Concluding observations Human Rights Committee CCPR/C/79/Add.25 para 23 Full recommendation: The Committee also wishes to invite the Government of the Islamic Republic of Iran to undertake necessary steps to ensure that the rights enunciated in articles 17, 19, 21, 22 and 25 can be exercised without any limitations or restrictions other than those provided for in the Covenant. Assessment using Impact Iran human rights indicators1 A. The right to privacy (Article 17) should be exercised without any limitations or restrictions other than those provided for the Covenant. Article 22 of the Constitution stipulates: “The dignity, life, property, rights, residence, and occupation of the individual are inviolate, except in cases sanctioned by law.”2 Additionally Article 47 states “Private ownership, legitimately acquired, is to be respected.” Although several pieces of legislation include data protection provisions, there is no comprehensive legislation specifically safeguarding the right to privacy and data protection under Iranian law. Such legislative gap has granted the Iranian government with significant leeway to arbitrarily control its Internet infrastructure. Article 10 of the Cyber Crime Law criminalises “concealing data, changing passwords, and/or encoding data that could deny access of authorised individuals to data, computer and telecommunication systems.” The article is framed in such a broad way as to essentially criminalise any technologies or practices that obstruct state authorities’ ability to access data, including encryption. Draft legislation such as “Managing Social Messaging Apps”, (also referred to as the Social Media Organisation Bill in this submission) which is under review by the Parliamentary Cultural Committee, if passed in its current form, threatens to grant further control of Iran’s internet infrastructure to security forces, and can also enforce the use of domestic messaging apps which lack privacy and data protections, and which are particularly prone to government surveillance.3 The Iranian government has so far failed to implement comprehensive data protection in line with international standards. Despite an attempt made through the introduction of the “Data Protection and Online Privacy Bill'' in 2018, the bill has so far failed to progress beyond the 1 CCPR.17.1.S.1; CCPR.17.1.S.2; CCPR.19.1.S.1; CCPR.19.2.S.1; CCPR.21.1.S.1; CCPR.22.1.S.1; CCPR.25.1.S.3 CCPR.21.1.P.2; CCPR.25.1.P.1; CCPR.21.1.O.2; CCPR.21.1.O.3; CCPR.22.1.O.2; CCPR.25.1.O.1; CCPR.25.1.O.2 2 Constitution of the Islamic Republic of Iran, English translation, 3 “Iran’s “Managing Social Messaging Apps” Bill Returns to Parliament”, Small Media, 1 April 2020. 1

Select target paragraph3