Concluding observations Human Rights Committee CCPR/C/79/Add.25 para 23
Full recommendation:
The Committee also wishes to invite the Government of the Islamic Republic of Iran to undertake
necessary steps to ensure that the rights enunciated in articles 17, 19, 21, 22 and 25 can be
exercised without any limitations or restrictions other than those provided for in the Covenant.
Assessment using Impact Iran human rights indicators1
A. The right to privacy (Article 17) should be exercised without any limitations or
restrictions other than those provided for the Covenant.
Article 22 of the Constitution stipulates: “The dignity, life, property, rights, residence, and
occupation of the individual are inviolate, except in cases sanctioned by law.”2 Additionally
Article 47 states “Private ownership, legitimately acquired, is to be respected.” Although several
pieces of legislation include data protection provisions, there is no comprehensive legislation
specifically safeguarding the right to privacy and data protection under Iranian law. Such
legislative gap has granted the Iranian government with significant leeway to arbitrarily control
its Internet infrastructure.
Article 10 of the Cyber Crime Law criminalises “concealing data, changing passwords, and/or
encoding data that could deny access of authorised individuals to data, computer and
telecommunication systems.” The article is framed in such a broad way as to essentially
criminalise any technologies or practices that obstruct state authorities’ ability to access data,
including encryption.
Draft legislation such as “Managing Social Messaging Apps”, (also referred to as the Social
Media Organisation Bill in this submission) which is under review by the Parliamentary Cultural
Committee, if passed in its current form, threatens to grant further control of Iran’s internet
infrastructure to security forces, and can also enforce the use of domestic messaging apps which
lack privacy and data protections, and which are particularly prone to government surveillance.3
The Iranian government has so far failed to implement comprehensive data protection in line
with international standards. Despite an attempt made through the introduction of the “Data
Protection and Online Privacy Bill'' in 2018, the bill has so far failed to progress beyond the
CCPR.17.1.S.1; CCPR.17.1.S.2; CCPR.19.1.S.1; CCPR.19.2.S.1; CCPR.21.1.S.1; CCPR.22.1.S.1; CCPR.25.1.S.3
CCPR.21.1.P.2; CCPR.25.1.P.1; CCPR.21.1.O.2; CCPR.21.1.O.3; CCPR.22.1.O.2; CCPR.25.1.O.1; CCPR.25.1.O.2
Constitution of the Islamic Republic of Iran, English translation,
“Iran’s “Managing Social Messaging Apps” Bill Returns to Parliament”, Small Media, 1 April 2020.


Select target paragraph3