The long-anticipated Egyptian Personal Data Protection Law No. 151/2020 was issued on 15 July 2020 (the “Law”). Since the issuance of the draft law in February 2019, extensive engagement and discussions have taken place between Parliament, Government and key stakeholders in the technology and telecommunication industry, aiming to attract investment and to provide strong protection to the privacy of individuals.
The Law imposes explicit obligations on different businesses to respect the privacy of individuals and to ensure compliance with privacy obligations. The Law extends regulation to electronic marketing, for which it introduces a mandatory opt-out mechanism, and to cloud service providers, which are required to abide by the cross-border transfer requirements for personal data set forth under the Law.
1. Types of Data
The Law provides for the protection of two types of data:
- Personal data, which includes any data related to a natural person, whether directly or indirectly, such as name, voice, picture, identification number, etc.
- Sensitive data, which includes psychological, mental, physical, genetic and financial data, religious and political beliefs, and/or data related to children.
The Law excludes from its scope of protection (a) personal data held by natural persons for personal purposes; (b) data processed for official statistics; (c) data processed for media purposes, provided that such data is accurate and valid; (d) data obtained for the purpose of investigations and lawsuits; (e) personal data held by national security authorities; and (f) data held by the Central Bank of Egypt and the entities subject to its supervision and control. Money transfer and exchange companies are not, however, excluded from the application of the Law.
2. Impact on Businesses
The Law imposes several obligations on businesses that are considered data “controllers” or “processors”. The obligations include: (i) obtaining a license or permit from the personal data authority to undertake “controller” or “processor” activities; (ii) maintaining the appropriate systems and controls for the protection of personal data privacy; (iii) appointing a data protection officer; (iv) notifying the personal data authority of any breach relating to personal data; and (v) satisfying certain conditions for electronic marketing. Foreign businesses that control or process data for individuals residing in Egypt are also required to obtain a license and appoint a local representative for ease of communication.
The Law provides for criminal penalties for the violation of its provisions: failure to comply with the Law may result in significant fines and, in certain cases, imprisonment.
4. Effective Date
The Law is effective as of 15 October 2020. A grace period of one year from the issuance of its executive regulations is granted for compliance.