The English translation of Chapter 5 of the E-Transactions Law concerning the processing of personal data can be found at the end of the article.
An “Ugly” New Data Protection Law in Lebanon
The recently passed Electronic Transactions and Personal Data Law (E-Transactions Law), initially introduced in 2004 for the purpose of regulating various aspects of online commerce, contains outdated and ineffective protections for personal data of Lebanese citizens. Though the text of the law changed between 2004 and 2018, the goal remained the same: facilitate the expansion of online commerce without regard to the effect this expansion might have on data protection. Therefore, the law does not reference or reflect the General Data Protection Regulation (GDPR), which has been dubbed “the world’s most sweeping privacy law,” or any other advancements in data privacy law.
In 2004, just 9% of the Lebanese population was using the internet, compared to 76.1% today. Furthermore, the social media platforms that dominate daily life did not exist and individuals did not generate as much data and metadata as they do currently. Personal data also did not hold the same innate value (and therefore did not carry the same risk of exploitation) that it does in this day and age. All of these factors demonstrate how drastically the ecosystem has changed. By 2017, 120 countries already had data protection laws; Lebanon lags behind. Chapter 5 of the new E-Transactions Law focuses on the collection of personal data, but ultimately neglects the protection of it by concentrating power in the executive branch and failing to provide many standard safeguards adopted in international data protection legislation.
Concentration of Power in the Executive Branch
The new law provides little oversight on the processing of personal data, which includes collecting, storing, modifying, using, and publishing this data. The power is concentrated within the executive branch as the Ministry of Economy and Trade is almost solely responsible for handling data processing requests. Article 95 grants the Ministry this authority, stating, “with the exception of the exemptions provided for in the preceding article, those wishing to collect and process personal data shall inform the Ministry of Economy and Trade.” Unlike other countries, such as France and Tunisia, which have data protection authorities comprised of representatives from parliament, the judicial branch, various ministries of governments, and sometimes the private sector, the new E-Transactions Law gives just ONE ministry this authority. This structure does not have checks and balances from a multistakeholder group and therefore increases the risk of arbitrary decisions and abuses of power, which could easily lead to the exploitation of the personal data of Lebanese citizens and residents.
Moreover, the vague language in the law does not clarify how the Ministry of Economy could authorize the sharing of this data. Article 98 compels the Ministry to “make available to the public, especially on its website, a list of possible processes that meet the licensing or authorization requirements set forth in this section” and also tasks the Ministry with defining those requirements. Thus, the Ministry has the power to decide on “third parties who are authorized to view the data” and “where appropriate, personal data intended for transfer to a foreign state.” Instead of legislating when data can be shared with these entities, the law leaves the decision to the Ministry of Economy. Likewise, Article 92 authorizes the granting of permits for “processing [personal data] for the purpose of commercial promotion” and it also does not define what activity constitutes commercial promotion.
Additionally, the Ministry of Economy and Trade is not currently prepared to manage the processing of personal data requests. A reputable source told SMEX that the Ministry has hired no new personnel to implement these measures, has not been planning for the handling of these requests in the years that the law has existed in draft form, and has no immediate plans to establish a website so that people can start filing these requests. The Ministry’s lack of preparation highlights the risk in placing authority in the hands of a single ministry and moreover, entrusting this power exclusively to the executive branch.
The law gives a number of other ministries, most notably the Ministry of Interior and Ministry of Defense, limited, but dangerous, oversight of the handling of personal data. Article 97 gives the two ministries the power to award licenses for any data pertaining to “external and internal security of the state,” without defining the term. The Ministry of Interior has already mismanaged personal data by publishing lists of registered voters. Moreover, Article 103 gives special status to data related to the “internal or external security of the state,” stipulating that “the owner of the data of a personal nature shall not be informed of his/her data under processing in case this may endanger the objectives of the processes or the internal security of the state.” Article 97 bestows authority on the Minister of Justice to issue licenses for data related to “judicial proceedings of various kinds” and on the Minister of Health to make decisions in “cases of health, genetic identity, or sexual life of persons.” Pierre Khoury, a legal expert in the fields of Information and Communication Technology (ICT) and consumer protection and a member of the parliamentary committee that studied this law in draft form, noted these provisions open the window for any private company which has a good relationship with one of these ministers to obtain access to incredibly sensitive personal data.
Lack of Safeguards
The rules for collecting data, outlined in Article 87, are vague and ambiguous. The article does not require the collection of data to have a fixed goal or be proportionate to the purpose, but states merely that the collection not “go beyond the stated objectives.” Furthermore, the article states that data “shall be collected faithfully and for legitimate, specific, and explicit purposes,” without defining these purposes.
Instead of enumerating the cases where personal data may be processed, the law opts to list situations where a license or permit is not required rather than describing those situations that do require a permit. Article 94 lists exemptions for broad groups such as “students of educational institutions” or “members of the institutions, commercial companies, trade unions, associations, and self-employed persons.” Individuals that fall within this category, thus, do not even have the protection of the weak safeguards implemented by this law. The law does not compel exempted institutions to inform individuals their data is being collected or to require consent.
The law also does not clearly define consent or provide the right to withdraw consent, which contradicts the protections outlined in the European Union’s GDPR. Article 94 prohibits a person from objecting to data collection if they have previously agreed to it, without stipulating whether this need be explicit or implicit agreement. This lack of clarity could minimize data protection as corporations could easily include a statement of use in their terms of service without clearly bringing it to the consumer’s attention.
The provisions regarding the data processing officers include no clear-cut regulations or explanation. The law does not set out how the officers are chosen or establish a code of conduct for the officers to abide by. In contrast, Article 40 of the GDPR sets out a monitoring body to enforce the codes of conduct. Additionally, there is no article requiring officers to notify individuals if there is a breach of data, which could lead to further abuses of power. Article 100 allows officers to object to “requests of an arbitrary nature” without defining what qualifies as arbitrary, apart from requests that are “repetitive and systematic.” The constraints set out by this provision reduce the right of access and correction as data processing officers may determine validity of requests based on vague stipulations.
Parliament should amend the law in light of the GDPR and other recent data protection legislation to better ensure the protection of personal data. First and foremost, the amended law must establish an independent data authority akin to the CNIL in France or the INPDP in Tunisia, with a limited scope of power to oversee the processing of personal data. In Lebanon, this authority should probably exclude the Ministry of Telecommunications and OGERO as they operate monopolies in industries where personal data is a valuable commodity.
In addition, parliament should amend the legislation to explicitly list all the instances where personal data processing permits are required instead of broadly listing instances in which they are not. This will ensure the protection of the data of citizens and residents. The amendments should take into consideration the instances laid out in the GDPR, clarifying the selection and responsibilities of data processing officers and giving data subjects the right to withdraw.
As the European Union recently set a standard with the passage of the GDPR, there is absolutely no reason for the Lebanese government to adopt such a shoddy law that fails to protect the personal data of Lebanese citizens and residents in so many different ways. In a country where personal data is regularly exploited, whether through the publication of election records, the leaking of license plate numbers, or the sale of phone numbers, the government should focus on adopting a practical and comprehensive data protection law that safeguards privacy. Protecting personal data is especially important as the Lebanese government continues to collect an increasing amount of it, with the introduction of biometric passports and residency permits and plans to register IMEI numbers. Khoury joked that the recently passed law should be referred to as “The Good, The Bad, and the Ugly,” referencing the focus on e-commerce, website registration, and data protection, respectively.