Quick overview: Lebanese Data Protection Law (Law no. 81/2018)

I- Introduction:

1. On October 10th, 2018, the Lebanese parliament approved a new Data Protection Law (DPL), Law no. 81/2018, which is applicable to both automatic and non-automatic processing of personal data.

2. The law also includes an exemption for processing related to personal activities carried out by individuals exclusively for the fulfillment of their needs.

3. While this Law aims to address the urgent need for protecting personal data by establishing obligations for data controllers in their data collection and processing activities and enumerating the rights available to data subjects, it falls short in certain crucial aspects, making it far from being a precise endeavor.

II- Obligations of Data Controllers:

4. Two phases must be clearly distinguished: the pre-processing phase (A) and the processing itself of personal data by the data controllers (B).

A- Pre-processing phase:

5. Information. According to Article 95 of the DPL, before engaging in their data collecting/processing activities, data controllers should inform the Ministry of Economy and Trade (MoET), except for the personal data mentioned in Article 94 of the DPL (Data controllers are defined as natural or legal persons responsible for establishing the processing objectives and methods, as outlined in Article 1 of the DPL).

6. Licenses. However, Article 97 of the DPL stipulates that data controllers are required to obtain a license from competent authorities if the personal data is related to:

a. Foreign and national state security matters under a joint decision of the Minister of National Defense and the Minister of Interior and the Municipalities.

b. Criminal offenses and judicial proceedings of various sorts under a decision issued by the Minister of Justice.

c. Cases of health, genetic identity, or sexual life of persons under a decision issued by the Minister of Public Health.

B- Processing phase:

7. Article 87 of the DPL establishes a set of regulations that data controllers operating within Lebanon must adhere to when collecting and processing personal data.

8. Bona Fide. The acquisition of personal data must adhere to principles of faithfulness, pursuing legitimate, explicit, and specific objectives.

9. Careful selection. The obtained data must be carefully selected, conforming strictly to the stated objectives.

10. Purpose-driven Processing. The said data may not be processed for purposes that are not in line with the objectives specified, except in instances related to statistical, historical, or scientific research.

11. Security. Remarkably, an obligation to safeguard the integrity and security of personal data can be inferred from Article 93 of the DPL, wherein such responsibilities are imposed upon data processing officers, notwithstanding the absence of explicit targeting of data controllers.

III- Rights of Data subjects:

12. The DPL confers various rights upon data subjects in connection with the protection of their personal data (A). These rights are subject to legal enforcement through competent courts (B).

A- The substantial rights:

13. Opt-Out. Data subjects possess the right to object or opt-out pursuant to Article 86 of the DPL. They are entitled to request a review and express objections, before the data processing officer, regarding the processing associated with their data. This entitlement is reiterated in Article 92 of the DPL and encompasses objections to both the collection and processing for purposes such as commercial promotion.

14. Limitations. However, the data subject is prevented from exercising the right of objection:

a. If the data-processing officer is obligated to collect the data under the law.

b. If he has given his consent for the processing of his personal data.

15. Right to Information. Article 88 of the DPL stipulates that data subjects possess the right to information. They have the authority to request information from the data processing officer regarding the following:

a. Identity of the data-processing officer or the identity of their representative.

b. Objectives of the processing.

c. Mandatory or optional nature of responding to the raised questions.

d. Consequences of non-response.

e. The recipients of the data.

f. Right to access and correct information, along with the means established for such actions.

16. Right to Access. Article 99 of the DPL establishes a right to access, enabling the data subject to inquire with the data processing officer about the processing of personal data. This article further specifies that the proprietor of the personal data, or any of their heirs, may also request the data processing officer, in accordance with the conditions outlined in Paragraph II of the DPL, to provide additional information regarding the purposes, categories, source, subject, and nature of the processing. This includes the identification of individuals to whom the personal data is being transmitted or who have access to this data, as well as the timing and purposes of such access.

17. Limitations. However, this right of information and access is subject to two significant limitations:

a. Article 100 of the DPL grants the data processing officer the right to object to requests that he deems arbitrary. To exercise this right, the officer is encouraged to assess the repetition of the request.

b. Article 103 of the DPL imposes significant restrictions on the aforementioned rights when the processes are related to the internal or external security of the State.

