Within one week, several cases of personal data breaches affecting Lebanese citizens have been reported, the most flagrant of which was the leaking of public school teachers’ data.
Teachers were surprised to learn that their personal data, including their names, phone numbers, email addresses, and government salaries and bonuses, had been leaked on a WhatsApp group.
A.R., a primary school teacher in Lebanon, told SMEX that “this was not the first incident of its kind,” adding that the leaked data was shared on WhatsApp groups that include hundreds of primary school teachers.
However, there has been no strong reaction to the breach by teachers, whether legally or through their unions. According to a teacher who preferred to remain anonymous, there have only been individual condemnations, “especially since many people prefer not to publish their personal and financial information.”
A few months ago, the personal data of teachers in South Lebanon was also leaked, including their transportation allowances. A.R. believes that these data leaks are due to the corruption at the Ministry of Education and Higher Education since “these corruption scandals and the risks they pose for teachers have been ignored.”
(Screenshot of the leaked Excel spreadsheet)
Meanwhile, journalist Abdullah Kamh published a post on “X” warning of attempts to collect information on students in Lebanon through an education survey promoted on WhatsApp asking students to provide detailed personal information and their phone numbers.
Kamh stated that these may be attempts to collect information by Israeli or other parties infiltrating student groups. SMEX contacted the Director-General of the Ministry of Education, Imad Ashkar, for comment but received no reply.
In 2022, the results of the Intermediate Certificate examinations of nearly 56,000 students were leaked, in addition to students’ personal data such as email addresses, phone numbers, and other information. The investigations at the time failed to determine who was responsible for the leak.
In a similar context, SMEX received information that the Ministry of Public Health in Lebanon now asks to photograph patients who wish to receive their medications from the ministry. To one patient’s surprise, he was asked to appear in person to submit the application and have his photograph taken to be attached to his medical file, in addition to submitting data and reports on his health condition.
SMEX tried to ask the ministry why patients’ photographs are now required for the medical files but received no response. It is unclear whether these photographs will be used solely by the Ministry of Health or shared with donors who offer certain medications to patients. SMEX also attempted to contact the Director-General of the Ministry of Health, Fadi Senan, but received no reply.
Insufficient Ministerial Powers
These violations of citizens’ privacy elicited no reaction, and none of the competent authorities or the parties affected by the leaks submitted any complaints or reports about the incidents.
In an interview with SMEX, Sadek Alawieh, member of the Economic, Social, and Environmental Council and writer at Al-Kaws legal newspaper, said that “since 2018, successive governments have taken no measures to develop the Electronic Transactions and Personal Data Law No. 81/2018 or to enhance the protection of residents’ data.”
On the contrary, Alawieh stated that the Lebanese government “completely disregarded this law in its subsequent decisions.” It also failed to issue the law’s executive decrees and regulations, except for Decision No. 59 of May 11, 2020, issued by the former Minister of Economy on regulating the procedures to disclose, process, amend, and publish personal data. “All the remaining provisions remained mere ink on paper,” Alawieh added.
In addition, Law 81 stipulates that the Ministry of Economy is solely responsible for processing personal data, as it is the only authority empowered to make available to the public on its website a list of parties authorized to process personal data.
Marleine Nehme, the Head of the Legal Department at the Ministry of Economy, told SMEX that “the law is highly deficient,” adding that not all of its provisions are implemented. For example, the Monitoring Authority has not yet been established, and the Ministry’s work is limited to publishing a list of parties authorized to process personal data so that citizens may have access to it. However, in the event of any misuse or breach of data privacy, citizens have to resort to the judiciary.
The law does not empower the Ministry of Economy to interfere legally to hold the companies or platforms that have collected Lebanese citizens’ data in the past few years accountable. “There are many shortcomings when protecting citizens’ data, which is not stored securely,” added Nehme. “Citizens are unaware of how to protect their data and file lawsuits against parties violating their privacy.”
