| | Date: Nov 19, 2018 | Source: The Daily Star | | New data privacy law needs ‘redo,’ committee head says | Behbod Negahban| The Daily Star
BEIRUT: A new law covering digital transactions and personal data does not sufficiently protect internet privacy in Lebanon, experts say, and the politicians who fought for it agree.
“[The critics] are right,” Nadim Gemayel, MP and chair of Parliament’s Informational Technology Committee, told The Daily Star when asked if the law was outdated.
But scrapping the law, he continued, would have been unfeasible because deliberations had taken since 2004 to resolve.
MP Nicolas Sehnaoui, the former telecommunications minister, agreed.
“What’s your guarantee that [a new law] would pass after 14 years [of long debate]?” he said.
“The safest way was to pass [this law] and amend it later.”
While the law contains provisions legalizing secure online transaction methods and defining cybercrime, it’s the law’s sections on personal data privacy that have come under greatest scrutiny.
These sections set out the permits that private and public agencies need to collect and analyze personal data on, for example, social media use.
Mohamad Najem, co-founder of digital advocacy and research NGO Smex, said these articles were outdated and dangerous.
On the one hand, he said, the executive branch of the government has far too much power on deciding when to give a private company or foreign state access to users’ data.
It requires them merely to consult with the Economy Ministry.
By contrast, France and Tunisia have entire independent bodies comprising multiple actors, including members of Parliament and the judiciary, to handle these requests.
The Health, Justice, Interior and Defense ministries can also grant licenses as they see fit to private companies to view and process data.
At the same time, the exceptions listed in the law to the permission process are so broad that many companies would not need a permit at all, Najem said.
The data of “students of educational institutions” and members of “commercial companies, trade unions, associations and self-employed persons” are all excluded from the process. These exceptions “emptied” all the protections provided by the law, he added.
When asked why the law seemed to contradict itself, Najem said it was a result of the law’s age.
“The kind of data we have now is much [more] different than what we had in 2004 [when the law was drafted],” he said.
“Facebook, social media, smart cities, biometric data ... Instead of approving something that’s for 2004, we should look to 2030 and look at what will be available.
“But that’s the opposite of what happened. The only part that was relevant is the part on e-transactions.”
Gemayel and Sehnaoui both agreed that the exceptions were too broad and that the law is outdated.
Gemayel also added that he believes an independent body should make decisions on permits, instead of ministers. He said fixing these flaws was not a matter of amending one or two articles, but that a “full redo” of the law was necessary.
Both, however, insisted that having the law for now was better than having no law at all, with Gemayel characterizing it as “incomplete, but not negative” and Sehnaoui saying it was “100 percent an improvement” on the past. Najem disagreed.
“This law is actually worse than not having a law,” he said.
“It’s just giving [companies and the government] more legal power to collect our data and abuse our data, [and] the exemptions are broader than our current protections.
“User protection is not at the heart of this law,” he said.
“The heart of this law is ... an e-transaction law.” | |
|