After a long wait, preparation, and as a tangible initial step, Egypt has finally issued and published its first Data Protection Law on the 15th of July 2020 “the Law”; covering natural persons digital personal data, excluding some data out of the scope of application, as enclosed in article 3 of the Law, including personal data processed for official statistics or in the application of a legal provision, personal data related to judicial reports, investigations and claims, as well as the Central Bank of Egypt (“CBE”), and most of the entities subject to its supervision.
The Law shall come into force on the 14th of October 2020, where its Executive Regulation is planned to be issued within 6 months of the Law’s issuance (approximately by April, 2021).
2. Compliance time-frame
All entities to which the Law is addressed i.e. Corporates processing personal data in Egypt, or outside Egypt in respect of individuals in Egypt, should fully comply with the Law’s requirements; within “a year as of the date of the Executive Regulation issuance”.
3. Data protection principles
Generally, the Law introduces a variety of compliance requirements as well as some significant criminal penalties in return; incorporating and following several internationally accepted fundamental principles of data protection law, practice and procedure. These principles will govern the practices of organisations in Egypt that collect, process and store personal data. The law imposes licensing requirements for data processing, data control, dealing in sensitive data, digital/electronic marketing, and cross-border transfer of data. The Law generally prohibits the processing of personal data except with the consent of the data owner/whom the data is relevant thereto, or where otherwise permitted by law.
4. Personal data
The Law defines “Personal Data” as any data related to an identified natural person, or to a natural person identifiable, directly or indirectly, by reference to any other data, such as name, voice, picture, identification number, online identifier, or any data that identifies psychological, health, economic, cultural or social identity.
It further defines “sensitive Personal Data” separately as Personal Data that discloses psychological, mental, physical or genetic health, biometric data, financial data, religious beliefs, political opinions or security situation; considering Personal Data relating to children is deemed to be sensitive personal Data.
5. Data owners’ rights
Data owners/ whom the data is relevant thereto have various rights under the Law; including:
• The right to know what personal data is being processed, by whom, and to access same;
• The right to withdraw their consent in respect of processing personal data;
• The right to correct, modify, delete, add or update his/her personal data;
• The right to limit processing of his/her personal data within a limited scope; and
• The right to be notified of any personal data breach involving his/her personal data.
6. Holders, Controllers and Processors
The Law assigns different titles to entities based on how they process personal information/personal data (classifying them into holders, controllers and processors, all defined in the Law); where these titles affect the specific obligations imposed thereon aside, since in addition to the core data protection principles imposed by the Law, a number of explicit obligations are imposed on each of the controllers and processors regarding the personal data they have.
The Law prescribes establishing an Egyptian Data Protection Centre/authority; to regulate data protection, enforce compliance with the law, and create further implementing regulations and mechanisms to ensure data protection, and receive and investigate complaints.
Such centre’s aim is to develop strategic plans, policies, and programs required to protect personal data, where it will coordinate with all governmental and non-governmental bodies to execute protection measures. It will comprise of representatives from many authorities including Information Technology Industry Development Authority, National Telecommunications Regulatory Authority, the Administrative Control Authority, as well as ministries of Defence, Interior, Foreign affairs, and General Intelligence Service Agency. In addition, the centre is tasked with issuing licences or permits authorising certain restricted types of personal data processing; as prescribed in the Law.
8. Data protection officer
The Law obliges entities processing personal data (either as Controllers or Processors, as both defined in the Law) to appoint a Data Protection Officer to be responsible for i.e. monitoring the organization’s compliance with the law, conducting regular inspections and acting as a point of contact with the Data protection center on issues relating to compliance; such officer shall be registered at the (yet to be established) Egyptian Data Protection Centre/authority, or else these entities shall be exposed to financial penalties of up to 2 million Egyptian Pounds.
9. Data breach reporting
The law requires the addressed entities to report cyber-attacks within 24 hours; however, if the attack threatens national security, companies must report it immediately.
