Data protection & privacy laws in Libya (2026)

Articles 12 and 13 of Libya's 2011 Constitutional Declaration guarantee citizens' right to a private life and confidentiality of correspondence and communications, subject only to a judicial warrant. These provisions form the foundational constitutional privacy norm in the absence of a comprehensive statute.

Enacted in 2022, this law requires explicit consent before collecting personal data, mandates pre-processing transparency notifications identifying the controller, data type, purpose and security measures, grants data subjects access and correction rights, and sets cross-border-transfer adequacy conditions. It is the primary in-force source of data-protection obligations.

Enacted September 2022, the law criminalises unauthorised access, identity theft and related digital offences, and empowers NISSA to restrict content threatening 'public order and social peace'. Human Rights Watch and Article 19 have flagged overbroad provisions that could suppress legitimate expression.

The National Information Security and Safety Authority (NISSA), established by Ministerial Council decree in 2013, is responsible for ICT security and has published internal data-protection, acceptable-use and network-security policies. It is not a fully-fledged data-protection authority, and no independent DPA exists.

Act No. 4/1990 on the National System for Information and Documentation governs government collection of personal data for socio-economic research. The 1953 Penal Code penalises interference with private correspondence, including a minimum six-month prison term for public servants who violate communications confidentiality.

As of 2026, no draft comprehensive data-protection statute has been publicly tabled by either the Tripoli-based GNU or the eastern House of Representatives. Analysts attribute inaction to ongoing political fragmentation; reform remains possible but unscheduled.