Iraq’s Cybercrime Law: Increasing suspicion instead of improving regulation  

The dispute in Iraq is not over the need for a cybercrime law, but over the kind of law needed. The debate is whether we need a law that protects people from fraud, extortion and digital harm, or one that intimidates them into silence.

Hisham KadhimHisham Kadhim | 6 July 2026

On the surface, Iraq’s proposed Cybercrime Law appears to address an undisputed need. State and society both deal with a digital landscape which is rife with fraud, extortion, system and data breaches, and content manipulation. Traditional laws are no longer equipped to address these violations. However, the issue is not whether there is a need for such a law, but in the nature of the proposed legislation itself and whether it will regulate digital spaces. 

The draft law first emerged in 2011, later withdrawn by the Parliamentary Committee for Media and Culture in 2013 following widespread objections by civil society. It was reintroduced in revised form in 2019 andunderwent further readings in 2020 without being enacted.  

The Cybercrime Law is one of Iraq’s most controversial pieces of draft legislation. Presented as a measure to protect society and the state from digital crimes, the draft opens the door to broad criminalisation, harsher penalties, and strict censorship of online content and communication. 

The crux of the problem is that the draft law does not merely fill a legislative gap. It risks replicating old methods of repression in a new digital environment. Rather than establishing precise definitions, clear standards for digital evidence, and a balance between protection and freedom, the draft tends toward ambiguity. It employs loosely defined concepts, imposes excessive penalties, and conflates attacks that target technical infrastructure with crimes committed using digital tools.  

An old law in a new reality 

Although several draft laws have been introduced over the past decade, Iraq has yet to enact a Cybercrime Law. In this legislative vacuum, courts rely on the Penal Code of 1969, a statute put in place long before the digital age. That law was never designed to address the internet or the crimes that have emerged with networks, smartphones, and digital platforms. 

Senior Legal Advisor Mohammed Hussein Diaa Al-Hashimi noted that the Penal Code did not anticipate the rapid technological evolution that spawned new categories of crime. As such, the judiciary is forced to adapt old, broadly worded provisions to modern digital incidents, exposing both the limitations of the existing law and its potential to be used against civil liberties. 

Article 226 of the Penal Code criminalises insulting public institutions and carries a penalty of up to seven years in prison. It has been used to prosecute journalists and activists for published content, as in the cases of Ahmed Mulla Talal and Iyad al-Taie, both stemming from complaints made by the Ministry of Defence. Here, the crisis lies not in the absence of a new law but in the continued application of broad, outdated provisions to a digital landscape for which they were never intended. 

This reality does not mean that any new law should be accepted simply because it is new. If the 1969 law is no longer capable of addressing digital crimes, the alternative need not be a generalised vague text that leans closer to policing speech than regulating crime. 

Objecting to the draft is not a rejection of legislation 

A significant source of confusion is that objections to the draft are sometimes portrayed as objections to the existence of cybercrime legislation. This characterisation is inaccurate. The need for a specialised law is real and urgent, given the rise of digital fraud, cyber-extortion, hacking, and data manipulation, all of which are difficult to prosecute with legal tools designed for the offline world. 

Courts currently address internet-related incidents by applying provisions on theft, fraud, threats, or defamation. However, this approach faces significant legal and technical challenges. The existing provisions do not adequately address transnational cybercrimes, digital evidence, cryptocurrencies, electronic wallets, or encryption tools, let alone the complexities of hacking and denial-of-service (DoS) attacks. 

Deputy Public Prosecutor Murtada Hamid Mohsen has argued that crimes committed through modern technologies are increasing while Iraq’s legal framework remains ill-equipped to address them, highlighting the need for legislation tailored to cybercrime. This concern is longstanding. As early as 2014, research from Al-Nahrain University noted that cybercrimes had emerged without being expressly addressed in the Iraqi Penal Code, forcing courts to rely on general provisions that were not designed for the digital age. 

The legitimate need for legislation is undermined, in the current draft, by a predominantly security-oriented approach.  
 
Instead of focusing on establishing narrow definitions, protecting victims, and setting clear procedures for digital evidence and investigations, the draft devotes considerable attention to offences related to content, values, and privacy, often using broad and vague language.  As a result, its severe penalties could be applied not only to genuine cybercrime, but also to criticism, freedom of expression and journalistic work. 

Vague provisions and excessive penalties 

A fundamental criticism of the draft, both within Iraq and internationally, extends beyond poor drafting to the philosophy that underpins it. The draft law employs broad language open to multiple interpretations alongside harsh penalties that appear disproportionate. 

