While the predominant aim of Libya’s new Electronic Transactions Law (Law No 6 of 2022) is to regulate electronic transactions, the law also brought into play new data protection requirements for entities handling personal data.
Introduction
In October last year, Libya passed the new e-Transactions Law (the “eTL”), officially Law No 6 of 2022. The eTL governs the validity and regulation of electronic transactions in Libya, and we released a blog post earlier this year that provided an overarching analysis of its key provisions. In today’s blog post, we will be examining the data protection effects of the eTL and how businesses can manage their data protection obligations under the new law.
When the eTL was passed, it introduced into law new requirements for any people or entities managing personal data, for example in relation to collecting and/or transferring data abroad.
However, it is still unclear to what extent the eTL’s provisions apply to private entities, and therefore, how far businesses must comply with its provisions on data protection.
Once new legislation is passed in Libya, it is usually followed by an executive regulation expanding on and clarifying the legislative provisions. In the case of the eTL, the government has not yet published such a regulation.
For entities questioning what their data protection obligations under the eTL may be, our team have evaluated the data protection standards contained in the law and, in this blog post, provide our perspective on potential routes to compliance at this time, until we gain further clarification on the eTL’s scope.
In brief, our view is that private companies may wish to consider whether their operations comply with best practices in data protection enshrined in the policies published by the National Information Security & Safety Authority in Libya (“NISSA”) or – even stronger – the data protection gold standard of the General Data Protection Regulation (“GDPR”).
Below we explain why, subject to your business’ individual circumstances, these could be viable routes to compliance with the eTL’s data protection requirements.
Comparison to the GDPR
The eTL takes a slightly different approach to data protection than the EU’s GDPR. Whereas the GDPR centres on enshrining data subjects’ rights, the eTL focuses instead on forbidding entities from actions that violate data protection principles. The data protection position under the eTL is therefore arguably different to the GDPR, focusing more on prevention than active protection.
If and when it is published, the executive regulation on the eTL may alter the eTL’s approach to align more with the individual-centred approach found in the GDPR, as the latter is seen as the more proactive data protection standard.
Indeed, there is nothing in the eTL itself, as it currently stands, that runs counter to the data protection provisions in the GDPR. Nor is it stricter than the GDPR in any way.
As a result, one can infer for the time being that companies whose Libyan operations are already GDPR-compliant will most likely be compliant with the data protection requirements under the eTL and are therefore unlikely to have to make any operational changes in light of the new law. We anticipate also that, for these companies, it is likely that no changes will need to be made under the forthcoming executive regulation to the eTL.
NISSA policies
Libya’s NISSA had, prior to the eTL, already published personal data protection policies in 2013.
Importantly, NISSA’s policies are binding only on Libyan state entities; they do not apply to the private sector. And even then, there is some ambiguity as to the enforceability of NISSA policies within the public sector.
Nevertheless, NISSA policies are the best indication of the Libyan government’s approach to data protection that we have at this time and can therefore be extrapolated for use by private entities.
(As a separate point, it is expected that the forthcoming executive regulation to the eTL will return to the question of NISSA’s scope and determine whether – going forward – the substance of NISSA policies will be binding on all entities operating in Libya, including the private sector.)
Our perspective, therefore, is that companies operating in Libya that do not already adhere to GDPR standards may wish to consider whether their operations comply with the substance of NISSA’s policies.
Summary/Conclusion
As the eTL was only recently enacted and its executive regulation has not yet been issued, its applicability is untested.
Therefore, with some ambiguity on the issue, our perspective is that companies may wish to consider whether their data protection policies comply with either Libya’s NISSA policies (being the only domestic data protection guidelines available), or with the EU’s GDPR (widely considered a gold standard in data protection).
We will be looking out for the publication of the executive regulation to the eTL and will post an update once it has been published. In the meantime, we are happy to advise companies operating in Libya on any questions related to these data protection regulations.