Laws Cannot Protect Citizens’ Data
Since the beginning of Lebanon’s economic crisis in 2019 and the spread of the COVID-19 pandemic, the government has asked citizens to register on special platforms to benefit from the ration card, the vaccination platform, and the passport renewal platform.
All these platforms ask citizens to provide important personal information and documents, such as ID card numbers and copies thereof, passport numbers, detailed addresses, etc.
However, successive Lebanese governments have failed to address the issue of personal data protection per the Electronic Transactions and Personal Data Law (October 10, 2018), whose provisions seek to facilitate official and private transactions, protect electronic transactions and personal data, and impose criminal penalties on violators.
In fact, since its issuance, the personal data protection law has failed to protect citizens’ right to privacy and personal data protection, according to several reports published by SMEX and statements issued by other parties.
In a statement issued on May 9, 2023, the Euro-Med Human Rights Monitor stated: “At a time when its provisions are still insufficient, out of date, and improperly applied, with responsibilities concentrated in a single government agency without oversight or accountability, the legal framework in Lebanon that governs the internet and communications remains largely fragile.”
It also warned that “the Ministry of Communications in Lebanon, with the aid of internet and telecommunication service providers, has complete control over gathering data and sharing it with governmental organizations without the users’ knowledge or consent.”
In addition, it is a well-known fact that the Lebanese government has been referring telecom data to security agencies since 2013. On several occasions, SMEX confirmed that any decision issued by the Council of Ministers requiring service providers to share all data related to telecom traffic or data is considered illegal and, in particular, contrary to the provisions of Law 81 and Law 140/1999 on the protection of the secrecy of communications via all means.
Impeding the Digital Transformation of the Lebanese State
During a session held on January 12, 2024, the Council of Ministers refused to discuss the law on electronic transactions and official documents under the pretext that the Lebanese Accreditation Council (COLIBAC) has not yet been established, despite the issuance of the relevant law in 2004.
COLIBAC is responsible for regulating and overseeing the issuance of accreditation certificates and designations, as well as regulating official laboratories, inspection bodies, and engineering offices carrying our technical supervision and monitoring duties for construction activities, facilities, and the installation and maintenance of equipment (that is, parties in charge of issuing competence and eligibility certificates for professionals), per Article 16 of the Electronic Transactions and Personal Data Law No. 81/2018.
Electronic signature is considered the first building block for the digital transformation of the Lebanese State. This transformation would enable the complete restructuring of the public sector, reduce bribery, and minimize paper transactions, which are the main reasons for exploiting citizens and delaying their transactions, according to Alawieh.
He added that certain aspects of the digital transformation plan, such as “official electronic documents, only have legal value after their adoption. This is a simple matter that only requires the issuance of a ministerial decree based on the proposal of the Minister of Justice.”
According to Law 81, “Electronic writings and signatures shall have the same legal effect as the writings and signatures made on paper or any other medium, provided that the person producing them is identifiable and that they are organized and stored in a way that preserves their safety.”
But, according to Alawieh, the question remains: “How can the Lebanese government legalize the status of middlemen who follow up on transactions while completely disregarding the need to automate administrative transactions and claiming that it is near-impossible, despite the issuance of the relevant laws?”
Citizens Can Only Resort to the Judiciary if their Privacy is Breached
Law 81 only authorizes the collection of electronic data from citizens directly if the party collecting the data is clearly identified and if it informs citizens of the purpose of the processing and the persons to whom this data will be sent.
Therefore, according to Article 88 of the Electronic Transactions and Personal Data Law, any party intending to collect data must inform citizens of the reasons for this collection and specify how this data will be processed, including the following:
- Identity of the data-processing officer or their representative;
- Objectives of the processing;
- Mandatory or optional nature of answering the questions raised;
- Consequences of responding to such questions;
- Persons to whom the data is to be sent; and
- Right to access and correct information and the means of doing so.
The forms used for data collection shall include an explicit and clear statement of the six items above, as mentioned in the law. Alawieh also explained that “failure to abide by these requirements is considered a misdemeanor punishable by imprisonment from three to six months and/or a fine ranging from LBP 10 to 50 million.”
