By Sharif Shihata
On July 13, 2020, Egypt’s first comprehensive Personal Data Protection Act (“PDPA”) was signed into law as Law No. 151 of 2020. Modelled on the European Union’s General Data Protection Regulation (GDPR), the PDPA is the first Egyptian law to govern data privacy and protection across all business sectors (except for the banking and financial services sector, which is covered by the Banking Act).
Scope of application
The PDPA applies to all personal data processed or transferred electronically, in part or in full, in or from Egypt. It applies to Egyptians and non-Egyptians inside Egypt, and also outside Egypt where the data in question belongs to a person residing in Egypt and the violation of the Law is committed in a country where the act is punishable in any form.
The PDPA shall come into force within three months of its publication in the Official Gazette (which occurred on July 15, 2020), but persons shall be obliged to comply with its provisions one year after the issuance of its Executive Regulations. The Executive Regulations shall be issued within six months of the date the PDPA comes into force.
Personal Data Protection Center
The PDPA sets up a new Personal Data Protection Center (the “Center”) under the Ministry of Telecommunications and Information Technology, which is charged with monitoring application of the PDPA and shall issue the licenses and permits that allow persons and companies to lawfully collect, store, process, and transfer the personal data of their data subjects electronically, or to engage in electronic marketing activities. The PDPA also provides for the licensing by the Center of Data Controllers, who are persons or companies granted the right to obtain personal data and to specify the method and criteria for retaining, processing, and controlling such data in furtherance of a specific purpose, and of Data Processors, who are persons or companies granted the right to process personal data for their own benefit or for the benefit of a Data Controller, by agreement with the Controller and in accordance with the Controller’s instructions. Where the Controller or Processor is a juristic entity, it shall appoint a Data Protection Officer, who is responsible for the protection of the personal data handled by the entity and for its compliance with the PDPA, acts as liaison with the Center, and whose name shall be recorded in a Register published by the Center.
In accordance with the PDPA, with limited exceptions, personal data may not be collected, processed, disclosed or transferred except with the explicit consent of the data subject. The data subject has the right to limit or withdraw his consent and to correct, edit, or update his personal data. Personal data is defined as any data relating to an identified natural person, or to one who is identifiable on the basis of the data, such as a name, voice, photograph, identification number, online identity, or any data referring to a person’s psychological, medical, economic, cultural or social identity.
A Controller or Processor is prohibited from collecting, storing, processing, or transferring sensitive personal data or granting access thereto, except by virtue of a license obtained from the Center and with the explicit consent of the data subject. Sensitive personal data is defined as data which discloses the psychiatric, psychological, physiological, or genetic health of a natural person, biometric data, financial data, religious beliefs, political persuasion, criminal or security status, and any data relating to children.
Transferring personal data to a foreign country shall require a license from the Center and, with some exceptions, shall be prohibited unless such country guarantees a level of data security at least as strong as that stipulated under the PDPA.
In the case of a personal data breach, the Controller and/or Processor of the data, upon becoming aware of the breach, shall inform the Center within 72 hours (or immediately if national security is threatened) and shall provide it with the specifics of the breach, its potential ramifications, and the proposed remedial measures. Within three working days of that notification, the Controller and/or Processor shall notify the data subject of the breach and of the procedures undertaken in relation to it.
The PDPA also regulates electronic marketing and provides that any direct marketing to data subjects is prohibited unless the prior consent of the data subject is obtained, and such consent must be easy to refuse or retract. In addition, the communication shall clearly indicate that its purpose is marketing, and shall include the identity of the sender and a valid address at which he can be reached. The marketer shall not disclose the contact details of the data subject and shall maintain electronic records evidencing the data subject’s consent to receive the marketing communications.
Violations of the PDPA
Violations of the provisions of the PDPA can lead to administrative action, such as suspension or revocation of a license or permit, and criminal action, including imprisonment for minimum periods of three or six months and/or fines ranging from EGP 50,000 to EGP 5 million, without prejudice to the data subject’s right to claim damages for any harm suffered as a result of the violation.
The PDPA is considered the first Egyptian legislation to comprehensively govern the protection and processing of personal data. It has a wide reach in terms of both the types of personal data covered and their transfer. The PDPA and its future ancillary regulations are therefore anticipated to correct questionable existing practices that have so far taken place in a regulatory vacuum.