In recent years, data privacy has become a critical concern for individuals and organizations worldwide. This is no different for Egypt – Recognizing the importance of protecting personal information in the digital age, significant steps have been taken to establish a comprehensive data privacy framework. With the increasing prevalence of electronic processing and cybersecurity threats, the need for robust data protection measures has never been more pressing. Recent data breach incidents in the country have further highlighted the urgency of addressing these issues effectively.
The Egyptian data privacy law introduces key provisions to safeguard sensitive personal data and regulate its lawful processing. This article explores the legal space surrounding data protection in Egypt, examining the roles and responsibilities of data controllers, data protection officers, and the data protection authority. It delves into the requirements for data breach notification, the implementation of data protection impact assessments, and the enforcement of privacy regulations. By understanding these crucial aspects, organizations can better navigate the complexities of data protection and mitigate the risks associated with data protection violations.
Overview of Egypt's Data Protection Law
Egypt introduced the Personal Data Protection Law No. 151 of 2020, consisting of 49 articles divided into 14 chapters. This law aims to establish a comprehensive data privacy framework, aligning with international standards, particularly the European GDPR. It prohibits the processing of personal data without explicit consent and grants individuals rights such as restricting access, reversing consent, and being informed of data breaches. The law defines personal data as information related to an identified or identifiable natural person, while sensitive personal data includes health, financial, religious, and children’s data. Organizations processing personal information must appoint a Data Protection Officer and may need to obtain licenses for data processing.
Under the DPL, in principle, any digitally collected and/or processed data must meet the following conditions (the “General Conditions”):
- personal Data shall be collected for specific legitimate purposes announced to the Data Subject. Collected data must be accurate, reliable, and securely maintained;
- collected data must be processed in a legitimate manner and in compliance with the purposes for which it is collected;
- collected data must not be kept for longer than the period necessary to fulfil the purpose specified for it.
Understanding key roles & stakeholders
Data Controller:
Any natural or juristic person who has – by the nature of his activities – the right to obtain personal data and to specify the method and criteria of retaining, processing, or controlling such data according to a specific purpose or to his activities.
Data Processor:
Any natural or juristic person who processes personal data for their own benefit or for the benefit of the data controller. They must adhere to the controller’s instructions.
Data Subjects:
Any natural person to whom electronically processed personal data is attributed which identifies them legally or factually and enables them to be distinguished from any other person, whose personal data is processed has rights, including access, correction, and deletion of their data.
Regulatory Authority:
The Data Protection Center (DPC) oversees compliance, addresses complaints, and has enforcement powers.
Regulatory Authority and Enforcement
The Data Protection Center (DPC) serves as the key regulator for data privacy in Egypt. This authority sets policies, issues licenses, and monitors compliance with the data protection law.
Significant penalties for violating the law can be imposed, including fines ranging from EGP 100,000 to EGP 5 million, depending on the nature of the offense.
In cases of unauthorized disclosure of sensitive data, offenders may face imprisonment for a minimum of three months. The law also holds directors and managers personally liable for regulatory breaches, emphasizing the importance of strict adherence to data protection measures. These enforcement mechanisms aim to ensure robust protection of personal data and promote compliance with privacy regulations.
In order to achieve its objectives, the DPC may exercise all the competencies stipulated in the DPL, including the following:
- setting and developing policies;
- implementing decrees and procedures for the protection of personal data;
- unifying data protection and processing policies;
- co-ordinating with all government and non-government authorities to ensure the application of personal data measures;
- issuing licences, approvals and various measures related to the protection of personal data;
- receiving complaints related to the application of the DPL to issue the necessary decisions in this regard;
- monitoring those addressed by the DPL and taking the necessary legal measures;
- checking the conditions for cross-border data movement;
- concluding agreements and memoranda of understanding, co-operating, and exchanging experiences with the relevant international bodies; and
- preparing an annual report on the status of personal data protection in Egypt.
