The Electronic Transactions and Data Protection Law in Lebanon: Empowering Lebanese companies in the digital age – Legal Business
Access the full range of Legal Business financial reports, including The LB100 and Global 100 – comprehensive coverage of the largest law firms in the world by revenue.
Head to the LB Disputes hub for focused Disputes coverage, including news, events, analysis, comment and the latest Disputes Yearbook.
Law firm coverage of crisis management amidst the Covid-19 pandemic
Private Practice Powerlist: Africa Specialists
The Arbitration Powerlist: Africa 2021
The Legal 500 law firm rankings: Africa
GC Powerlist: Greece and Cyprus 2022
The Legal 500 law firm rankings: Cyprus
GC Powerlist: China 2019
The Legal 500 law firm rankings: China
GC Powerlist: Germany 2023
The Legal 500 law firm rankings: Germany
The Legal 500 law firm rankings: Deutschland
GC Powerlist: Iberia 2022
Event: GC Powerlist Europe: Latin America Specialists 2023 – 26 October 2023
Event: Green Summit Portugal 2023 – 12 October 2023
The Legal 500 law firm rankings: Portugal
The Legal 500 law firm rankings: Spain
GC Powerlist: Ireland Teams 2023
Event: Legal Business and Addleshaw Goddard GC Forum Dublin – 19 October 2023
Event: Green Summit Ireland – 23 November 2023
The Legal 500 law firm rankings: Ireland
GC Powerlist: Israel 2023
The Legal 500 law firm rankings: Israel
GC Powerlist: Italy 2022
The Legal 500 law firm rankings: Italy
The Legal 500 law firm rankings: Malta
GC Powerlist: Middle East 2022
The Legal 500 law firm rankings: Middle East 2022
The Arbitration Powerlist: Nordics 2022
The Legal 500 law firm rankings: Europe
GC Powerlist: Switzerland 2023
The Legal 500 law firm rankings: Switzerland
Türkiye 2023
The Legal 500 law firm rankings: Turkey
The GCs and in-house legal teams in the Philippines making a major contribution to positive change, either at an industry or sector level
The most influential and innovative in-house teams working in Denmark…
In an era marked by rapid advancements in technology and an ever-expanding digital landscape, the significance of robust legal frameworks governing electronic transactions and data protection cannot be overstated. For Lebanese companies, the enactment of the Lebanese Law No. 81 of 2018 related to electronic transactions and personal data (Law No. 81/2018 or ‘Law’) represents a pivotal moment in their journey towards adapting to the demands and opportunities of the digital age. This legislation not only addresses the critical need for legal clarity in electronic transactions but also establishes essential safeguards for data protection in an environment characterised by evolving cyber security threats and heightened concerns about privacy.
Lebanon, like many nations worldwide, has been experiencing a digital transformation that has reshaped the way businesses operate, communicate, and engage with their customers. E-commerce, online banking, and digital marketing have become integral components of the Lebanese business landscape, offering companies new avenues for growth and innovation. However, the absence of comprehensive electronic transactions regulations had left many enterprises navigating this digital terrain without clear guidelines, resulting in uncertainty and potential legal risks.
The introduction of the Law No. 81/2018 in Lebanon seeks to rectify this situation by providing a structured legal framework that recognises the validity and enforceability of electronic contracts, signatures, and records. This legal recognition is vital for Lebanese companies as it instills confidence in digital transactions, facilitates online commerce, and promotes efficiency by reducing the reliance on traditional paper-based processes. Moreover, it streamlines business operations, enabling companies to save time and resources by conducting transactions electronically.
Furthermore, the law introduces critical provisions to safeguard the privacy and security of electronic data, a concern that has gained immense prominence in recent years. Lebanese companies have increasingly found themselves entrusted with vast amounts of sensitive personal and financial information, making data protection a paramount priority. With cyber attacks on the rise and international standards for data privacy becoming more stringent, the new legislation equips Lebanese businesses with the necessary legal tools to protect their customers’ information and ensure compliance with global data protection standards.
This article delves into the multifaceted impact of the Law No. 81/2018 on Lebanese companies. It explores the various ways in which this legislation empowers businesses in their digital endeavours, from streamlining transactions and enhancing efficiency to fortifying data protection measures. Furthermore, it examines the challenges and opportunities that lie ahead for Lebanese enterprises as they embrace the potential of this legal framework. In essence, the Law No. 81/2018 serves as a beacon of hope for Lebanese companies, guiding them towards a more secure, efficient, and prosperous digital future.
