Fighting against “Nothing to hide” - Civil Society’s Experiences of Advocating for data protection in Lebanon
Introduction
“I once attended a training of an insurance company on the topic of how to best attract new customers. The trainer suggested we should make use of our personal network – ideally asking medical staff if they can’t provide access to some of their large patients’ databases. I was shocked, this practice goes against so many norms and laws regarding privacy rights! When I protested, the trainer only replied that if I don’t feel comfortable doing this, I should just not do it. But no, I mean, that’s not how it should be! We should have a discussion about this!”[1]
The question of how personal data should, and more importantly, should not be used has increasingly gained traction over the last years. [2] While surely not a new phenomenon, the possibilities to collect, store and process personal data by state as well as private actors has heavily increased due to technological advancement – and with it the concerns these new developments entail for the freedom and safety of people. As has been pointed long ago, access to large data-sets of personal information constitutes a prerequisite for social control, allowing those who hold such data to influence the behaviour of those whose data is being held (Stadler 2002, Solove 2008). Today, misuses of personal data range from private companies tailoring their marketing campaigns or trading personal data with third parties to states’ security agenda under the proclaimed need for enhanced surveillance through “bulk interception” of citizen’s data.[3] While these developments have put the topic of data protection on the public agenda in many countries, it remains “marginalized” in Lebanon as one respondent interviewed for this paper framed it. While much has been written about the way advocacy groups in the US and Europe have criticised such practices as violations of citizen’s privacy rights (Dencik et al. 2016, Löblich/Wendelin 2012), much less scholarship focuses on responses to dataveillance in non-Western contexts (Dencik et al 2017). As has been stated, civil society’s advocacy for improved privacy rights in the digital age has been influential in legislative changes strengthening individual privacy, with many countries adapting their privacy framework to new digital conditions.[4] The most recent and encompassing example is the European Union’s (EU) General Data Protection Regulation (GDPR) that went into force in Mai 2018, seen as the world’s most encompassing data protection legislations to date (Dencik et al 2016, Times 2018).[5]
Meanwhile – being a conflict- and terrorism-affected country in a fragile region – Lebanese security and government actors are deploying surveillance and data collection technologies that outpace the development of adequate legal protections for their citizens’ data (Privacy International 2018). In effect, Lebanon, with very little legislation regarding privacy rights to begin with, has not yet introduced legislation regarding the protection of personal data (ibid.). This motivated this research into the reasons civil society actors identify for its relative negligence. Specifically, this research is guided by the following questions:
- From the perspective of civil society actors in Lebanon, what are the reasons for a lack of data protection legislation in Lebanon and what barriers do they face in putting the issue of data protection and privacy rights on the public agenda?
- What is the general public opinion and awareness regarding data protection and privacy rights?
After outlining my methodology, I will give a short overview about the legislative framework regarding data protection and privacy rights in Lebanon. I will then go on discussing what civil society actors perceived as the main reasons for a lack of data protection and barriers of increased advocacy. I will present findings of a small-scale survey among young academics’ opinion regarding privacy, and discuss findings from both research strands.[6]
[1] Personal anecdote of one of the respondents
[2] Personal data is here defined as every information allowing the identification of an individual person (examples are name, home or email address, physical location etc.)
[3] This practice has been termed “dataveillance” (Haggerty and Ericson 2006).
[4]Privacy International lists 126 countries as having adopted privacy regulations regarding personal data https://medium.com/@privacyint/data-protection-across-the-world-fe66ca1e138f
[5] Available at https://eur-lex.europa.eu/eli/dir/2016/680/oj
[6] For the purpose of this research, civil society actors are defined as individuals and organizations from the non-governmental and non-commercial sector (Hintz and Milan 2009: 23) engaged in “mobilised networks of groups and organizations, who over a certain period of time try to induce, prevent or undo’ certain regulations and who apply political strategies in order to become integrated into the political process” (Kern, 2008: 13).