There is no breach notification requirement in Libya.
Currently, there is no specific data protection law in Libya. However, in recent years, Libya has witnessed a significant transformation in its legal framework with the introduction of pivotal legislation addressing data protection, cybercrime and electronic transactions. Law No. 5/2022 regarding Combating Cybercrime and Law No. 6/2022 concerning Electronic Transactions not only mark a significant step in adapting to the evolving digital landscape but also strengthen the overall data protection framework within the country.
Articles 12 and 13 of the Constitution 2011 guarantee, respectively, the right to a private life for citizens and the confidentiality of correspondence, telephonic conversations and other forms of communications, except where required by a judicial warrant. In other words, there is no detailed information concerning privacy systems in Libya that protect individuals when their data is processed.
With regard to privacy protection, there are some provisions in the Libyan Penal Code (1953) that provide general protection for private correspondence and homes from any interference by others. These articles provide that public servants who commit an offence against private correspondence will face imprisonment of no less than six months.
Also, there are some articles in Act No. 4 (1990) on the National System for Information and Documentation, which governs the government’s collection of personal data for conducting research for social and economic reasons. This Act contains provisions which require government entities to take some steps to protect the collected data, such as prohibiting the government from forcing individuals to give their data in order to conduct its research. However, these articles do not provide protection to personal data when individuals process their data.
Also, the Central Bank of Libya regulated general criteria for protecting personal data, which are available online. However, these are applicable only to Libyan banks.
While Libyan Law does not explicitly provide a specific definition for personal data, the National Information Security and Safety Authority (NISSA) Policy Manual offers a comprehensive understanding of personal information, categorizing it into three distinct categories. It is worth noting, however, that NISSA policies are binding only on the public sector at the moment, rather than the private sector.
Definition of Confidential Data
Information that is classified as confidential or restricted includes data that can be catastrophic to one or more individuals and / or organizations if compromised or lost. Such information is frequently provided on a “need to know” basis and might include:
- Personal data, including personally identifiable information such as Social Security or national identification numbers, passport numbers, credit card numbers, driver's license numbers, and medical records.
- Financial records, including financial account numbers such as checking or investment account numbers.
- Business material, such as documents or data that is unique or specific intellectual property.
- Legal data, including potential attorney-privileged material.
- Authentication data, including private cryptography keys and username-password pairs.
Definition of Sensitive Data
Information that is classified as being of medium sensitivity includes files and data that would not have a severe impact on an individual and / or organization if lost or destroyed. Such information might include:
- Email, most of which can be deleted or distributed without causing a crisis (excluding mailboxes or email from individuals who are identified in the confidential classification).
- Documents and files that do not include confidential data.
- Anything that is not confidential. It can include most business data, because most files that are managed or used day-to-day can be classified as sensitive.
Definition of Public Data
Information that is classified as public includes data and files that are critical to business needs or operations. This classification can also include data that has deliberately been released to the public for their use, such as marketing material or press announcements. In addition, this classification can include data such as spam email messages sorted by an email service.
There is no data protection authority as per Libyan Law. However, through an inclusive approach involving the government, private sector, academia, and civil society organizations, the National Information Security & Safety Authority (NISSA) was established to dynamically safeguard the confidentiality, integrity, availability, and resilience of information and communication technologies (ICT) infrastructure, resources, services, and data by providing high-quality information security and safety services. It is also positioned as an authoritative source for trusted information security expertise in the Libyan region.
Despite NISSA's policies on personal data protection, which are applicable only to Libyan state entities, private entities may consider these as indicators of the government's approach to data protection.
There are no registration requirements relating to personal data.
There is no data protection officer requirement as per Libyan Law.
In Law No. 6/2022 regarding Electronic Transactions, there are provisions relating to data collection and processing which are as follows:
Any public entity and any authentication service provider may collect personal data directly from the person whom the data is collected about or from someone else, only after the explicit consent of this person and only for the purposes of issuing, maintaining, or facilitating a certificate.
Data may not be collected, processed, or used for any other purpose without the explicit consent of the person from whom the data was collected.
Except for the previous article, obtaining, disclosing, providing, or processing personal data is legitimate if it is:
- Necessary for the purpose of preventing or detecting a crime based on an official request from investigative bodies.
- Required or permitted under law or a court decision.
- For the assessment or collection of any tax or fee.
- To protect a vital urgent interest of the person whose data was collected.
Taking into account the previous article, the authentication service provider must follow appropriate procedures to ensure the confidentiality of the personal data in his custody while performing his duties. He may not disclose, transfer, declare, or publish such data for any purpose whatsoever without prior consent from the person whose data was collected.
Any person who controls personal data by virtue of his work in electronic transactions must, before processing such data, inform the person from whom the data was collected by a special notification of the procedures he follows to protect personal data. These procedures must include identifying the person responsible for the processing, the nature of the data, the purpose of its processing, methods and locations of processing, and all the necessary information to ensure secure data processing.
The authentication service provider must enable the person from whom personal data has been collected to access and update it. This right includes access to all personal data sites related to the person from whom the data was collected. Therefore, he must provide appropriate technological means to enable electronic access.
Additionally, there are some articles in Law No. 4/1990 on the National System for Information and Documentation, which governs the government’s collection of personal data for conducting research for social and economic reasons. This Law contains provisions which require government entities to take some steps to protect the collected data, such as prohibiting the government from forcing individuals to give their data in order to conduct its research. However, these articles do not provide protection to personal data when individuals process their data. Also, the Central Bank of Libya regulated general criteria for protecting personal data, which are available online. However, these are applicable only to Libyan banks.
There are no provisions relating to internal data transfer. However, there are provisions relating to international data transfer, which are specified in Article 78 of Law No. 6/2022, which states:
If necessary to transfer personal data outside of Libya, due consideration must be given to an appropriate level of protection, specifically:
- The nature of the personal data.
- The source of the information included in the data.
- The purposes for which the data is to be processed and its duration.
- The country to which the data is being transferred, its international commitments, and the applicable law therein.
- The relevant rules in that country.
- The security measures taken to protect the data in that country.
It should be noted that recently, the Libyan House of Representatives enacted Law No. 5/2022 concerning Combating Cyber Crimes in September 2022. In accordance with this law, cybercrime is defined as “every act committed through the use of computer systems, the international information network, or other information technology means in violation of the provisions of this law.”
This law has brought in some form of enforcement regarding breaches of copyright, with fines and prison sentences to be enacted in such a case. The sentence for copyright infringement is a prison sentence of no less than one year, and a fine of no less than 1,000 Dinars.
Furthermore, Law No. 6/2022 regarding Electronic Transactions has also brought in some enforcement procedures relating to data protection. Article 79 states ‘Entities collecting personal data according to Article 73 of this law are prohibited from sending electronic documents to the person from whom the data was collected if he explicitly refuses to accept them.
Processing of personal data by the person who collected it is not allowed if he explicitly refuses to accept it. Additionally, processing is not allowed if it causes harm to the individuals from whom the data was collected, or infringes upon their rights or freedoms. The data may also not be used for any other purposes than those agreed upon unless consent is obtained from the data owner.’
Articles 81-84 of this law state:
Without prejudice to any stricter penalty stipulated by the Penal Code or any other law, anyone who commits any of the acts stipulated in Articles 79 ….. of this law shall be punished with imprisonment for a period not less than one year and a fine of not less than three thousand dinars and not exceeding ten thousand dinars.
The penalty will be imprisonment and a fine of not less than ten thousand dinars if these acts were committed to disrupt electronic transactions related to the government or military or security institutions or banks.
Without prejudice to the individual criminal liability of the perpetrator of the crime, the legal representative of the legal person shall be punished with the same penalties prescribed for the acts committed in violation of the provisions of this law, if it is proven that his failure to perform his duties contributed to the occurrence of the crime.
The legal person shall be jointly responsible for any financial penalties or compensations if the crime was committed on his behalf or in his name or for his benefit.
Without prejudice to any stricter penalty stipulated by the Penal Code or any other law, anyone who exploits the weakness or ignorance of a person in electronic operations by compelling him to commit, presently or in the future, in any form, shall be punished with imprisonment for a period not less than one year and a fine not less than five thousand dinars and not exceeding ten thousand dinars, provided that it is proven from the circumstances that this person is unable to distinguish the dimensions of his commitments and obligations.
Without prejudice to the rights of bona fide third parties, in all cases, the devices, programs, or means used in committing any of the crimes stipulated in this law or the funds obtained from them shall be confiscated.
It also provides for the closure of the shop or the site where any of these crimes are committed and the cancellation of its license if the crime was committed with the owner's knowledge.
The closure is either complete or for the period determined by the court.
There is no specific law governing electronic marketing.
There is no specific online privacy legislation.