Across the Middle East and North Africa (MENA), governments are increasingly adopting digital governance tools, from biometric identification to data-driven migration policies. These technologies are often promoted as mechanisms to enhance efficiency, transparency, and economic growth. However, their rapid and unregulated implementation has frequently reinforced existing inequalities rather than fostering inclusion. When deployed without robust legal protections and accountability measures, these technologies risk becoming tools of exclusion, state surveillance, and elite control.
Digital technologies across the MENA region are used to rapidly reshape power, governance, and individual rights, often in ways that concentrate surveillance, data extraction, and automated decision-making in the hands of states and private actors. Biometric screening at borders, algorithmic “risk-profiling” of incoming migrants, and monitoring tools create new levers of control that spill far beyond any single population. In the absence of robust data-protection frameworks, sensitive personal information is routinely harvested, traded, and weaponized, undermining trust not only for marginalized communities, but for journalists, activists, and everyday citizens alike.
Since the genie cannot be pushed back into the bottle, it is crucial to examine some of these impacts on end users—the individuals directly affected by the adoption of these new technologies. This article examines the consequences of some of the digital governance tools and technology being deployed in some of the countries across the MENA region, particularly for communities at risk of exclusion and repression. It explores the ways in which digital ID systems, artificial intelligence (AI), and surveillance technologies have been deployed without sufficient safeguards, leading to unintended, or in some cases deliberate, harms. Through examples from Lebanon, Tunisia, and beyond, we assess how donor-driven technology transfers and private-sector involvement in digital governance often prioritize efficiency over human rights. Finally, we offer recommendations for a rights-based approach to digital governance that centers transparency, accountability, and inclusivity.
Governance failures and digital vulnerabilities
While digital governance tools promise efficiency and transparency, weak regulatory structures, systemic corruption, and rushed implementations often create new vulnerabilities rather than solving existing governance challenges.
Lebanon’s journey with e-governance has faced the same pockmarked road as many legislative efforts in the country: systemic policy paralysis. For instance, the country’s flagship data protection law was subject to repeated revision and negotiation from 2004 to 2018, and even when enacted, it proved woefully incapable of managing and securing data across the public and private sectors. The legislation is only part of the picture: Lebanon’s Information and Communication Technology (ICT) infrastructure remains insecure, as evidenced during the recent conflict with Israel when digital warfare tactics were employed by the Israeli army against the population.
The development of proper ICT infrastructure is urgently needed. However, given the systemic inefficiency of public institutions and recent numerous data breaches exposing vulnerabilities in citizens’ data, introducing new ICT without establishing robust oversight will likely create further online insecurity, putting citizens’ data at risk. To avoid these difficulties, Lebanon must address key flaws in the 2018 law—most notably Chapter Five, which neglects the protection of citizens’ data by “concentrating power in the executive branch and failing to provide many standard safeguards.” The country’s new government should consider amending this chapter by instituting a separate oversight mechanism to review policies and raise awareness about data protection’s best practices modeled on frameworks like the European Union’s General Data Protection Regulation (GDPR) as well as other frameworks that protect personal data.
With regulatory gaps and chronic underfunding leaving citizens vulnerable to unchecked privacy violations, digital initiatives risk eroding trust rather than strengthening governance
Tunisia received $100 million from the World Bank in 2019 to implement a range of e-governance reforms, including the digitalization of its public sector, meant to bolster public trust. However, the rapid adoption of digital tools intended to enhance governance is being undermined by an outdated data protection framework. Established in 2004 for a very different technological landscape, Tunisia’s legal structure fails to meet modern data security standards. Moreover, the country’s independent data protection authority, the National Authority for the Protection of Personal Data, lacks the necessary resources and political support to enforce safeguards effectively. With regulatory gaps and chronic underfunding leaving citizens vulnerable to unchecked privacy violations, digital initiatives risk eroding trust rather than strengthening governance.
A prominent example of these systemic shortcomings is the highly contentious biometric ID bill and its associated biometric passport. Despite eight years of civil society advocating to embed robust data protections, the bill passed in parliament in 2024, largely in the face of sustained opposition. Critics argue that this legislative outcome will potentially threaten public data without stronger digital safeguards and will add broader challenges in ensuring accountability and transparency in the digital age. Moreover, the lack of clarity regarding the project’s implementation details—such as rollout plans, budget allocations, and responsible agencies—further undermines public trust, especially with its anticipated rollout in the second semester of 2025.
Similarly, the introduction of mobile ID systems, designed to streamline access to public services, carries the risk of exacerbating social inequalities. These technologies may inadvertently marginalize individuals who lack digital literacy or access to the necessary technological resources, thereby reinforcing existing disparities rather than alleviating them. Collectively, these examples underscore the urgent need for Tunisia to modernize its legal and regulatory frameworks to harness the full potential of digital tools while protecting its citizens’ rights.
Impacts on marginalized communities
The adoption and use of ICT is a double-edged sword. On one hand, these technologies have the power to bypass bureaucratic hurdles and streamline service delivery; on the other, in the absence of adequate infrastructure or legal oversight, they can become dangerous instruments of control. This is particularly concerning when such tools target already marginalized communities, who frequently find themselves subjected to heightened surveillance and legal exclusion. For asylum seekers, internally displaced persons, and refugees, the promise that ICT will enhance service delivery and protection can instead result in increased vulnerability.
