Data protection & privacy laws in Lebanon (2026)

Law No. 81/2018 ('Electronic Transactions and Personal Data') is enacted and applying since 31 March 2019. It combines e-transactions/e-signature rules with a generally-applicable personal data protection regime, rather than being limited to specific sectors.

The law does not establish a dedicated, independent data-protection regulator. The Ministry of Economy and Trade acts as de facto overseer (issuing declarations/licences), but lacks specialised capacity and accountability mechanisms.

Collecting, processing and using personal data generally requires a prior declaration to the MoET. A licence (from the relevant minister) is required for sensitive categories such as national/state security data, criminal/judicial data, and health, genetic or sexual-life data; some processing is exempt.

The law affords rights including access to one's data, rectification of inaccurate data, objection/opt-out (notably to direct-marketing and automated processing), and review before the processing officer, though the scope is narrower and less precisely defined than under the EU GDPR.

Processing must rest on the data subject's consent (which the law does not formally define) and follow principles of purpose limitation, proportionality, accuracy, security and confidentiality. Transfers abroad are allowed where the destination offers adequate protection, safeguards or explicit consent exist, or government approval is obtained.

Sanctions for breaches are modest (fines roughly LBP 1m–30m) and, amid Lebanon's political and economic crisis, the MoET has not built out implementing procedures, staffing or filing channels — so the law is widely criticised as under-enforced and outdated in practice.