Lebanon’s Directorate General of Civil Status (DGCS) has initiated a campaign encouraging voters to confirm their personal information on online voter lists by March 1, 2025.
Under Lebanese municipal and parliamentary electoral law, these lists must publicly display voters’ full names, parents’ names, registration numbers, gender, birth date, and sect to ensure accurate identification. Voters can check their records online using their national ID numbers.
Exposing voter lists and personal details online allows anyone to access and misuse this information, as seen in the recent war in Lebanon. It is also concerning that users can see all the voters in the same section by selecting the voter’s governorate, village, neighborhood, gender, sect, and civil registry number.
When you enter these details, the platform displays your information along with that of relatives who share the same or similar civil records. This raises privacy concerns due to the potential for manipulation, which could expose relatives in specific regions, reveal personal data, and enable illegal activities. Personal information can be exploited for malicious purposes, including targeted attacks, harassment, and discrimination.
Data misuse during the last war and Lebanon’s history of data leaks since the digitization of personal records highlight the need to protect citizens’ data from breaches and manipulation. Recent incidents in Lebanon, including the leaks of voters’ data from embassies, data from schools, and recurrent leaks of car registration records, all underscore the country’s vulnerable cybersecurity landscape.
Moreover, government agencies have shown they do not sufficiently protect user data, and the legal framework is weak. The Electronic Transactions and Personal Data Law is insufficient and fails to offer adequate safeguards for personal data.
Chapter Five of the e-Transactions legislation encompasses personal data protection. This legislation only mandates that data processors inform the Ministry of Economy before processing personal data and exempts public authorities from this requirement (Article 94). Additionally, the law ambiguously defines this “notification” and leaves it to the Ministry of Economy’s discretion.
On the other hand, a cybersecurity strategy has existed since 2019 but has not been implemented and is outdated.
The DGCS platform, which receives financial and technical support from the European Union and the United Nations Development Programme (UNDP), lacks a privacy policy and terms of service. This omission prevents users from understanding what data is collected about them, how and where it is stored, the safety and security measures implemented to protect this data, and the steps taken in case of a breach.
We attempted to reach DGCS’s General Manager, Elias Khoury, but received no response.
International practices
While countries like the US and the UK allow the public listing of voter data, others, such as France and Germany, do not.
France’s Data Protection Act on Informatics and Liberty is enforced by the Commission nationale de l’informatique et des libertés (CNIL), an independent regulatory agency that oversees personal data. The Act “helps professionals achieve compliance and empowers individuals to manage their data and exercise their rights.” It ensures that any processing of personal data, including voter information, has a legitimate basis and grants individuals the right to access, correct, and object to the use of their data.
In Germany, the Federal Data Protection Act complements the GDPR by outlining strict guidelines for handling personal data. The act restricts access to voter information to authorized personnel only.
If we use France as an example of online voter verification, French citizens can check their voter registration status online through the official government website Service-Public.fr. This service provides information about the registered municipality, polling station location, national voter number, and existing proxies. To use this online service, you must authenticate via FranceConnect or a Service-Public.fr account, ensuring the security and privacy of personal data. FranceConnect, a digital identity platform, is employed for secure authentication across public services.
Service-Public.fr employs various data protection measures to safeguard user information. Personal data and documents are securely stored in confidential storage spaces accessible through user accounts. The platform follows the “data minimization” principle, collecting only essential information for specific purposes, such as account management and administrative procedures. Furthermore, access to personal data is restricted to authorized personnel and tracked to ensure accountability and security.
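To make the contrast concrete, the sketch below is an added example, not code from the DGCS platform or Service-Public.fr. It sets an open lookup filtered by section attributes beside an authenticated lookup that returns only the caller’s own minimized record and logs each access. The registry rows, session token, and function names are all constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample registry: every name, number and place is made up.
VOTERS = [
    {"national_id": "000000000001", "full_name": "Voter One", "father": "Parent A",
     "mother": "Parent B", "registry_no": "45", "gender": "F", "birth_date": "1985-03-02",
     "sect": "Sect-X", "village": "Village-1", "municipality": "Village-1",
     "polling_station": "Station 3", "voter_number": "V-0001"},
    {"national_id": "000000000002", "full_name": "Voter Two", "father": "Parent A",
     "mother": "Parent B", "registry_no": "45", "gender": "F", "birth_date": "1990-07-19",
     "sect": "Sect-X", "village": "Village-1", "municipality": "Village-1",
     "polling_station": "Station 3", "voter_number": "V-0002"},
]
# Hypothetical session table: token -> identity asserted by the login provider.
SESSIONS = {"token-voter-one": "000000000001"}
AUDIT_LOG = []  # in production this would be an append-only, access-restricted store
MINIMAL_FIELDS = ("municipality", "polling_station", "voter_number")


def lookup_by_section(village, gender, sect, registry_no):
    """Open pattern: no login, guessable filters, full rows for every match."""
    key = (village, gender, sect, registry_no)
    return [dict(v) for v in VOTERS
            if (v["village"], v["gender"], v["sect"], v["registry_no"]) == key]


def lookup_own_record(token):
    """Authenticated pattern: caller's own record only, minimized, access logged."""
    subject = SESSIONS.get(token)
    AUDIT_LOG.append({"at": datetime.now(timezone.utc).isoformat(),
                      "subject": subject, "granted": subject is not None})
    if subject is None:
        raise PermissionError("authentication required")
    record = next(v for v in VOTERS if v["national_id"] == subject)
    return {field: record[field] for field in MINIMAL_FIELDS}


if __name__ == "__main__":
    exposed = lookup_by_section("Village-1", "F", "Sect-X", "45")
    print(len(exposed), "full records returned without login:", sorted(exposed[0]))
    print("authenticated, minimized:", lookup_own_record("token-voter-one"))
```

The open lookup returns both relatives’ complete rows, sect and parents’ names included, to anyone who supplies the section attributes, while the authenticated lookup returns three fields for one person and leaves an audit entry even when access is refused.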
What is needed in Lebanon
Legal reforms are necessary to ensure voter privacy. The electoral law should be amended to restrict the personal data published on voter lists, allowing only essential identifying information to be publicly accessible.
Additionally, the Personal Data chapter of the Electronic Transactions Law should be revoked. A new law solely focused on Personal Data Protection should be adopted to establish a legal framework that protects privacy and applies to both the public and private sectors.
Entities responsible for collecting and managing voter data have a crucial duty to ensure its security and integrity, preventing unauthorized access or breaches. Recommended measures include implementing robust technical safeguards, adhering to strict data protection protocols, and promoting a culture of transparency and accountability.
Simultaneously, Lebanon must strengthen its data management and cybersecurity infrastructure. This can be accomplished by implementing robust and comprehensive cybersecurity measures designed to protect sensitive voter data and any other personal information collected and processed by public entities and governmental authorities.
Cover Photo by IBRAHIM AMRO / AFP