Answer ... (a) Internet (e-commerce)
The E-signature and E-transactions Law sets out the legal framework for transactions carried out through electronic means. The Electronic Payment Services Regulation governs the electronic transfer of money. Electronic payment service providers must be licensed by the Central Bank of Iraq (CBI).
Every payment service provider must take steps, among other things, to:
- provide safe services to customers;
- take the necessary risk mitigation measures;
- store and protect data against disclosure, destruction, misuse, loss and theft;
- facilitate the CBI’s access to its systems for supervision purposes; and
- maintain secrecy in banking transactions.
Electronic documents and contracts have the same probative value as paper documents and contracts, provided that, among other things:
- they are stored with a possibility of retrieval;
- they are kept in the same form as created, sent or received, or in any way that facilitates the verification of the accuracy of the information; and
- the sender, receiver and date and time of sending and receipt of such electronic documents and contracts are all identifiable.
Specific legal issues associated with e-commerce in Iraq include the absence of specific data protection and cybersecurity legislation. Iraq has prepared draft laws on cybercrimes and telecommunications and information technology, but these drafts have not yet been enacted.
(b) Mobile (m-commerce)
Mobile commerce is governed by the same legislation and regulation applicable to e-commerce (see question 3.1(a)).
Mobile payment service providers are bound by the same obligations as payment service providers and must further undertake the following actions, among other things:
- entering into contracts with mobile operators and providing copies thereof to the CBI; and
- settling payments in Iraq in the national currency.
Specific legal issues associated with m-commerce in Iraq include the absence of specific data protection and cybersecurity legislation. Iraq has prepared draft laws on cybercrimes and telecommunications and information technology, but these drafts have not yet been enacted.
(c) Big data (mining)
There are no specific big data-related regulations in the fintech space in Iraq.
(d) Cloud computing
CBI Decision 14/611 of 2019 sets out certain criteria to be implemented by banks, financial institutions, payment service providers, exchange counters and other licensed institutions when dealing with cloud computing service providers. Upon engaging in such activities, these institutions must take into account operational risks and factors such as confidentiality, integrity, cybersecurity, regulatory compliance and data transfer. The measures to be implemented by banks, financial institutions and other licensed institutions to ensure the safety of the operations include:
- user identity management systems;
- identification and protection of personal data; and
- security and protection systems that prevent hacks and attacks.
The legal issues associated with outsourcing to cloud computing service providers include cybersecurity risks and protection of personal data by cloud computing service providers. In order to mitigate such risks, banks must have the cloud computing service provider sign a non-disclosure agreement. Banks must further ensure that they have the right to audit the cloud computing service provider, to verify its ability to protect the safety and integrity of data. Banks much ensure that the cloud computing service provider returns all data upon termination of the agreement and destroys any copies thereof in its possession.
(e) Artificial intelligence
Artificial intelligence is not expressly regulated under Iraqi law.
(f) Distributed ledger technology (Blockchain, cryptocurrencies)
Blockchain and cryptocurrencies are not expressly regulated in Iraq.