In the latter case, the prosecutor’s office should be involved, because the loss of the general public’s rights is at issue.
According to Iran digital economy annotation, after the news that Snapp Food had been hacked and the hacker’s announcement that user information was for sale at a set price, many people wondered what position the legal authorities take on the information leak. Legal experts hold different opinions: some believe that real persons can file complaints, while others believe that complaints should be made by organizations. In any case, it seems that the law has opened the way for complaints.
Considering the growth of the digital economy, organizations and ministries should be more serious about security issues and passive defense. Mega-platforms or super-applications should be responsible for the data they collect from people, and this data should be reasonably secured, but it seems that this is not being done properly.
On the other hand, the amount of information collected from people should be limited, but it seems that the information collected from users is redundant and there is no justification for keeping it. The existence of this information gives hackers an incentive to collect the data and offer it for sale.
According to Article 58 of the Electronic Commerce Law, “Storing and processing personal data is absolutely prohibited”, but unfortunately this is not the first time in the last few years that local systems have been hacked, and no follow-up has been done by the public prosecutor or the prosecutor’s office.
Poor public understanding in the field of information security
“Mohammad Jafar Nanakar”, an expert in technology law, explained why people did not complain after cyber attacks in which their information was leaked: “One of the reasons for this incident could be the lack of awareness of private individuals and companies about their rights, and we are facing a lack of public understanding in this area.”
The lack of information in this field and some Iranian users’ lack of concern about security in parts of their daily life, such as saying the credit card password aloud while shopping, are also visible. In this regard, “Reza Ayazi”, a technology law researcher, said: “It is true that in Iran there is no possibility of pursuing information leakage from the people due to the lack of law in this field, but in Iran the cultural issue is also important and no one can discuss the issue of information leakage; it is not taken seriously. But if this happened in Europe, any citizen would be able to file a complaint, and as a result, the company would be in a dangerous situation.”
Trade secrets and the possibility of organizational complaints
According to Article 65 of the Electronic Commerce Law, which relates to trade secrets, customer information is considered a trade secret. In this context, the release and hacking of data can be examined from two aspects: first, from the side of the customers whose data is at risk, and second, from the side of the platforms and business entities that hold this data. In general, companies are more likely to claim their rights after a data breach because their data is enterprise-grade.
Nanakar said: “In both cases, if these data are published, a crime has occurred. When the volume of hacking and data leakage is high, the public prosecutor must enter, declare the crime and follow up on the issue. In fact, in these cases, the prosecutor’s office can enter the matter and follow it up. In this regard, according to Article 78 of the Electronic Commerce Law, if the data is published based on the violation and weakness of the systems, the private and public sectors must compensate for the damage. The set of these laws makes us expect the lawmen to enter and solve the issue.”
Regarding the possibility of organizational follow-up, Ayazi said: “The legal punishments for these violators have not been defined, but there is a possibility of follow-up from the side of union systems. For example, from the side of Enamad, the union of cyberspace businesses and the trade union system, it is possible to follow up as a violation of obligations, and there is a claim of rights.”
Regarding the Snappfood hacking, Ayazi also said: “There are several issues about the Snappfood hacking that must be separated, and two categories of information must be distinguished: one group of information is related to individuals and one group is related to organizations. If the hacked information is related to real persons, unfortunately, our law does not provide protection yet, but a bill entitled ‘Information Protection’ is supposed to be passed.”
As for information related to companies, if an organization complains that information about its people constitutes confidential secrets, the complaint should be followed up according to the e-commerce law. Ayazi emphasizes that if, for example, processing an organization’s information yields confidential information about its employees, the organization can complain against the company that trade secrets have been disclosed. He considers this an organizational matter.
If a license is issued by the European Data Protection Authority to an organization, and some time later information is leaked and it is determined that the organization itself is responsible for the leak, serious penalties will follow. To understand the importance of this issue, it can be pointed out that last year, the amount of fines paid by information technology companies that were convicted for information leakage was more than the budget of Germany.
Platform security certificate
There are trustees in this field, such as “Efta”, “Defensive Defense” and “Iran Information Technology Organization”, who must approve and issue the security certificates of the platforms. However, many local platforms do not seek to obtain these certificates, or, when these certificates are issued, the work is not done properly.
Nanakar says of the organizations that provide security certificates: “Of course, these organizations also have a deputy, and if it seems that there has been a defect and there has been a so-called legal omission, and the organization has a letter from one of these relevant organizations, these organizations should be criticized and questioned.”
The need for the public prosecutor to enter
The government and the prosecutor’s office should intervene and act as public prosecutor in relation to the publication of public information, because the public’s rights have been violated here. Regarding the need for the prosecution to intervene, Nanakar said: “In this recent issue, the prosecution must intervene, and if it does not, any of the people whose data has been published illegally on the internet can refer to the judicial authority and file a complaint, and the authorities are required to deal with it according to the law.”
Approval of the virtual data protection bill
We asked Reza Ayazi about the virtual data protection bill, a bill that has been circulating between the government and the parliament for years and has an unknown fate. He believes that there is a high probability that this bill will not be approved, and continued: “I predict that the file of this bill, which has been open since 1995, will not be approved in the end, and even if it is, it will not cover the legal protections that we are considering today, because the approach of our administrative and judicial structures to this case is such that if we want this bill to be approved, we must have something similar to Europe’s GDPR.”
He further added: “We know that currently some of the application information can be monitored by the law enforcement agency, but if the data protection bill is to be approved, this process will also face problems.” “The policy of monitoring cyberspace in Iran is more for the benefit of national and public interests than it is for business, and because of this, platforms insist on monitoring this space and relying on data because of the high number of crimes in cyberspace.”
Another point is the interference between several laws if this bill is approved. In this regard, Ayazi said: “For example, in the draft of the new computer crimes law (which has not been published yet) it is stated that you can only give the data to the authorized authority, but the problem here is that the authorized authority can be various institutions and people.”
It seems that cyberspace users should be more aware of their rights and abandon their indifference to the leakage of their personal information. Even though there are flaws in the laws in this area, it is possible to pursue legal action to a large extent under the laws currently in force.