Real danger persists for the displaced, in autocratic regimes as well as in democratic societies. For instance, throughout Europe, governments have employed ICT to access, scan, and analyze the mobile phone content of refugees—a practice that has been sharply criticized by civil society groups. In response, European laws have been amended to target privacy breaches, offering protection for citizens while leaving refugees more exposed.
In the absence of legally binding, context-specific safeguards and external oversight, what begins as a convenience can quickly become a tool for surveillance and exclusion
In Jordan, the World Food Program and UNHCR have introduced iris-scan technology provided by the UK-based company IrisGuard to speed up cash and food distributions for refugees—measures that, on paper, could enhance service delivery and reduce fraud. Both agencies emphasize that strict internal data-protection policies keep iris scans securely stored and away from authorities, and that refugees may decline enrollment without losing access to aid. Yet, by centralizing extremely sensitive identifiers in a single vendor’s system, these services still carry real risks. Many displaced people feel they have little choice but to submit their biometric data to receive basic aid, while civil society groups warn that opaque data-collection practices leave no guarantee against future policy changes or data breaches. In the absence of legally binding, context-specific safeguards and external oversight, what begins as a convenience can quickly become a tool for surveillance and exclusion.
These examples highlight the threats of unregulated digital technologies and underscore the urgent need for tech providers and private companies to prioritize user safety and security. Governments must adopt privacy-by-design principles and collaborate closely with affected communities and civil society organizations—such as digital rights advocates, government watchdogs, and data protection practitioners and experts—and ensure that technological innovations avoid becoming instruments of repression.
Donor-driven technology transfers and best practices
International donors, such as multilateral organizations like the World Bank and various development agencies, often support technology transfers aimed at modernizing public services, strengthening governance, and improving humanitarian responses. These initiatives might include deploying biometric identification systems, advanced data management tools, and other types of technologies. The underlying assumption is that these would be catalysts for efficiency and better governance, promising streamlined processes that simplify access to vital services.
However, the reality is that when these technologies are exported without sufficient contextual adaptation or robust safeguards, the consequences can be disastrous. A striking example is the mid-2024 data breach in Turkey, during which the personal information of approximately 3 million Syrian refugees residing in Turkey was exposed. Reportedly orchestrated by a 14-year-old who disseminated the data via social media, this breach undermined the intended benefits of enhanced data management and exacerbated xenophobia and violence against an already vulnerable community.
This incident underscores the gap between the intended outcomes of technology-driven initiatives, whether supported by external donors or led by domestic agencies, and their real world consequences. Humanitarian organizations often collect extensive data on refugee populations to improve service delivery, but without stringent security measures, breaches can expose vulnerable personal details. Such breaches can lead to identity theft, harassment, and targeted violence, ultimately turning humanitarian data into a tool for repression rather than protection.
To address these challenges, implementing agencies must ensure that any digital solution is accompanied by robust data protection measures, including state-of-the-art encryption, strict access controls, and regular security audits. Equally important is the adoption of a data minimization approach, or collecting only what is strictly necessary, to reduce the potential fallout of any breach. Moreover, practical mechanisms, such as community consultations, local advisory panels, participatory design workshops, and consultation with experts and civil society should be established to incorporate the perspectives of affected communities in the design and implementation of these technologies. Only through a rigorous commitment to these safeguards can donor-driven technology transfers truly serve their intended purpose of modernizing services and promoting equitable development, rather than inadvertently causing harm.
Resistance, risks, and the road ahead
Resistance against the misuse of digital technology has manifested in diverse and impactful ways, offering hope for a more accountable digital future. In Uganda, protests against the country’s social media tax eventually forced its repeal in 2021, demonstrating the power of collective mobilization. Similarly, in November 2014, Amnesty International, in partnership with human rights and technology organizations, launched Detekt, a tool designed to empower journalists and activists to detect government surveillance spyware on their devices.
What starts in a battlefield or border checkpoint could soon turn into surveillance, censorship, and private-sector data deals across the region
Collective action is more important than ever. This is critical in response to the recent use of AI-driven autonomous weapons in Gaza, leading to catastrophic civilian harm, which sends a clear warning on how the same machine-learning tools used for “precision” could also magnify indiscriminate violence. This alarming trend underscores why digital and human rights advocacy cannot remain siloed: what starts in a battlefield or border checkpoint could soon turn into surveillance, censorship, and private-sector data deals across the region.
To mitigate these risks and harness the positive potential of technology, comprehensive governance frameworks are essential. Policymakers in the MENA region should focus on establishing independent oversight bodies, enacting strict data protection and privacy laws, and fostering collaborative dialogue among governments, tech companies, civil society, and international organizations. While these measures are needed, their success hinges on overcoming entrenched challenges and issues like systemic corruption, political resistance, and weak institutions, which may be exacerbated by recent global trends and cuts in funding. However, with rising public demand for accountability, sustained effort and strategic collaboration, and renewed international commitment and targeted reforms, there remains a pathway to harness digital tools for improved service delivery and governance.
Kassem Mnejja is a Nonresident Fellow at TIMEP focusing on digital rights and cyberspace across the MENA region with a particular interest in internet shutdowns.
Drew Mikhael is a Nonresident Fellow at TIMEP focusing on migration and displacement across the MENA region.