In an era marked by rapid advancements in technology and an ever-expanding digital landscape, the significance of robust legal frameworks governing electronic transactions and data protection cannot be overstated. For Lebanese companies, the enactment of the Lebanese Law No. 81 of 2018 related to electronic transactions and personal data (Law No. 81/2018 or ‘Law’) represents a pivotal moment in their journey towards adapting to the demands and opportunities of the digital age. This legislation not only addresses the critical need for legal clarity in electronic transactions but also establishes essential safeguards for data protection in an environment characterised by evolving cyber security threats and heightened concerns about privacy.
Lebanon, like many nations worldwide, has been experiencing a digital transformation that has reshaped the way businesses operate, communicate, and engage with their customers. E-commerce, online banking, and digital marketing have become integral components of the Lebanese business landscape, offering companies new avenues for growth and innovation. However, the absence of comprehensive electronic transactions regulations had left many enterprises navigating this digital terrain without clear guidelines, resulting in uncertainty and potential legal risks.
The introduction of the Law No. 81/2018 in Lebanon seeks to rectify this situation by providing a structured legal framework that recognises the validity and enforceability of electronic contracts, signatures, and records. This legal recognition is vital for Lebanese companies as it instills confidence in digital transactions, facilitates online commerce, and promotes efficiency by reducing the reliance on traditional paper-based processes. Moreover, it streamlines business operations, enabling companies to save time and resources by conducting transactions electronically.
Furthermore, the law introduces critical provisions to safeguard the privacy and security of electronic data, a concern that has gained immense prominence in recent years. Lebanese companies have increasingly found themselves entrusted with vast amounts of sensitive personal and financial information, making data protection a paramount priority. With cyber attacks on the rise and international standards for data privacy becoming more stringent, the new legislation equips Lebanese businesses with the necessary legal tools to protect their customers’ information and ensure compliance with global data protection standards.
This article delves into the multifaceted impact of the Law No. 81/2018 on Lebanese companies. It explores the various ways in which this legislation empowers businesses in their digital endeavours, from streamlining transactions and enhancing efficiency to fortifying data protection measures. Furthermore, it examines the challenges and opportunities that lie ahead for Lebanese enterprises as they embrace the potential of this legal framework. In essence, the Law No. 81/2018 serves as a beacon of hope for Lebanese companies, guiding them towards a more secure, efficient, and prosperous digital future.
I. A NEW LEGAL FRAMEWORK RECOGNISING THE VALIDITY AND ENFORCEABILITY OF ELECTRONIC CONTRACTS, SIGNATURES, AND RECORDS
As part of its effort to keep up with the rapid growth of the tech world, and with the aim of promoting a more efficient legal framework, the Lebanese Parliament took a vital step forward in addressing electronic communications, focusing on equating electronic documents with paper-based documents.
Here are some key conditions for recognising electronic contracts and signatures under Lebanese Law No. 81/2018:
1. Consent and agreement
Electronic contracts must be formed through the mutual consent and agreement of the parties involved. This means that all parties must willingly agree to the terms and conditions of the contract.
2. Electronic signature
An electronic signature is recognised as valid if it satisfies certain conditions set forth in said Law. These conditions include:
- It must be linked to the signatory and capable of identifying the signatory;
- It must be created using a reliable method that is within the signatory’s control;
- It must be suitable for the purpose for which it is used or required; and
- It must be accepted by the party receiving the electronic signature as a valid means of identification or authorisation.
3. Consent to use electronic communication
Before conducting electronic transactions or forming electronic contracts, the parties involved must agree to use electronic communication methods. This implies that both parties acknowledge and accept the use of electronic means for the transaction.
4. Recordkeeping
Parties are generally required to maintain electronic records of their transactions. These records may be subject to auditing or legal review if a dispute arises.
5. Reliability and integrity of electronic records
Electronic records must be maintained with the necessary safeguards to ensure their reliability and integrity. This includes protecting them from unauthorised access, alterations, or destruction.
6. Retention period
To date, the Law does not provide for a specific retention period pertaining to data protection; however, retention periods may be applicable under Lebanese laws, particularly in cases where they relate to tax or other regulatory requirements.
7. Notarisation and authentication
Certain types of contracts or documents may require notarisation or authentication by a competent authority for legal validity.
8. Compliance with other applicable laws
Electronic contracts and signatures must comply with other relevant laws and regulations in Lebanon, including those related to data protection and privacy.
9. Cross-border transactions
For cross-border electronic transactions, additional considerations related to international laws and agreements may come into play.
Based on the foregoing, electronic signatures under Law No. 81 of 2018 can carry the same legal weight and proof as paper-based signatures provided that they meet the required conditions and criteria outlined above. The key to the legal validity of an electronic signature in Lebanon lies in ensuring that the signature can be linked to the signatory, is created using reliable methods, and is suitable for the intended purpose. If an electronic signature meets these conditions, it can then be considered legally equivalent to a traditional handwritten signature.
