Data Privacy in The Middle East and North Africa’s Artificial Intelligence Ecosystems: A Glimpse on Egypt, Lebanon, and Tunisia

Written By: Farah Elbehairy

In recent years, several MENA countries have incorporated Artificial Intelligence into their national strategies for development.¹ These solutions require maximizing data availability, disclosing datasets in key sectors to enhance data quality, as well as adopting data policies and legal frameworks that enhance data protection and security. To this end, adopting adequate legislation for the technology is crucial.

The presence of online personal data and new technologies poses potential security threats for citizens’ personal data.² Therefore, policies that incorporate the users’ right to privacy are crucial. These policies should cover the (sensitive) data collected, the legal justifications and purposes for the data collection, the access of third parties to the data, measures relating to the transfer of personal data, as well as the procedures for data update and retention.³

Personal data protection laws that aim to protect and regulate the collection and processing of users’ data and information exist across the MENA region, albeit at a nascent stage.There is much room for the development and adaptation of these laws to better consider the emergence of data-heavy technological advancements.⁴ Moreover, in some countries, data protection laws may be more about data control rather than data protection. 

In Egypt, the Law 151/2020 on the protection of personal data regulates the collection, storing, processing, or controlling of Egyptians’ online personal data and information as they use the internet.⁵ The law requires entities processing personal data, — i.e. data recipients, collectors, controllers, and processors — to have data protection officers to ensure the implementation of the law.⁶ The law stipulates permissions for those entities and specifies that the collection and processing of personal data should be only for specific, legal, and public purposes.⁷ Additionally, users have the right to know what personal data is being collected, accessed, and processed, and by whom. They also have the right to ask data processing entities to give them access to or a copy of their collected and processed personal data.⁸

However, the law has some limitations, as it excludes some entities from the data protection obligations and does not cover the processing of personal data for media purposes. Moreover, no government entity is responsible for supervising the implementation of the law across public and private companies, and the specifications of permits to process the collected data are not outlined in the executive regulations of the law. In addition, the existing Cybercrime Law 175/2018 allows data companies to store data on users’ online activities for 180 days.⁹

In Lebanon, on the other hand, there are no clear legal interpretations that protect people’s right to privacy. In the Lebanese constitution, Article 14 grants protection only to the citizen’s place of residence. Indirectly, individuals’ right to privacy is slightly reflected in Article 8 which discusses individual liberty, and Article 13 which discusses freedom of expression.¹⁰ The Right of Access to Information Law 28/2017 allows limited protection for personal data by not allowing public institutions to distribute users’ data and information.¹¹ The law states that users are allowed to access their files and data previously collected by public authorities. In restricted situations, users may be allowed to access their information collected by private companies that are managed by the government or contracted to provide a public service.¹² The law also allows citizens to submit information requests related to the completion, updating, or deleting of their data.¹³

In 2018, Lebanon adopted a data protection law related to electronic transactions and personal information.¹⁴ This law, however, forbids individuals from taking back their consent to collect their data after it was formerly given. Their consent is also not taken into account in cases where the law requires their data to be collected.¹⁵ Moreover, the law does not set any time limits on data retention and does not control the processing of personal data and information.¹⁶ The law does not recognize users’ rights to be informed about violations of privacy or the right to understand how their data is being collected and processed.¹⁷ Additionally, the law does not command the establishment of an independent data protection authority—as such , there is no guarantee that it will be applied.¹⁸

In Tunisia, online privacy and the protection of personal data and information are still limited.¹⁹ The data protection law of 2004 is unable to address the issues arising from the development of new technologies.²⁰ For instance, the law defines personal data as “any information...relating to an individual”, with no indication of whether the definition includes the processing of personal data of online users. Although a national authority was established for the protection of personal data, it has no regulatory nature and cannot neither generate laws and regulations nor decide what actions constitute data violations. The authority’s mandate is to receive official complaints and recommendations on data protection issues, without having the power to implement the law to prevent violations of personal data. A new Tunisian draft law on the protection of personal data was introduced in 2018, including key guidelines of the EU’s General Data Protection Regulation (GDPR).²¹ The 2018 draft law expanded the definition of personal data to include online information and activities such as Internet Protocol (IP), GPS coordinates, email addresses, and biometric data. However, this definition still lacks any differentiation between personal data and public data. Strong data protection laws that meet international data protection rights standards should be a priority in Tunisia and should be reflected in Tunisians’ right to access information.²²

In short, MENA governments need to adopt data protection laws and security measures that center the privacy and security of users. These laws should guarantee the protection of their data and allow them to control what personal data they share and with whom. There are many advantages to the growing usage of AI technologies in MENA, but it is crucial to maintain the privacy of those who use them to create a more secure AI ecosystem in the region.

¹ Hashemite Kingdom of Jordan, 2020,
Jordan Artificial Intelligence Policy
Minsitry of Communications and Information Technology, 2021,
Egypt’s National Artifical Intelligence Strategy
OECD.AI Policy Observatory, 2022,
AI Policies in Tunisia
OECD.AI Policy Observatory, 2022,
Policies for Morocco
Ministry of Industry,
Lebanon's MoI’s AI Strategy

² Access Now, 2021,
Exposed and Exploited: Data Protection in the Middle East and North Africa

³ Access Now, 2021,
Exposed and Exploited: Data Protection in the Middle East and North Africa

⁴ United Nations Development Group (UNDG),
Data Privacy, ETthics and Protection Guidance Note on Big Data for Achievement of the 2030 Agenda

⁵ Access Now, 2020,
Egypt’s new data protection law: data protection or data control?

⁶ Access Now, 2020, Egypt’s new data protection law: data protection or data control?,
https://www.accessnow.org/egypts-new-data-protection-law-data-protection-or-data-control/ 

⁷ Ibid

⁸ Ibid

⁹ Legislation on-line Cyrilla Library, Egypt,
Law No. 175 of 2018 on Anti-Cybercrimes and Information Technology Crimes

¹⁰ Access Now, 2021,
Exposed and Exploited: Data Protection in the Middle East and North Africa

¹¹ The Tahrir Institute For Middle East Policy, 2021,
Lebanon’s Access to Information Law Has Been Amended… What’s New?

¹² The Tahrir Institute For Middle East Policy, 2021,
Lebanon’s Access to Information Law Has Been Amended… What’s New?

¹³ Ibid

¹⁴ Access Now, 2021,
Exposed and Exploited: Data Protection in the Middle East and North Africa

¹⁵ Ibid

¹⁶ Ibid

¹⁷ Ibid

¹⁸ Ibid

¹⁹ Ibid

²⁰ Ibid

²¹ The Tahrir Institute For Middle East Policy, 2021,
Lebanon’s Access to Information Law Has Been Amended… What’s New?

²² Access Now, 2020,
#DataProtectionDay in the MENA region: is there cause to celebrate?