Data Privacy and Protection in Lebanon, New Legislation
Law No. 81 of 10 October 2018 on Electronic Transaction and Personal Data is a Lebanese data privacy law passed in 2018. Prior to its enactment, Lebanon had yet to pass any form of legislation regulating the collection or processing of personal data, despite the fact that the Constitutional Council of Lebanon recognizes privacy as a constitutional right. While the law is not a comprehensive data protection law, as the requirements it places on data controllers and processors are not as stringent as those of many modern data protection laws, it nevertheless provides Lebanese citizens with protections for their personal data.
How are data controllers and processors defined under Law No. 81 of 10 October 2018 on Electronic Transaction and Personal Data?
Under Law No. 81 of 10 October 2018 on Electronic Transaction and Personal Data, a data controller is defined as “the natural or legal person which determines the purposes and means of the processing of personal data.” The law does not provide a definition for the term data processor, as the regulations and obligations that it establishes for the collection and processing of personal data apply to data controllers. The law defines personal data as “any information related to a physical person which enables his/her identification, directly or indirectly, including by comparing information collected from various sources or by cross-checking various information.” While the law does not provide a definition for sensitive personal data, “data related to the health, genetic identity, and sex life of an individual is subject to specific provisions.”
What are the requirements of data controllers under Law No. 81 of 10 October 2018 on Electronic Transaction and Personal Data?
Under Law No. 81 of 10 October 2018 on Electronic Transaction and Personal Data, data controllers who operate within Lebanon are responsible for upholding the following data protection principles:
- The principle of purpose limitation.
- The principle of lawful, safe, specific, and transparent processing.
- The principle of accuracy.
- The principle of proportionality.
- The principle of storage limitation.
- The principle of security.
- The principle of confidentiality.
In addition to the data protection principles listed above, data controllers operating within Lebanon are also obliged to abide by various other requirements set forth in the law. For example, data controllers are required to obtain a license from the Ministry of Economy and Trade (MoET) prior to collecting or processing data “related to foreign and national state security matters.” The law also mandates that personal data may only be collected from Lebanese citizens for safe, legitimate, determined, and explicit purposes, and all personal data that is collected for such purposes must also be correct, complete, and up to date.
What are the rights of Lebanese citizens under Law No. 81 of 10 October 2018 on Electronic Transaction and Personal Data?
As Law No. 81 of 10 October 2018 on Electronic Transaction and Personal Data is not a comprehensive data protection law, some provisions of the law are not consistent with other major privacy legislation that has been passed in recent years, such as the EU’s GDPR. To illustrate this point further, “the Law does not provide any definition of consent or any specific provision pertaining to the requirement of consent for the processing of personal data or any provisions pertaining to the conditions of consent.” Nonetheless, Lebanese citizens do have the following data privacy rights under the law:
- The right to be informed.
- The right to access.
- The right to rectification.
- The right to object/opt-out.
- The right to seek legal recourse.
As for penalties for noncompliance, Law No. 81 of 10 October 2018 on Electronic Transaction and Personal Data does not establish an independent regulator for data protection within the country. However, “Article 106 of the Law provides for a penalty of a fine of LBP 1 million ($642) to LBP 3 million ($1,917) and/or imprisonment of three months to three years for the following infraction”:
- The collection or processing of personal data without a license or declaration.
- The processing of personal data in violation of the provisions of Chapter 2 of Part 5 of the Law.
- The disclosure of processed personal data to unauthorized third parties, irrespective of whether said disclosure is intentional or unintentional.
As comprehensive data protection laws have been few and far between in the Middle East, with exceptions such as The Dubai International Financial Centre (“DIFC”) Data Protection Law No. 5 of 2020, the passing of Law No. 81 of 10 October 2018 on Electronic Transaction and Personal Data represents a step forward for Lebanon with respect to data protection. Through the passing of the law, Lebanese citizens have an avenue for recourse should they feel that their data privacy rights have been violated. Despite the fact that the law is still somewhat limited, it does create a legal basis upon which personal data must be collected and processed within the country, as well as penalties that can be imposed against data controllers who fail to follow it.