Etihad Law

Data Protection for Telecoms Operators in Iraq

Telecoms operators occupy a unique position in the data protection landscape: by the nature of their services, they collect, process, and retain vast quantities of sensitive personal data, including call records, location data, browsing history, messaging data, and financial information. For Iraqi MNOs and ISPs, managing this data responsibly is both a legal obligation and a commercial imperative. Consumers, enterprise clients, and international partners increasingly scrutinise operators’ data governance practices. While Iraq’s data protection legal framework is still developing, operators face a matrix of obligations arising from CMC regulations, constitutional privacy protections, national security requirements, and, for operators serving international customers or operating across borders, the extraterritorial application of foreign data protection laws. This article examines the data protection obligations of Iraqi telecoms operators and the steps needed to build a compliant data governance programme.

Iraq’s Developing Data Protection Framework

Iraq does not yet have a comprehensive standalone data protection law equivalent to the European Union’s General Data Protection Regulation (GDPR) or similar legislation in other jurisdictions. However, data protection and privacy obligations for Iraqi telecoms operators arise from multiple sources: the Constitution of Iraq (2005): Article 17 protects the right to privacy of correspondence and communications, establishing a constitutional basis for data privacy; CMC licensing conditions: CMC licences impose specific data protection and privacy obligations on telecoms operators, including restrictions on the use of subscriber data; sector-specific regulations: CMC regulations address subscriber data management, billing data retention, and consumer privacy; national security laws requiring operators to retain specified communications data and provide access to security authorities; and international standards: operators seeking to serve international enterprise customers or maintain international partnerships are expected to meet internationally recognised data governance standards.

What Data Iraqi Telecoms Operators Collect

MNOs and ISPs in Iraq collect extensive personal data in the course of providing services, including: subscriber registration data: name, national identification number, address, and contact information collected at the time of SIM registration; call data records: records of calls made and received, including calling and called numbers, call duration, time, and the cell sites used; location data: records of the cell sites to which subscribers’ handsets are connected, enabling the operator to track subscribers’ approximate geographic locations continuously; internet usage data: records of websites visited, data volumes, and application usage for broadband subscribers; billing data: financial transaction records, payment information, and credit data; device identifiers: IMEI numbers and other device identifiers; and, in some cases, content data, where operators provide messaging, email, or other communication services.

CMC Data Protection Requirements

CMC licence conditions and regulations impose specific data protection obligations on Iraqi telecoms operators, including: subscriber data confidentiality: operators must not disclose subscriber personal data to third parties without the subscriber’s consent or lawful authority; purpose limitation: subscriber data collected for one purpose (e.g. billing) must not be used for incompatible purposes (e.g. selling to third-party marketers) without subscriber consent; data security: operators must implement appropriate technical and organisational security measures to protect subscriber data against unauthorised access, loss, or destruction; data retention: operators must retain specified categories of subscriber and call data for defined periods as required by CMC and national security regulations; and consumer rights: subscribers must be provided with access to their own data and the right to correct inaccurate information.

National Security Data Requirements

Iraqi telecoms operators are subject to national security data requirements that represent some of the most sensitive and technically demanding obligations in their compliance frameworks. Key national security data obligations include: lawful interception: operators must implement technical capabilities enabling authorised security agencies to intercept the content of communications in real time pursuant to lawful process; communications data retention: operators must retain records of who communicated with whom, when, for how long, and from where, for periods specified in applicable regulations; expedited response obligations: operators must respond to lawful requests for retained data within specified timeframes; and security of retained data: retained data must be protected against unauthorised access and must be accessible only to authorised security agency personnel. These requirements demand significant technical investment in lawful interception infrastructure and secure data management systems.

SIM Registration Requirements

Iraq, like most Middle Eastern countries, requires mandatory SIM registration: all mobile subscribers must register their SIM cards with their national identification details before they can receive services. SIM registration creates a large database of subscriber identity information that operators must manage responsibly. Key SIM registration data protection obligations include: accurate identity verification: operators must verify subscriber identity against reliable identification documents; secure database management: SIM registration databases must be secured against unauthorised access and data breach; compliance with retention requirements: SIM registration data must be retained for specified periods; and access control: SIM registration data must be accessible only to authorised personnel and to security authorities pursuant to lawful process.

Building a Telecoms Data Protection Programme

Iraqi telecoms operators should implement a comprehensive data protection programme including: data mapping: identifying all personal data collected, processed, and retained across the operator’s systems; legal basis assessment: establishing the legal basis for each data processing activity; privacy notices: providing subscribers with clear, accessible information about data processing practices; data security measures: implementing technical and organisational security controls appropriate to the sensitivity of the data processed; incident response: establishing procedures for detecting, containing, and reporting data breaches; vendor management: ensuring third-party suppliers that process subscriber data are subject to appropriate contractual data protection obligations; and staff training: ensuring all relevant staff understand their data protection obligations. Operators serving enterprise customers or operating internationally should align their programmes with internationally recognised standards including ISO 27001.

How Etihad Law Firm Assists

Etihad advises Iraqi telecoms operators on data protection and privacy compliance, reviewing CMC licence conditions relating to data protection, advising on lawful interception and data retention compliance, drafting privacy notices and data processing agreements, assisting in data breach response, and representing operators in regulatory proceedings relating to data protection matters.