Financial Crime World

Lebanon’s Data Protection Laws: A Mixed Bag

In an era where digital information is at the forefront of modern life, ensuring data protection and privacy has become a pressing concern. In Lebanon, the Electronic Transactions and Personal Data Law (Law No. 81/2018) governs how financial institutions handle sensitive information. However, experts argue that while some aspects of the law are commendable, others fall short in safeguarding citizens’ rights.

Definition of Sensitive Information

What Constitutes Personal Data?

The law defines personal data as any information that can identify an individual directly or indirectly, including through comparison and combination with other sources. Interestingly, it does not provide a specific definition for sensitive personal data, but rather lists categories that require a license from the Ministry of Economy and Trade to process.

Categories Requiring a License

  • Data related to national security
  • Criminal offenses
  • Health
  • Genetic identity
  • Sexual life

Lack of Regulatory Authority

A notable omission in Lebanon’s data protection framework is the absence of a National Data Protection Authority (NDPA). The Ministry of Economy and Trade is responsible for issuing permits and licenses, but critics argue that this setup may lead to inadequate oversight and enforcement.

Exceptions to Registration

  • When individuals have provided consent
  • Processing carried out by public authorities, non-profit organizations, or educational institutions for legitimate purposes

Data Collection and Processing

Requirements for Data Controllers

  • Personal data must be collected faithfully and for specific, explicit, and legitimate purposes.
  • Individuals must be informed about the purpose of processing their data, the mandatory or optional nature of questions raised, and the consequences of non-response.

Security Measures

While the law does not mandate specific technical security measures, it requires data processors to take all necessary steps to ensure the integrity and security of personal data against unauthorized access or damage. However, critics argue that this is a vague requirement that may not be sufficient to protect sensitive information.

Enforcement Mechanisms

  • Data subjects can resort to the competent courts for matters related to enforcement of their rights under the law.
  • The public prosecutor and/or data subjects can also initiate legal proceedings for non-compliance with the law.

Electronic Marketing and Online Privacy

The law prohibits unsolicited marketing emails (SPAM) using real people’s names and addresses without consent, except in cases where individuals have legally obtained the address through previous engagement. However, it does not explicitly mention cookies or location data as personal information.

In conclusion, while Lebanon’s Electronic Transactions and Personal Data Law has some commendable aspects, such as requiring informed consent for data processing, its shortcomings, including the lack of a regulatory authority and vague security measures, raise concerns about effective data protection in the country.