INTELLIGENCE
ZERO|TOLERANCE
Intelligence Advisory
zerotolerance.me

Jordan ISPs: Five Providers Caught Collecting Intrusive User Data

2020 · Privacy violations

Publication Date: 2020-01-01
Category: Nation-State & Espionage
Author: K. Ellabban
Organization: Zero|Tolerance Security Research

A 2020 investigation coordinated by the Business & Human Rights Resource Centre found that five Jordanian internet service providers were collecting intrusive user information - beyond what is necessary for service provision - without adequately disclosing this practice to their subscribers or obtaining informed consent. The providers identified in the investigation included Orange Jordan, Zain Jordan, and Umniah among the country’s primary market participants.

Executive Summary

Key Facts

  • What: Five Jordanian ISPs collected intrusive user data without consent.
  • Who: Subscribers of Orange Jordan, Zain Jordan, Umniah, and two other ISPs.
  • Data Exposed: Browsing histories, app usage, behavioral profiles, and subscriber identities.
  • Outcome: No penalties imposed; Jordan lacks enforceable data protection legislation.

Impact Assessment

What Was Exposed

  • Browsing histories, application usage data, and internet behavioral profiles of subscribers at five Jordanian ISPs, collected without subscriber knowledge or consent
  • Usage metadata beyond what is necessary for network management: detailed records of subscriber communication patterns, application preferences, and online activities
  • Subscriber identification data linked to behavioral profiles, enabling the association of specific individuals with their internet activity histories
  • Data collected without disclosure that may have been shared with government agencies, third-party advertisers, or data brokers - the investigation did not establish the full scope of data sharing arrangements
  • Potentially deep packet inspection (DPI) data if providers employed traffic analysis technologies that examine the content of communications beyond header metadata
  • The aggregate subscriber data of three of Jordan’s largest operators - Orange, Zain, and Umniah - which between them serve the vast majority of Jordan’s internet subscribers

The term “intrusive user data collection” encompasses a spectrum of practices that go beyond what a subscriber would reasonably expect their ISP to collect in the course of providing connectivity services. At one end of this spectrum are practices like retaining detailed web browsing histories, DNS query logs, and application-level traffic records beyond the period necessary for billing or network troubleshooting.

At the more invasive end are practices involving deep packet inspection (DPI) technology - systems that analyze the content of network traffic, not merely its metadata - enabling ISPs to reconstruct subscriber browsing behavior, intercept unencrypted communications, and build profiles of subscriber interests and activities with a granularity that no subscriber would expect or consent to.

Jordan’s legal framework for ISP data collection creates a permissive environment for surveillance-grade data retention. The Cybercrime Law (both the 2015 predecessor and the 2023 successor) contains provisions requiring ISPs to retain traffic data for defined periods to support law enforcement investigations. The Telecommunications Law creates licensing obligations that include cooperation with security and intelligence agencies.

These legal requirements create a baseline of data retention that serves law enforcement objectives - but they do not limit what ISPs may additionally collect for commercial or other purposes, nor do they require that subscribers be informed of the full scope of data retention and potential disclosure.

The three named ISPs - Orange Jordan, Zain Jordan, and Umniah - together account for the substantial majority of Jordan’s internet subscribers across both mobile broadband and fixed-line connectivity. Orange Jordan, as the former state monopoly incumbent, holds the largest share of fixed-line and broadband subscribers.

Zain Jordan is the Jordanian subsidiary of the Kuwaiti-headquartered Zain Group and serves a large mobile subscriber base. Umniah is the third major mobile operator, majority owned by Bahrain’s Batelco. All three are international corporations with parent companies headquartered in jurisdictions with more developed data protection frameworks than Jordan currently provides - a parent-subsidiary regulatory arbitrage that allows practices in Jordan that would not be permissible under the frameworks governing their parent companies.

The Freedom House 2024 assessment of Jordan’s internet freedom includes documentation of ongoing concerns beyond ISP data collection: website blocking, social media monitoring, arrests of users for online expression, and the use of the Cybercrime Law No. 17/2023 to prosecute speech-related online activity.

The data collection practices of ISPs exist within this broader digital rights environment, where the data accumulated about subscribers’ online activities may be accessed by authorities to support investigation of Cybercrime Law offenses that include the publication of content deemed to “provoke sedition” or undermine national unity. The intersection of commercial data collection practices with law enforcement access provisions creates a surveillance infrastructure in which ISPs serve as both commercial data processors and instruments of state monitoring.

The acknowledgment by MoDEE that data privacy is a national priority, made in the context of the 2020 investigation, was not accompanied by specific regulatory action against the ISPs identified in the investigation or by the enactment of the personal data protection legislation that would have provided the enforcement mechanism for addressing the documented practices. This gap between policy acknowledgment and legislative action is characteristic of Jordan’s data protection trajectory: the country has repeatedly signaled its intention to develop a comprehensive personal data protection law without completing the legislative process. The National Cybersecurity Strategy 2024-2028 reaffirms this intention, but the absence of an enacted law means that ISPs continue to operate in an environment without binding transparency or consent requirements for their data collection practices.

Compliance Impact

Regulatory Analysis

The regulatory analysis of Jordan’s ISP data collection practices requires engagement with three distinct legal frameworks: the constitutional privacy guarantee, the telecommunications licensing regime, and the cybercrime law. None of these frameworks individually provides a comprehensive basis for compelling ISPs to limit their data collection to what is necessary and disclosed - but together they create a normative architecture that a properly empowered enforcement body could use to address the practices documented in the 2020 investigation.

Article 18 of Jordan’s Constitution provides that all postal, telegraphic, and telephonic communications are secret and shall not be subject to surveillance except by judicial order. Applied to internet communications - which the constitutional drafters could not have anticipated but which represent the primary communication medium of contemporary Jordanian life - Article 18 establishes a privacy baseline that ISP behavioral data collection without subscriber consent arguably violates.

The collection of detailed browsing histories and usage profiles constitutes a form of continuous surveillance of subscriber communications that goes beyond routine service provision and engages the constitutional privacy interest. However, without a constitutional court with the mandate to receive complaints from affected subscribers and issue binding rulings against ISPs, Article 18’s application to ISP data collection remains a theoretical legal argument rather than an enforceable right.

The Telecommunications Regulatory Commission (TRC) licenses Jordan’s ISPs and has the authority to impose conditions on licensed operators, including conditions related to subscriber privacy and the scope of data collection.

The TRC’s existing license conditions require operators to protect subscriber confidentiality in the context of law enforcement access - establishing procedures for government requests for subscriber data - but do not include conditions requiring operators to limit commercial data collection to what is necessary for service provision or to disclose their data collection practices to subscribers in accessible terms.

A TRC regulatory intervention requiring ISPs to publish clear, detailed privacy notices and to limit data collection to specified categories with specified retention periods would address the disclosure gap identified in the 2020 investigation without waiting for the enactment of standalone personal data protection legislation.

Jordan’s Cybercrime Law No. 17/2023 explicitly requires ISPs to retain certain categories of traffic data and to provide access to authorities upon lawful demand.

These obligations represent the floor of ISP data retention, not the ceiling. There is nothing in the 2023 law that authorizes ISPs to collect data beyond what law enforcement retention requirements mandate - but equally nothing that prohibits it. The absence of a data minimization principle in the applicable legal framework means that ISPs face no legal constraint on collecting additional data for commercial purposes, provided they do so within the general terms of their licensing agreements and subscriber contracts.

This permissive environment is precisely the gap that a Personal Data Protection Law with data minimization and purpose limitation principles would close.

Assessment

What Should Have Been Done

Addressing Jordan’s ISP data collection problem requires simultaneous action at three levels: mandatory legislative standards that define what ISPs may collect and how they must disclose it, regulatory enforcement by the TRC and MoDEE using existing licensing authority, and industry self-regulatory commitments that demonstrate good faith engagement with subscriber privacy expectations. The MoDEE’s acknowledgment that data privacy is a national priority creates a public commitment that should be translated into concrete regulatory action.

At the legislative level, Jordan’s long-pending Personal Data Protection Law must include specific provisions for the telecommunications and ISP sector.

These should include a data minimization principle requiring ISPs to collect only the data necessary for the provision of contracted services and compliance with lawful data retention orders; a purpose limitation principle restricting the use of collected data to the specific purposes for which it was collected; mandatory privacy notices at the point of subscription explaining in plain language what data is collected, for what purposes, with whom it is shared, and for how long it is retained; and an individual right to access personal data held by the ISP and to request its deletion where retention is not legally required.

These principles are established international standards, reflected in the OECD Privacy Guidelines, the GDPR, and numerous national data protection laws enacted by Jordan’s regional peers.

The TRC should exercise its existing licensing authority to require immediate transparency improvements from licensed operators. A TRC guidance note requiring all ISPs to publish accessible privacy notices describing their data collection practices - including any behavioral profiling, DPI deployment, or data sharing arrangements with third parties or government agencies - would address the most immediate disclosure gap without waiting for standalone legislation.

ISPs that fail to publish compliant privacy notices within a defined compliance window should face license condition enforcement action. This regulatory intervention is within the TRC’s existing powers and does not require new legislation, making it the most immediately actionable response to the documented practices.

ISPs themselves should implement privacy-by-design principles in their data management architectures, treating the minimization of personal data collection as a design requirement rather than a compliance afterthought. This includes technical controls that prevent the collection of data beyond what is specified in documented retention policies, automated deletion of data upon expiry of its retention period, segregation of law enforcement retention data from commercial operations data, and annual privacy impact assessments for any new data processing initiative.
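The technical controls listed above can be enforced at the point of ingest rather than by later audit. The sketch below is an added example, not code from the investigation or from any ISP: it drops fields that are not in a documented policy, keeps lawful-retention data in a store separate from commercial data, and purges rows on expiry. The purposes, field names, retention periods and the `MinimizingStore` class are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical documented retention policy: purpose -> (allowed fields, retention period).
# Purposes, field names and periods are assumptions, not taken from any law or ISP.
POLICY = {
    "billing": ({"subscriber_id", "bytes_up", "bytes_down"}, timedelta(days=90)),
    "lawful_retention": ({"subscriber_id", "src_ip", "session_start"}, timedelta(days=365)),
}

class MinimizingStore:
    """One segregated store per documented purpose; policy is enforced on write."""

    def __init__(self, policy):
        self.policy = policy
        self.stores = {purpose: [] for purpose in policy}  # no shared table
        self.rejected = []  # audit trail: (purpose, field names refused at ingest)

    def ingest(self, purpose, record, now):
        if purpose not in self.policy:
            raise ValueError(f"no documented purpose: {purpose!r}")
        allowed, retention = self.policy[purpose]
        dropped = sorted(set(record) - allowed)
        if dropped:
            self.rejected.append((purpose, dropped))
        kept = {k: v for k, v in record.items() if k in allowed}
        self.stores[purpose].append((kept, now + retention))
        return kept

    def purge(self, now):
        """Delete every row whose retention period has expired; return the count."""
        removed = 0
        for purpose, rows in self.stores.items():
            live = [row for row in rows if row[1] > now]
            removed += len(rows) - len(live)
            self.stores[purpose] = live
        return removed

def demo():
    # Constructed sample record; all values are made up for illustration.
    t0 = datetime(2020, 1, 1, tzinfo=timezone.utc)
    store = MinimizingStore(POLICY)
    raw = {"subscriber_id": "S-1001", "bytes_up": 10, "bytes_down": 99,
           "src_ip": "192.0.2.10", "session_start": t0.isoformat(),
           "visited_host": "example.org", "app_name": "chat-app"}
    billing = store.ingest("billing", raw, t0)
    lawful = store.ingest("lawful_retention", raw, t0)
    purged = store.purge(t0 + timedelta(days=100))
    return billing, lawful, store.rejected, purged, store
```

Browsing and application fields never reach either store because no documented purpose lists them, and a purpose that is missing from the policy is refused outright instead of being stored by default.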

For ISPs with parent companies headquartered in the EU or other jurisdictions with established data protection standards, the group-level policies of the parent should set a floor for data protection practices in Jordan that meets or exceeds the parent’s domestic obligations, not a ceiling that is selectively applied only where legally required.

Five years after the 2020 investigation documented ISP data collection practices that violated the spirit of Jordan’s constitutional privacy guarantee, the structural conditions that enabled those practices remain in place - the absence of a Personal Data Protection Law, the absence of an independent data protection authority, and the absence of effective TRC enforcement of subscriber privacy rights collectively ensure that Jordan’s internet users remain without meaningful protection against surveillance-grade data collection by their own service providers.