorities to access personal information.
The Electronic Commerce Law takes into account the privacy and data protection laws in Article 5[17], 58[18] and 59[19], while Article 71 of this law also provides for the punishment of imprisonment for those who violate this right. According to this law, for the privacy and security of citizens, electronic tools and systems protection practices are necessary to be dynamic and update the system protection methods, and these conditions are assessed according to the context of the message exchange. The implication is that the claimant of the system must prove his claim and the conditions set in this article are met by the court, and to determine the conditions, the court refers the matter to an expert, which requires a great deal of time and expense, and which the claimant may not be able to prove, thus it is appropriate that some existing technical methods be introduced to ensure that the draft of this law was considered in Article 127, and a committee, the Committee on Standardization of Technology and the Systems of Information were by the latest methods, considered as the best scientific achievements. The introduced technical instruments could be accepted without proof in court. Thus, the burden of proof of claim should be lessened by using standard versions and conformed procedures (Abdollahi & Shahbazi Nia, 2009, 123-129) and purely by cooperation of the governments at the global level and promulgation of rules corresponding to ICT usability, regulatory mechanisms and prior policies, and a long-standing CYBERSPACE framework can be used to protect users’ privacy.
Under the Law on Electronic Commerce, Crimes and Punishments under Articles 67 and 68 also fraud and forgery through cyberspace are punished. The privacy of electronic business activities should be considered here and reasonable efforts should be made to maintain the confidentiality of commercial documents if privacy is violated. Nevertheless, despite the allocation of some issues in support of message data citing personal information and predicting the punishment for violators in this law, the relevant regulations have not been approved, after more than a decade.
The provisions and rules of computer information networks approved by the Supreme Council of the Cultural Revolution of 2001 (Sessions of 482-488), though in Section 10-3-5 of Section B, as the Regulations of the Units providing information and internet services, companies or institutions providing information and Internet services, Rasa (ISP)[20] are obliged to consider the arrangements to protect the rights of users and to prevent attacks on them, and in Section 15-3-5, 13-6, 17-6, 19-6, to pay special attention to privacy and to prevent access to the data in Part 6 of the IP code The International Call Point Technical Regulation has made the International Call Point Director obliged the Internet Actions Bank of its users to the Ministry of Communications and the Ministry of Intelligence requests that this information be made available to them through a judge’s order. Therefore, this legislation is not completely compatible with the privacy of citizens and the protection of their privacy by the state; Data storage is of utmost importance since the Ministry of Communication is not aware of the duration of data storage and it does not have long term. Also, the availability of stored data shall be limited to the source and destination of communication. Further collection and disclosure of further information by a judge order shall not guarantee the privacy of citizens and the provision of more information should be subject only to actions against national security, with the competent authority ruling.
The guidelines for the terms and conditions for the establishment, operation and liquidation of the judicial electronic services office, announced by the head of the judiciary in 2013, and the regulations on the use of computer and telecommunication systems, announced by the head of the judiciary in 2016, also emphasize the observance of privacy, and Article 6 of the governing principles On the issuance of licenses for counter offices of the government and the non-governmental public sector, approved by the Commission for the Regulation of Communications Regulations in the meeting number 261 dated 06/08/2017 based on Note 2 of Article 26 of the Constitution of the National Post Company of the Islamic Republic of Iran approved on 08/08/2016 and paragraph p Article 67 of the Law of the Sixth Development Plan of the country, under the title of the regulations for issuing licenses for establishment and operation, the obligations and duties of the licensee, the conditions of office location and equipment, renewal, change of name and location of the office, and cancellation of the license, in paragraph 12 of Article 2, which the duties and powers of the licensee states, the preservation and protection of the documents, documents and information that is provided to him is among the duties of the license holder, which is the attention of the communication regulatory body to protect the privacy of citizens.
Article 15 of the Executive Guidelines on the Provision of Compulsory Public Service for Communication and Information Technology approved by the Commission on Regulation of Communications, Operator’s Obligations to Respect Confidentiality and Confidentiality, Compliance with Service Level Contracts and Subscribers’ Contracts, and Necessity of Accountability in These Matters. Nevertheless, our country still does not have an independent law to protect the privacy and personal information of its citizens and subjects, and until now no legal proposals have been completed. It seems that the most significant obstacle that has so far prevented this fundamental field from enjoying a comprehensive legal infrastructure in the legislative and regulatory sectors is that this fundamental human right has been categorized against both public order and security fields on the one hand, and cyber activities on the other hand, especially in the context of modern information and communication technologies. The first group faces the very serious challenge of identifying threats and threats in infinite cyberspace. If it does not provide the information it needs at the time, it cannot fulfill its vital task. New economic activists, especially those who founded their businesses in cyberspace and based on the capabilities of the data, such as the vast majority of data, need increasing information about this space; hence, it is necessary to make the decisions governing the scope of this domain, reasonable decisions about the issues.
