Intelligence Advisory
zerotolerance.me

Jordan Cybercrime Law 2023: New Rules, Broader Powers, Unresolved Gaps

Sep 2023 · Regulatory analysis

Publication Date: 2023-09-01
Category: Regulatory Enforcement
Author: K. Ellabban
Organization: Zero|Tolerance Security Research

Jordan's Cybercrime Law No. 17/2023 was issued on August 13, 2023 and entered into force on September 13, 2023, replacing the 2015 Cybercrimes Law that had governed Jordan's digital legal landscape for eight years. The new law expanded the scope of prosecutable cybercrime offenses, broadened the public prosecutor's authority to initiate proceedings without a victim's personal complaint for offenses affecting government entities and national interests, and introduced new categories of offense targeting content-based activities online.

Executive Summary

Key Facts

  • What: Jordan enacted Cybercrime Law No. 17/2023 expanding prosecutorial powers.
  • Who: All internet users and organizations operating in Jordan.
  • Data Exposed: No breach; analysis reveals no data protection obligations for organizations.
  • Outcome: Hundreds charged under speech provisions; max fine JOD 5,000.

Impact Assessment

What Was Exposed

  • The legislative gap at the core of Jordan's digital rights framework: a Cybercrime Law that criminalizes attackers but imposes no affirmative data security obligations on organizations that process personal data
  • The absence of a breach notification regime - organizations breached under the 2023 law have no statutory obligation to notify affected individuals, regulatory authorities, or the public within any defined timeframe
  • Hundreds of individuals charged under the law's speech-related provisions between enactment and August 2024, demonstrating that the law's enforcement has been directed significantly toward expression rather than cybersecurity
  • The structural accountability gap for organizations whose inadequate security practices enable breaches: the law prosecutes attackers, not negligent victims
  • Jordan's distance from the data protection adequacy standards that would enable recognized cross-border data transfers with the EU and other major data protection jurisdictions

Cybercrime Law No. 17/2023 is a substantially expanded document relative to its 2015 predecessor. The 2015 law addressed the core categories of cybercrime - unauthorized system access, data interception, and system interference - in relatively sparse terms, reflecting the state of digital law in the region at that time. The 2023 law addresses a wider range of conduct, including financial fraud conducted through digital means, identity theft and impersonation online, cyberbullying and harassment, non-consensual distribution of intimate images, and the creation and distribution of malware.

These additions reflect genuine legislative modernization that addresses criminal activity that the 2015 law's sparse provisions did not adequately cover.

The prosecutorial power expansion is the most significant structural change introduced by the 2023 law. Under the 2015 framework, many cybercrime offenses required a personal complaint from the victim before the public prosecutor could initiate proceedings.

This requirement created a significant barrier to prosecution in cases where victims were reluctant to report (due to reputational concerns, fear of secondary investigation, or simply not being aware they had been victimized), where victims were foreign entities with no practical means of filing complaints in Jordan, or where the offense was against the public interest rather than a specific identifiable victim.

The 2023 law removes the personal complaint requirement for offenses affecting government entities, critical infrastructure, and national security interests, enabling the public prosecutor to act on intelligence or law enforcement referrals without waiting for victim initiative.

This prosecutorial expansion has clear cybersecurity benefits: it enables proactive prosecution of threat actors identified through law enforcement investigation (as in the r1z case, where the FBI's investigation preceded any formal victim complaint to Jordanian authorities) and reduces the structural barriers to pursuing criminal actors who target government systems and national critical infrastructure. The NCSC's incident response mandate is strengthened by a legal framework that supports prosecution without requiring victim cooperation in each case.

Dentons' October 2023 analysis of the new law noted several key provisions with direct implications for businesses operating digital services in Jordan. The law establishes liability for electronic service providers who fail to comply with legally mandated data retention and access obligations, creating a compliance dimension for ISPs, cloud service providers, and other digital intermediaries beyond the pure criminal liability that applies to individual bad actors.

The Library of Congress's September 2023 legislative summary noted that the law's scope extends to offenses committed against Jordanian citizens or entities by actors outside Jordan's borders, establishing extraterritorial jurisdiction that is increasingly common in cybercrime legislation globally.

These content-based offenses carry maximum penalties of up to three years' imprisonment and fines up to JOD 5,000. Reporters Without Borders (RSF) and Amnesty International have both documented prosecutions of journalists, bloggers, and social media users under these provisions for content that, under international freedom of expression standards, would be protected speech. The conflation of cybercrime legislation with speech restriction creates a chilling effect on online expression that goes beyond the law's legitimate cybersecurity objectives.

Compliance Impact

Regulatory Analysis

Understanding what Cybercrime Law No. 17/2023 does - and does not - achieve in data protection terms is essential for any organization operating in Jordan. The law is best characterized as a comprehensive cybercrime statute with significant speech restriction provisions, not as a data protection law. Organizations seeking to understand their data protection obligations in Jordan must look beyond the Cybercrime Law to the constitutional framework, sector-specific regulations, and the contractual obligations they assume through their service agreements with customers and business partners.

The law's most significant data protection gap is the absence of affirmative security obligations for data controllers. In jurisdictions with comprehensive data protection laws - the EU's GDPR, Bahrain's PDPL, Saudi Arabia's PDPL, UAE's PDPL - organizations that process personal data are required to implement appropriate technical and organizational security measures, conduct data protection impact assessments for high-risk processing activities, and notify supervisory authorities and affected data subjects when breaches occur. The Jordanian Cybercrime Law contains no equivalent obligations.

