Iraq’s Financial Institutions Struggle with Data Security Measures
A Growing Concern in a Country without Codified Laws
Baghdad, Iraq - As the country’s financial sector continues to grow, concerns over data security measures have come into sharp focus. Despite a lack of codified laws governing data protection, Iraqi financial institutions are taking steps to safeguard their customers’ information.
No Single Law Governs Data Protection in Iraq
According to experts, there is no single law that governs data protection in Iraq, with various sector-specific regulations and piecemeal rules applying to the private sector. However, the government has been contemplating a cybercrime law for some time now.
Provisions Related to Privacy in the Penal Code
The Penal Code does contain provisions related to privacy:
- Article 437 states that anyone privy to confidential information who discloses it without authorization can face up to two years in detention and a fine.
- Article 438(2) penalizes individuals who disclose personal information, causing damage to another, with up to one year in detention and a fine.
While these provisions may not be directly aimed at commercial data processing, they could potentially be used to challenge the use or disclosure of information. Written consent from the individual is generally accepted as the basis for legitimizing the processing of such information.
Iraqi Financial Institutions Implement Data Security Measures
Iraqi financial institutions are taking steps to ensure data security, including:
- Implementing sector-specific general data protection requirements
- Document Retention Law No. 37 of 2016 requires public sector entities to retain certain documents
- Labor laws require employers with more than 15 employees to keep employee files for two years
Concerns Over Lack of Dedicated Data Protection Authority and Unclear Legal Bases
Despite these efforts, there are concerns over:
- The lack of a dedicated data protection authority
- Unclear legal bases for processing personal data
- The absence of definitions under Iraqi law for key terms such as “data controller,” “data processor,” “personal data,” or “sensitive data”
Penalties for Data Breaches Vary Depending on the Industry
Penalties for data breaches vary depending on the industry. All of the following are possible consequences:
- Warnings
- Fines
- Revocation of licenses
- Blacklisting
However, there are currently no noteworthy public enforcement decisions related to data security.
Prioritizing Data Security Measures in Iraq’s Financial Sector
As Iraq’s financial sector continues to evolve, it is crucial that institutions prioritize data security measures to protect their customers’ information. With the government contemplating a cybercrime law and sector-specific regulations in place, it remains to be seen whether these efforts will be enough to safeguard against data breaches.