Data Breach Notification Requirements
Egypt’s data privacy law has established strict requirements for reporting data breaches. Both data controllers and processors have an obligation to notify the Data Protection Center (DPC) within 72 hours of becoming aware of any breach or violation of personal data. In cases related to national security, immediate reporting is mandatory. The law also requires notifying affected individuals within three working days from the date of reporting to the DPC. This notification should include details about the incident’s cause, affected data, consequences, and remedial actions taken. Failure to comply with these requirements can result in significant administrative fines of up to EGP 3 million and potential criminal penalties, as per Article 38 of the law.
Digging deeper into specific type of sensitive data
1. Sensitive Data:
The DPL categorizes sensitive data, including psychological, biometric, financial, religious, political, and children’s data. Processing such data requires prior licensing from the DPC and the data subject’s consent. Violations can lead to severe penalties, including fines of up to EGP 5 million and imprisonment.
2. Financial Data:
Financial data is also classified as sensitive. The Banking Law No. 194 of 2020 and Fintech Law No. 5 of 2022 impose strict confidentiality obligations on financial institutions. Customer data must remain confidential and can only be disclosed with the customer’s consent or through a court order. Digital payment service providers are required to implement robust security measures to protect customer data.
3. Health Data:
Health data is treated as sensitive under the DPL, and various laws protect its confidentiality, including the Penal Code and the Blood Operations Law No. 8 of 2021. Healthcare professionals face legal penalties for unauthorized disclosures. The Mental Health Law No 71 of 2009. ensures confidentiality for mental health patients, while regulations for persons with disabilities mandate the protection of their data.
Exploring other relevant laws
1. E-signature Law (Law No. 15 of 2004):
This law ensures the confidentiality of data related to electronic signatures and mandates that such data may only be disclosed or used for the purposes for which it was submitted. Key provisions include:
- Confidentiality Requirements: E-signature service providers must implement robust systems to protect customer data. This includes safeguarding electronic mediums and ensuring that data is not used beyond its intended purpose.
- Licensing Requirements: Providers must comply with specific licensing criteria, which include having adequate security measures in place to protect confidential information.
2. Consumer Protection Law (Law No. 181 of 2018):
This law emphasizes the protection of consumer data and privacy. Key aspects include:
- Data Preservation Obligations: Suppliers must preserve customer data and information and cannot disclose or share it without explicit consent. This applies to any information gathered during contract formation.
- Privacy Measures: Suppliers are required to implement necessary measures to ensure the confidentiality and security of consumer data. This includes adopting technical and organizational measures to prevent unauthorized access or breaches.
- Breach Notification: The law holds suppliers accountable for any breaches of consumer data, mandating that they take corrective actions and notify affected consumers as required.
3. Telecommunications Law (Law No. 10 of 2003):
The telecommunications sector is governed by specific guidelines to ensure user data protection. Key provisions include:
- Confidentiality Obligations: Licensed telecommunications service providers and their staff are required to protect the confidentiality of user data. This includes preventing unauthorized disclosures of telecommunications data and ensuring that conversations are not recorded or intercepted without legal authorization.
- Internal Security Procedures: Providers must establish internal protocols to secure telecommunications systems against breaches, cyber-attacks, and unauthorized access. This encompasses measures to safeguard both user data and the integrity of communications over their networks.
- Regulatory Oversight: The National Telecommunications Regulatory Authority (NTRA) enforces compliance with these guidelines, ensuring that service providers adhere to the required standards for protecting user privacy.
Frequently Asked Questions
Who oversees data protection regulations in Egypt?
In Egypt, the DPC, established under Article 19 of the DPL, acts as the data protection regulator. This Center is a public economic authority with its own legal identity and operates under the supervision of the Minister of Communications and Information Technology. The DPC has not been established to date.
Can you explain the right to privacy according to the Egyptian Constitution?
The Egyptian Constitution, ratified via referendum in January 2014, explicitly guarantees the right to privacy. Article 57 of the Constitution declares that private life is inviolable, protected, and must not be infringed upon.
What constitutes a breach of the Data Protection Act?
A breach of the DPL is defined any unauthorized or illegal access to Personal Data, or any other illegitimate operation to reproduce, transmit, distribute, exchange, transfer, or circulate which aims to expose or disclose such Personal Data, or damage or edit it while it is being stored, transferred or processed.