18th of July, 2020
Egypt’s First Data Protection Law
On 17 July, Egypt issued the first and long-awaited data protection law no. 151 of 2020 (the “DP Law”). The law as issued is not perfect, but then neither is the GDPR. At least now we have something we can work with. It is a good start.
The DP Law only covers personal data in digital form. The law excludes the Central Bank of Egypt (“CBE”), and most of the entities subject to the supervision of the CBE, from the scope of its application.
There is a minimum grace period of 21 months for companies to comply with the DP Law.
The DP Law includes an obligation on companies to appoint a data protection officer as an employee or else face financial penalties of up to 2 million Egyptian Pounds (around USD 125,000).
The law also imposes licensing requirements for data processing, data control, dealing in sensitive data, electronic marketing, and cross-border transfer of data.
These are the five key points you need to know about the DP Law:
- Imprisonment Sanctions
The DP Law reduced acts punishable by imprisonment from 13 in the initial draft to only 4. These acts are i) breach of the conditions for cross-border transfer of data; ii) dealing in sensitive data without the explicit and written consent of the data subject or in breach of the relevant provisions under the DP Law; iii) any data processor or controller that deals in personal data in breach of the relevant provisions under the DP Law or without the consent of the data subject, when applicable, in exchange for a benefit or with the intent to expose the data subject to danger or harm; and iv) preventing the representatives of the data protection center from performing their duties.
- Licensing Regime
Dealing in data requires a license. The benefit of requiring a license for dealing in data instead of following a simple registration or notification regime remains unclear. In Europe, regulators moved away from pre-authorized data processing under the GDPR and introduced the accountability principle in its place.
There is certainly a financial element to the introduction of a licensing regime. The amount of fees involved is not insignificant and it is not a secret that all African countries are looking for ways to finance their budget deficits.
Ultimately, what concerns big tech companies is whether the license will be purely a rubber stamping exercise, or whether there is a likelihood that a request for a license could be denied, or not renewed upon expiry. This effectively means that a company may be forced to exit Egypt, with obvious financial consequences, consequences for customer relationships and company brand.
Our assumption is that this is the last thing that the government would be looking to achieve. We are of the view that the rejection of a license request will only be used against specific companies and for clear and justifiable reasons.
- Data Localization
There is no data localization obligation in respect of cross border transfers of data, but the law does require a license for such transfer of data. The general rule is that data must be transferred to a jurisdiction that offers at least an equivalent level of protection to that provided under Egyptian law.
- Digital Marketing
The DP Law requires consent as a legal basis for direct electronic marketing. In addition, it grants data subjects the right to withdraw any previous consent. From experiences in Europe, we know that this requires quite advanced permission management processes for companies to manage this requirement efficiently. Relying on manual processes simply will not work in an online environment and may ultimately result in companies processing personal data without valid consent.
- Reporting Cyber Attacks
The original draft of the law required companies to report cyber-attacks within 24 hours. This is typically not realistic in practice. The GDPR requires 72 hours.
In the DP Law, companies must report cyber-attacks within 72 hours from the time of their knowledge of the attack. However, if the attack threatens national security, companies must report it immediately.
The concern of course is who defines what represents a national security threat and will this be apparent at the outset prior to detailed investigation and analysis? This needs to be clarified in the executive regulations expected to be issued within the next 9 months. We could assume that an attack that specifically targets any designated national critical infrastructure (NCI) entities in sectors such as energy, communications, water, or emergency services etc., would clearly threaten national security.
The executive regulations of the law will make it or break it. The devil is in the detail as they say, and the details are expected to be set out in the executive regulations and should include how the data protection center will implement these regulations.
One of the purposes of this law is to help Egypt become a digital hub, driving technology innovation, digital transformation, and job creation. For this to happen, the law must seek to support the tech industry while providing adequate protection for the personal data and rights of Egyptian citizens, and creating an economic environment where Egypt is able to trade effectively – including the need for cross-border data transfers – with regions like the EU and the US. We need to work as a business community with the government to ensure that our daily challenges are addressed in the executive regulations. In all fairness, this is a government that has already proved that it is willing to listen.
This is our previous article on the basic principles of data protection http://sharkawylaw.com/stay-informed/egypts-draft-data-protection-law-simplified/
Author:
Ahmed El Sharkawy, Partner, Sharkawy & Sarhan
Thanks to the following experts for providing helpful comments on this article:
Dale Waterman, Partner, White Label Consultancy
Nicholai Pfeiffer, Managing Partner, White Label Consultancy
Naila Ramsay, Partner, Sharkawy & Sarhan