Lebanon: It's time to turn your international position on privacy into action at the national level
Lebanon was part of the drafting committee for the Universal Declaration of Human Rights, and by co-sponsoring both UN General Assembly resolutions on the right to privacy in the digital age (December 2013 and December 2014), Lebanon has recently reaffirmed its commitment to its obligations to uphold the right to privacy.
And yet, Lebanon's progressive positions on the right to privacy at the UN could not be further away from the situation in the country itself.
Once seen as more liberal than its Middle Eastern neighbours, Lebanon has recently been the subject of troubling reports on attacks and threats against the right to privacy. These include the Cybercrime and Intellectual Property Rights Bureau's expansive monitoring, investigative powers oppressing online privacy and freedom of expression of Lebanese citizens, the lack of judicial authorisation and administrative oversight of surveillance conducted by the Internal Security Forces and increasing restrictions on journalists and activists, particularly in terms of their online engagement.
Lebanon is currently failing failing to constitutionally uphold the right to privacy, to enforce a legal framework to protect personal data and to ensure that laws, regulations, activities, powers, policies and practices related to communications surveillance adhere to international human rights law and standards.
The Social Media Exchange (SMEX), a registered Lebanese nonprofit that conducts training, research, and advocacy on strategic communications and human rights in the digital era, collaborated with Privacy International and the Association for Progressive Communication (APC), to submit a joint stakeholder report. The report raises shared concerns about the respect, protection and promotion of the right to privacy in Lebanon before the Human Rights Council for consideration in Lebanon’s up-coming review at the 23rd session of Universal Period Review in early 2016.
During the first cycle of the Universal Period Review of Lebanon in 2010, the issue of the right to privacy remained undiscussed, but given the concerning reports that have emerged recently, it is crucial that the Human Rights Council request further information and commitment from Lebanon to address reported unlawful interferences with and violations of the right to privacy.
The main issues raised in the joint submission include:
Constitutional protection of the right to privacy
The Constitution in Lebanon does not explicitly protect the right to privacy as only the inviolability of the home is protected under its Article 14. Whereas Law No. 140 (Telecommunication Interception Act of 27 October 1999) upholds the protection of secrecy of communications carried out by all means of communication, it is concerning that there is a lack of constitutional protection of the right to privacy more broadly, to reflect the protections enshrined in Article 17 of the International Covenant on Civil and Political Rights (ICCPR) which reinforces Article 12 of the Universal Declaration of Human Rights (UDHR).
Whilst the Law No. 140 seems to provide the necessary safeguards, in practice systematic failures to abide by the law are directly threatening the right to privacy of Lebanon's citizens. Main concerns expresed in the UPR submission included:
The failure to respect the existing legal provisions requiring judicial oversight and administrative authorisation of surveillance in accordance with Article 2, 3 and 9 respective of the Law No. 140;
The unauthorised bulk interception of communications data for prolonged periods of time and unrestricted access to the electronic communications data of all Lebanese citizens by the Internal Security Forces (ISF);
The United Nations International Independent Investigation Commission (UNIIIC), and the Special Tribunal for Lebanon (STL), permitting the ISF unregulated access to private data of Lebanese citizens from an array of sources including university archives, medical records, and mobile phone records;
The presence of PacketShaper installations, surveillance technology provided by US-based Blue Coat, which allows for the surveillance and monitoring of users’ interactions on various applications such as Facebook, Twitter, Google Mail, and Skype;
The lack of oversight of agencies permitted to conduct surveillance with concerns around the legal framework overseeing the activities of the Cybercrime and Intellectual Property Rights Bureau and the failure to respect Law No. 140 which limits the powers of the Ministry of Interior to wiretap; and
A 2013 order by the Public Prosecutor's office requested all internet service providers (ISPs), and some internet cafes that offer Internet access, to retain the data of their users' activity for a period of one year.
Lebanon does not have a law regulating the protection of personal data. With existing and emerging initiatives includingthe unique ID number e-government initiative, the impending deployment of biometric passports, and the E-transaction bill which, in its current state, would allow for warrantless search and seizure of financial, managerial, and electronic files, including hard drives, computers, etc., and the establishment of the Electronic Signature & Services Authority, a new regulatory and licensing body with practically unchecked powers, it is extremely concerning that Lebanon has yet to adopt strong legislation protecting data privacy.
In view of the aforementioned areas of concerns, SMEX, APC and PI submitted the following recommendations for the adoption by the UN Permanent Delegations who will intervene during the official review of Lebanon:
Recognise and take steps towards compliance with international human rights law and standards by ensuring the application of the following principles to communication surveillance as articulated in the International Principles on the Application of Human Rights to Communications Surveillance namely, legality, legitimacy, necessity, adequacy, proportionality and respecting process of authorisation from a competent judicial authority, with due process, user notification, transparency, public oversight and respect for the integrity of communications and systems as well as ensuring safeguards against illegitimate access and right to effective remedy;
Investigate claims that illegal communications interception and access to data is routinely undertaken by the security services and other state authorities; ensure that such practices are ended and responsible individuals held to account if the claims are verified, and victims are provided redress for the violation they experienced;
Ensure that there are appropriate controls to prevent the use of private surveillance industry products to facilitate human rights abuses;
Ensure that the state surveillance of online and offline activities is lawful and does not infringe on human rights defenders’ right to freedom of expression and ability to defend human rights, including through use of the information communication technologies;
Immediately enact data protection legislation that complies with international standards and establish an independent data protection authority
Make further efforts to ensure freedom of opinion and expression in the country, including by ensuring that blocked or filtered websites are based on lawful criteria.
From words to action
For the first time at the at the 21st session of the UPR earlier in 2015, some states were challenged over their surveillance practices and their lack of protection for their right to privacy, including Kenya, Sweden and Turkey.
Given Lebanon's commitment to protecting the right to privacy at the United Nations, we hope its UPR will provide it an opportunity to apply what it preaches in Geneva to its national context by ensuring the privacy of its citizens are protected from unlawful, disproportionate and unnecessary interference by the Lebanese government but also other state as well as the private sector.