1st of October, 2019
Egypt’s Draft Data Protection Law Simplified
The draft data protection law is concerned with the privacy and security of the personal data of Egyptian citizens and foreign individuals who live in Egypt. It is Egypt’s version of the GDPR.
The draft law protects any personal data if it leads to identifying an individual. Examples include his/her name, address, or photo. The law provides an additional layer of protection to sensitive data, such as an individual’s religion and his/her medical information. It sets the rights of individuals in relation to their personal information, such as their right to ask that their data be deleted, and the obligations of organizations collecting or processing data.
The main features of the draft law that may affect you as a business are:
- Limitation on the ability of organizations to collect, use, transfer, or retain personal data.
- Duty to obtain a license and other compliance requirements if data is controlled or processed (which is the case with all organizations).
- Regulations addressing the duties of companies carrying out direct marketing.
Who should worry and why?
Any person collecting, controlling, processing, and/or holding personal data for non-personal uses. This would basically include every business, company, or other organization operating in Egypt. The consequences for non-compliance are severe, ranging from imprisonment and fines to revocation of data-related licenses and publication of the criminal verdict in media outlets.
How much time do you have to set your house in order?
Those included within the scope of the law will be expected to comply within 18 months from the issuance of the law (that is, if the executive regulations are issued on schedule).
What should you do?
The starting point is to track the data cycle from when your organization receives the data, through processing and storage, until the data is deleted. Next, make sure you comply with each of the data protection principles as they have been translated into legal obligations (see more on that below). Document this in a policy and implement it. Don’t forget to train your people.
Now that you have an idea of the main highlights of the law, do you want to understand in more detail how data is handled under it? Dive into the explanation below of the data protection principles adopted by the law.
Seven key principles for data protection
These are set in stone under the GDPR and mirrored in the Law:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
We have fleshed out three of the principles to give you a clearer idea:
- Lawfulness, fairness, and transparency
The principle – You must not collect or keep any personal data in electronic or physical form, except for lawful purposes, such as one of the following:
- The person whose data is being collected has given his/her consent.
- The relevant document is anonymized.
- The company has a legitimate reason to keep the data.
- There is a legal or contractual obligation.
You must reveal the purpose of the data collection and processing.
How to comply? – Ask yourself why you are collecting this data and whether you are also processing it. Make sure your reasons are legitimate; where possible, obtain the person’s consent. Inform the data subject.
Obtaining consent is the gold standard. Document anonymization is usually used in medical applications and research.
Example – think of a financial institution keeping personal data to comply with its Know Your Customer (KYC) requirements under anti-money laundering laws.
- Accuracy
The principle – You must (i) ensure that the data collected is correct, and (ii) correct any inaccurate personal data.
How to comply? – Map your data; review it and make sure it is correct; and put in place workflows that allow data subjects to review their data and correct it.
Example – when a person’s address is part of the data collected, and the individual does not reside at that location anymore, you need to (i) correct the data; or (ii) include such address as the last known address/previous place of residence.
- Integrity and confidentiality (security)
The principle – You need to take the necessary technical and organizational measures for the protection of personal data to ensure there is no breach of confidentiality, hacking, destruction, alteration of, or damage to the personal data. You also need to appoint a data protection officer, who shall be registered with the regulator. This officer must carry out regular evaluations and checks of the data protection systems and document them.
How to comply? – Appoint a data protection officer; review your systems and workflows; draft a data security policy and implement it; train your people; and report data leakages when they happen.
Example – A business should not only address cybersecurity risks; it should also put in place technical measures (e.g. a secure process for disposal of documents containing personal data; securing access to locations/premises containing documents or devices with access to personal data). In addition, a business should take organizational measures (e.g. ensuring coordination between the relevant members of the organization on security processes such as disposal of IT equipment that was used to store personal data).
What needs to change in the current draft?
There is little doubt that data protection is necessary and will eventually create a better business environment. However, jail sentences are not suitable for businesses. The ideal solution is to exclude incarceration.
The second issue is data localization. The draft law requires the regulator’s prior approval before transferring personal data across borders. Most businesses in Egypt use cloud-based solutions, which invariably include personal data. Since data centers for such cloud solutions are outside Egypt, all companies will need to obtain a license to use cloud-based solutions. This is cumbersome.
Disclaimer
The information included in this publication/client alert is not legal advice or any other advice. Publications and client alerts on this site are current as of their date of publication and do not necessarily reflect the present law or regulations. Please feel free to contact us should you need any legal advice related to the publication/client alert. Sharkawy & Sarhan (the “Firm”) will not be held liable for any compensatory, special, direct, incidental, indirect, or consequential damages, exemplary damages or any damages whatsoever arising out of or in connection with the use of the data, information or material included in this publication/client alert. This publication/client alert may contain links to third-party websites that are not controlled by the Firm. These third-party links are made available to you as a convenience and you agree to use these links at your own risk. Please be aware that the Firm is not responsible for the content or services offered by and of third-party websites, links as included in the Newsletter nor are we responsible for the privacy policy or practices of third-party websites links included therein.
Authorization of Use
The data, information, and material included in this publication/client alert are solely owned by the Firm. All rights related are reserved under the laws of the Arab Republic of Egypt. No part of this publication/client alert can be redistributed, copied, or reproduced without the prior written consent of the Firm.