10. Data cross-border transfer
The Law recognises that transfers of personal data to other countries can give rise to risks for the data, the individual and the transferring organisation, that’s why, subject to certain exceptions, the Law contains a general prohibition on the transfer of personal data to recipients located outside Egypt except with the permission of the (yet to be established) Egyptian Data Protection Centre/authority; and where the level of protection provided in the country where the data is to be transferred is not less than that provided in Egypt, pursuant to the Law. The Executive Regulation shall specify the policies, standards, guidelines, and rules necessary for transferring personal data across borders.
11. Digital/Electronic Marketing
The Law includes electronic/digital marketing in its provisions in relevancy with data protection; providing specific requirements governing same. It requires prior license and consent as a legal basis for direct electronic marketing. In addition, it grants data owners/who the data is related thereto the right to withdraw any previous consent.
12. Individuals’ rights
As with most modern data protection laws that take a principles-based approach, the Law grants individuals a number of rights in relation to their personal data. Individual rights under data protection law are designed to enable individuals to exercise control over how their personal data may be processed. In addition to the access rights, the data owner/to whom the data is related, shall have the right to submit a request to the holder, controller and/or processor regarding the former’s practice of his/her rights under the data protection law; where the party whom the request is submitted to shall reply within 6 working days of the request. Also, notwithstanding the right to refer the matter to litigation, the data owner/to whom the data is related and/or whoever has the capacity shall be entitled to submit a complaint before the yet to be established Data protection centre; where the opponent shall comply with the centre’s decision within 7 days.
13. Sanctions and Penalties
The Law also provides for a variety of criminal offences, with a range of penalties – including fines reaching EGP 3,000,000 and imprisonment; for, without limitation:
• Collecting, processing, disclosing, providing access to, or circulating personal data, by any means, other than with the consent of the data owner/to whom the data is related, or as otherwise permitted by law;
• Processing personal data other than in accordance with the personal data protection law;
• Preventing a data owner/to whom the data is related from exercising rights granted pursuant to the Personal Data Protection Law;
• Failure of a data controller or data processor to comply with specific obligations, and notification/reporting requirements, as specified in the Law;
• Failure to appoint a Data Protection Officer, or to provide the same with essential requirements to perform duties;
• Failure of a Data Protection Officer to perform duties as specified in the Law;
• Transferring personal data in a way not in accordance with the Law; and
• Failure to comply with electronic/digital marketing requirements pursuant to the Law.
In this regard, the Law determines acts punishable by imprisonment specifically as follows:
i) breach of the conditions for cross border transfer of data,
ii) dealing in sensitive data without the explicit and written consent of the data owner/to whom the data is related or in breach of the relevant provisions under the Law,
iii) any data processor or controller that deals in personal data in breach of the relevant provisions under the Law or without the consent of the data owner/to whom the data is related, when applicable, in exchange for a benefit or with the intent to expose the data owner/to whom the data is related to danger or harm; and,
iv) preventing the representatives of the data protection centre from preforming their duties.
The Law also specifically allows for reconciliations or settlements outside of court with the aggrieved individual(s) and/or the yet to be established Data protection Centre.
The yet to be established Data protection Centre is also empowered to issue warnings for instances of non-compliance and to suspend or revoke any license or permit previously issued to the offending controller or processor.
Ultimately, one of the purposes of the issuance of this data protection law is to help Egypt provide adequate protection for the personal data and rights of Egyptian citizens, creating a healthy economic environment where Egypt is able to trade effectively – including the need for cross-border data transfers.
The said Law should also work throughout the upcoming period to enhance the attractiveness of Egypt to foreign investors by providing a clear framework for processing personal data; after the issuance of its executive regulation.
The executive regulation is expected to include the explanation of all the details of implementing the provisions enclosed in the Law; including without limitation the mechanism the data protection centre shall work with.
For more information please contact firstname.lastname@example.org