Mohammad Amin Amin Roaya[21]
Resources
Rules and Regulations
-2004: The Law concerning Respect for Legitimate Freedoms and Protection of Civil Rights. (in Persian)
-Constitution of Iran. (in Persian)
-The Constitutional Law of 1906. (in Persian)
– The Law on Dissemination of and Free Access to Information. (in Persian)
-2015: Code of Criminal Procedure. (in Persian)
-E-commerce law. (in Persian)
– The Act on Protection of Rights of Computer Software Creators 2000. (in Persian)
-Islamic Penal Code. (in Persian)
– The Law on Punishment of Persons Who Engage in Unauthorized Activities in Audio-Visual Matters, approved in 2000 (amended in 2008). (in Persian)
-Iran Statistics Center Act. (in Persian)
-The Civil Liability Act of 1960. (in Persian)
-The Press Law was passed in 1985. (in Persian)
-Ministry of Communications and Information Technology Duties and Authorities Act. (in Persian)
-2016: Regulation on the Use of Computer and Communication Systems, Informing the Head of the Judiciary. (in Persian)
-Executive Guidelines of Compulsory Public Service of Communications and Information Technology Approved by the Communication Regulatory Commission. (in Persian)
– Guidelines on the Establishment, Activity, and Dissolution of the Office of Electronic Judicial Services, Informing the Head of the Judiciary 2013. (in Persian)
-Technical Provisions for E-Government Development 2014. (in Persian)
-The Supreme Council of Cyberspace Act. (in Persian)
-The resolutions of the Commission for the Regulation of Telecommunications. (in Persian)
-Rules and Regulations of Computer Information Networks Approved in 2001 by the Supreme Council of Cultural Revolution. (in Persian)
-The Charter of the Rights of Citizens of the Islamic Republic of Iran 2016. (in Persian)
Books
Ansari, Baqer, 2012, Privacy Law, Tehran, Human Science Books Study and Compilation (s.a.m.t). (in Persian)
Nuri, Mohammad Ali; Nakhjavani, Reza, 2004, Data Protection Rights, Tehran, Treasure Library of Knowledge. (in Persian)
vakil, Amir Sa’ed; Askari, Pouya 2009, Constitution in the Order of the Current Law, Tehran, Majd Publications. (in Persian)
Articles
Ansari, Baqer, 2004, “Privacy and its Protection in the Law of Islam, Comparative and Iran”, Journal of the Faculty of Law and Political Science, N. 66, p. 1-53. (in Persian)
Jafari, Ali; Rahbaripour, Mohammad Reza, 2017, “Civil Liability arising from Violation of Data Privacy in Imamiye and Jurisprudence,” Private Law Research Chapter, N. 18, p. 43-74. (in Persian)
Abdullahi, Mahbouba; Shahbazi, Morteza, 2009, “A secure information system in e-commerce law”, Legal Research Journal, N.16, p. 123-131. (in Persian)
Fathi, Younes; Shahmoradi, Khayr Allah, 2017 A, “Scope and scope of Privacy in Virtual Space”, Legal Journal of Justice, N. 99, p. 229-252. (in Persian)
Fathi, Younes; Shahmoradi, Khayr Allah, 2017 B, “Violation of the Privacy of Persons and National Security in Confronting Cyber Terrorism”, Journal of Judgment, N. 91, p. 1-28. (in Persian)
Kadkhodaei, Abbas, 2008, “Global Information Networks and Human Rights Violations with Emphasis on Privacy Rights”, Communication Research Center, Latest Update 2016, available at: http://vista.ir/article/313123. (in Persian)
Theses
Jalali Farahani, Amir Hossein, 2005, “Prevention of Computer Crimes”, Master’s Thesis, Guide Professor: Ali Hossein Najafi Abrandabadi, Imam Sadiq University, Criminal Law Group, and Criminology. (in Persian)
Mohseni, Farid, 2009, “Criminal Protection of Privacy in the Field of Information”, Thesis Ph.D., Imam Sadiq University, Private Law Group. (in Persian)
[1]– The dignity, life, property, rights, residence, and occupation of the individual are inviolate, except in cases sanctioned by law.
[2]– It is forbidden to search for opinions, and no one can be attacked or punished for having an opinion.
[3]– Inspection and refusal of letters, recording or disclosing phone calls disclosure of telegraphic and telex communications, censorship, non-communicating and non-delivery of them, eavesdropping, and any other surveillance are forbidden unless by law.
[4]– All affronts to the dignity and reputations of persons arrested, detained, imprisoned, or banished in any way shall be prohibited and punishable under the law.
