Nowadays, businesses are delegating more and more of their operations to the online arena, and advertising and marketing activities are now predominantly conducted online, particularly on social networks. At the same time, a growing number of startups are fully established and managed in cyberspace.
It goes without saying that any venue and platform dedicated to trade naturally requires some form of security. Since e-commerce is conducted mainly over the Internet, it is inherently intertwined with cybersecurity. The security of cyberspace is governed by international laws such as the European Convention on Cybercrime (Budapest, 2004) alongside national laws. The security of e-commerce in Iran is ensured via national laws: the Electronic Commerce Act (2004), the Computer Crimes Act (2009), and the Law on Publicizing and Access to Data (LPAD, 2010).
These laws are intended to provide protection for sensitive business data against unauthorized access, use, disclosure, alteration, and/or destruction.
Measures against computer crimes are generally undertaken by the Cyber Police of the Islamic Republic of Iran (FETA).
Even though cyberattacks originally targeted government agencies, today e-businesses are not immune from such attacks. Even individuals may be targeted for their credit card numbers and personal data. Especially with the increasing importance of personal and financial data, websites will remain a hot target. E-commerce business owners are fully aware of the repercussions of these threats in terms of loss of both data and customer trust. This is why the majority of e-businesses purchase the latest security products and increase their security staff.
E-commerce Law and Cybersecurity in Iran Act address data messages (Art 10-16) and the obligations of parties entering into contracts in the virtual space. It also addresses consumer rights, including the obligation of service and goods providers to present consumers with information affecting their decisions regarding purchasing or accepting the service terms of the agreement.
The Computer Crimes Act (CCA) describes authority and jurisdiction which were not addressed in the E-Commerce Law of Iran. The act describes two kinds of punishments: jail, forfeiture, or both. The CCA consists of two chapters: chapter 1 describes the elements of crime and punishment and chapter 2 describes the prosecution procedure.
The following are some actions that the CCA declares to be criminal offenses:
The jurisdiction of Iranian courts in this regard includes the country’s land, air, and maritime territory. Iranian or non-Iranian persons outside Iran’s borders are subject to this law in cases of crime against computers, telecommunication systems, and websites of the three branches of the government.
Damages and remedies arising from the contractual liabilities under e-commerce agreements, and the right to terminate the contract in the event of a breach, are other tools provided to protect the rights of online sellers and consumers.
Considering the growing threats of cybercrime, e-commerce business owners in Iran must embed security throughout their company’s operation and business strategy. Aside from ensuring network security, cyber leaders must be able to quickly counter threats, respond to incidents, and inform the managers.
The security infrastructure needs to have the following basic capabilities:
• Identification/authentication: This is the first step of any security and privacy process: being able to tell who users are. Having a security infrastructure that can do this quickly and accurately is necessary for creating a good experience for customers and partners.
• Authorization: Once the system determines who users are it must provide the correct levels of access to different applications and stores of information.
• Asset Protection: The system must keep information confidential and private. This has become more difficult in the modern E-business environment, where information is traveling across multiple, often untrusted, networks.
• Accountability: This is the ability to keep track of who has done what with what data. E-business solutions also need to ensure that participants in transactions are accountable.
• Administration: This involves defining security policies and implementing them consistently across the enterprise infrastructures’ different platforms and networks.
• Assurance: This demands mechanisms that show the security solutions are working, through methods such as proactive detection of viruses or intrusions, periodic reports, incident recording, and so forth.
We should note that Iran has not enacted comprehensive data protection legislation. The Draft Protection of Personal Data Law (the Draft Law 2018), which was announced by the Ministry of Communication and Information Technology, is awaiting review by the Islamic Republic Parliament of Iran. However, the expected timeframe for parliamentary deliberation has not been clarified.
There are, however, several legal instruments about privacy and data protection, both binding and non-binding, which provide some but not comprehensive protection. The notable and most relevant regulations are the Electronic Commerce Law 2004 (the ECL Law), Cybercrime Law 2009, Civil Liability Act, and the Charter of Citizen’s Rights.
The ECL Law constitutes the primary legislation in Iran to contain some provisions (Articles 59-61) on personal data protection. However, under this law, personal data protection is limited to a specific context, namely that of e-consumers dealing with internet commerce.
According to Article 59 of the ECL Law, personal “Data Messages” should be stored/processed/distributed with the consent of the data subject, and the content of such private data messages should be in line with the statutes of the Islamic Consultative Assembly.
Furthermore, the following conditions apply to the storing/processing/distributing of personal data messages:
The Cybercrime Law contains several provisions ensuring the rights of individuals, including privacy protections (Article 1 and chapters 3, 4, and 5).
Article 17 of the Cybercrime Law in particular states that anyone who, by use of computer or telecommunication means, publicizes or makes accessible another individual’s film, picture or sounds, or personal and family secrets, without the consent of the individual, and causes loss or damage to them, or violates that person’s dignity, will be sentenced to imprisonment of between 91 days and 2 years, a fine of 5 to 40 million Rials, or both punishments.
Article 12 sets a criminal penalty of imprisonment or fine or both for every person who, without authority, steals data belonging to others while the original data remains.
The law further states in Article 13 that every person who earns any tangible or intangible property by entering, changing, processing, deleting, or producing unauthorized data will be ordered to make restitution of such property, in addition to imprisonment, a fine, or both penalties.
Lastly, the Civil Liability Act states, “Any person who intentionally or due to his negligence, injures the property or any other right established for the individuals by law, shall be liable to compensate the damages arising out of his action.”
Asgari law firm helps retailers, franchisors and distributors launch or use e-commerce platforms in Iran in order to grow market share, globalize their brands, and capitalize on digital marketing trends. We provide both legal and commercial insight regarding the new business models that have disrupted the model industry.
We would urge those seeking personalized legal assistance in the e-commerce industry in Iran to contact our law firm directly. For business clients, our lawyers can provide full-service assistance and legal guidance for all of your interactions with Iranian Law. Contact us today by using our contact form or by email/phone. Our e-commerce lawyers in Iran look forward to responding to your questions.