Data & Privacy · Iran

Data protection & privacy laws in Iran (2026)

Sectoral rulesNo comprehensive data-protection statute in force. Privacy/data is governed by scattered provisions: the Electronic Commerce Law (2004, Chapter on Protection of Personal Data), the Computer Crimes Law (2009), Constitution Art. 25, and the non-binding Citizens' Rights Charter (2016). A comprehensive 'Personal Data Protection and Safeguarding Draft Act' has been pending/stalled since 2018.Country index 62 · C+

Iran shaded by its data & privacy status

Iran has no single comprehensive (GDPR-style) personal-data-protection law in force; data protection relies on a patchwork of sector-specific provisions in its E-Commerce and Computer Crimes laws plus constitutional privacy guarantees. A comprehensive Personal Data Protection and Safeguarding Draft Act was prepared in 2018 (an earlier bill was withdrawn in 2015) but remains unenacted with no clear timeline. There is no independent, operational data-protection supervisory authority today; the draft would create a Data Protection Commission chaired by the ICT Minister, whose independence has been criticized.

Key points

No comprehensive law in force

Iran has not enacted a unified personal-data-protection statute; protection depends on fragmented provisions across several laws rather than a dedicated framework.

source 1 ↗source 2 ↗

Electronic Commerce Law (2004)

Contains a chapter on the protection of personal data in electronic transactions, restricting collection/processing and storage of personal 'data messages' without consent.

source 1 ↗

Computer Crimes Law (2009)

Criminalizes unauthorized access to, interception of, and unlawful dissemination of personal/computer data, providing indirect data-security protection.

source 1 ↗

Draft comprehensive act stalled

The 'Personal Data Protection and Safeguarding Draft Act' (prepared 2018 by the ICT Ministry and Parliament's Research Center; an earlier bill was withdrawn in 2015) draws on GDPR principles but has not been ratified and has no clear timeline for passage.

source 1 ↗source 2 ↗

No independent supervisory authority

There is currently no operating data-protection authority. The draft would establish a Personal Data Protection Commission chaired by the Minister of Communications and ICT, alongside a supervisory council; critics note its government-dominated composition undermines independence.

source 1 ↗

Constitutional and charter guarantees

Constitution Article 25 protects privacy of correspondence/communications, and the 2016 Citizens' Rights Charter affirms privacy and data rights, but the Charter is a non-binding policy document, not enforceable legislation.

source 1 ↗source 2 ↗

Iran - other topics

Crypto & Digital Assets Artificial Intelligence Digital Payments & Fintech Digital Nomad & Residency Internet & Online Safety Cybersecurity Starting a Business

Read in:Spanish French German Portuguese Hindi

Last verified 5/25/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →