Iran Recording Laws: All-Party Consent Rules and Penalties (2026)

How Iran Approaches Recording and Surveillance

Iran does not have a recording consent framework in the way that Western legal systems define one. There is no statute that spells out whether one party or all parties must agree before a conversation can be recorded. Instead, Iranian law addresses recording through a patchwork of constitutional provisions, penal code articles, and a 2009 cybercrime statute that together create a general prohibition on unauthorized interception.

The practical reality in Iran is dominated by a stark contradiction. On paper, the constitution forbids surveillance and protects the privacy of communications. In practice, the state operates a sophisticated and well-documented surveillance apparatus that monitors phone calls, internet traffic, and mobile device activity on a massive scale, often without judicial oversight.

For ordinary citizens, the legal landscape means that recording someone without their knowledge carries criminal risk. For those concerned about being recorded, the far greater threat comes not from private individuals but from state agencies with broad and largely unchecked monitoring powers.

Quick Answer: All-Party Consent and the State Surveillance Overlay

Iran is effectively an all-party consent jurisdiction for private recording. No statute creates an explicit consent rule, but both the Constitution (Article 25) and the Computer Crimes Law of 2009 prohibit unauthorized interception and recording of communications. The absence of a one-party consent exception means there is no legal pathway for a private citizen to record a conversation without the knowledge of all parties. Courts applying the constitutional privacy framework and the Computer Crimes Law would treat unauthorized recording as presumptively unlawful. Penalties for private citizens who intercept or disclose electronic communications range from 91 days to two years in prison under the Computer Crimes Law.

The state surveillance overlay creates an inverse reality for citizens. While private recording without consent is criminally risky, the Iranian government routinely records private communications without consent through the SIAM platform, ISP data retention mandates, and warrantless interception by security agencies. The legal framework that theoretically limits state surveillance under Islamic Penal Code Article 582 is not enforced against security agencies in practice.

Jurisdiction scope: This article addresses recording law in the Islamic Republic of Iran, including the Constitution of 1979, the Islamic Penal Code (Law of 1392/2013, Book Five), the Computer Crimes Law (Law No. 71063, 2009), the Electronic Commerce Law (2004), and the Protection of the Family through Promoting the Culture of Hijab and Chastity Law (2024). It does not address recording law in any other country. For US recording consent rules by state, see US recording laws by state.

Constitutional Protections: Article 25

The Constitution of the Islamic Republic of Iran contains a privacy provision that, read on its own, sounds like one of the strongest communications protections in the Middle East.

Article 25 states that the examination, non-delivery, recording, and disclosure of telephone conversations, telegraphic and telex communications, censorship, and "any kind of investigation" are all forbidden unless ordered by law. The language covers virtually every form of communication that existed when the constitution was drafted in 1979.

Article 22 adds that the "dignity, life, property, rights, residence, and occupation of the individual are inviolate, except in cases sanctioned by law." Together, Articles 22 and 25 establish that Iranians have a constitutional right to private communications and that the government cannot lawfully intrude without specific legal authorization.

The critical qualifier is the phrase "except as provided by law." Iranian courts and security agencies have interpreted this exception broadly, treating national security and public order concerns as sufficient legal basis for surveillance activities that would otherwise violate Article 25.

Islamic Penal Code Article 582: Officials Who Record Illegally

What Article 582 Prohibits

Article 582 of the Islamic Penal Code specifically targets government employees and state officials who intercept private communications outside the bounds of what the law permits. The article states:

"If any state official or civil servant, in cases other than those permitted by law, opens, seizes, destroys, inspects, records, or intercepts the letter, telegraph, or telephone communications of people, or discloses their contents without their owners' permission, that official shall be sentenced to one to three years' imprisonment or a fine of six to eighteen million rials."

The article covers a wide range of acts: opening physical mail, seizing correspondence, destroying letters, recording phone calls, and disclosing the contents of any intercepted communication. It applies exclusively to people acting in an official government capacity.

Penalties Under Article 582

A state official convicted under Article 582 faces:

• One to three years in prison, or
• A fine of six to eighteen million rials (roughly USD $14 to $43 at current unofficial exchange rates)

The court chooses between imprisonment and a fine. There is no provision for imposing both penalties simultaneously.

The Enforcement Problem

Article 582 was designed to prevent government overreach. In practice, enforcement is rare. Iranian security agencies, including the Ministry of Intelligence and the Islamic Revolutionary Guard Corps (IRGC), conduct surveillance operations that would clearly fall within the scope of Article 582, but prosecutions of officials for illegal wiretapping are virtually nonexistent.

The provision serves more as a theoretical check on power than as an active restraint on state behavior. When the government characterizes surveillance as necessary for national security or public order, the "cases permitted by law" exception in Article 582 effectively swallows the rule.

Computer Crimes Law of 2009: Digital and Telecom Interception

Overview of the Law

Iran's Computer Crimes Law (Law No. 71063), approved by parliament in January 2009 and effective that June, is the primary statute governing electronic surveillance and digital privacy. The law contains 55 sections organized across five parts and has been incorporated into the broader Islamic Penal Code.

Chapter 1 of the law addresses crimes against the confidentiality of data and computer and telecommunications systems. It establishes three categories of offense: unauthorized access, unauthorized interception, and computer espionage.

Unauthorized Interception of Communications

The unauthorized interception provision criminalizes eavesdropping on the content of non-public communications transmitted through computer systems, telecommunication systems, electromagnetic waves, or optical waves. The law does not require that the interceptor be a government official. Private citizens who illegally intercept electronic or telecommunications content face the same penalties.

The penalty for unauthorized interception is six months to two years in prison or a fine. Iranian legal sources cite the fine range as five to twenty million rials, though the exact amount depends on judicial interpretation and periodic legislative adjustments.

Article 17: Unauthorized Disclosure of Private Images and Sounds

Article 17 of the Computer Crimes Law addresses the downstream act of sharing what has been recorded without authorization. Any person who, by means of computer or telecommunications systems, issues or makes accessible the audio, images, private or family video, or personal secrets of another person without permission, in a manner that causes damage to their dignity or causes them loss, faces:

• 91 days to two years in prison, or
• A fine of five to forty million rials, or
• Both penalties simultaneously

Article 17 applies to the act of distribution, not the initial recording. A person who secretly records a conversation and then distributes it could face both the interception penalty and the Article 17 disclosure penalty. The fine range under Article 17 is notably higher than under the interception provision and courts may impose both imprisonment and a fine, unlike the either/or structure of Article 582.

Article 21: ISP Data Retention Mandates

Article 21 takes a different approach from the interception prohibition. Rather than restricting surveillance, it requires it. The article mandates that internet service providers retain records of internet traffic data and the personal information of their users. ISPs must store this data and make it available to authorities upon request.

The retention requirement has no specified time limit in the original statute. In practice, Iranian ISPs retain data for extended periods to remain in compliance with CRA directives.

Article 48: VoIP Recording Requirements

Article 48 goes further than the data retention mandate. It requires ISPs to record data from telephone conversations conducted over the internet, meaning Voice over Internet Protocol (VoIP) calls. This provision effectively mandates the capture of content, not just metadata, from internet-based phone calls.

The combination of Articles 21 and 48 creates a legal obligation for private telecommunications companies to function as extensions of the state surveillance system. ISPs that fail to comply face penalties and risk losing their operating licenses.

Other Relevant Provisions

Article 12 addresses computer data theft, carrying penalties of one to twenty million rials in fines if the data owner retains a copy, or 92 days to one year in prison if the data is removed.

The SIAM Platform: State Surveillance Infrastructure

What SIAM Is

In 2022, leaked internal documents from Iranian telecom carrier Ariantel revealed the existence of a surveillance platform called SIAM (Subscriber Identity and Activity Monitoring). Researchers at the Citizen Lab at the University of Toronto subsequently published a detailed analysis of the system in January 2023.

SIAM is a web-based program operated by the Communications Regulatory Authority (CRA) that provides direct access to the cellular networks of Iranian mobile operators. The system has approximately 40 distinct surveillance and control functions.

What SIAM Can Do

The platform gives the CRA the ability to:

• Track locations of individual phones or groups of phones by identifying which cell towers they connect to
• Pull call detail records (CDRs) showing who called whom, when, for how long, and from where
• Access internet session logs revealing websites visited and applications used
• Read SMS message content and metadata
• Force network downgrades that push phones from 4G or 3G down to 2G, which makes data connections nearly unusable and exposes voice calls to easier interception because 2G encryption is weak
• Block or redirect calls and manipulate call forwarding settings
• Throttle or block specific applications such as WhatsApp, Telegram, or social media platforms
• Suspend service entirely for targeted phone numbers

No Warrant Required

The leaked documents and subsequent analysis found no mention of judicial warrants, court orders, or oversight mechanisms governing the use of SIAM. The CRA's access is direct and does not appear to require authorization from any judicial body.

All Iranian telecom operators are required to provide the CRA with direct access to their systems for querying customer information and modifying services through web service APIs. This requirement operates outside the framework of lawful intercept standards developed by international bodies like 3GPP and ETSI, which typically mandate judicial oversight.

Additional Surveillance Components

SIAM is part of a broader surveillance ecosystem that includes:

• SHAHKAR: A national database of all mobile subscriber information that prevents unregistered SIM card use
• SHAMSA: A bulk collection system for call detail records and IP detail records
• LI (Legal Intercept) System: A real-time API integration with mobile providers for conducting surveillance

Phone Call Recording: Legal Risks for Individuals

No Formal Consent Framework

Iran does not have a statute that establishes a one-party or all-party consent rule for phone call recording. The legality of recording a phone call depends on how courts apply the general prohibition on interception found in the Computer Crimes Law and the constitutional privacy protections of Article 25.

In the absence of a specific consent framework, the safest legal interpretation is that recording a phone call without the knowledge and agreement of the other party is unlawful. Article 25 of the Constitution prohibits the recording and disclosure of telephone conversations as a general rule, and the Computer Crimes Law criminalizes interception of telecommunications content.

Penalties for Unauthorized Phone Recording

A private citizen who records a phone call without authorization could face:

• Six months to two years in prison under the Computer Crimes Law's unauthorized interception provision
• 91 days to two years in prison or a fine of five to forty million rials under Article 17 if the recording is shared

A government official who records phone calls outside legal authorization faces:

• One to three years in prison or a fine of six to eighteen million rials under Islamic Penal Code Article 582

Evidence Admissibility

Iranian law does not have a clearly codified exclusionary rule comparable to the Fourth Amendment framework in the United States. Courts have discretion in evaluating the admissibility of evidence, and the legal system operates under Islamic jurisprudence principles that give judges significant latitude.

Recordings obtained through unauthorized means may be challenged on the basis that they violate Article 25 of the Constitution. However, Iranian courts have not developed a consistent body of case law establishing firm rules on whether illegally obtained recordings are automatically excluded from proceedings.

In-Person Recording

General Prohibition

The same legal principles that govern phone recording apply to in-person conversations, though with less statutory specificity. Article 25 of the Constitution references telephone, telegraphic, and telex communications but does not explicitly mention face-to-face recording. The Computer Crimes Law focuses on electronic and telecommunications interception.

In-person recording falls into a legal gray area. The constitutional privacy protections of Articles 22 and 25 provide a basis for arguing that secret recording of any private conversation is unlawful. The Computer Crimes Law's Article 17 provisions on unauthorized disclosure of personal sounds and images would apply if an in-person recording were distributed.

Private vs. Public Settings

Iranian law does not draw a clear statutory line between recording in private and public spaces, unlike many Western legal systems. The general principle under Article 22 of the Constitution is that personal dignity and rights are inviolable, which courts could apply to recording in either setting.

The absence of specific public-space recording legislation means that police and prosecutors have wide discretion in deciding whether to pursue charges related to in-person recording. Context matters: recording a private meeting without consent carries more legal risk than filming a public street scene. For a comparison of how other countries treat recording in public spaces, see the world recording laws hub.

Recording State Authority Figures

Filming or recording police officers, Revolutionary Guards, or other state authority figures carries substantial legal risk in Iran that goes well beyond the penalties for ordinary unauthorized recording.

Iran does not have a law explicitly prohibiting members of the public from documenting the conduct of law enforcement. In practice, however, authorities have prosecuted those who record or distribute footage of official conduct using broad charges rather than specific recording statutes. The charges most commonly applied include:

• "Propaganda against the state" (under the Islamic Penal Code)
• "Spreading false information to disturb public opinion"
• "Insulting the Supreme Leader"
• "Cooperation with hostile foreign governments"

The pattern of prosecution documented by human rights organizations demonstrates that the recording itself is rarely the stated charge. Instead, authorities use the content of the recording or its distribution as evidence of the underlying offense.

The Mahsa Amini Protests: A Documented Pattern

The 2022 protests following the death of Mahsa Amini in police custody produced the most extensively documented wave of journalist and activist arrests related to recording in Iran's recent history. At least 38 journalists were reported arrested in the first six weeks of protests according to human rights monitors.

Reporters Niloofar Hamedi and Elaheh Mohammadi were arrested in September 2022 after their coverage of Amini's case and the subsequent protests. Hamedi received a sentence of seven years in prison on a charge of "cooperating with the hostile government of the United States." Mohammadi received six years on the same charge. Neither was prosecuted under recording-specific statutes; their documentation work was treated as evidence of political collaboration rather than a technical privacy violation.

The 2025 and 2026 Escalation

The pattern continued and intensified. In January 2026, photojournalist Artin Ghazanfari was arrested on January 19 and environmental photographer Fariborz Heydari was arrested on January 27, both during documentation of protests. Security forces confiscated professional equipment in both cases. Baha'i photographer Navid Zarrehbin Irani was arrested January 16, 2026 at his home in Mashhad; his family stated he had been documenting protests.

The 2025 Espionage Expansion

In July 2025, Iran's parliament introduced a bill expanding the definition of espionage (already a capital crime) to include activities linked to information dissemination and media work, specifically including contact with foreign and diaspora media outlets. If enacted, this provision would expose anyone who records and transmits footage of state activities to foreign or diaspora media to capital espionage charges. The US State Department's 2024 Human Rights Report documented this bill as a significant escalation of legal risk for journalists and activists.

Watch out: In Iran, the act of distributing footage of officials to foreign news organizations has been treated as evidence of "cooperation with hostile governments." Anyone who records state conduct and shares it with international media faces prosecution risk far exceeding the ordinary penalties for unauthorized recording.

Hijab and Chastity Law: Recording and Sharing Footage

The Protection of the Family through Promoting the Culture of Hijab and Chastity Law (71 articles), approved by Iran's Guardian Council in September 2024 and published in the official gazette on November 27, 2024, introduced an entirely new category of recording-related legal risk connected to women's clothing in public.

Surveillance Mandates Under Article 28

Article 28 of the Hijab and Chastity Law mandates that law enforcement agencies deploy traffic monitoring cameras and artificial intelligence systems to identify potential hijab violations and report them to the judiciary. This provision converts the existing physical surveillance infrastructure described in earlier sections of this article into a mandatory enforcement tool for dress-code monitoring.

By April 2024, the Iranian state had already deployed aerial drone surveillance to monitor hijab compliance in public spaces, and facial recognition software was installed at the entrance of Amirkabir University in Tehran to monitor compliance by women students.

Penalties for Sharing Non-Hijab Footage

Articles 37 and 42 of the Hijab and Chastity Law impose significant obligations on social media platforms and serious risks on individuals who share footage of women without hijab. Social media platforms operating in Iran must remove hijab-violation content within 12 hours of notification. Individuals who share such content face fines and restrictions on internet activity.

Article 38 further penalizes anyone who "insults or ridicules the hijab" or "promotes nudity, indecency, unveiling and bad dressing" with up to five years in prison, travel bans, and fines.

The Death Penalty Exposure

Article 36 provides that anyone who "promotes a culture of nudity in collaboration with foreign entities" faces five to ten years in prison. For individuals whose conduct is characterized as "corruption on earth," the death penalty applies. Human rights organizations including Amnesty International and the Center for Human Rights in Iran have documented this provision as creating death penalty exposure for activists who share images of unveiled women with foreign journalists or human rights organizations.

The overlap between the Hijab and Chastity Law and the 2025 espionage expansion is significant. A person who records footage of hijab-related protest, shares it with foreign media, and is characterized as acting in collaboration with a hostile foreign government could face both the Hijab Law's "corruption on earth" provisions and the espionage charges in the expanded bill.

Voyeurism and Hidden Camera Recording

Iran does not have a standalone voyeurism statute that mirrors the dedicated anti-voyeurism legislation found in many Western countries. The legal framework for hidden camera recording and voyeuristic surveillance is addressed through the Computer Crimes Law and the Islamic Penal Code's general privacy provisions.

Computer Crimes Law Article 17 as the Primary Provision

Article 17 of the Computer Crimes Law is the most directly applicable provision for cases involving unauthorized recording and distribution of private footage. It covers:

• Audio recordings of private conversations
• Images or video of private or family situations
• Any personal secrets made accessible through computer or telecommunications systems

The provision applies when disclosure "causes aspersion of dignity" or "causes loss" to the subject. A hidden camera recording that is subsequently shared or posted online would fall clearly within Article 17. The penalty of 91 days to two years in prison plus fines of five to forty million rials applies to the act of disclosure; the initial recording without consent could separately engage the interception provisions of Chapter 1.

Islamic Penal Code Provisions

The Islamic Penal Code addresses unauthorized recording of intimate content under provisions governing immoral acts. Under the IPC's framework for content involving nudity or sexual situations, persons who produce pornographic materials with intent to sexually exploit others face flogging of 30 to 74 lashes plus fines of ten to fifty million rials and loss of social rights for two to five years. If the conduct meets the threshold for "corruption on earth," the death penalty applies.

Hidden camera recording in private spaces, particularly bathrooms, changing rooms, or bedrooms, would be treated as a serious criminal matter under both the IPC's morality provisions and the Computer Crimes Law's interception and disclosure articles. No published case law establishes specific precedent, but the available penalty ranges make prosecutorial discretion the governing variable.

Deepfakes and AI-Generated Content

Iran does not have dedicated deepfake legislation or a comprehensive AI content regulation framework as of May 2026. No provision of the Computer Crimes Law or the Islamic Penal Code specifically addresses AI-generated synthetic media.

Applicable Existing Law

Computer Crimes Law Article 17 would be the most likely provision applied to non-consensual deepfake distribution. If a person creates and distributes an AI-generated image or video of another individual without consent in a manner that damages their reputation or causes them loss, the disclosure penalty of 91 days to two years and fines of five to forty million rials would apply. The provision was not drafted with deepfakes in mind, but its language covering "audio, image, private or family video" is broad enough to reach AI-generated content depicting real individuals.

The IPC's provisions on defamation and insult would apply to AI-generated content that damages the reputation of named individuals. Publishing content that causes "aspersion of dignity" against a private person carries penalties under both the IPC and Article 17 of the CCL.

The 2025 False Content Bill

The 2025 "Bill on Combating the Spread of False News Content in Cyberspace," submitted by Iran's Ministry of Justice with double-urgency status, would grant service providers the authority to remove content they characterize as "false" without a court order. If enacted, this bill would create an administrative mechanism for suppressing AI-generated content that authorities label as disinformation, though the bill's vague definitions would give enforcement bodies wide discretion. As of May 2026, the bill had not been enacted into law.

Iran has itself been documented as a producer of deepfakes for foreign influence operations. The US Treasury sanctioned IRGC-linked entities for using AI-generated deepfakes in an influence operation targeting the 2024 US election. Domestic legal protection against deepfakes targeting Iranian citizens is significantly weaker than Iran's investment in creating deepfakes for external operations.

Note: The absence of dedicated deepfake legislation means victims of non-consensual synthetic media in Iran have limited and uncertain legal recourse. Complaints would be routed through Article 17 CCL or IPC defamation provisions, both of which require the claimant to demonstrate damage to dignity or material loss. Enforcement depends heavily on prosecutorial discretion.

Workplace Recording and Monitoring

No Specific Workplace Privacy Statute

Iran's Labor Code (1990, as amended) does not contain provisions specifically addressing workplace surveillance, employee monitoring, or employer recording of communications. The code focuses on employment terms, safety requirements, and dispute resolution.

In the absence of specific workplace privacy legislation, the general constitutional protections of Articles 22 and 25 technically apply in the workplace. An employer who records employee phone calls or monitors electronic communications without disclosure could face liability under the Computer Crimes Law or the constitutional privacy framework.

Practical Reality

In practice, workplace privacy enforcement is minimal. Iranian employers, particularly state-owned enterprises and companies operating in sensitive sectors, commonly monitor employee communications. The government itself mandates certain forms of workplace surveillance, particularly in industries related to telecommunications, media, and technology.

The 2024 mandate requiring all businesses to install police-approved surveillance cameras and link them to centralized police networks has further expanded the state's ability to monitor workplace activity. Under regulations from the Chamber of Guilds, businesses ranging from supermarkets to restaurants must register their camera systems on a government portal called Saptam, and a police technician connects the system to the police's cloud storage network.

Public Space Surveillance

Expanding Camera Networks

Iran has been rapidly expanding its network of surveillance cameras in public spaces. In 2023, authorities announced that footage from cameras in public places, including subway stations, would be used in combination with facial recognition technology to identify and penalize women who do not comply with mandatory hijab requirements.

The Ministry of Roads and Urban Development has incorporated surveillance equipment into national building standards. Residential complexes and commercial buildings with four or more units must install cameras at entrances, parking lots, corridors, and common spaces. Non-compliance creates obstacles in obtaining building permits.

Legal Basis

There is no single statute that authorizes or regulates public space surveillance in Iran. The expansion of camera networks has been carried out through administrative regulations, ministerial directives, and executive orders rather than through legislation debated and passed by parliament. This approach has allowed the government to rapidly scale its surveillance infrastructure without the constraints of a formal legislative process.

The Cyber Police: FATA

Role and Operations

The Iranian Cyber Police, known by its Farsi acronym FATA, was established in 2011. FATA operates stations in dozens of cities across all 31 provinces and is responsible for investigating cybercrimes, including privacy violations, online fraud, and what the government defines as propaganda against the state.

FATA's mandate extends well beyond traditional cybercrime enforcement. The agency monitors social media activity, tracks online activists, and investigates violations of content restrictions. During periods of political unrest, FATA's monitoring operations intensify significantly.

Civilian Volunteer Network

Since March 2014, FATA has recruited approximately 42,000 civilian volunteers with digital skills to assist in its monitoring operations. The agency has described this program as "society-based policing," with the stated goal of creating a culture where "every citizen is a police officer."

This volunteer network effectively extends the state's surveillance capacity beyond the resources of formal law enforcement. Volunteers report online content and activities that they believe violate Iranian law, creating a distributed monitoring system that supplements FATA's institutional capabilities.

Recent Legislative Developments

The December 2025 Audio-Visual Content Control Bill

In December 2025, a bill titled "Support and Handling of Violations in the Domain of Audio and Visual Content in Cyberspace" was advanced in Iran's parliament. The bill is a successor to the long-pending Internet Protection Bill, reintroducing its core mechanisms under a new name and with expanded powers for the Islamic Republic of Iran Broadcasting (IRIB). The bill would hand the state broadcaster comprehensive control over online video content, require international technology companies to maintain a legal representative in Iran, and mandate cooperation with government surveillance and censorship operations.

The 2025 "Untrue Content" Bill

Earlier in 2025, Iran's Ministry of Justice submitted a bill titled the "Bill on Combating the Spread of False News Content in Cyberspace" with "double urgency" status, requiring parliament to vote within 30 days and bypassing normal legislative debate.

The bill would grant service providers and social media platforms the authority to independently block or restrict content they consider "false" without a court order or judicial oversight. Platforms would be required to respond to complaints within 12 hours.

Human rights organizations including Article 19 and the Center for Human Rights in Iran have warned that the bill's vague definitions of "false" content would give authorities broad discretion to suppress speech and expand surveillance powers.

The 2025 Espionage Expansion Bill

In July 2025, Iran's parliament introduced a bill expanding the definition of espionage to include activities linked to information dissemination and media work, specifically including contact with foreign and diaspora media outlets. Because espionage is a capital crime in Iran, this expansion represents a severe escalation of legal risk for anyone who records and distributes documentation of state conduct to international audiences. The bill was documented in the US State Department's 2024 Human Rights Report.

Data Protection: Gaps in the Law

No Comprehensive Framework

Iran does not have a comprehensive data protection law. The country remains one of the most populous nations in the world without dedicated personal data legislation.

Privacy protections are scattered across multiple laws:

• Constitution Articles 22 and 25: General privacy and communications protections
• Electronic Commerce Law of 2004: Articles 58 and 59 address sensitive data and establish consent requirements for personal data processing
• Computer Crimes Law of 2009: Criminalizes unauthorized access and interception
• Charter of Citizens' Rights (2016): A non-binding document issued by President Rouhani containing 120 articles, including provisions on privacy and data protection that the government has not implemented

Electronic Commerce Law: Articles 58 and 59

Article 58 of the Electronic Commerce Law prohibits storing, processing, or distributing electronic data that reveals ethnic origins, religious beliefs, ethical characteristics, or information about a person's physical, psychological, or sexual condition without explicit consent.

Article 59 permits processing of personal electronic data only with the subject's consent, requires that the purpose of collection be clearly specified and limited to necessity, and grants individuals the right to request complete deletion of their personal data files.

These provisions represent Iran's closest approximation to data protection standards found in frameworks like the European Union's GDPR. However, enforcement is minimal, and no dedicated data protection authority exists to oversee compliance.

Draft Personal Data Protection Act

In 2019, a draft Personal Data Protection and Safeguarding Act was circulated, representing the first attempt at comprehensive data protection legislation. As of May 2026, the draft has not been enacted into law.

Cross-Border Considerations: US Citizens and Dual Nationals

Iran presents some of the highest recording-related legal risks in the world for foreign nationals, particularly US citizens and dual nationals of Iranian heritage.

Level 4 Travel Advisory and Photography Prohibitions

The US State Department maintains a Level 4 "Do Not Travel" advisory for Iran. The advisory explicitly warns that photography near military and other government installations is strictly prohibited and could result in criminal charges including espionage, which carries the death penalty.

This prohibition is not limited to formal military bases. In practice, Iranian authorities have characterized photography near government ministries, Revolutionary Guard facilities, nuclear sites, border crossings, and infrastructure as evidence of espionage. The boundary between what constitutes a prohibited government installation and a photographable public space is not clearly defined in Iranian law, giving security forces wide discretion to treat any photography as suspect.

Dual Nationals: No Consular Protection

A critical legal reality for dual US-Iranian nationals is that Iran does not recognize their US citizenship. The State Department advisory states that "Iran will not permit Swiss consular officers to visit detained US citizens who also hold Iranian citizenship," leaving dual nationals with no diplomatic protection channel if detained. This makes any arrest, including an arrest related to recording or photography, functionally more dangerous for dual nationals than for single-citizenship US tourists.

At least five dual and foreign nationals holding Iranian-American status were arrested in Iran as of mid-2024. The Committee to Protect Journalists documented the arrest of at least three journalists in January 2026 alone, as Iran imposed internet shutdowns during domestic unrest.

The Espionage Framework for Recording

Under Iranian law and practice, recording and transmitting footage of state activities to foreign recipients can be characterized as espionage. The July 2025 parliamentary bill expanding espionage definitions to include media work and contact with diaspora outlets removes any previous ambiguity about whether such acts might fall below the espionage threshold.

