On 15 July 2020, the long-awaited Egyptian Data Protection Law No. 151 of 2020 (the “Law”) was finally promulgated and published in the Official Gazette to regulate the activities of personal data recipients, controllers, and processors, marking a new era for the personal data protection in Egypt. The Law differs slightly from the widely circulated Data Protection Bill, which was published earlier this year. The Law is largely based on the provisions of the General Data Protection Regulation (“GDPR”).
The Law will come into force 3 months following its publication in the Official Gazette, and the executive regulations should be issued within 6 months following the Law’s coming into effect (i.e., within 9 months of the Law’s publication). Those covered by the Law will be required to take the necessary measures to comply with the Law and regulations within one year of the regulations’ issuance. Put differently, the penalties section of the Law will only come into effect 21 months following the Law’s publication.
The Law targets all natural persons’ personal data, which is broadly defined as any information relating to a natural person that can be recognized directly or indirectly by reference to an identifier such as a name, voice, a picture, an identification number, an online identifier or any other data specific to the physiological, health, economic, cultural or social identity of that natural person (“Personal Data”). Moreover, the Law has set specific provisions to protect the data of minors by requiring written parental (or guardian’s) consent to the collection or use of a minor’s Personal Data.
For the purpose of monitoring the compliance with the provisions of the Law, a Personal Data Protection Centre (the “Centre”), subordinate to the Minister of Communications and Information Technology, will be established. Among the powers it will have, the Centre will issue all licenses, permits, and accreditations for regulated activities and persons, as well as determine their classifications/types and set conditions for granting each type or class of the aforementioned.
Furthermore, the Law requires any entity acting as a recipient, controller or processor of Personal Data to appoint a Data Protection Officer that will be responsible for the (i) protection of Personal Data; and the (ii) implementation of the provisions of the Law and its executive regulations.
The Law requires data controllers and processors to notify the Centre of any data breach within 72 hours of its occurrence, while also notifying the individuals whose Personal Data was breached within 3 business days thereafter.
The Law provides for custodial sentences and severe fines for violations of its various provisions.
For more information about the Law, please contact:
Tarek Badawy (Partner)
Salma Abdelaziz (Senior Associate)
Sarah Kamel (Associate)