As part of its effort in keeping up with the rapid growth in the tech world, and in the aim of promoting a more efficient legal framework, the Lebanese Parliament took a vital step forward when tackling the issue of electronic communications while focusing on equating electronic documents with paper-based documents.
Here are some key conditions for recognising electronic contracts and signatures under Lebanese Law No. 81/2018:
Electronic contracts must be formed through the mutual consent and agreement of the parties involved. This means that all parties must willingly agree to the terms and conditions of the contract.
An electronic signature is recognised as valid if it satisfies certain conditions set forth in said Law. These conditions include:
Before conducting electronic transactions or forming electronic contracts, the parties involved must agree to use electronic communication methods. This implies that both parties acknowledge and accept the use of electronic means for the transaction.
Parties are generally required to maintain electronic records of their transactions. These records may be subject to auditing or legal review if a dispute arises.
Electronic records must be maintained with the necessary safeguards to ensure their reliability and integrity. This includes protecting them from unauthorised access, alterations, or destruction.
To date, the Law does not provide for a specific retention period pertaining to data protection, however, retention periods may be applicable under Lebanese laws, particularly in cases where they relate to tax or other regulatory requirements.
Certain types of contracts or documents may require notarisation or authentication by a competent authority for legal validity.
Electronic contracts and signatures must comply with other relevant laws and regulations in Lebanon, including those related to data protection and privacy.
For cross-border electronic transactions, additional considerations related to international laws and agreements may come into play.
Based on the foregoing, electronic signatures under Law No. 81 of 2018 can carry the same legal weight and proof as paper-based signatures provided that they meet the required conditions and criteria outlined above. The key to the legal validity of electronic signature in Lebanon lies in ensuring that the signature can be linked to the signatory, is created using reliable methods, and is suitable for the intended purpose. If an electronic signature meets these conditions, it can then be considered legally equivalent to a traditional handwritten signature.
However, it is important to note that the level of acceptance and recognition of electronic signatures may vary depending on the specific circumstances, the nature of the transaction, and the parties involved. Some contracts or documents may still require traditional handwritten signatures or notarisation for various legal or regulatory reasons. In addition to the foregoing, the Law is not yet sufficient to allow for electronic documents to be treated equally to paper-based documents in all respects especially that a decree is yet to be passed addressing the authentication process of e-signatures as well as the accreditation process of authentication service providers before the Lebanese Accreditation Council ie, COLIBAC. Until the enactment of the executive regulations, Lebanese courts retain the discretionary power to assess the evidentiary weight and reliability of all electronic signatures.
Consequently, consulting with legal experts or authorities in Lebanon is advisable when dealing with specific legal matters involving electronic signatures to ensure compliance with the latest legal requirements and standards.
Part V of the Law No. 81/2018, focuses on personal data protection. This part is a pivotal component of the legislation as it addresses the critical need for safeguarding personal data in a landscape marked by continuously evolving cyber security risks and increased focus on privacy concerns.
This part encompasses various provisions essential to data protection including:
Data protection principles: The Law establishes fundamental data protection principles that Lebanese companies, and in general data controllers, must adhere to when processing personal data. These principles include Lawfulness (Article 87 of the Law); Transparency (Article 87 of the Law); Accuracy (Article 87 of the Law); Data minimisation (Article 87 of the Law); Purpose limitation (Article 87 of the Law); Storage limitation (Article 90 of the Law); Security (Article 93 of the Law) and Confidentiality (Article 106 of the Law).
Controller and processor’s obligations: The Law imposes several legal obligations such as the safe collection of data for legitimate purposes as per Article 87; ensuring data safety as per Article 93; declaration requirements to the Ministry of Economy and Trade (MoET) as per Article 95; and obtaining licences for specific data collection including state security matters as per Article 97.
Consent: Consent is not defined in the Law; nor does the Law contain any specific provision in regard to the requirements/conditions of consent as a legal basis for the processing of personal data.
Data security: Organisations are required to implement robust security measures to protect personal data from distortion, damage, or unauthorised access.
Data transfers: The Law lacks provisions related to data transfers.
Data breach notification: The Law lacks provisions related to data breach notification.
Data subject rights: Data subjects are granted certain rights including access (Article 99 of the Law), rectification (Article 101 of the Law), erasure (Article 101 of the Law); and the right to object/opt-out to the processing of their personal data (Articles 86 and 92 of the Law). Legal recourse is also available for data subjects to ensure that these rights are upheld.
Sensitive data: While sensitive data is not explicitly defined, the Law does contain specific provisions related to the processing of data concerning health, genetic identity, and sex life of an individual as per Articles 91 and 97 of the Law.
Data protection authority: A notable omission is the absence of an independent authority responsible for supervising.
