Disclaimer : This article does not constitute legal advice, nor is this information intended to create or rise to the level of an attorney-client relationship.
As Egypt embarks on an era of digital transformation, the country’s House of Representatives has finally introduced its first legal framework for Data Protection on the 24th of February.
The issued Data Protection Law, which has been under discussion since 2017, is a regulatory evolution that aligns with data protection policies worldwide, while particularly following the footsteps of the GDPR (General Data Protection Regulation issued by the EU in 2018). The overall coherence between the law and GDPR appear to be striking and applauded by professionals, however, the law diverges from the GDPR at several points which will be further discussed in this article.
The law introduces strict requirements businesses must adhere to in order to be permitted to control and process personal data and thus businesses need to be acquainted with these obligations. It’s is declared that the issuing the executive regulations for the accompanying law within 6 months, and legal deadline according to which the addressees/stakeholdersadjust to its provisions is within one year from the date of issuance of the executive regulations.
The Purpose of the Law:
In a time where technology is a mega-trend and data is one of the most valuable assets for businesses, the law comes as a legislative breakthrough towards giving greater protection and rights to citizens. It intends to strengthen individuals control over their information, as well as regulate ways in which businesses and certain organisations can handle the information of their customers.
For that matter, the law differentiates two categories of data at hand which are: personal data and sensitive personal data. Personal data broadly means a piece of information that can be used to identify a person (name, address, picture, an identification number, while sensitive personal data could encompass genetic data, information about religious and political views.
It also distinguishes between the data controller and processor as two of the active elements dealing with personal data. This differentiation recognises that not all organisations involved in the processing of personal data have the same degree of obligations in compliance with regulators and obtaining necessary permits. The controller determines the purposes and means of the processing of personal data, while processor processes personal data on behalf of the controller.
Law Application:
The Law is set to apply to personal data of Egyptian citizens and non-citizen residents in Egypt processed, in whole or in part, by electronic means by a controller or processor. It will be enforced on non-Egyptians inside and outside Egypt as long as the data in question belong to Egyptian citizens or foreigners staying inside Egypt.
In order to do achieve the purpose of Data Protection, under article no. 19, the law stipulates the establishment of a general authority under the name “Personal Data Protection Centre” (PDPC), to protect personal data and regulate its availability and procession. This centre caries the responsibility of developing strategic plans, policies, and programmes required to protect personal data, and it will coordinate with all governmental and non-governmental bodies to execute protection measures. It shall also ensure that the institutions, entities and individuals controlling personal data appoint an official to protect personal data. The center is set to comprise representatives from ministries of justice and foreign affairs, General Intelligence Service, and the Administrative Control Authority. Businesses dealing with personal data are subsequently required to appoint an official to protect personal data, obtain any necessary license or permit from the PDPC to process personal data comply with any written instruction in relation to the processing of personal data from the PDPC and answer to individual rights on inquiries related to their data.
Individuals have a number of key rights under the Draft Law (1) the right to be informed whether a particular controller or processor processes their personal data (2) the right to request that the organisation provide them with access to/a copy of their personal data that is being processed, (3) the right to have that personal data corrected where it is inaccurate or out-of-date, and (4) the right to determine the extent to which the organisation may (continue to) process their personal data. However, a point of controversy arises in this section from the fact that individuals could be subject to as much as 20,000 Egyptian Pounds to request their personal data or correct them. This monetization of the request opens the door for higher data security for higher social classes, which in essence contradicts the public right for all individuals control over their data.
Data Breaching:
The Law enforces strong penalties on data breaching, that includes fine and imprisonment.
This is enforced through Articles no. 35, 36, and 37 which state that whoever collects, process, or discloses personal data without the consent of the individual concerned for other purposes other than legally authorised, shall be fined no less than EGP 100,000 and no more than EGP 1m. Also, whoever commits the previous violation for personal gain shall be imprisoned no less than six months or fined no less than EGP 200,000 and no more than EGP 2m, or given both punishments.
According to the Law, the ‘controller and processor’ of data are obliged to notify the centre of personal data protection of any breach within 72 hours of identifying it. And in the event that the breach affects national security, data controllers and processors must notify the centre within 24 hours and national security authorities.
Divergence from GDPR:
Although all aforementioned law details incorporate and conforms with the internationally accepted fundamental principles of data protection law, practice and procedure dictated by the GDPR, it diverges from it at several key points.
The provisions of the law exempt the Central Bank of Egypt (CBE) and all entities (including banks) subject to its supervision except for money transfer companies and exchange companies. This has been criticized on the premise than even though the banking sector has taken strong measures to protect the confidentiality of personal data, this should have been due to a legal text in this new law.
Another point is with regards to cross-border transfers. It is prohibited to carry out transfers, storage, or sharing of personal data that was collected or prepared for processing to a foreign country unless there is a level of protection no less than what is required by this law, and with a licence or permit from the centre for protecting personal data. Article 14 prohibits the transfer or sharing of personal data to a foreign country, except by a license from the centre. The law would fine any person between EGP 300,000 and EGP 3m.
How Can Businesses Prepare:
Even though implementation of data protection schemes could add to the company’s and businesses costs, it’s still in the best interest of companies as with growing awareness towards data rights and privacy, it is important for customer relationship to show high level of transparency and respect towards individuals’ rights. With the new law, any organization that holds or uses data on people, controllers and processors, is expected to take action during the period granted to adjust for the provisions to avoid future penalties.
Companies should ensure they have the consent of their clients for sending any material, advertisement, and newsletters. If the business outsource service providers who collect personal data on your behalf, it needs to ensure they comply to the PDPC. Most importantly, a clear and concise privacy policy needs to be set-up in order to ensure compliance.
Where Does this Law Provision Lead Us?
The Data Protection Law is an essential step in the country’s progress in digital transformation in an era of cyberattacks and data leaks. It reinforces Egypt’s efforts in keeping up with international frameworks and signifies how Egypt places high value on data security. The law could be seen that it falls short on including all institutions under the law, and, it doesn’t include clear statements on media regulated use of data. Nonetheless, the effectiveness of the law remains to be in the hands of the PDPC and law enforcement.
The law is expected to contribute to raising Egypt’s ranking in the human rights index, as well as, contribute to achieving more internal investment opportunities and attracting external investment, especially as the investment process is closely related to security and safety. Moreover, the similarity between the law and GDPR makes a positive international commercial and competitive advantage, and easier technological interfacing.
