With no unified data protection or cybercrime laws, the current legislative environment in Egypt leaves internet and information technology service providers as well as information technology users vulnerable to cybercrimes and violations of privacy. With a Data Protection draft law being currently reviewed and discussed before the Egyptian parliament, a New Media law that has been issued not a few days ago and the Cybercrime law (175/2018) issued on14 August (the “Law”), 2018 is expected to be the golden year for data and privacy legislative reforms in Egypt.

Although not explicitly stated under the Law, we understand from the text of the Law that the competent entity supervising the correct application of the Law, which will also be issuing further regulations in connection with the Law, is the National Telecommunications Regulatory Authority (“NTRA”).

The Cybercrime Law imposes several restrictions on both the users and service providers that serve to protect all stakeholders’ interests and national security. With wide investigatory powers granted to governmental authorities, a balance between privacy concerns and national security might be at stake.

Are You A Person Of Concern To This Law?

The Law affects two main categories, (i) Service providers, (ii) Users.

The Law defines service providers as any person (whether juristic or natural) providing users with telecommunication and information technology services, including processing and storing of information whether by itself or by its delegate in respect of any of such services or information technology (the “Service Provider”). Users protected under the Law are defined as any person (whether juristic or natural) using or benefiting from information technology services through any means (the “User”).

I- SERVICE PROVIDERS OBLIGATIONS, WHAT IS AT STAKE?

One of the main purposes of the Law is to regulate the relationship between the Service Providers and Users, imposing an obligation on Service Providers constituting the following.

First: Data Collection and Storage Obligations

Every Service Provider must maintain a system of records (i.e. logs) and must keep any such logs and other information technology data for 180 consecutive days. These data should include:
– User information sufficient to identify the user;
– Information related to the content of the operating system dealt with if this is under the Service Provider’s control;
– Data related to communication movement (i.e. traffic data);
– Data on peripheral communication devices.
– All other data as shall be prescribed by NTRA.

Second: Data Protection

Service Providers shall be obliged to save and store the Information System record or any Information Technology method for a consecutive duration of 180 days. This information should include Users’ identification Information, logs, and traffic data.

Service Providers are further required to protect and refrain from disclosing any stored data except by virtue of a reasoned decision issued by the competent judicial bodies; these include investigation authorities, (e.g. general prosecution and the state security prosecution in specific cases) and competent courts (e.g. criminal courts).

Service Providers are also required to secure and protect the stored data against hacking or destruction.

It’s worth noting that only Service Providers and their affiliated marketing agents and distributors may obtain the Users’ data.

As an exception to the previous obligation of non-disclosure of data, the law provides for the competent investigation authorities to issue a justified order to the competent law enforcement officers, for a duration, not more than thirty days, renewable only once for another equivalent duration, while investigating a cybercrime specified under the Law, allowing access to data available to the Service Provider.

Third: Visibility

The Service Provider shall be obliged to clearly disclose and make available his identification information to his Users and competent authorities. This information should include:
1- Name and address of the Service Provider;
2- Contact information;
3- Licensing Information;
4- Other information as shall be required by NTRA.

II- REGULATORY OBLIGATIONS

1. Access to Service Provider Technology

Notwithstanding the rights protected under the Egyptian Constitution 2014 (i.e. the right to privacy), Service Providers and their affiliates shall be obliged to enable competent authorities (i.e. national security agencies stated below) upon request, to use the available technology that enables them to perform their functions as per the law. It is worth noting that the law does not limit this right to a specific duration, nor does it allow for compensation for such usage. Furthermore, this right is provided directly to national security agencies namely, the President, Armed Forces, Ministry of Interior, General Intelligence Agency, and the Administrative Control Authority, without the need to recourse to a court or issue a judicial decision.

The non-compliance of IT Service Providers with the above-mentioned obligation will be punishable by a minimum of 3 months imprisonment and/or a fine not less than 200,000EGP and not exceeding 1million EGP.

2. Blocking Websites

In accordance with article 7 of the Law, the Service Provider shall, upon a court decision or an NTRA notification, block any website or content constituting a cybercrime threatening national security.

In case of non-compliance, the Service Provider shall be punishable by a minimum of one-year imprisonment and/or a fine not less than 500,000 EGP and up to 1 million EGP. The law also provides for an aggravated penalty in case such non-compliance resulted in the death of one or more persons.

III- LEGISLATIVE PROTECTION FROM CYBERCRIMES AND RECOGNIZING E-EVIDENCE

i- Cybercrimes

A total of 23 cybercrimes are punishable under the Law. These are classified in the law into six main categories including:

1- Cybercrimes;
2- Cyber-enabled crimes;
3- Breach of personal privacy;
4- Crimes committed by a website manager;
5- Service Providers non-compliance (stated below);
6- Selling, obtaining, importing, or manufacturing of programs or IT for committing any cybercrimes.

Criminal fines ranging from a minimum fine of ten thousand Egyptian pounds and could reach ten million Egyptian pounds and imprisonment ranging from a minimum of three months up to a maximum of five years are stipulated upon under the Law.

ii- E-evidence

Under the previous regime, and due to their nature, several cyber-enabled crimes are penalized under various legislations, mainly the Penal Code. However, providing admissible evidence before criminal courts has always been an issue. In addition to explicitly adding several cyber-related crimes, this Law gives e-evidence the same legal effect as that of physical evidence. However, for this to take place, such e-evidence must meet specific requirements, which will be set under future executive regulations.

IV- EXTRA-TERRITORIAL APPLICATION OF THE PROVISIONS OF THE LAW.GOING CROSS-BOARDER

As an exception to the principle of territoriality adopted by the Egyptian Penal Code, the Law stipulates that in specific cases prescribed within, the provisions of such law shall apply to any non-Egyptian person committing, outside the Arab Republic of Egypt, a crime penalized under the Law, provided that the action is punishable in the country where the action took place. Perhaps the most relevant cases are where the crime was prepared, planned, directed, supervised or funded in Egypt, or if the defendants or one of them is Egyptian, or if the criminal was found in the Arab Republic of Egypt, following the commitment of the crime, and was not extradited. Other cases are mentioned in the Law.

Furthermore, it is worth noting that, while applying jurisdiction over other provisions of the Law, in particular the obligation to block national threat websites/contents as stated above, the obligation to block is not limited to sites hosted in Egypt, it is further extended to sites hosted outside Egypt.

Finally, the Service Providers and the addressees of the Law shall abide by the provisions of the law and its obligations and shall take the necessary measures for regularization within one year as of the effective date of the Law (i.e. 15 August 2019).