The lack of a comprehensive legal framework for privacy rights and data protection in Lebanon has led to the adoption of illegal mass surveillance programs and to the violation of individual and collective privacy without repercussions. In order to understand the mechanisms under which surveillance is conducted in the country, to identify areas in need of reform, and to devise strategic advocacy for privacy protections, SMEX issued its inaugural report on digital surveillance titled “Mapping the Landscape of Digital Surveillance in Lebanon” on December 14, 2016.
Having developed a foundational knowledge base on issues related to privacy, surveillance, and data protection, SMEX designed a program — the SMEX Fellowship for Reporting on Digital Freedoms — to promote, facilitate, and disseminate research on digital rights in Lebanon, with the aim of providing evidence to enhance public discussions surrounding these issues. The fellowship provides an opportunity to develop skills, expertise, and knowledge on digital freedoms-related issues in the Middle East and North Africa (MENA).
The report, “Building Trust: Toward a Legal Framework that Protects Personal Data in Lebanon” is the product of our call to journalists, human rights activists, and researchers to conduct further investigations and research into the state of digital rights in Lebanon. This report was produced by Elham Barjas, a journalist at the Legal Agenda, and Hussein Mehdy, a journalist who has exposed corruption at several Lebanese universities.
The Lebanese state is increasingly relying on digital technologies in its collection and storage of personal data. It has already started to issue biometric passports and smart biometric residence permits, and to convert driver’s licenses to biometric ones. The Communications Minister has proposed linking individuals’ phone numbers to their IDs through a specialized private company. It is clear that the government is trying to grow its use of new technologies to collect personal data through private companies.
However, the Lebanese state is embracing these new technologies and adopting these new policies without clear guidelines to protect the data it is amassing and without privacy guarantees. This is particularly troubling in light of several cases of data leaks, some of which are known to the Lebanese public while others remain unreported.
This rapid adoption of new technologies without any safeguards led SMEX to conduct a study on the regulatory framework for data protection, especially its legislative and technical aspects, which deal with personal data belonging to Lebanese citizens and people residing on Lebanese soil — to assess its strength and weaknesses. This assessment requires shedding light on both the legislative framework for personal data in Lebanon and the technological mechanisms employed by the relevant authorities to provide data protection. It also requires highlighting cases that justify the mounting questions and skepticism regarding the efficacy of the existing systems, both legal and technological, given that violations of the privacy of different groups of individuals have repeatedly taken place.
In its first section, the study examines the legal framework regarding personal data in Lebanon. Even though Lebanon participated in developing the directives on data protection legislation issued by the United Nations Economic and Social Commission for Western Asia (ESCWA) in 2012, the country still lacks specific legislation on personal data. At the time of publishing this report, the Lebanese legislature has not issued any legislation in this regard, but has held general discussions on the legal definition of personal data and suggested a theoretical framework to process it.
In its second section, the study defines biometric data, explains the technology employed in collecting it, and summarizes the most important methods used to encrypt and protect it from breaches. The study highlights the use of biometrics given recent technological advances and discusses the importance of using sophisticated protections to ensure that data is protected from leaks and breaches. The report summarizes and evaluates the recent adoption of biometric passports and residence permits by the General Directorate of General Security. Additionally, it highlights the types of data the authorities are storing relating to both Lebanese citizens and foreign residents, especially since the Directorate has unhindered access to this data.
In the third section, the study reviews data leaks originating from different sectors, underscoring the extent to which Lebanese citizens and residents’ personal data is being misused. The study reveals that personal data collected in the country is susceptible to infiltration and to leaks due to weak protection systems and the absence of specialized legislation.
In the fourth section, the study reviews the “Electronic Transactions and Personal Data Protection” draft law, which a subcommittee formed by the joint parliamentary committees is currently discussing. This draft law includes a complete section on the protection of personal data. However, since the bill is yet to become law, this study examines articles that protect personal data scattered among different Lebanese laws. It also scrutinizes and evaluates the draft law in light of foreign legislation, especially French law, which has informed the Lebanese draft law and the ESCWA directives with which the Lebanese law should be compatible. In addition, the study highlights the role of the Information and Communication Technology Center at the Beirut Bar Association in improving the bill through its participation in the ongoing discussions held by the subcommittee.