An organization operating in Jordan that suffers a data breach because it stored passwords in plaintext, failed to patch a known vulnerability, or neglected to implement multi-factor authentication faces no regulatory liability under the Cybercrime Law - the law makes the attacker a criminal, but it does not make the negligent organization accountable.

The maximum fine of JOD 5,000 (approximately $7,000 USD) for individual violations under the law is strikingly modest for what is intended to be Jordan's primary legal instrument against digital threats to the national economy and individual privacy. For comparison, the EU's GDPR allows fines of up to 4% of global annual turnover or EUR 20 million, whichever is higher. Saudi Arabia's PDPL allows fines up to SAR 5 million for serious violations. Qatar's Personal Data Privacy Protection Law allows fines up to QAR 5 million.

The Cybercrime Law's maximum JOD 5,000 fine creates minimal deterrence for large organizations where the cost of a security breach - in operational disruption, reputational damage, and ransom payments - vastly exceeds the regulatory penalty. The fine structure reflects the law's criminal justice orientation: fines in criminal statutes are calibrated to the culpability of individual offenders, not to the turnover of corporations processing vast quantities of personal data.

For multinational organizations operating in Jordan, the Cybercrime Law creates compliance dimensions that deserve careful legal mapping. The law's data retention obligations for electronic service providers, its content moderation implications for social media platforms and web services, and its extraterritorial jurisdiction provisions all require assessment against the compliance postures of organizations headquartered in the EU or other jurisdictions with different - and sometimes conflicting - legal requirements.

An EU-based organization subject to GDPR that also operates services in Jordan must navigate the intersection between GDPR's data minimization requirements and Jordan's mandatory data retention provisions, a potential tension that legal counsel familiar with both frameworks must address.

Jordan's enforcement pattern under the 2023 law deserves particular attention from organizations whose employees, executives, or contractors might be subject to prosecution. Amnesty International's August 2024 report documenting hundreds of prosecutions in the law's first year - many for speech-related offenses - indicates an enforcement environment in which the law's broad offense categories are applied aggressively.

Organizations whose communications functions, social media activities, or employee expression policies might generate content characterizable as "provoking sedition" or "undermining national unity" face genuine legal risk under Article 17, not merely theoretical exposure.

Foreign executives and employees operating in Jordan should receive specific guidance on the law's speech-related provisions as part of any Jordan compliance program.

Assessment

What Should Have Been Done

Jordan's legislative trajectory in the digital domain requires evaluation against both what the 2023 law achieves and what it leaves unaddressed. The law represents genuine legislative modernization of Jordan's cybercrime framework, updating offense categories, strengthening prosecutorial tools, and addressing forms of digital harm that the 2015 law did not adequately cover.

But the law's fundamental limitations - its criminal justice orientation, its speech restriction provisions, and its complete absence of data protection obligations - mean that the legislative work required to bring Jordan's digital regulatory framework to the standard of its regional peers is largely still ahead.

Jordan's parliament and the Ministry of Digital Economy and Entrepreneurship should prioritize the enactment of a standalone Personal Data Protection Law as the single most consequential step Jordan can take to address the data protection gaps documented across all eight of the Jordan incident studies examined on this platform.

A PDPL modeled on international best practices - incorporating data minimization, purpose limitation, transparency, individual rights, security obligations, breach notification, and independent supervisory authority - would transform Jordan's regulatory environment from one in which organizations face no accountability for negligent data handling to one in which accountability is both defined and enforced.

The National Cybersecurity Strategy 2024-2028's identification of PDPL enactment as a policy objective should be accompanied by a concrete legislative timeline with parliamentary commitment.

The speech-related provisions of the Cybercrime Law require reform to bring them into conformity with Jordan's obligations under the International Covenant on Civil and Political Rights. Article 19 of the ICCPR protects freedom of expression and permits restrictions only where they are provided by law, necessary, and proportionate to a legitimate aim. The Cybercrime Law's Article 17, which criminalizes content that "provokes sectarianism or sedition," and related provisions fail this standard as applied in the hundreds of prosecutions documented by Amnesty International.

Reform of these provisions to require specific intent, concrete harm, and proportionate application would align the law with ICCPR requirements while preserving the genuine incitement-to-violence and national security provisions that a cybercrime law legitimately needs.

For organizations operating in Jordan in the present regulatory environment, several practical steps are warranted. First, legal mapping of the Cybercrime Law's obligations against the organization's specific activities in Jordan - particularly data retention requirements for electronic service providers and content moderation obligations for platform operators. Second, development of a Jordan-specific compliance policy addressing employee expression on social media, handling of government data requests, and data retention practices, reviewed by counsel with specific Jordan expertise.

Third, proactive engagement with Jordan's evolving personal data protection legislative process, participating in consultation processes when a draft PDPL is published and advocating for provisions that align with international standards while respecting Jordan's national context. The organizations that prepare for a Jordan PDPL now will be positioned for faster compliance when the law is eventually enacted; those that wait will face the same compressed compliance timelines that caught organizations flat-footed when Jordan's regional peers enacted their data protection laws.

Cybercrime Law No. 17/2023 is a meaningful but incomplete step in Jordan's digital legal development: it strengthens the tools available to prosecute attackers but does nothing to make organizations accountable for the negligent security practices that make successful attacks possible - the defining gap between a cybercrime law and the comprehensive data protection framework that Jordan's digital economy and its citizens urgently need.