We appreciate the Lebanese Central Inspection’s efforts to seriously consider and respond to inquiries by SMEX and other organizations regarding data collection on the DAEM Social Safety Net platform.
We also acknowledge that DAEM’s data collection and processing practices adhere to the Ration Card Law No. 230/2021 law and its legal implementation mechanism. The recently published privacy policies on DAEM and other government-operated platforms is another step in the right direction.
This encourages us to continue monitoring the safety, privacy and security of applications and websites launched by the government or the private sector. SMEX offers technical and policy guidance to stakeholders and informs the public of measures taken in response to legal and technical concerns and recommendations.
We also demand that the Lebanese government publish all its decisions publicly on its platforms, especially the provisions of Decision No. 5/Q-M of 30/9/2021, so people are informed and allowed the chance to review the relevant laws.
We hope and strive for the enactment of a comprehensive privacy law in Lebanon, one that endorses best practices for data protection and privacy. It must also make them statutory requirements, rather than the current trend of relying on external laws.
In light of the above, the General Inspection should address a series of additional questions that can offer further clarification on the following matters:
How is the Lebanese State the owner of the data? Which state administration or institution is responsible for the collection, protection, processing, use and third-party access to this data? Which state administration or institution is responsible for abiding by the obligations imposed on parties collecting and processing personal data, in accordance with Law No. 81/20218?
Which official and unofficial third parties are authorized to view this data (organizations, security agencies, donors, etc.)? And why are they given access to this data?
In the interest of transparency, why is IMPACT’s mail server still hosted by a German web-hosting service provider?
The Central Inspection has repeatedly stated that “encrypted data is stored on servers, which are also encrypted, hosted by Ogero.” However, SMEX’s Tech Unit has serious doubts around the actual location of the server IPs, whether these are on Lebanese servers or are still on the German SaaS Leaseweb, with only the Nginx reverse proxy placed on a Lebanese IP to cover the real location.