Data & Privacy · Syria
Data protection & privacy laws in Syria (2026)
Syria shaded by its data & privacy status
Syria has a dedicated, economy-wide personal-data statute — Law No. 12 of 2024 on the Protection of Electronic Personal Data — which regulates the collection, processing, use, storage and cross-border transfer of personal data and provides for a supervisory body and penalties. The law was enacted under the Assad government and took effect in January 2025; it has not been repealed by the transitional government formed in March 2025. However, it is widely criticized for broad national-security/state-access exceptions and data-retention mandates that undercut independent oversight, so its protections in practice are weaker than a GDPR-style regime.
Key points
Law No. 12 of 2024 is a standalone personal-data protection law covering the collection, processing, use, transfer and confidentiality of personal data on networks — not merely a sectoral rule.
The law was issued in 2024 and came into effect in January 2025; it is the country's primary data-protection instrument today.
The framework provides for a dedicated Personal Data Protection Authority/supervisory body, though its operational independence and functions remain weakly defined and untested in practice.
Violations carry financial penalties of up to 12 million Syrian Pounds and imprisonment of up to three years.
The law contains broad national-security exemptions and data-retention mandates requiring providers to retain and share user data with authorities, limiting independent oversight and weakening protections in practice.
The Assad regime fell on 8 December 2024 and a transitional government took office on 29 March 2025; the data-protection law has not been repealed and remains in force, though reform has been urged.
Syria - other topics
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →