{"id":643,"date":"2025-07-17T13:27:18","date_gmt":"2025-07-17T13:27:18","guid":{"rendered":"https:\/\/informatics.ly\/en\/?post_type=session&#038;p=643"},"modified":"2026-06-07T09:12:51","modified_gmt":"2026-06-07T09:12:51","slug":"personal-data-protection-regulation-session","status":"publish","type":"session","link":"https:\/\/informatics.ly\/en\/session\/personal-data-protection-regulation-session\/","title":{"rendered":"Personal Data Protection Regulation Issued by the Central Bank of Libya"},"content":{"rendered":"\n<p>Research and Statistics Department \u2013 Central Bank of Libya (CBL).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Keynote Speaker<\/h3>\n\n\n\n<p><strong>Counselor Rabie Al-Ragoubi<\/strong>, Consultant at the Central Bank of Libya and member of the technical committee that drafted the regulation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Introduction<\/h3>\n\n\n\n<p>This workshop was held to shed light on the <strong>&#8220;Data Protection System and Executive Regulation&#8221;<\/strong> issued by the Central Bank of Libya under Circular No. 18, dated June 1, 2025.<\/p>\n\n\n\n<p>Counselor Rabie Al-Ragoubi opened the session by explaining that the regulation aims to create a clear legislative and regulatory foundation for data protection within the Libyan banking and financial sector, addressing the previous lack of a specific legal reference. He noted that the drafting process involved six months of intensive work by a specialized committee to create a framework suited to the reality of Libya\u2019s financial sector.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Workshop Pillars<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Pillar I: General Framework and Objectives<\/h4>\n\n\n\n<p>The system regulates the handling of all types of data within financial institutions, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Personal Data:<\/strong> Information identifying individuals.<\/li>\n\n\n\n<li><strong>Financial and Credit Data:<\/strong> Account details, transactions, and credit history.<\/li>\n\n\n\n<li><strong>Sensitive Data:<\/strong> Information requiring a high degree of confidentiality.<\/li>\n<\/ul>\n\n\n\n<p>The regulation covers the <strong>entire data lifecycle<\/strong>: collection rights, processing, storage, retention periods, protection measures, and secure disposal.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Pillar II: Scope of Application and Mandatory Timeline<\/h4>\n\n\n\n<p>The regulation becomes mandatory and binding for all entities under CBL supervision starting <strong>July 1, 2026<\/strong>. These include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The Central Bank and commercial banks.<\/li>\n\n\n\n<li>Foreign bank branches operating in Libya.<\/li>\n\n\n\n<li>FinTech companies and electronic payment service providers.<\/li>\n\n\n\n<li>Exchange companies and credit service providers.<\/li>\n\n\n\n<li>Financial leasing companies.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Pillar III: Data Sovereignty and Local Storage (The Point of Contention)<\/h4>\n\n\n\n<p>This was the most debated topic. The regulation explicitly states: <strong>&#8220;It is prohibited to store personal, financial, credit, or sensitive data outside the borders of the Libyan state.&#8221;<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Inquiry:<\/strong> Participants asked about using global <strong>Cloud services<\/strong> or storing encrypted backups abroad.<\/li>\n\n\n\n<li><strong>Response:<\/strong> Counselor Al-Ragoubi was firm\u2014storage must be <strong>100% domestic<\/strong>. He stated that the CBL conducted a market survey confirming that local data centers have sufficient capacity to cover the entire financial sector\u2019s needs, with room for future expansion.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Pillar IV: Penalties and Violations<\/h4>\n\n\n\n<p>To ensure compliance, the regulation includes deterrent penalties:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A fine of <strong>100,000 LYD<\/strong> for each violation. It was emphasized that this applies to <strong>each violation individually<\/strong>; for example, a breach affecting many customers could result in millions in fines.<\/li>\n\n\n\n<li>Potential <strong>revocation of licenses<\/strong> for certain companies (like FinTechs) in cases of repeated gross violations.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Pillar V: Infrastructure and Local Expertise<\/h4>\n\n\n\n<p>Regarding concerns about local infrastructure:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Response:<\/strong> The Counselor dismissed the idea of a lack of local talent, noting that several Libyan companies (some present at the workshop) are capable of providing high-standard hosting. The regulation is expected to drive local market demand and growth. The CBL is currently compiling a list of certified tech companies authorized to serve the financial sector.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Pillar VI: Data Usage and Explicit Consent<\/h4>\n\n\n\n<p>The regulation mandates <strong>&#8220;explicit and prior consent&#8221;<\/strong> from the customer before their data is used for any secondary purpose (such as marketing). This consent must be optional and not a prerequisite for receiving the primary service.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Pillar VII: Legal Accountability and the &#8220;Data Officer&#8221;<\/h4>\n\n\n\n<p>To ensure implementation, every financial institution must appoint a <strong>Data Officer<\/strong>.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Requirements:<\/strong> Must be a Libyan national.<\/li>\n\n\n\n<li><strong>Role:<\/strong> Directly supervises the application of the regulation and acts as the liaison with the CBL.<\/li>\n\n\n\n<li><strong>Accountability:<\/strong> The Data Officer bears direct responsibility for any failure to implement the regulation&#8217;s provisions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Conclusion and Recommendations<\/h3>\n\n\n\n<p>The workshop highlighted that this regulation represents a qualitative shift in Libya\u2019s financial governance. Key takeaways include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Absolute Compliance:<\/strong> The July 1, 2026 deadline is non-negotiable.<\/li>\n\n\n\n<li><strong>Sovereignty First:<\/strong> Domestic storage is the cornerstone of the regulation.<\/li>\n\n\n\n<li><strong>Strict Penalties:<\/strong> Non-compliance is designed to be extremely costly.<\/li>\n<\/ul>\n\n\n\n<p><strong>Primary Recommendation:<\/strong> Financial institutions must immediately begin developing compliance roadmaps, assessing their current infrastructure, and establishing partnerships with local service providers to meet the &#8220;in-country&#8221; storage and processing requirements.<\/p>\n","protected":false},"author":6,"featured_media":766,"parent":0,"template":"","meta":{"_acf_changed":false},"class_list":["post-643","session","type-session","status-publish","has-post-thumbnail","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/informatics.ly\/en\/wp-json\/wp\/v2\/session\/643","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/informatics.ly\/en\/wp-json\/wp\/v2\/session"}],"about":[{"href":"https:\/\/informatics.ly\/en\/wp-json\/wp\/v2\/types\/session"}],"author":[{"embeddable":true,"href":"https:\/\/informatics.ly\/en\/wp-json\/wp\/v2\/users\/6"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/informatics.ly\/en\/wp-json\/wp\/v2\/media\/766"}],"wp:attachment":[{"href":"https:\/\/informatics.ly\/en\/wp-json\/wp\/v2\/media?parent=643"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}