Egypt’s Law on the Protection of Personal Data
Egypt’s Law on the Protection of Personal Data, known for short as the Data Protection Law, is an Egyptian data privacy law that was passed in July of 2020. The Data Protection Law reflects many of the principles and provisions laid down by the EU’s General Data Protection Regulation (GDPR) as they pertain to the protection of personal data and, in turn, privacy. As a result, the Data Protection Law “aims to establish various standards and rules which safeguard the rights of individuals in Egypt regarding their personal data”. Accordingly, the Data Protection Law outlines the legal framework through which personal data must be processed within Egypt.
What is the scope and application of Egypt’s Data Protection Law?
As for the personal scope of the law, the Data Protection Law is applicable to “any natural persons regarding the processing, controlling, or handling of personal data”. In terms of the material scope of the law, the Data Protection Law is also applicable to “any personal data that is subject to any electronic processing whether partially or entirely”. The territorial scope of the law, in turn, covers any person who processes personal data, provided that they:
- Are an Egyptian national inside or outside of the country.
- Are a non-Egyptian residing within Egypt.
- Are a non-Egyptian outside of Egypt, if the action taken by said individual is punishable in any form in the country where the action occurred, and the data subject affected by the action is an Egyptian national or a non-Egyptian residing in Egypt.
What are the obligations of data controllers and processors under the Data Protection Law?
With regard to the obligations of data controllers and processors in protecting personal data, Egypt’s Data Protection Law sets four data protection principles. These data protection principles include:
- Data minimization – Personal data must be collected for legitimate, specific, and transparent purposes that are made known to data subjects.
- Accuracy and security – Personal data that is collected must be correct, valid, and secure.
- Lawfulness – Personal data must be treated in a manner that is both lawful and appropriate for the purposes for which it is collected.
- Storage limitation – Personal data must not be stored for any period longer than is needed to fulfill the purposes for which it was collected.
Furthermore, the Data Protection Law also places other common responsibilities on data controllers and processors, in accordance with the EU’s GDPR. These responsibilities include undertaking data protection impact assessments (DPIAs) and ensuring that the collection, storage, transfer, and processing of the personal data of children is not conducted without first obtaining parental consent. Data controllers and processors are also required to appoint a data protection officer (DPO), as well as maintain detailed data processing records.
What are the rights of data subjects under Egypt’s Data Protection Law?
Egyptian citizens are guaranteed the following rights as they pertain to the protection of their personal data and, in turn, their privacy:
- The right to be informed – Data subjects have the right to be informed concerning any personal data that a data controller or processor holds pertaining to them.
- The right to access – Data subjects have the right to access any personal data that a data controller or processor holds pertaining to them.
- The right to rectification – Data subjects have the right to request that a data controller or processor amend or rectify personal data pertaining to them.
- The right to erasure – Data subjects have the right to request that a data controller erase or delete personal data pertaining to them.
- The right to object/opt-out – Data subjects have the right to object to the collection and processing of their personal data, whenever such collection or processing would conflict with the fundamental rights and freedoms of said data subjects.
- The right to data limitation – Data subjects have the right to limit the collection or processing of their personal data to a specific scope and purpose.
As for penalties for violating the law, data controllers and processors who are found to be non-compliant are subject to a variety of monetary fines and criminal penalties. For example, “any data holder, the data controller, or data processor who collects, processes, discloses, makes available, or circulates personal data by any means other than in the cases authorized by law or without the consent of the data subject, noting that this penalty shall incur imprisonment for a period not less than six months and a fine not less than EGP 200,000 ($12,324) and not more than EGP 2 million ($123,222) provided that the act was committed in exchange for a financial or moral benefit or with the intent of endangering the data subject”.
As it pertains to data protection officers or DPOs, “a fine of not less than EGP 200,000 and not more than EGP 2 million shall be imposed on any legal representative of a juristic person who did not appoint within the legal representative thereof a dedicated DPO”. What’s more, in terms of extraterritorial application of the law, “a penalty of imprisonment of not less than three months and/or a fine of not less than EGP 500,000 ($30,801) and not more than EGP 5 million ($308,127) shall be imposed on any person who transfers personal data to any country that does not have any data protection laws or to a country with a data protection law that has a protection level that is less than the protection level of the Data Protection Law”.
With the passing of the Data Protection Law in 2020, Egyptian citizens can be assured that their personal data privacy rights are protected at all times. Moreover, the penalties for non-compliance under the law are far steeper than those under many other privacy policies around the world, in terms of both scope and jurisdiction. As a result, the Egyptian government has succeeded in providing citizens of their country with a similar level of protection as is offered to citizens of EU member states under the General Data Protection Regulation or GDPR.