Foreign nationals should be aware that:

• Recording near any government or military facility risks espionage charges
• Transmitting recordings to foreign media creates independent espionage exposure under the 2025 bill framework
• Possession of professional recording equipment increases the likelihood of investigative detention
• Social media accounts posting footage of government activity may be monitored before or after a trip
• The Iranian government has the technical capability through SIAM and allied surveillance tools to identify individuals who recorded specific events based on metadata, cell tower logs, and ISP records

Watch out: Dual US-Iranian nationals arrested in Iran for any reason, including photography, have no access to US diplomatic assistance. The Swiss consulate serves as the US protecting power for single-citizenship US nationals but cannot assist dual nationals. This removes the primary protective mechanism available to US citizens in other high-risk jurisdictions.

Penalties Summary

Offense	Law	Penalty
Government official intercepts communications illegally	Islamic Penal Code Art. 582	1 to 3 years prison or 6 to 18 million rial fine
Unauthorized interception of electronic/telecom communications	Computer Crimes Law Ch. 1	6 months to 2 years prison or 5 to 20 million rial fine
Unauthorized disclosure of private images, sounds, or personal secrets	Computer Crimes Law Art. 17	91 days to 2 years prison or 5 to 40 million rial fine (or both)
Unauthorized access to protected computer data	Islamic Penal Code Art. 729	91 days to 1 year prison and/or fines
Computer data theft (owner retains copy)	Computer Crimes Law Art. 12	1 to 20 million rial fine
Computer data theft (data removed)	Computer Crimes Law Art. 12	92 days to 1 year prison or 5 to 20 million rial fine
Sharing footage of hijab violations online	Hijab and Chastity Law Arts. 37, 42	Fines and internet activity restrictions
Promoting nudity or unveiling in public	Hijab and Chastity Law Art. 38	Up to 5 years prison, travel ban, fine
Promoting nudity in collaboration with foreign entities	Hijab and Chastity Law Art. 36	5 to 10 years prison; death penalty for "corruption on earth"
Photography near military or government installations	Criminal/espionage statutes	Up to death penalty for espionage
Producing pornographic material (with intent to exploit)	Islamic Penal Code	30 to 74 lashes plus fines; death for "corruption on earth"

Business and Compliance Considerations

For Foreign Companies

Foreign businesses operating in Iran face a challenging compliance environment. The absence of a comprehensive data protection law means there are no clear rules governing how companies must handle personal data. At the same time, the Computer Crimes Law imposes criminal penalties for unauthorized access and interception, and ISPs must comply with extensive data retention and VoIP recording mandates.

Companies with employees or operations in Iran should assume that electronic communications conducted through Iranian telecommunications infrastructure are subject to government monitoring. The SIAM platform and associated surveillance tools give the CRA direct access to mobile communications, and ISPs are legally required to retain and hand over user data.

The 2025 espionage expansion bill creates additional risk for companies that employ staff who communicate with foreign media or diaspora contacts about workplace conditions or government contracts. Communication that would be protected speech in most other jurisdictions could be characterized as espionage under the expanded framework.

For Individuals

Anyone visiting or living in Iran should be aware that:

• Recording conversations without the other party's knowledge carries criminal penalties
• Mobile phone communications are subject to state interception without warrant requirements
• VPN use without a license is illegal, and authorities actively block unauthorized VPN services
• Internet shutdowns occur frequently, with 34 documented shutdowns in 2023 alone
• The government has the technical capability to downgrade mobile connections, intercept SMS messages, and track physical locations through cell tower data
• Social media accounts are monitored and content posted from inside Iran can be evidence in subsequent prosecutions

---

Information last verified on May 15, 2026. This article presents general legal information about recording law in Iran and does not constitute legal advice. The laws described reflect publicly available information about Iranian statutes and the analysis of international human rights organizations; enforcement in Iran operates under rule-of-law constraints that make formal legal analysis an incomplete guide to actual risk. Readers in or traveling to Iran, or with professional obligations connected to Iran, should consult a qualified legal professional licensed in a relevant jurisdiction. This article does not address the law of any country other than Iran.