However, it is important to note that the level of acceptance and recognition of electronic signatures may vary depending on the specific circumstances, the nature of the transaction, and the parties involved. Some contracts or documents may still require traditional handwritten signatures or notarisation for various legal or regulatory reasons. In addition, the Law is not yet sufficient to allow electronic documents to be treated equally to paper-based documents in all respects, especially since a decree is yet to be passed addressing the authentication process of e-signatures as well as the accreditation process of authentication service providers before the Lebanese Accreditation Council, i.e. COLIBAC. Until the enactment of the executive regulations, Lebanese courts retain the discretionary power to assess the evidentiary weight and reliability of all electronic signatures.
Consequently, consulting with legal experts or authorities in Lebanon is advisable when dealing with specific legal matters involving electronic signatures to ensure compliance with the latest legal requirements and standards.
II. DATA PROTECTION IN THE DIGITAL AGE: THE ROLE OF THE LAW NO. 81/2018 IN CREATING A SECURE LEGAL ENVIRONMENT FOR COMPANIES
Part V of the Law No. 81/2018 focuses on personal data protection. This part is a pivotal component of the legislation as it addresses the critical need for safeguarding personal data in a landscape marked by continuously evolving cyber security risks and increased focus on privacy concerns.
This part encompasses various provisions essential to data protection including:
- Data protection principles: The Law establishes fundamental data protection principles that Lebanese companies, and in general data controllers, must adhere to when processing personal data. These principles include Lawfulness (Article 87 of the Law); Transparency (Article 87 of the Law); Accuracy (Article 87 of the Law); Data minimisation (Article 87 of the Law); Purpose limitation (Article 87 of the Law); Storage limitation (Article 90 of the Law); Security (Article 93 of the Law) and Confidentiality (Article 106 of the Law).
- Controller and processor’s obligations: The Law imposes several legal obligations such as the safe collection of data for legitimate purposes as per Article 87; ensuring data safety as per Article 93; declaration requirements to the Ministry of Economy and Trade (MoET) as per Article 95; and obtaining licences for specific data collection including state security matters as per Article 97.
- Consent: Consent is not defined in the Law; nor does the Law contain any specific provision in regard to the requirements/conditions of consent as a legal basis for the processing of personal data.
- Data security: Organisations are required to implement robust security measures to protect personal data from distortion, damage, or unauthorised access.
- Data transfers: The Law lacks provisions related to data transfers.
- Data breach notification: The Law lacks provisions related to data breach notification.
- Data subject rights: Data subjects are granted certain rights including access (Article 99 of the Law), rectification (Article 101 of the Law), erasure (Article 101 of the Law), and the right to object/opt-out to the processing of their personal data (Articles 86 and 92 of the Law). Legal recourse is also available for data subjects to ensure that these rights are upheld.
- Sensitive data: While sensitive data is not explicitly defined, the Law does contain specific provisions related to the processing of data concerning health, genetic identity, and sex life of an individual as per Articles 91 and 97 of the Law.
- Data protection authority: A notable omission is the absence of an independent authority responsible for supervising.
- Data protection officer appointment: Another notable omission is the absence of specific provisions related to the appointment of a data protection officer.
While Part V of Lebanese Law No. 81/2018 recognises the importance of data protection in the digital era and attempts to create a safer legal framework for companies, it falls short in addressing key data protection concerns. Notably, it lacks provisions for appointing a data protection officer, establishing a data protection authority, and addressing cross-border data transfers. Consequently, the Law fails to set forth comprehensive guidelines and principles that companies must follow to ensure responsible and secure handling of personal data. This raises the question of whether Lebanese companies are currently required to be fully privacy compliant under the existing legal framework.
III. LEBANESE COMPANIES’ GLOBAL IMPERATIVE: ENSURING DATA PROTECTION COMPLIANCE BEYOND BORDERS
Notwithstanding the fact that the Lebanese Law No. 81 of 2018 has failed to create a data protection authority and that executive regulations pertaining to said Law are yet to be enacted, Lebanese companies are required to adopt privacy policies and abide by privacy regulations for several reasons including (1) being subject to data protection laws and regulations outside Lebanon such as the GDPR, and (2) practical necessity.
(1) The extraterritorial scope of data protection laws, including GDPR and its impact on Lebanese companies
In an interconnected world driven by digital globalisation, data knows no borders. The General Data Protection Regulation (GDPR), enacted by the European Union (EU), is a prime example of a data protection regulation with significant extraterritorial reach. Although GDPR is a European regulation, its impact extends far beyond the EU’s geographic boundaries. This extraterritorial scope has substantial implications for Lebanese companies and necessitates a diligent approach to data protection issues, both locally and internationally.
Understanding the extraterritorial scope of GDPR:
The GDPR’s extraterritorial scope primarily revolves around two key principles:
- Territorial applicability (Article 3): GDPR applies not only to organisations located within the EU but also to entities outside the EU that process personal data of individuals within the EU while offering goods or services or monitoring their behaviour. This extends its jurisdiction to businesses worldwide that interact with EU residents’ data.
- Data subject rights (Articles 12-23): GDPR grants specific rights to data subjects (EU residents) concerning the processing of their personal data. These include the rights of access, rectification, erasure, and portability of personal data, as well as the right to object to data processing. Lebanese companies processing the data of EU residents must comply with these rights.
