The Lebanese E-transaction Law In Relation With Personal Data Protection
On October 10 2018, the Lebanese Parliament passed Law №81 related to Electronic Transactions and Personal Data (the E-transaction law). The law came out to adapt the legislative framework to the realities of a digital society where an increasing number of private and public interactions are done through electronic means of communication. That’s where a tremendous amount of public and private data is gathered in digital archives. The law has eight distinct sections and it is centered on electronic commerce and the electronic signature, but it also contains sections which discuss personal data protection. The passing of the law has been seen by many commentators as a necessary step forward in the direction of a digital economy. The same commentators argue that the law has numerous flaws especially in the area of personal data protection in spite of the fact that the law addresses issues of collection, processing and usage of personal data through electronic means (Chedid & Tymburski, 2019; “State of Privacy in Lebanon”, 2019). Mainly, the law fails to offer sufficient legal protection of Lebanese people’s right to data agency, right to redress and rectify their collected personal data; and right to be protected against unethical uses of their personal data including automated decision making that might affect their livelihoods.
First, the E-transaction law does not ensure complete security when entities collect personal data from Lebanese citizens. Although the law states that individuals or groups have to be informed about their data being collected, informed consent is not required in case the entity collecting the data can invoke circumstances that make it difficult for it to notify the people that it is collecting data from (Article 88). According to the Signal Code, participants should have the right to be informed about the way in which their personal data is being treated during all phases of data management starting from acquisition and ending with deletion (Harvard Humanitarian Initiative, 2016). Moreover, in line with OCHA (2019) standards for data protection, this requirement also applies to sensitive data that regards a certain population instead of an individual, as long as the collection of that data can lead to the identification of the population and place the population at risk of harm. However, the E-transaction law fails to define what “an effort that is not commensurate with the benefit of the conducting” (Art. 89) means. Thus this gap gives an opportunity for data processing entities to abuse the legal framework and avoid obtaining informed consent from individuals. Specifically, those who are already marginalized and living in poor conditions are most at risk of not being able to exercise their data agency. This is not only unethical, but also against the rights that are guaranteed in the Lebanese Constitution. Dorine Saleh, a Lebanese judge, said that Article 7 of the Constitution guarantees that all Lebanese are equal in law and that they enjoy the same civic and political rights, as well as being equally responsible for their civic duties. Saleh also added, “the E-transaction law is weak because it does not ensure that people get the support they need in order to understand their rights in relation to personal data protection; and that the law assumes that all citizens are equally able to understand a legislative text and other types of legal and administrative documents like an informed consent form.”
Moreover, the law places much of the responsibility for the protection of citizens’ rights over their personal data in the hands of the Lebanese Ministry of Economy and Trade, instead of establishing an independent agency in charge of monitoring the collection, processing and usage of personal data. Considering the high level of corruption inside the public system in Lebanon, commentators fear that this will lead to a weak protection of citizens’ data rights and that companies with connection to the government will be given a free hand to use the personal data of their consumers as they see fit (Chedid & Tymburski, 2019). In addition, the law is extremely vague when it comes to the acceptable reasons for data collection. Instead, it focuses on presenting a long list of entities that are exempted from needing a permit to collect and process personal data (Art. 94). This lack of precision makes it very easy for the Ministry of Economics and Trade to grant permits to those entities that it favors and to reject applications from those entities that are not in the good graces of the ruling party (“State of Privacy in Lebanon”, 2019). In addition, it is safe to assume that the Ministry of Economics and Trade does not have the necessary resources (skilled employees with enough time) to enact an effective oversight over all data management aspects that are covered by the E-transaction law. Even if citizens claim instances of abuse, their requests will be processed with serious delays and will prevent citizens from protecting their personal data in a timely manner. Saleh, a Lebanese University graduate said, “It would have been much better to have a greater separation of powers between the executive and administrative branches, and the law should have created a separate and independent agency for the monitoring of the management of personal data.”
