Ahead of the May 6 parliamentary elections, Lebanese embassies abroad have exposed the personal data of Lebanese citizens living abroad, leaving private information easily accessible to third parties.
In February, the Lebanese embassy in the UAE sent an email to Lebanese residing in the country with an attached spreadsheet containing the personal details of more than 5,000 Lebanese citizens who have registered to vote in the upcoming elections. The email asked them to confirm their voter registration information.
A screenshot of the email sent by the Lebanese embassy in The Hague to one of the registered voters in the Netherlands in addition to more than 200 other cc’d recipients.
Around the same time, the Lebanese embassy in the Hague sent a similar email, of which SMEX obtained a screenshot, to more than 200 recipients. The email also contained an attached spreadsheet with the personal data of the Lebanese voters in the Netherlands.
Moreover, the person who sent the email entered all the recipient addresses in the Cc field instead of using the Bcc field to conceal this data.
The personal information in the spreadsheets in both the UAE and the Netherlands included each voter’s full name, mother’s name, father’s name, sex, date of birth, religion, marital status, and address.
On March 29, a Lebanese citizen living in Paris tweeted that he had received a WhatsApp message, intended for someone else, from a candidate in the upcoming election. He believed that he had received the message because he had included his number in other people’s files while registering them to vote. This suggested, he said, that the candidate had obtained the voter’s information from the voter database.
These latest cases of the mishandling of personal data by the Lebanese Ministry of Foreign Affairs and Emigrants (MFA) come after the discovery, last November, that the website the ministry had built for Lebanese in the diaspora to register online to vote used cookies to track over 90,000 visitors without their consent.
The legal framework for data protection in Lebanon is weak, as SMEX has reported in “Building Trust: Toward a Legal Framework that Protects Personal Data in Lebanon” and in the 2018 State of Privacy: Lebanon.
Vague language in Article 115 of the 2017 Election Law actually requires the MFA to “publish and circulate” lists of registered voters living abroad “using all available means” in order to confirm that the identity of the expatriates matches the information listed in the Personal Status Register.
This practice is another example of Lebanon’s disregard for the protection of personal data. Lebanon needs legislation that directly addresses the protection, storing, processing, and transfer of all personal data and establishes an independent body to monitor the government’s handling of this data.