Last review date: January 2025
☒ omnibus – all personal data
☒ sector-specific
☒ constitutional
The primary laws relevant to privacy and data protection are:
The Constitution establishes an inviolable right to privacy, as well as freedom of communications and a right to privacy in a person’s home, and there are criminal offences relating to defamation, unauthorized monitoring or disclosure of communications and unauthorized disclosure of secrets obtained by a person by virtue of his profession or position (Articles 302 to 310, Penal Code). The PDPL creates a more substantive framework for personal data protection that incorporates many of the key principles and concepts contained in international data protection laws, but it is not yet being enforced pending the issuance of its implementing regulations.
While the Cybercrimes Law primarily establishes a range of technology-enabled and technology-related criminal offences (and associated sanctions), it also includes certain obligations and duties on “Service Providers” in relation to information security. For these purposes, “Service Providers” include any party that provides others with information and communication technology services.
The obligations include retention of identity data, traffic data and other information; confidentiality and non-disclosure of preserved and stored data; provision of certain information to consumers and government bodies; provision of technical support upon request to national security agencies; and collection of user data.
The Cybercrimes Executive Regulations provide for different standards to be applied depending on whether the services are general or critical IT services. There are higher standards for providers of critical information infrastructure.
The Cybercrimes Law contains cybersecurity obligations on ICT service providers and establishes a range of cyber offences that are not specific to personal data.
In addition, various sectoral regulations impose obligations on different categories of data. For example, the Internet of Things Framework published by the National Telecom Regulatory Authority (“NTRA”) and other telecoms sector regulations impose obligations relating to retention, disclosure and protection of traffic data, content and technical data. In the financial services sector, the Central Bank and Banking System Law 194/2020 (“Banking Law”) obliges licensed financial institutions to provide secure systems that ensure the integrity and confidentiality of customer data and accounts.
The key anticipated development in Egypt is the issuance of the executive regulations under the PDPL. As per the PDPL, the Minister of Telecommunications & Information Technology should have issued such regulations within six months from the effective date of the law. The executive regulations will, among other things, establish rules for breach notifications, DPO appointments, sensitive personal data processing, data transfers and electronic marketing, as well as the categories and procedures for licensing and permits required under the PDPL. Importantly, affected parties will have a period of one year from the date of issuance of the executive regulations to ensure compliance with the PDPL.