There is no specific data protection regime in Iraq. Generally, the processing of personal data is governed by the general rules under applicable Iraqi laws, including the Iraqi Constitution of 2005, the Civil Code and the Penal Code.
In general, the Iraqi Constitution protects the right to personal privacy, so long as it does not contradict the rights of others or public morals. It further stipulates that freedom of communication and correspondence shall be guaranteed and may not be monitored, wiretapped or disclosed, except for legal and security reasons necessitated by a judicial decision. Certain criminal acts defined in the Penal Code may be linked to the improper use of personal data, such as defamation and disclosure of confidential information.
More specifically, certain provisions of several laws and regulations are applicable to data protection in the fintech space. These include the following:
- The Banking Law (94/2004) requires banks to maintain banking and professional secrecy with regard to accounts, deposits, securities and clients’ deposit boxes. Clients’ data must not be directly or indirectly disclosed without their written consent.
- Employees of the Iraq Securities Commission, established by virtue of Coalition Provisional Authority Order 74/2004, must not disclose any confidential information that comes to their knowledge in the course of their job, subject to sanctions imposed by the commission. Moreover, brokers must keep investors’ private information confidential.
- Payment service providers must take the necessary steps to store and protect clients’ data against disclosure, destruction, misuse, loss and theft, and maintain secrecy in banking transactions.
There is no general cybersecurity regime in Iraq. Draft laws on cybercrime and on telecommunications and information technology have been prepared but have not yet been enacted, and their content may be revised by the Iraqi Parliament before enactment.
Nevertheless, certain provisions found in several laws and regulations are applicable to cybersecurity in the fintech space. These include the E-signature and E-transactions Law (78/2012), the Electronic Payment Services Regulation (3/2014) and Central Bank of Iraq Decision 14/611 of 2019, which compel banks, financial institutions and other licensed institutions such as payment service providers to implement measures to mitigate cybersecurity risks. These measures include:
- user identity management systems;
- identification and protection of personal data, and the security of that data; and
- protection systems that guard against hacking and other attacks.