Beirut – Largely due to the legislative authorities’ negligence and the concentration of power in the executive authorities, the Lebanese data protection law has failed to uphold citizens’ rights to privacy and personal data protection, Euro-Med Monitor said in a statement.
At a time when its provisions are still insufficient, out of date, and improperly applied, with responsibilities concentrated in a single government agency without oversight or accountability, the legal framework in Lebanon that governs the internet and communications remains largely fragile.
Although the law stipulates that data processing requests are handled by the Ministry of Economy and Trade of Lebanon, governmental and non-governmental organisations do not request that the ministry process personal data. However, instead, they collect, store, and handle data themselves in a flagrant violation of the law.
The ministry has not yet released the necessary circulars that lay out the steps for submitting requests for data processing or collection. In every instance, these organisations are not held accountable for their actions regarding citizens' personal information. Furthermore, both the Ministry of Interior and the Ministry of National Defence in Lebanon have the authority to oversee the processing of individuals’ data if necessary and when it pertains to “internal and external state security.”
This comes at a time when numerous prior incidents document the Ministry of Interior’s misuse of personal data, including the publication of Lebanese voters’ data with their detailed personal information based on a provision in the Law for Parliamentary Elections, in a blatant violation of individuals’ privacy. The law reveals the extent of the Lebanese parliament’s disregard for citizens’ right to privacy.
Euro-Med Monitor warns that the Ministry of Communications in Lebanon, with the aid of internet and telecommunication service providers, has complete control over gathering data and sharing it with governmental organisations without the users’ knowledge or consent.
Article 8 of the Lebanese Constitution guarantees individual freedom. Additionally, Article 13 guarantees citizens the right to freedom of expression and information access, which indirectly protects the citizens’ right to privacy through all forms of communication. Yet, many common laws have undermined these constitutional protections.
Law No. 140 of 1999 concerning the protection of the secrecy of communications, stipulates the right to the confidentiality of local and international communications, via any means, whether wired or wireless connections.
Although Article 1 in the aforementioned law aims to protect the right to privacy of correspondence that occurs through any means of communication, Article 2 undermines it by introducing exceptions, such as “intercepting correspondence must be carried out by judicial order” and “in case of extreme necessity,” without defining these terms or establishing any standards to constrain the court’s authority. Instead, it is the court’s decision to decide whether to permit interception or not. This is due to a highly politicised and polarised legal system, which jeopardises the right of people and groups to the privacy of communications and personal information.
Although the passing of Law No. 81 of 2018 relating to Electronic Transactions and Personal Data is still a positive step, the law has not yet been effectively implemented. About six years after the law was approved, the Ministry of Economy failed to start defining the procedures to be followed for gathering and processing personal data, which is what motivates the processing of this data outside of any legal framework or controls.
The law has significant flaws and a lengthy development period, as improvements began in 2004 and were only approved in 2018. Furthermore, since 2004, the law’s content has not been modified to stay consistent with the advancements in technology that the world has seen. As a result, it is unable to adequately address privacy-related internet issues.
Euro-Med Monitor’s regional office director in Lebanon, Mohammad Moghabat, said that the Lebanese legislative authorities view people’s personal data as an “economic opportunity” rather than a sensitive component and a recognised right that requires extra protection and is principally linked to individuals’ rights to dignity and privacy.
Moghabat added that since the Lebanese authorities do not penalise companies’ public and private entities that violate the law, their drive to prioritise the protection of personal data in their operations remains largely lacking. According to Moghabat, the law does not clearly define sensitive personal data, which causes uncertainty and non-compliance among institutions that deal with the data, He argues that some provisions of the law are ambiguous, which prevents a decisive application.
Internet accessibility–or lack thereof–in Lebanon, is another barrier to the citizens’ ability to exercise the range of related rights, including the right to access information and free expression. Internet accessibility and personal data protection have long been issues for Lebanon's people, with governmental and non-governmental organisations violating related standards.
The severity of these violations has escalated significantly in recent years, especially after the exacerbation of the social, political, and economic crises since 2019. As a result of the currency’s deprecation and the high cost of subscribing to the internet service, it became challenging for a significant portion of citizens and residents to access the internet.
Lebanon is the fifth most expensive country for communication services in the MENA region, which poses a significant barrier to the population’s access to the internet, especially given that the country is going through one of the worst global economic and monetary crises.