[5]– Special care to secure and maintain all aspects security of the country’s cyberspace, as well as to protect the privacy of the society and to effectively counter foreign influence and manipulation in this field.
[6]– The first chapter of the first paragraph (b) defines personal information as following: information pertaining to individuals such as name, surname, home and work addresses, the situation of family life, personal habits, physical problems, bank account numbers and passwords.
[7]– Article 14: If the requested information pertains to privacy of persons, or is regarded as information obtained through the violation of privacy, the request should be rejected.
Article 15: If accepting the request leads to the illegal disclosure of personal information of the third person, the institutions subject to this law should withhold the requested information unless:
A – The third party has given his/her consent, explicitly and in writing, to the disclosure of information about him/her.
B – The applicant is the third party’s legal guardian or lawyer, and acting within his/her powers.
C – The applicant is a public institution, and the requested information is, based on the law, directly related to its powers and duties.
[8]– Article 658 of the electronic civil code of the Code of Criminal Procedure of the Judiciary is required to provide technical and legal measures that are necessary to protect the privacy of individuals and safeguard their data, in the framework of the actions provided for by this sector.
[9]– Article 660 of the electronic civil procedure law in the Code of Criminal Procedure, if persons who have data of that section provided for the violation of the privacy of persons or the confidentiality of information, or illegally disclose them or make them accessible to persons who are not qualified, they shall be condemned to imprisonment from two to five years or a fine from twenty to two hundred million Rials, and to be dismissed from two to ten years of service.
[10]– Fixed Communication Provider (FCP).
[11]– Servco.
[12]– Article 35 – Citizens have the right to security, communication, and information technologies, to protect their data and privacy.
[13]– Article 36 – Every citizen has a right to have their privacy respected. Residences, personal spaces, belongings and vehicles are immune from search and inspection, except pursuant to the law.
Article 37 – Searching, collecting, processing, using and disclosing of letters, whether electronic or otherwise, personal information and data, as well other mail and telecommunications, such as telephone communications, faxes, wireless, private internet communications and the like is prohibited, save pursuant to the law.
Article 38 – Collection and publication of private information of citizens is forbidden, except with their informed consent or pursuant to the law.
Article 39 – Citizens have the right to have their personal information, held by organs and natural persons and legal entities, protected and preserved. Providing access to and disclosure of personal information of individuals shall be barred, and where required at the request of judicial and administrative authorities, they shall be provided to them exclusively. No official and authority shall, without express legal permit, have the right to place personal information of individuals at the disposal of another person or divulge them.
Article 40 – All inspections and body searches must be made in accordance with the law, with due respect, and by using non-humiliating and non-intrusive methods and tools. Furthermore, compulsory medical tests and measures without legal authorization are forbidden.
Article 41 – Illegal audio and video controls in places of work, public places, shops and other spaces where services are provided to the public are prohibited.
Article 42 – Citizens have the right to have their dignity and privacy respected in the media and public fora. And, should this right be violated, causing material or immaterial harms, the violators shall be liable and obliged to make reparation, in accordance with the law.
[14]– Copyright, supply, implementation and the rights to the material and moral utilization of computer software belong to its creator. How the data are compiled and presented in a computer-processing environment is also subject to the software’s provisions. The duration of material rights is thirty (30) years from the date of the creation of the software and the duration of the unlimited intellectual property rights.
[15]– Article 31: It is prohibited to publish articles containing threats against honor or self-disclosure or disclosure of personal secrets, and it is the Director in charge of the Judicial Tribunals, who will be dealt with according to the Law of Taazirat.
[16]– Such as Material 801 (570) 804 (573) 809 (578) 811 (580).
[17]– Article 5 – Any change in the production, transmission, receiving, storing, or processing of the message’s data is valid by the parties with the specific agreement.
[18]– Article 58 – Storing, processing, or distributing personal messages containing ethnic or racial roots, beliefs, religion, moral characteristics, and “message data” relating to the physical, psychological, or sexual status of persons without their explicit consent is illegal.
[19]– Article 59 – If the subject’s consent is satisfied, the message’s data content shall be subject to the rules established by the Islamic Consultative Assembly: Storing, processing, and distributing personal message “data” in the scope of electronic transactions shall be subject to the following conditions:
A- Its objectives are clearly defined.
b – “Message data” must be collected only as necessary and by the purposes described during the gathering for the subject “message data” and used only for the intended purposes.
c – “Message data” must be correct and up-to-date.
d – The person subject to the message data should have access to the computer files containing their own personal message ‘data’ and can “delete or modify data of incomplete or incorrect messages”.
E- The subject “Message Data” person should be able to request at any time, in compliance with the relevant criteria, to complete the deletion of their respective PC “Message Data”.
[20]– Internet Service Provider.
[21]– Master of Jurisprudence and Law.