Lebanon: SMEX Demands a New Privacy Law

We appreciate the Lebanese Central Inspection’s efforts to seriously consider and respond to inquiries by SMEX and other organizations regarding data collection on the DAEM Social Safety Net platform. 

We also acknowledge that DAEM’s data collection and processing practices adhere to the Ration Card Law No. 230/2021 law and its legal implementation mechanism. The  recently published privacy policies on DAEM and other government-operated platforms is another step in the right direction.

This encourages us to continue monitoring the safety, privacy and security of applications and websites launched by the government or the private sector. SMEX offers technical and policy guidance to stakeholders and informs the public of measures taken in response to legal and technical concerns and recommendations.

The Central Inspection’s clarifications regarding data management and collection, e-governance monitoring process, as well as data storage and ownership, are of interest not only to SMEX, but to the public at large. Therefore, these clarifications should be integrated into the privacy policy of DAEM and all other platforms.

We urge all ministries, public administrations and institutions, and private companies to place privacy, data security and transparency at the heart of any platform or website that collects and processes personal data, whether public or private. The details of such processes should also be specified in the relevant privacy policy and terms of use.

We also demand that the Lebanese government publish all its decisions publicly on its platforms, especially the provisions of Decision No. 5/Q-M of 30/9/2021, so people are informed and allowed the chance to review the relevant laws.

We hope and strive for the enactment of a comprehensive privacy law in Lebanon, one that endorses best practices for data protection and privacy. It must also make them statutory requirements, rather than the current trend of relying on external laws.

In light of the above, the General Inspection should address a series of additional questions that  can offer further clarification on the following matters:

How is the Lebanese State the owner of the data? Which state administration or institution is responsible for the collection, protection, processing, use and third-party access to this data? Which state administration or institution is responsible for abiding by the obligations imposed on parties collecting and processing personal data, in accordance with Law No. 81/20218?

DAEM’s privacy policy and Article 14 of Ministerial Decision No. 5/Q-M mentions the Lebanese State’s ownership of the data.

Which official and unofficial third parties are authorized to view this data (organizations, security agencies, donors, etc.)? And why are they given access to this data?

In the section related to “data storage,” DAEM’s privacy policy stipulates that “We shall not disclose your personal data to any third parties not authorized to process it.”

In the interest of transparency, why is IMPACT’s mail server still hosted by a German web-hosting service provider?

The Central Inspection has repeatedly stated that “encrypted data is stored on servers, which are also encrypted, hosted by Ogero.” However, SMEX’s Tech Unit has serious doubts around the actual location of the server IPs, whether these are on Lebanese servers or are still on the German SaaS Leaseweb, with only the Nginx reverse proxy placed on a Lebanese IP to cover the real location.

This page is available in a different language العربية (Arabic) هذه الصفحة متوفرة بلغة مختلفة

Abed Kataya

Digital Content Manager at SMEX. Digital safety trainer and freelance journalist. Interested in technology, economics and entrepreneurship. Follow him on Twitter @kataya_abd.