18. Right to Rectification and Erasure. Article 101 of the DPL provides that the data subjects have the right to ask the data processing officer to process, correct, complete, update and erase such personal data when it is incorrect, incomplete, ambiguous, expired, or incompatible with the purposes of processing, or is not to be processed, collected, used, saved, or transferred.

19. Limitations. Nevertheless, it is essential to acknowledge that the exercise of the aforementioned rights is contingent upon the illicit collection or processing of personal data. Therefore, such requests are not valid if the data is handled lawfully. Similarly, Article 17 of the EU’s GDPR has constrained the right to erasure to specific situations aligned with the unlawfulness of processing, such as when the personal data is no longer necessary for the purposes for which it was collected or otherwise processed.

B- Enforcement:

20. Framework. Article 102 of the DPL empowers the enforcement of these rights, at the request of the data subject.

21. Jurisdiction. In this context, data subjects are entitled to seek justice before competent courts and a specific reference was made to the Judge of Expedite Matters.

IV- Inconsistencies:

22. This Data Protection Law lacks several key elements, including the absence of a well-defined territorial scope (A), along with other regrettable omissions (B).

A- Lack of Territorial Scope:

23. Scope of Application. An informed observer would notice that the DPL lacks explicit indications regarding its territorial scope. In this context, one could assume it applies solely to data processing activities within Lebanon. Specifically, the key standard for applying this Law is whether the data processing activity occurs within the territory of the Republic of Lebanon. This prompts the question: Does the Law extend to data controllers established in Lebanon conducting their data processing activities outside the country?

24. Comparison. In contrast, Article 3(1) of the EU’s GDPR deems it applicable to any data controller or processor established within the European Union, irrespective of whether the processing occurs within the European Union or not.

25. Lack of subjective factors. Moreover, it is uncertain whether this Law governs the activities of data controllers established outside of Lebanon but targeting Lebanese citizens/residents. The DPL therefore lacks a subjective connecting factor related to the center of interest of the Data subject residing in Lebanon.

26. Comparison. Also in contrast, Article 3(2) of the EU’s GDPR applies to the processing of personal data of data subjects who are in the European Union by a controller or processor established outside of the European Union. This is applicable when the processing activities are related to: the offering of goods or services to such data subjects in the Union, regardless of whether payment is required from the data subject; or the monitoring of their behavior as far as their behavior takes place within the Union.

27. Lastly, the territorial effects of the present Law's provisions seem to be confined to Lebanon. Similarly, the European Court of Justice has restricted the territorial reach of the right of dereferencing, and more generally of the EU’s GDPR, to the territory of the European Union (please see: ECJ, C-507/17, Google LLC v CNIL, dated 24 September 2019).

B- Other omissions:

28. Lack of Definitions. The DPL unfortunately lacks critical definitions and requirements.

a. The law lacks a definition of the concept of consent, despite its pivotal role in the framework.

b. Despite the frequent mention of the term "data protection officer" in the Law, there are no provisions establishing an obligation for data controllers to designate one. Oddly, this term has not been defined in the provisions of this Law.

29. Regulator. Regrettably, by neglecting to establish an independent governing body responsible for monitoring personal data protection, Lebanese officials have dealt a severe blow to the effectiveness of the DPL. This leaves data subjects with the recourse of seeking justice before the competent courts, as emphasized in Article 102 of the DPL. In contrast, Article 51 of the EU’s GDPR imposed the establishment of such a governing body. For example, France's data protection authority (CNIL) can receive complaints from data subjects and enforce the EU’s GDPR regulations upon data controllers.

V- Conclusion:

30. The enactment of the Data Protection Law in 2018 represented a significant step towards safeguarding individuals' right to privacy. However, upon thorough scrutiny, it becomes evident that the law lacks clarity in certain aspects. Moving forward, it is imperative to revisit and refine the law, ensuring it adeptly addresses the evolving challenges in data privacy, while striking a delicate balance between individual rights and the demands of the digital era.

GHADY RIZK (Associate)
