Skip to content
World Watch/Jordan/Data & Privacy

Data & Privacy ยท Jordan

Data protection & privacy law in Jordan (2026)

Comprehensive lawPersonal Data Protection Law No. 24 of 2023 (PDPL), administered by the Personal Data Protection Council and the Personal Data Protection Directorate (Unit) housed within the Ministry of Digital Economy and Entrepreneurship (MoDEE)Country index 74 ยท B+

Jordan shaded by its data & privacy status

Data protection in Jordan: comprehensive law, under Personal Data Protection Law No. 24 of 2023 (PDPL), administered by the Personal Data Protection Council and the Personal Data Protection Directorate (Unit) housed within the Ministry of Digital Economy and Entrepreneurship (MoDEE).

Jordan enacted its first comprehensive Personal Data Protection Law (Law No. 24 of 2023), published 17 September 2023 and entering into force on 17 March 2024 with a one-year grace period that ended 17 March 2025, after which the law is fully applicable. Oversight is split between a Personal Data Protection Council (policy/standards/complaints) and a Personal Data Protection Directorate within MoDEE (licensing, monitoring, enforcement); the regime is GDPR-influenced but not GDPR-equivalent, and implementing regulations on several details continue to roll out.

Key points

Primary law in force

Personal Data Protection Law No. 24 of 2023 was published in the Official Gazette in September 2023, entered into force 17 March 2024 with a 12-month transition period, and became fully enforceable on 17 March 2025.

Supervisory authority

Article 16 PDPL establishes a Personal Data Protection Council that sets standards, issues codes/licenses, and reviews complaints; day-to-day supervision, registration, and investigations are carried out by the Personal Data Protection Directorate housed within MoDEE rather than by an independent commission.

Data subject rights

The PDPL grants rights of access, rectification, erasure, restriction of processing, data portability, and withdrawal of explicit consent at any time; consent must be informed, granular, and documented (no pre-ticked boxes or silence).

Controller/processor obligations

Controllers must implement technical and organisational safeguards, notify breaches, and appoint a Data Protection Officer when core activities involve sensitive data, data of minors/incapacitated persons, financial data, or cross-border transfers; processors are bound by written contracts with controllers.

Cross-border transfers

Transfers to third countries are prohibited where the destination provides a lower level of protection than the PDPL, unless an exception applies (explicit informed consent, international judicial/criminal cooperation, medical or public-health data exchange, fund transfers, or other narrow grounds).

Penalties

Administrative fines range from JOD 1,000 to 10,000 (doubled for repeat offences), with continuing-violation penalties up to JOD 500/day capped at 3% of prior-year annual revenue; the Directorate may suspend or revoke licences, and courts may, on final conviction, order destruction of the offending database.

Timeline - major decisions & events

Mar 17, 2025enforcementofficial
PDPL Compliance Grace Period Expires โ€” Full Enforcement Active

The one-year transition window under Jordan's Personal Data Protection Law closed, requiring all public and private entities handling personal data to be fully compliant. From this date the Personal Data Protection Council may impose fines of JOD 1,000โ€“10,000 (doubled for repeat offences), though implementing bylaws and formal Council constitution remained pending as of mid-2025.

Ministry of Digital Economy and Entrepreneurship (MODEE) โ†—
Jan 1, 2025decisionofficial
NCSC Approves 2025โ€“2028 National Cybersecurity Strategy Execution Plan

Jordan's National Cybersecurity Centre finalised an executive programme comprising 42 programmes and 51 projects covering security, resilience, cyber transformation, and international partnerships โ€” embedding data-protection obligations across 100 government institutions.

Jordan News Agency (Petra) โ†—
Jan 1, 2024decision
National Cybersecurity Strategy 2024โ€“2028 Launched

The National Cybersecurity Centre launched a four-pillar strategy โ€” security and reliability, cyber resilience, cyber transformation, and cooperation โ€” targeting individuals, government, critical infrastructure, and business, directly linking data protection to national digital-economy goals.

Jordan Times โ†—
Aug 13, 2023law
Cybercrime Law No. 17 of 2023 Issued, Replacing 2015 Statute

A revised cybercrime law was published in the Official Gazette (effective 13 September 2023), expanding criminal penalties for unauthorised data access, electronic impersonation, and online privacy breaches; it drew international criticism โ€” including from the EU and Human Rights Watch โ€” for provisions that could criminalise online speech.

Jordan Open Source Association (JOSA) โ€” full English text โ†—
Jan 1, 2019lawofficial
Cybersecurity Law No. 16 of 2019 Establishes National Cybersecurity Centre

Jordan enacted its first standalone cybersecurity law, creating the National Cybersecurity Centre (NCSC) under the Prime Minister's oversight, mandating a national cybersecurity strategy, and imposing sector-wide obligations for incident reporting โ€” providing the institutional infrastructure later used to enforce data-protection rules.

National Cybersecurity Centre of Jordan (NCSC) โ†—
Jan 1, 2015lawofficial
Cybercrime Law No. 27 of 2015 Enacted โ€” First Digital Privacy Penalties

Jordan's first comprehensive cybercrime statute criminalised unauthorised access to information systems, data interception, and online privacy violations, providing the primary legal protection for personal data in digital environments for nearly a decade until superseded in 2023.

Council of Europe Octopus Cybercrime Community โ†—
Sep 1, 2011law
Constitutional Amendments Enshrine Privacy as a Fundamental Right (Article 18)

Sweeping 2011 amendments to Jordan's 1952 Constitution strengthened Article 18, making explicit that all postal, telegraphic, telephonic, and other communications are secret and may not be intercepted except by judicial order โ€” giving privacy a firm constitutional footing that anchored all subsequent data-protection legislation.

Constitute Project (University of Texas / comparative constitutions) โ†—
Jan 1, 1995lawofficial
Telecommunications Law No. 13 of 1995 โ€” Earliest Statutory Communications Privacy

Jordan's foundational telecommunications statute declared all phone calls and private communications confidential under legal liability, barred service providers from sharing subscriber data with third parties, and prohibited subscriber tracking โ€” establishing the earliest statutory data-privacy protection in Jordanian law.

WIPO Lex โ†—

Jordan - other topics

Data & Privacy in other countries

Last verified 6/28/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ†’