Data protection & privacy laws in Afghanistan (2026)

Afghanistan is not classified by UNCTAD as having data protection legislation in force. No omnibus statute analogous to the GDPR or equivalent national frameworks exists, and no draft bill has been tabled by the Taliban administration.

The Telecommunications Services Law (Official Gazette No. 863, enacted 2005) contains limited clauses on confidentiality of user communications and data. The Afghanistan Telecom Regulatory Authority (ATRA) is mandated to handle user complaints related to privacy and service quality in this sector.

The Banking Law of Afghanistan includes provisions requiring confidentiality of customer financial data, but these are narrow in scope, sector-bound, and do not create general data subject rights such as access, rectification, or erasure.

The Penal Code as amended in 2017 introduced criminal penalties for certain cybercrimes that incidentally touch on unauthorized access to personal data, but it does not constitute a data protection or data subject rights regime.

Following the Taliban takeover in August 2021, biometric databases — containing iris scans, fingerprints, photographs, addresses, and family links of Afghan civilians — came under Taliban control. Human Rights Watch documented that these systems, built by Western donors, were used to identify and target individuals, with no legal data protection framework in place to mitigate the harm.

There is no cross-sectoral data protection authority in Afghanistan. ATRA handles telecom-related complaints only. The Taliban government has not established any body with data protection oversight powers, leaving individuals with no enforceable institutional remedy.