| 15 August, 2017

Lebanon lacks data protection laws

The lack of a regulatory system means that governmental authorities are collecting detailed personal information without a clear outline: report

Cyber Security Firewall Privacy Concept

Cyber Security Firewall Privacy Concept


15 August 2017

BEIRUT: The rise of digitally enabled mass data collection sparked a global debate on where to draw the line between privacy, rights and security. While many countries have revised their legal framework accordingly, Lebanon has embraced new technologies absent of a legal framework that ensures the protection of civil rights. A report by the Social Media Exchange (SMEX) – an NGO promoting civil rights in the digital era – highlighted the discrepancy between data collection and the legal framework regulating this practice and the effect this might have on the rights of citizens.

“In Lebanon, we don’t have a law on data protection and a clear definition of data and what does it mean to treat data,” Elham Barjas, lawyer with The Legal Agenda and contributor to the report, said at its launch last Friday. “Collection of personal data without a legal framework constitutes a [risk].”

As Barjas explained, current legislation does not have a dedicated law concerning the protection of personal data – although personal data is mentioned within other Lebanese legislation. Currently, a personal data protection bill dating back to 2005 is being debated before a Parliamentary commission.

The lack of a regulatory system, the report underlined, means that governmental authorities are collecting detailed personal information without a clear outline on how this data should be stored, treated and protected, and of who should be held accountable in case of an overreach.

In August 2015, all Lebanese passports were updated to include biometric data. Residency applications for Syrian and foreign nationals are also being collected by means of this technology – which includes facial recognition, iris recognition and fingerprints.

“This data is encrypted and put into a server,” Hussein Mehdi, a journalist and contributor to the report, said at the launch. Mehdi pointed out that General Security was contacted for the report, but refused to provide any additional information measures they have implemented, citing security concerns.

A previous SMEX report, published in December 2016, managed to identify Lebanon-based security provider Inkript and the Dutch company Gemalto – which itself was the target of a hacking attempt in 2015 – as the companies responsible for safeguarding the information.

Similarly, the American University of Beirut Medical Center, the Beirut Governmental Hospital and the Hotel Dieu Hospital refused to provide information on their security systems. Mehdi argued at the launch that the lack of public information on how personal data is stored – combined with the lack of a legal framework to hold institutions accountable in case of leaks – is leaving Lebanese nationals vulnerable to abuse.

“A vulnerable protection system does not only mean that information can be stolen, it can also be falsified or amended,” Mehdi said, adding that the perception that this scenario shouldn’t worry honest law abiding people is a misconception.

“If insurance companies get hold of the medical records of their clients, for example, they might raise the insurance or stop working with certain people,” Mehdi said.

Information leaks have taken place in the past, including some targeting major institutions like AUB and the Lebanese Car Plate Directory. Mobile apps like Cars 961 and Lebanon Directory are periodically shut down by the authorities because they enable users to obtain addresses and other personal information from a car’s number plate or a person’s phone number.

“Criminal groups can, for instance, create forged papers for a stolen car based on the personal details of the owner of a similar car – so that there are two vehicles roaming around with the same registration details,” Mehdi said.

The voluntary dissemination of personal details between the government and other entities is also possibility. “Technically, the data can be put on a database and be shared between two countries collaborating, for example on terrorism,” Mehdi said. Lebanon is signatory to the Arab Convention Against Terrorism, since 1999, and no national law prevents the government from sharing information about its residents if it chooses to do so.

“In the future, Lebanon might choose to share the information collected on refugees with Syria, for all we know,” Mehdi said, adding that General Security also refused to provide details on the protection of refugees’ personal details and the extent of its information-sharing with the UNHCR.

According to the report, Alfa and touch – both government-managed telephone companies – are among the businesses benefitting from the voluntary dissemination of personal data for commercial purposes. “Touch and Alpha admit to the sale of subscriber’s data to businesses or individuals who want to send SMS messages to a target category [of people],” the report stated.

This is possible given that Law 431 of 2002, which regulates the telecommunications services sectors, fails to mention the protection of the information collected by the phone companies upon registration.

A new law attempting to regulate data collection and use – known as the “Electronic Transactions and Personal Data Bill” – is currently under study. Pierre Khoury, a professor at Sagesse Law School, discussed the strengths and limits of the proposed law at the launch. “It has a large number of exceptions and limited safeguards,” Khoury said. A comparison of the draft law and guidelines set up by the United Nations Economic and Social Commission for Western Asia ESCWA reveals some discrepancies, including the failure to mention biometric data and website “cookies.” This, Khoury pointed out, was due to the fact that the proposal dated back to 2005. “Technology [has] improved a lot in 10-years and the law should be updated,” he said.

Although limited in its reach, the approval of the bill would guarantee the protection of some basic privacy rights, such as the right to access one’s own personal information and to request its modification. The approval would mean the first time a code is entirely dedicated to regulating personal data – ensuring that the law keeps pace with technology.

© Copyright The Daily Star 2017.