The right to redress and rectify any aspect related to the data that was collected is also insufficiently covered by the Lebanese E-transaction law. The law specifies that individuals have the right to ask for modifications of the data that is false, inaccurate or incomplete, which matches the requirements of the Signal Code (Harvard Humanitarian Initiative, 2016). However, it is not clear if this right applies to the entire period during which the personal data is managed. For example, according to Art. 92 normal people can object to the collection and processing of data only if they have not agreed to the processing before; while according to Art. 101, the owner of the data can ask the data processing officer not to process, collect, or transfer his data. Moreover, the law states that in the situation when the individual informs the data officer about the intention to have his data deleted and the data officer fails to take effective action, the individual has to address the Magistrate of Summary Justice (Art. 102), which makes the exercise of the right to redress and rectify extremely costly and difficult to Lebanese citizens. Saleh gave the example of phone calls and mobile numbers, which are completely encrypted. But, if there’s an accusation on one person, that harms the public interest or the higher interest of the country, it is allowed to break through the suspect’s cellular data concerned with phone calls. Thus, under one rule personal data can be penetrated, that is the higher interest of the country and the public. Higher interests of the public include causing harm on the country as a whole or being suspected with terroristic attacks.
Finally, the law also includes an article that refers to the right to be protected against decisions based on automated processing that can produce a legal or administrative effect (Art. 86). However, the law only mentions that individuals have the right to review and object, and does not include any responsibility for the data officer to provide individuals with an explanation of the decision and with an effective means to challenge the decisions as required by European legislation on the protection of personal data (“Rights Related to Automated Decision Making”, n.d.). Saleh added that Article 7 of the Constitution guarantees personal freedom for those who do not go against the law and that no penalty can be imposed if it is not based on the law. There are many cases when companies make automated decisions about customers or about users (in the case of social media platforms for example) that affect their lives and might expose them to serious harm. An example of Facebook’s automatic algorithm for suicide prevention, which collects and scans data from people’s posts, and then sends the data that signals the risk of self-harm to a team of experts that may share the data with the police if they think that the person is in real danger or causes danger. Even though automated decisions are combined with human made decisions, this is still a matter of serious privacy invasion.
In conclusion, the E-transaction law has brought some improvements to the legislative framework that are certainly going to help the development of electronic commerce and electronic contracts, but it has utterly failed to properly address the issue of personal data protection. Lebanese citizens appear to be at the mercy of companies and organizations whose data management policies are monitored solely by the Ministry of Economics and Trade, since they already have plenty to deal with and is entirely unprepared for this challenge. Moreover, the elimination of certain requirements and the vagueness of some of the articles make it fairly easy for entities to continue to process the personal data of the Lebanese people without much consideration for their rights to data agency. Thus, it is unlikely that this law will help address the issues related to personal data management of Lebanese people. Instead of empowering citizens to exercise greater control over their personal data that might be used by various private and public entities, it only gives the government more power to control of this data.
References
Chedid, E., & Tymburski, K. (2019, January 21). “New Lebanese law on e-transactions and data protection”. Retrieved from: www.dentons.com/en/insights/alerts/2019/january/21/new-lebanese-law-on-etransactions-and-data-protection
Harvard Humanitarian Initiative (2016). The Signal Code. A Human Rights Approach to Information During Crisis. Retrieved from: hhi.harvard.edu/sites/default/files/publications/signalcode_final.pdf
Law №81 Relating to Electronic Transactions and Personal Data (October 2018). Retrieved from: smex.org/wp-content/uploads/2018/10/E-transaction-law-Lebanon-Official-Gazette_ENGLISH.pdf
OCHA (2019). Data responsibility guidelines — Working draft. Retrieved from: https://centre.humdata.org/wp-content/uploads/2019/03/OCHA-DR-Guidelines-working-draft-032019.pdf
“Rights related to automated decision making including profiling” (n.d.). Retrieved from: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/rights-related-to-automated-decision-making-including-profiling
“State of privacy in Lebanon” (2019, January). Retrieved from: privacyinternational.org/state-privacy/1081/state-privacy-lebanon
