Lebanon Law 81/2018

Law No. 81 of October 10, 2018 on Electronic Transactions and Personal Data

Flag of LB
Republic of LebanonOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
March 31, 2019
Enacted
October 10, 2018
Enforcing Authority
Ministry of Economy and Trade (no dedicated data protection authority)
Consent Model
Opt-in
Applies To
All data controllers operating within Lebanon

Overview

Lebanon's Law 81/2018 is a combined electronic transactions and personal data law — not a standalone comprehensive data protection framework. It was enacted in October 2018 and effective from March 2019. The law lacks a dedicated supervisory authority, with the Ministry of Economy and Trade serving as de facto overseer without specialized capacity. A formal definition of consent is notably absent, creating legal uncertainty.

What This Means for Your Website

  • Consent is required for personal data processing, though the law does not formally define what constitutes valid consent
  • There is no dedicated data protection authority — the Ministry of Economy and Trade oversees enforcement
  • Criminal penalties apply for unauthorized data access and electronic document forgery
  • The law's gaps and Lebanon's political and economic crisis mean practical enforcement is minimal
  • Data security measures are mandatory
  • The opt-in consent requirement applies in theory, but enforcement mechanisms are weak

Key Requirements

The Ministry of Economy and Trade oversees the law without specialized data protection capacity. Criminal penalties apply for severe breaches including unauthorized access and electronic document forgery. The law establishes principles of purpose limitation, lawfulness, transparency, accuracy, proportionality, storage limitation, security, and confidentiality. The absence of a formal consent definition creates uncertainty about what constitutes valid consent under Lebanese law.

How ConsentStack Handles This

ConsentStack applies opt-in consent collection for Lebanese visitors, providing a clear consent mechanism despite the law's gaps in defining consent formally.

Penalties

Criminal penalties including imprisonment for severe breaches. Fines for unauthorized access, electronic document forgery, and IT system misuse. Suspension of processing activities.

Key Requirements

  • Consent required for personal data processing (though not formally defined)
  • Principles of purpose limitation, lawfulness, transparency, and accuracy
  • Data subjects have rights of access, correction, and objection
  • Data security measures mandatory
  • Criminal penalties for unauthorized data access and electronic document forgery

Notable Provisions

  • NOT comprehensive — combined with electronic transactions law
  • No dedicated data protection authority
  • No formal definition of consent creates a legal gap
  • Political and economic crisis delays development and enforcement

Other Middle East & North Africa Regulations

KSA PDPLKingdom of Saudi Arabia
Saudi Arabia's first comprehensive data protection law, actively enforced by SDAIA with 48 decisions in its first year. Has the strictest cross-border data transfer restrictions in the Middle East. Consent is the primary legal basis, and the very active enforcement record signals high compliance risk for organizations.
UAE PDPLUnited Arab Emirates (federal, excluding DIFC and ADGM free zones)
The UAE's first federal data protection law, making consent the default legal basis for processing. The UAE operates a unique three-regime system where federal law, DIFC, and ADGM each have separate data protection frameworks. Executive Regulations are still pending, creating enforcement uncertainty around detailed implementation requirements.
Egypt PDPLEgypt
Egypt's first comprehensive data protection law, with Executive Regulations delayed five years before operationalization in November 2025. Requires explicit consent, PDPC licensing for certain processing, and criminal penalties including imprisonment. Cross-border transfers require PDPC licensing.
Israel PPL Amendment 13State of Israel
A sweeping reform of Israel's privacy law introducing GDPR-level enforcement capabilities, a private right of action without proof of harm, and extraterritorial scope. IP addresses, online identifiers, and geolocation data are explicitly included as personal data. The PPA's expected binding cookie guidance makes consent banners essential for Israeli users.
Algeria Law 18-07Algeria
Algeria's data protection law was significantly modernized by the 2025 amendment (Law 25-11), introducing DPO requirements and DPIA obligations that bring the framework closer to GDPR standards. The ANPDP was formally established in 2023, making the law enforceable. Criminal penalties including imprisonment apply.
Bahrain PDPLKingdom of Bahrain
Bahrain's comprehensive data protection law with a notable prohibition on cookie walls. Consent obtained through forced or obligated browsing is explicitly void. Cookie walls or making website access conditional on cookie acceptance are prohibited, making genuine voluntary consent a strict requirement for CMP implementations.

Frequently Asked Questions

Does Lebanon have a dedicated data protection authority?

No. The Ministry of Economy and Trade serves as de facto overseer, but there is no dedicated data protection authority with specialized capacity.

Why is consent undefined in Lebanon's law?

Law 81/2018 combines electronic transactions and data protection without providing a formal definition of consent, creating a legal gap that has not been addressed.

Is enforcement active in Lebanon?

Practical enforcement is minimal. The law's gaps, combined with Lebanon's ongoing political and economic crisis, have significantly delayed development and enforcement.

Stay compliant with Lebanon Law 81/2018

ConsentStack helps you implement Opt-in consent for Republic of Lebanon automatically.

Get started free