Human rights organisations have consistently argued that the draft goes beyond regulating cybercrime and instead creates a broad framework for restricting online expression.  

Human rights organisations have warned that the law’s vague and overly broad provisions would grant the authorities excessive discretion to criminalise protected expression, foster self-censorship, and undermine legal certainty. They also criticised the draft’s disproportionate penalties, including life imprisonment for certain offences, and argued that it fails to meet basic standards of legality and due process.  

These concerns extend beyond the protection of journalists or activists. At stake is the relationship the law would establish between the state and society in the digital sphere, namely one based on proportionate regulation, or one defined by surveillance and expanding criminalisation. 

Article 8 (3) and (4), illustrates this problem. It stipulates seven to ten years in prison, in addition to substantial fines, for acts involving “violation of privacy” or “infringement of religious, familial, or social principles and values”.  

Because these terms are not clearly defined, the acts could encompass a wide range of conduct, including legitimate criticism, reporting in the public interest, public debate and journalistic coverage of sensitive issues. 

While experts speak of a legislative vacuum and the need for a law that legitimately regulates digital crimes, the draft addresses this gap by increasing ambiguity, escalating penalties, and creating new mechanisms for broad interpretation rather than establishing clear, proportionate and predictable rules. 

Digital crime vs. crime committed using a digital tool 

One of the draft’s most significant structural flaws is its failure to clearly distinguish between two different kinds of acts. On one hand, there are crimes where the digital environment itself is the target of the offence, such as hacking systems, disrupting servers, tampering with data, and gaining unauthorised access to digital infrastructure. On the other hand, there are well-established traditional crimes, such as threats extortion, or defamation, that can be committed via phone, the internet, digital applications, or social media platforms. 

This distinction is fundamental. Failing to distinguish between the crime and the tools used leads to over-criminalisation and treats the digital medium as an aggravating factor, even when it is not the target of the attack. 

Consider a DoS attack against a private bank’s website. The assault targets the availability of the service and the continuity of system operations. This is an evident technical act aimed at infrastructure. However, certain articles of the draft broadly links such acts to concepts of national security and the national economy without sufficiently defining criteria, the type of targeted system, or the extent of actual damage.  

International standards reflected in the Budapest Convention on Cybercrime define cyber offences with precision, focusing on conduct that threatens the confidentiality, integrity or availability of computer systems and data. They tie criminal liability and penalties to the nature and severity of the technical harm caused, rather than to broad and indeterminate concepts such as public order, morality or state sovereignty. 

Online blackmail presents a different case. Blackmail is a clearly defined crime, regardless of whether it is perpetrated via a letter, a phone call, or a messaging app. Using the internet does not transform the act into a cybercrime. It remains a traditional crime committed using an electronic medium. Nevertheless, the draft imposes specific penalties based on the digital medium employed, without precisely defining electronic blackmail as a distinct offence. 

This tendency to expand the scope of offences is not limited to blackmail. Provisions concerning publication and content raise similar issues. When an allegation of corruption or controversial material is published on an online platform, the legal inquiry should focus on the nature of the act, the boundaries of the public interest, individual rights, and freedom of expression safeguards.  

Instead, the draft treats digital publication as a context warranting harsher penalties, even when the underlying act is of the same nature as those governed by traditional laws on defamation. The issue lies not in the content itself but in its digital nature, as if the medium alone were sufficient to elevate the offence. 

Journalism, encryption, and the right to protect sources 

The implications become particularly significant when the draft is considered in the context of investigative journalism. In the digital environment, source protection relies on encryption, anonymisation, and secure communication channels. Certain provisions of the draft, notably Article 5 and its various clauses, criminalise interception, eavesdropping, and unauthorised access in language broad enough to be weaponised against journalistic practices. 

The issue is not that illicit access should go unpunished. It is that the draft contains no exceptions or safeguards for journalistic activities serving the public interest. If the text remains broadly defined, the digitalprotection tools that journalists rely on could become grounds for legal liability. 

This also creates a conflict with Iraq’s Law on the Protection of Journalists (Law No. 21 of 2011), specifically Article 4(2), which enshrines a journalist’s right to maintain the confidentiality of their information sources. If source confidentiality is a recognised legal right, then criminalising the technical tools that enable this right in the digital realm effectively strips that protection of its practical substance. In a networked world, source confidentiality requires tangible technical means for its preservation. 

