Personal Data Protection Regulation Issued by the Central Bank of Libya
Research and Statistics Department – Central Bank of Libya (CBL).
Keynote Speaker
Counselor Rabie Al-Ragoubi, Consultant at the Central Bank of Libya and member of the technical committee that drafted the regulation.
Introduction
This workshop was held to shed light on the “Data Protection System and Executive Regulation” issued by the Central Bank of Libya under Circular No. 18, dated June 1, 2025.
Counselor Rabie Al-Ragoubi opened the session by explaining that the regulation aims to create a clear legislative and regulatory foundation for data protection within the Libyan banking and financial sector, addressing the previous lack of a specific legal reference. He noted that the drafting process involved six months of intensive work by a specialized committee to create a framework suited to the reality of Libya’s financial sector.
Workshop Pillars
Pillar I: General Framework and Objectives
The system regulates the handling of all types of data within financial institutions, including:
- Personal Data: Information identifying individuals.
- Financial and Credit Data: Account details, transactions, and credit history.
- Sensitive Data: Information requiring a high degree of confidentiality.
The regulation covers the entire data lifecycle: collection rights, processing, storage, retention periods, protection measures, and secure disposal.
Pillar II: Scope of Application and Mandatory Timeline
The regulation becomes mandatory and binding for all entities under CBL supervision starting July 1, 2026. These include:
- The Central Bank and commercial banks.
- Foreign bank branches operating in Libya.
- FinTech companies and electronic payment service providers.
- Exchange companies and credit service providers.
- Financial leasing companies.
Pillar III: Data Sovereignty and Local Storage (The Point of Contention)
This was the most debated topic. The regulation explicitly states: “It is prohibited to store personal, financial, credit, or sensitive data outside the borders of the Libyan state.”
- Inquiry: Participants asked about using global Cloud services or storing encrypted backups abroad.
- Response: Counselor Al-Ragoubi was firm—storage must be 100% domestic. He stated that the CBL conducted a market survey confirming that local data centers have sufficient capacity to cover the entire financial sector’s needs, with room for future expansion.
Pillar IV: Penalties and Violations
To ensure compliance, the regulation includes deterrent penalties:
- A fine of 100,000 LYD for each violation. It was emphasized that this applies to each violation individually; for example, a breach affecting many customers could result in millions in fines.
- Potential revocation of licenses for certain companies (like FinTechs) in cases of repeated gross violations.
Pillar V: Infrastructure and Local Expertise
Regarding concerns about local infrastructure:
- Response: The Counselor rejected the suggestion that local talent is lacking, noting that several Libyan companies (some present at the workshop) are capable of providing high-standard hosting. The regulation is expected to drive local market demand and growth. The CBL is currently compiling a list of certified tech companies authorized to serve the financial sector.
Pillar VI: Data Usage and Explicit Consent
The regulation mandates “explicit and prior consent” from the customer before their data is used for any secondary purpose (such as marketing). This consent must be optional and not a prerequisite for receiving the primary service.
Pillar VII: Legal Accountability and the “Data Officer”
To ensure implementation, every financial institution must appoint a Data Officer.
- Requirements: Must be a Libyan national.
- Role: Directly supervises the application of the regulation and acts as the liaison with the CBL.
- Accountability: The Data Officer bears direct responsibility for any failure to implement the regulation’s provisions.
Conclusion and Recommendations
The workshop highlighted that this regulation represents a qualitative shift in Libya’s financial governance. Key takeaways include:
- Absolute Compliance: The July 1, 2026 deadline is non-negotiable.
- Sovereignty First: Domestic storage is the cornerstone of the regulation.
- Strict Penalties: The penalties are designed to make non-compliance extremely costly.
Primary Recommendation: Financial institutions must immediately begin developing compliance roadmaps, assessing their current infrastructure, and establishing partnerships with local service providers to meet the “in-country” storage and processing requirements.