The impact on Lebanese companies:
- Global business expansion: Lebanese companies aiming to expand their business internationally, particularly into EU markets, must take into consideration GDPR compliance. Failure to do so may result in legal penalties, fines, and damage to their reputation.
- Cross-border data transfers: Lebanese companies often engage in cross-border data transfers, collaborating with international partners or serving global clients. GDPR compliance is crucial when transferring personal data from the EU to Lebanon or other non-EU countries.
- Data protection frameworks: Compliance with GDPR can serve as a foundation for implementing robust data protection practices internally. This benefits not only EU-related operations but also enhances data security and privacy for all stakeholders, including Lebanese customers.
- Competitive advantage: Demonstrating GDPR compliance can be a competitive advantage, especially when dealing with international clients who prioritise data privacy and security. It can instill confidence in customers regarding data handling practices.
- Alignment with global standards: GDPR aligns with international data protection standards, influencing global discussions on data privacy. Lebanese companies can benefit from being at the forefront of data protection initiatives.
Local and international data protection compliance:
To navigate the complexities of data protection, Lebanese companies are urged to adopt a comprehensive approach that encompasses both local regulations, such as Lebanon’s Law No. 81/2018, and international standards like GDPR. This approach includes:
- Compliance assessment: Regularly assess data processing practices to ensure alignment with GDPR and local regulations.
- Data mapping: Identify the flow of personal data within and outside the organisation, paying special attention to cross-border data transfers.
- Employee training: Educate employees about data protection obligations and best practices, fostering a culture of data privacy awareness.
- Data security measures: Implement robust data security measures, including encryption, access controls, and incident response plans.
- Data protection officer (DPO): Appoint a DPO or data protection focal point responsible for GDPR and local data protection compliance.
- Consent and transparency: Obtain clear and informed consent for data processing activities and maintain transparent data processing records.
- Third-party contracts: Review and update contracts with third-party data processors to ensure GDPR compliance.
(2) Data protection compliance: A practical necessity for Lebanese companies
From a practical standpoint, data protection is critically important for Lebanese companies for several reasons, as follows:
- Legal compliance: Companies are often subject to data protection laws and regulations, such as the GDPR in the European Union or local data protection laws like the Lebanese Law No. 81/2018. Compliance with these laws is not only a legal requirement but also helps avoid substantial fines and legal consequences.
- Customer trust: Data breaches and mishandling of personal information can severely damage a company’s reputation and erode customer trust. Demonstrating a commitment to protecting customer data can help maintain and enhance trust, leading to stronger customer relationships and loyalty.
- Data security: Protecting sensitive business data, including intellectual property, trade secrets, and financial information, is vital to a company’s success. Data breaches can lead to significant financial losses, intellectual property theft, and loss of competitive advantage.
- Avoiding data breach costs: Data breaches can be expensive to remediate. Companies may incur costs related to investigation, notification of affected individuals, legal fees, public relations efforts, and potential lawsuits. Investing in data protection measures can help mitigate these costs.
- Competitive advantage: Companies that prioritise data protection can use it as a competitive advantage. Highlighting robust data security and privacy practices can attract customers who prioritise privacy and security when choosing products or services.
- Data analytics and insights: Accurate and well-protected data is essential for data analytics, which can provide valuable insights for business decision-making. Protecting data ensures its quality and reliability for analytics purposes.
- Global expansion: If a company plans to expand internationally or do business with partners in other regions, it may need to comply with various data protection regulations. Being proactive in data protection can ease international expansion efforts.
- Employee trust: Companies often store personal information about their employees, including payroll and benefits data. Ensuring the privacy and security of employee data is crucial for maintaining a positive work environment and employee trust.
- Preventing insider threats: Data protection measures help safeguard against insider threats, where employees or contractors may misuse or steal sensitive information.
- Business continuity: Data breaches can disrupt business operations. Data protection measures, such as data backups and disaster recovery plans, can contribute to business continuity in the event of a breach or other data-related incident.
In summary, Lebanese Law No. 81/2018 takes key steps to address the legal challenges posed by internet technologies, providing increased legal security for both individuals and businesses. Nevertheless, it falls short of offering comprehensive protection for individuals regarding the collection, processing, and use of their personal data. The law’s effectiveness also hinges on the enactment of vital implementing decrees and regulations.
Yet, as previously emphasised, data protection is not solely a legal requirement but also an essential practical imperative for Lebanese companies navigating the modern digital landscape. It serves to uphold legal compliance, safeguard valuable data assets, maintain customer trust, and mitigate the financial and reputational risks associated with data breaches.
In essence, Lebanese companies are compelled to prioritise data protection beyond borders, aligning with international standards and relevant regulations. This approach is vital to ensure legal compliance and to enhance their competitive advantage in an increasingly data-conscious global marketplace.
For further information, please contact
Jenny Fares
Senior associate
E: jenny.fares@hnslegal.com
Marilyne Zgheib
Associate
E: marilyne.zgheib@hnslegal.com