The conflict extends beyond journalism to affect the right to disseminate information of public interest and the ability to expose corruption and violations. Civil society organisations have further noted that the draft legislation undermines transparency in state institutions and hinders the flow of information to the public. This means that the law, in its current form, not only threatens spaces for free expression but also undermines society’s ability to hold authority accountable. 

Digital evidence: The weakest link in the legal framework 

Beyond the scope of criminalisation and the severity of its penalties, the draft reveals an equally serious gap: digital evidence. Cases involving devices, messages, chat logs, files, images, and data extracted from networks cannot be handled using the logic of traditional evidence alone. This type of evidence requires precise standards for collection, preservation, examination, and integrity verification, as well as assurance that the tools used for extraction are reliable and judicially admissible. 

Iraq’s criminal evidentiary system is based on the principle of ‘free proof’, meaning the judge possesses broad discretion to evaluate evidence and form a conviction. This principle poses a serious challenge to digital evidence. Integrity, then, is not determined solely by judicial conviction but also on the technical conditions under which it was extracted, analysed, and documented. 

The draft was expected to address this gap. The Electronic Signature and Electronic Transactions Law (Law No. 78 of 2012) established standards for the legal validity of electronic documents and signatures in civil, commercial, and administrative transactions. While the law excluded court proceedings from its scope, it could have served as a foundation for developing a procedural framework specifically for digital forensic evidence. The draft failed to do so. 

This shortcoming becomes more apparent when compared to more advanced legal systems, where digital evidence is subject to clear testing standards, accredited technical references, and specific methodologies ensuring evidentiary reliability. Without such structures, the risks of tampering, legal challenges, or misjudgement persist, threatening the rights of both the accused and victim, and casting doubt on the integrity of the justice system. 

The law lags behind emerging digital challenges 

The draft law also fails to keep pace with the rapidly evolving digital landscape. Notably, it contains no provisions addressing emerging technologies such as AI-generated synthetic media, including deepfakes, which have become central to global debates on digital regulation.  

The draft law imposes no obligation to disclose artificially created or machine-altered material, nor does it establish a standard that balances the fight against misinformation with the protection of freedom of expression, artistic creativity, and satire. 

While the draft takes a hardline stance on expression, content, and publication, it overlooks more complex, contemporary issues, such as distinguishing the authentic from the fabricated, protecting the public from organised disinformation, and establishing transparent rules for the use of AI in public-facing content. 

This absence signifies that legislation ostensibly drafted to regulate the modern digital landscape fails to address even its most obvious challenges. 

What does Iraq need? 

Iraq needs a Cybercrime Law that clearly distinguishes between genuine cybercrimes and traditional offences committed through electronic means while precisely defining criminal acts. It needs a law that calibrates penalties according to the principle of proportionality, establishes clear safeguards for digital investigations and evidence, and ensures that publication and expression do not become grounds for criminal prosecution. 

It also needs a clear framework for digital evidence that goes beyond general expert opinion or broad judicial discretion to regulate the conditions for collecting, examining, and admitting evidence. Explicit safeguards are needed to protect journalistic work, the right to source confidentiality, and the use of encryption and legitimate digital tools in the public interest. 

Without these measures, the law’s stated aim of protecting society will remain incomplete, and the law risks becoming an instrument for prosecuting speech. The danger of the current draft lies not only in the potential for arbitrary application but in the fact that it is written in a way that makes such arbitrariness possible. It neither precisely defines the boundaries of criminal conduct nor clearly safeguards fundamental freedoms. It fails to establish a system of digital justice that is technically robust and legally reliable. 

In a country that still relies on provisions from a 1969 law to prosecute acts belonging to an entirely different era, what is required is not merely a legislative update but a redefinition of the philosophy of legislation itself. Is the goal to protect the citizen in the digital space or to exert tight control? 

If Iraq is to enact a cybercrime law, its success should be measured not by the severity of its penalties or the breadth of its powers, but by its ability to distinguish genuine cybercrime from protected conduct and to safeguard both security and fundamental rights. Without that distinction, the law will not resolve the existing legislative gap. It will merely extend legal uncertainty into the digital age. 

We learn from you

Do you have a note or comment on Jummar's content? Did you find any incorrect or inaccurate information that needs correcting? Do you find the language used in the article offensive, abusive, or discriminatory against any group on religious, sectarian, gender, class, geographic, or other grounds? Please get in touch with us via
editor@jummar.media

بقلم

Engineer and data analyst interested in the intersection of technology and society.