On the 15th of July 2020, Egypt enacted the Data Protection Law No. 151 of 2020 (hereinafter the “DPL” or the “Law”), the first of its kind for the state, to govern the activities related to personal data recipients, controllers, and processors. The DPL will come into effect three months following its publication in the official gazette, and it has been decreed that the Executive Regulations shall follow within six months after said publication. However, companies are required to comply with the DPL no later than a year after the Executive Regulations have been published.
Given the global dependency on digitalization, the DPL has long been called for, in order to ensure that users’ (the “Data Subjects”) rights, privacy and data are protected when being processed, stored and/or transferred. Under the DPL, personal data encompasses any data related to an identified natural person, or one who is identifiable, either directly or indirectly, through a connection made between this data and any other data, such as a name, voice, photo, identification number, online information identifiers, or any data identifying their psychological, genetic, economic, cultural or social identity.
Data Subjects have a right to be informed of when their personal data will be processed, stored and/or transferred, and the purpose behind carrying out these aforementioned actions. The Law also requires prior consent for such uses, which may be withdrawn at any point by the Data Subject.
The DPL’s territorial scope extends beyond the borders of the Arab Republic of Egypt in that it applies to anyone who commits a crime stipulated in the Law, whether the perpetrator is an Egyptian inside or outside Egypt, a non-Egyptian residing inside Egypt, or a non-Egyptian outside Egypt if the act is punishable in the country in which it occurred and the Data Subject of the crime is an Egyptian or a foreigner residing in Egypt.
One of the key aspects of the Law is the establishment of a data protection center (the “Center”). The Center will be the entity tasked with laying the groundwork for data protection regulations, procedures, policies and the overall national plan. The Center will have oversight of matters and breaches dealing with data protection.
Compliance with the new Law will likely be clearer after the issuance of the DPL’s Executive Regulations; however, certain compliance criteria are already evident. For entities storing, processing, collecting and/or transferring Personal Data: (1) the entity must have a Data Protection Officer (the “DPO”), (2) the DPO must be licensed by the Center, (3) the DPO must provide the Center with regular reports as well as report any breaches and (4) the DPO is to remain independent of the corporate body he/she works for.
Failure to comply with the Law exposes the organization to criminal liability; this is in addition to administrative penalties such as warnings, suspensions and/or withdrawal of the license. Depending on the crimes committed, penalties may range from small to substantial fines to as harsh as imprisonment.
Thus, the key takeaways from the DPL are the establishment of the Center, the appointment of a DPO, the Economic Courts being the court of competence, and that criminal liability and harsh monetary fines may arise out of breaches of compliance with the Law.
How we can help
Under the DPL, companies processing, storing, controlling and/or transferring the personal data of Egyptians and Residents will need to comply.
Eldib Advocates has a dedicated Data Protection Team comprising IP, IT and Compliance lawyers who are happy and ready to assist your organization, be it a startup, SME, or large enterprise, to comply with these new requirements prior to them coming into effect. The Law imposes onerous fines and penalties for non-compliance; thus, our goal is to enable you to conduct your business in compliance with said Law with confidence, clarity and accuracy.
We can support clients in a variety of industries and sectors, e.g. Shipping/Transportation, Telecommunication and Media, Hospitality, Insurance, Retail, Real Estate, and Financial Entities such as exchanges, private money transfer companies, etc.
Please feel free to reach out to email@example.com should you have any questions or require any assistance in this regard.
Fake News, Personal Data and Internet Safety: Egyptian Parliament takes measures to secure internet users and aims to curb information technology crimes by issuing new Laws
Cybercrime is a fast-growing concern around the world. More and more criminals are exploiting the speed, convenience and anonymity of the Internet to commit a diverse range of criminal activities that know no borders, either physical or virtual, causing serious harm and posing very real threats to internet users.
Several discussions have taken place in the Egyptian Parliament regarding measures to police the misuse of the internet, and from those discussions, Parliament drafted Law No. 175, which sets out the penalties imposed for each crime.
Egyptian President Abdul Fattah al-Sisi ratified Law No. 175 of 2018 on Combating Information Technology Crimes after it was approved by the parliament.
With regard to the crimes of misuse of telecommunications and information services and technology, the law provides for imprisonment for a period of no less than 3 months and a fine of no less than EGP 10,000 and not more than EGP 50,000, or one of those two penalties, in the case of unlawfully benefiting from the network of the information system or any of the means of IT or a telecommunications service or an IT means of communication service or a service of audio or video broadcasting services.
For the crime of exceeding the limits of the right of entry, the law provides for imprisonment for a period of no less than 6 months and a fine of not less than EGP 30,000 and not exceeding EGP 50,000, or one of those two penalties, for any person who enters a website, a private account or an information system by exceeding his authorized right to do so.
The law provides for imprisonment for a period of no less than one year and a fine of no less than EGP 50,000 and no more than EGP 100,000, or one of those two penalties, for any person who intentionally entered or entered by mistake and remained unlawfully on a site or on a private account which resulted in damage, erasure, alteration, copying or reprinting of data or information on that site, private account or information system. The penalty for such a crime shall be imprisonment for a period no less than two years and a fine no less than EGP 100,000 and not exceeding EGP 200,000, or one of these penalties.
The penalties include unlawful possession of any information or data, attacks on the integrity of data, information and information systems, hacking e-mail, websites or private accounts, hacking the design of a website, hacking on the integrity of the information network and hacking on the nation’s information systems, or circulation of any designed, developed or modified, as well as hardware, software, code or other similar data without the authorization of the National Telecommunications Regulatory Authority. As a new law, it has yet to be applied in practice, and our firm aims to keep a close eye on its development and the manner in which the Law will be enforced.
Regarding the crimes of fraud and assault on bank cards, services and electronic payment tools, the law provides for imprisonment for a period of no less than 3 months and a fine of no less than EGP 30,000 and not exceeding EGP 50,000, or one of those penalties, for anyone who used the information network or any of the means of information technology to improperly access the numbers or data of bank cards and services or other electronic payment tools, for the purpose of stealing the funds of others or the services it provides. Such an act shall be punishable by imprisonment for a term of no less than 6 months and a fine of no less than EGP 50,000 and not exceeding EGP 100,000, or one of these two penalties. The penalty shall be imprisonment for a period no less than one year and a fine which is no less than EGP 100,000 and does not exceed EGP 200,000, or one of these two penalties, if he concludes that the seizure of himself or others to those services or the money of others.
The penalties also included crimes related to the creation of websites, special accounts and e-mail, falsification of a natural or legal person, infringement of privacy and illegal information content, whether by sending many e-mails to a specific person without his consent (spamming), by giving personal data to a system or website promoting goods or services without the person’s consent, by publishing on the Internet or by any means of information technology news or pictures of a person without their consent, or by the violation of the privacy of any person without their consent, whether the published information is truthful or incorrect.
Anyone who intentionally uses an information or information technology program to process the personal data of others in order to associate it with content that is contrary to public morality, or improperly displays it in a way that would prejudice him or his honor, will be found to be violating other users’ rights and shall be incriminated under Law No. 175 of 2018 on Combating Information Technology Crimes.
By Ahmed Sharabash
for Eldib Advocates