Data protection officer appointment: Another notable omission is the absence of specific provisions related to the appointment of a data protection officer.
While Part V of Lebanese Law No. 81/2018 recognises the importance of data protection in the digital era and attempts to create a safer legal framework for companies, it falls short in addressing key data protection concerns. Notably, it lacks provisions for appointing a data protection officer, establishing a data protection authority, and addressing cross-border data transfers. Consequently, the Law fails to set forth comprehensive guidelines and principles that companies must follow to ensure responsible and secure handling of personal data. This raises the question of whether Lebanese companies are currently required to be fully privacy compliant under the existing legal framework.
Notwithstanding the fact that the Lebanese Law No. 81 of 2018 has failed to create a data protection authority and that executive regulations pertaining to said Law are yet to be enacted, Lebanese companies are required to adopt privacy policies and abide by privacy regulations for several reasons including (1) being subject to data protection laws and regulations outside Lebanon such as the GDPR, and (2) practical necessity.
In an interconnected world driven by digital globalisation, data knows no borders. The General Data Protection Regulation (GDPR), enacted by the European Union (EU), is a prime example of a data protection regulation with significant extraterritorial reach. Although GDPR is a European regulation, its impact extends far beyond the EU’s geographic boundaries. This extraterritorial scope has substantial implications for Lebanese companies and necessitates a diligent approach to data protection issues, both locally and internationally.
The GDPR’s extraterritorial scope primarily revolves around two key principles:
Global business expansion: Lebanese companies aiming to expand their business internationally, particularly into EU markets, must take into consideration GDPR compliance. Failure to do so may result in legal penalties, fines, and damage to their reputation.
Cross-border data transfers: Lebanese companies often engage in cross-border data transfers, collaborating with international partners or serving global clients. GDPR compliance is crucial when transferring personal data from the EU to Lebanon or other non-EU countries.
Data protection frameworks: Compliance with GDPR can serve as a foundation for implementing robust data protection practices internally. This benefits not only EU-related operations but also enhances data security and privacy for all stakeholders, including Lebanese customers.
Competitive advantage: Demonstrating GDPR compliance can be a competitive advantage, especially when dealing with international clients who prioritise data privacy and security. It can instill confidence in customers regarding data handling practices.
Alignment with global standards: GDPR aligns with international data protection standards, influencing global discussions on data privacy. Lebanese companies can benefit from being at the forefront of data protection initiatives.
To navigate the complexities of data protection, Lebanese companies are urged to adopt a comprehensive approach that encompasses both local regulations, such as Lebanon’s Law No. 81/2018, and international standards like GDPR. This approach includes:
Compliance assessment: Regularly assess data processing practices to ensure alignment with GDPR and local regulations.
Data mapping: Identify the flow of personal data within and outside the organisation, paying special attention to cross-border data transfers.
Employee training: Educate employees about data protection obligations and best practices, fostering a culture of data privacy awareness.
Data security measures: Implement robust data security measures, including encryption, access controls, and incident response plans.
Data protection officer (DPO): Appoint a DPO or data protection focal point responsible for GDPR and local data protection compliance.
Consent and transparency: Obtain clear and informed consent for data processing activities and maintain transparent data processing records.
Third-party contracts: Review and update contracts with third-party data processors to ensure GDPR compliance.
From a practical standpoint, data protection is critically important for Lebanese companies for several reasons as follows:
In summary, Lebanese Law No. 81/2018 takes key steps to address the legal challenges posed by internet technologies, providing increased legal security for both individuals and businesses. Nevertheless, it falls short of offering comprehensive protection for individuals regarding the collection, processing, and use of their personal data. The law’s effectiveness also hinges on the enactment of vital implementing decrees and regulations.
Yet, as previously emphasised, data protection is not solely a legal requirement but also an essential practical imperative for Lebanese companies navigating the modern digital landscape. It serves to uphold legal compliance, safeguard valuable data assets, maintain customer trust, and mitigate the financial and reputational risks associated with data breaches.
In essence, Lebanese companies are compelled to prioritise data protection beyond borders, aligning with international standards and relevant regulations. This approach is vital to ensure legal compliance and to enhance their competitive advantage in an increasingly data-conscious global marketplace.
Jenny Fares
Senior associate
E: jenny.fares@hnslegal.com
Marilyne Zgheib
Associate
E: marilyne.zgheib@hnslegal.com
hnslegal.com
International
© 2025 Legal Business Magazine
Legalease Ltd, 188 Fleet Street, London, EC4A 2AG
T: +44 (0)20 7396 9313 | E: subscriptions@legalease.co.uk