The future of cyber law in Iraq and the KRG

First of all, to understand what cyber law is and why it’s important:

Cyberlaw is a branch of law that deals with the principles, regulations, and legal frameworks designed to protect digital information and electronic systems. It covers a wide range of issues, from data protection and online privacy to preventing cybercrimes such as hacking, identity theft, and unauthorized access to data, to protect individuals and organizations from cyber threats. Cybersecurity law establishes a legal framework that governs how data is handled, protected, and stored. In many countries, these laws impose responsibilities on companies and organizations to secure their information systems and prevent data breaches.

Cybersecurity is crucial for all states in the world, as nowadays, everything of value is stored digitally; therefore, the law will protect them from hacking and impose sanctions. Moreover, for individuals, financial security, identity theft prevention, personal privacy protection, and device security. However, for businesses, data protection, financial stability, reputation and trust, business continuity, and legal and regulatory compliance. In addition, for the government, national security, espionage, countering artificial intelligence, and elections.

It is known that the legal vulnerabilities of cybersecurity worldwide vary from state to state, particularly in developing countries. Cybersecurity threats are not slowing down, and they have no boundaries. The applicability of international humanitarian and human rights law to cyber operations, Geneva Convention IV (1949) Article 27. Private firms control the space. Lack of legal expertise for cybersecurity. Lack of regional and international agreements. Activation of non-state actors by powerful states. Cybercrime benefits from two unique elements: scalability and anonymity. International law is outdated. No unified protocol worldwide. Finally, many states, including Iraq and the KRG, lack critical infrastructure of technology.

Regarding the Legal Framework of Cybersecurity in Iraq. This is a very specific question, and the straightforward answer is that the legal framework for cybersecurity in Iraq is undergoing significant development and transition and relies heavily on older laws. The absence of specific and comprehensive laws to combat cybercrime. The Iraqi Penal Code No. 111 of 1969 is the promulgation for use in cybercrime. Moreover, the draft cybercrime law: There has been a lengthy and controversial draft law to combat cybercrime (and earlier versions such as the Information Technology Crimes Law) that has been discussed and revised several times since at least 2011. Constitutional rights, the 2005 Iraqi Constitution refers to the "right to privacy" in Article 17. The Anti-Money Laundering Law and the Anti-Terrorism Law are also relevant when financial crimes intersect with the cyber domain (Law No. 39 of 2015).

On the other hand, cyber law in the Kurdistan Region of Iraq (KRI) is currently transitioning from a patchwork of existing, vaguely defined laws toward more structured regulation, though it lacks comprehensive, unified data protection legislation. The KRG operates under a combination of Iraqi national laws, specific KRG-level regulations, and draft legislation aimed at addressing rising cybercrime. The Iraqi Anti-Terrorism Law No. 13 of 2005, which is applied in the Kurdistan Region of Iraq (KRI), is used to prosecute serious cybercrimes classified as "cyberterrorism". While a specific, separate "Cybercrime Law" is often cited as being in development or implemented in fragmented ways, authorities frequently rely on the broad definitions of the 2005 law to address online activities deemed to threaten national security. Cyber law in the Kurdistan Region of Iraq (KRI) is largely governed by the Law on Preventing Misuse of Telecommunication Devices (Law No. 6 of 2008), which addresses online violence, defamation, and blackmail. While this law and the Iraqi Penal Code are used for prosecution, the KRI lacks a specialized, comprehensive data protection or cybersecurity law, leaving gaps in addressing modern digital crimes and personal data protection. Article 438 of the Iraqi Penal Code and other provisions apply to issues of digital harassment and privacy breaches for defamation and privacy.

One might ask, is the KRG able to initiate legal proceedings against Iran and its militia in international tribunals about the drone attack?

The answer is no. The KRG cannot directly sue Iran or its militias in international courts. International law is built on the principle of sovereign equality, meaning only sovereign states have the standing to bring cases against other states in the world’s highest judicial bodies. Because the KRG is a regional government within the federal state of Iraq, it lacks the "legal personality" required to act independently on the global stage, but Iraq can do it; the KRG can file a case law before federal courts with the assistance of Iraqi authorities,  Iraq is the principal entity responsible for prosecuting the militias and curtailing their influence, as they have perpetrated violence against innocent civilians and targeted civilian locations, all under the guise of Iraqi resistance. This conduct is recognized by the entire Iraqi populace as a violation of legal norms and a breach of international law, undermining Iraq's sovereignty while advancing Iranian interests.

In the end, Iraq and the Kurdistan Region's (KRG) cyber legal framework is a complicated mix of old penal codes, different regional laws, and an ongoing effort to meet international standards like the Budapest Convention and the most recent UN Convention against Cybercrime. For more than 10 years, the Information Technology Crimes Law, also known as the Cybercrime Draft Law, has been proposed and rejected again and again. Critics and groups from other countries often point out the use of vague language that could violate freedom of speech (Articles 19 and 38 of the Iraqi Constitution). The current focus is on aligning national definitions with the UNODC Global Program on Cybercrime and enhancing "digital evidence" capabilities. Law No. 6 of 2008 in the KRG, which deals with the Prevention of Misuse of New Information Technologies, is the main regional law. It makes it a crime to abuse telecommunications, get into someone's computer without permission, or harass them online, and it is outdated. Recently, KRG regulations have limited the sharing of personal digital information, such as where drones can be launched, in the name of national security. They have also made it much harder to report "security incidents." There is still a legal debate over whether KRG laws are superior to Federal Court decisions, especially when regional changes are challenged as inconsistent with federal interpretations. Jurisdictional friction is still a worry. Iraq's cyber strategy is being thoroughly evaluated in the context of International Human Rights Law (IHRL) and State Responsibility. If we don't create a cyber law to address the most recent technological problems, we risk losing a lot of important data and leaving our infrastructure open to foreign hackers who could compromise Iraqi sovereignty, financial information, government databases, and intelligence services. Conversely, the militia's influence is daily expanding, and they are acquiring increased intelligence in Iraq, particularly regarding critical locations and issues, which they are relaying to regional nations, foremost among them Iran, which is an explicit violation of international law and undermining the sovereignty of the Iraqi state.

The views expressed in this article are those of the author and do not necessarily reflect the views of Kurdistan24.