The Economic Court of Alexandria has issued a landmark judgment awarding the claimant EGP 10 million in compensation. Although the case was brought against Orange, the French telecommunication operator in Egypt, its implications extend to all companies, especially start-ups and tech companies, which exercise significant control over or process personal data.
By virtue of this judgment, tech companies might find themselves liable to pay compensation in millions of Egyptian pounds, due to violating a data subject’s right to privacy and security of their data. Moreover, unlike criminal fines, civil indemnification is not subject to any statutory cap. This liability can now be established on the basis of tort law, even with the absence of the executive regulations of the Data Protection Law.
Enforcing the Egyptian Data Protection Law through Tort Liability
As tech companies operating in Egypt are aware, personal data is regulated primarily by two laws:
- Cybercrime Law No. 175 of 2018 and its executive regulations
- Data Protection Law No. 151 of 2020 (“DPL”), whose executive regulations remain pending
The absence of executive regulations has effectively stalled enforcement of the DPL, raising the question of whether data subjects can rely on its protections, particularly in matters of privacy and security.
This is where the judgment comes into play, as it established a new judicial principle with broad implications for all technology companies acting as controllers or processors of personal data of Egyptian citizens or foreign residents in Egypt. The court held that Orange’s liability falls under “custodian’s liability,” a civil law doctrine imposing quasi-strict liability that (i) does not require proof of fault on the part of the custodian, and (ii) can be avoided only by demonstrating the existence of an objectively assessed external cause beyond the custodian’s control.
In other words, Orange, as the legal custodian (i.e., controller) of the claimant’s personal data, was held liable because it bore the responsibility to protect her privacy and the security of her personal data. Furthermore, t is obliged to take all necessary measures to prevent any manipulation, leakage, misappropriation, or unauthorized access. Moreover, Orange’s liability cannot be measured against that of an average person; its position requires it to be hyper-vigilant and even proactive in safeguarding the personal data under its control. Allegations such as fraud, employee’s mistake or negligence, or technical and security failures are not valid grounds to release it from liability.
Potential Implications for Tech Companies and Start-Ups under Egypt’s Data Protection Law
This judgment introduces a significant shift in how liability for personal data breaches may be assessed in Egypt. Start-ups and established tech companies alike should be aware of the following:
- Liability without fault: Courts may impose liability even where the company did not act negligently, on the basis of custodian’s liability.
- Limited defenses: Claims of technical failures, employee mistakes, or external fraud are unlikely to absolve companies from responsibility.
- Financial exposure: Awards of compensation can reach up to millions of Egyptian pounds, creating serious financial risks, particularly for start-ups with limited capital.
- Regulatory uncertainty: Until the executive regulations of the Data Protection Law are issued, courts may continue to rely on civil law and tort principles to enforce privacy and data security obligations.
For technology companies, this judgment signals that personal data must be treated as a high-risk area of operations, requiring robust preventive measures and compliance practices, regardless of the current regulatory vacuum.
Case Facts Summary
In February 2025, the Economic Court of Alexandria ordered Orange Egypt to pay EGP 10 million in compensation to a woman whose personal data had been unlawfully compromised. The judgment arose after the company replaced the claimant’s SIM card without her consent, which led the court to award compensation for both material and moral damages.
The events trace back to November 2022, when the claimant was outside Egypt. Unknown individuals obtained a replacement SIM card for her mobile line without her knowledge or authorization. As a result, they gained access to her WhatsApp account and used it to blackmail her into dropping lawsuits she had filed against a real estate company abroad.
The claimant filed a police report and requested a copy of her phone contract from Orange, in order to prover her ownership of the SIM card, which the company refused to provide. She subsequently brought a claim before the Economic Court, seeking damages for the moral and material harm she had suffered.
