After several years of debate, the Egyptian government has introduced the Republic’s first standalone data protection law, which aims to regulate and protect citizens’ data online. On 15 July 2020, Resolution No. 151 of 2020 (the Law) (available in Arabic here) was published in the Official Gazette. The provisions under the new Law are modeled on the EU General Data Protection Regulation (GDPR) and the Law adopts similar concepts and definitions. It is hoped that the new Law will help Egypt attract foreign investment by increasing consumer confidence in electronic data processing and setting clear parameters for companies looking to capitalise on the growth of the digital economy.
The Law will enter into force three months from when it was published in the Official Gazette (namely, on 15 October 2020). As part of the new Law, the Minister of Communications and Information Technology will issue the Law’s Regulation (Regulation) within a further six months from the date on which the Law enters into force in Egypt. The Regulation will provide further detail on the role of the new regulator and how it will implement the new Law. Companies will have a 12-month grace period to comply with the Law from the date of publication of the Regulation (i.e., compliance is expected to be required within a minimum of 18 months from 15 October 2020, if the Regulation is in fact issued within six months; it may take longer to issue the Regulation).
In this alert we provide an overview of key provisions in order to help businesses prepare for the enforcement of the new Law.
- The Law is effective from 15 October 2020 and companies will have at least 18 months from this date to become compliant.
- The grace period allows Egyptian national companies a generous period of time to consider the Law’s impact and to put in place an appropriate compliance program, given that many of the requirements will be entirely new to them.
- The Law imposes obligations on both data controllers and data processors, although many of the obligations imposed directly on processors specifically reflect their more limited role in dictating the manner and means of personal data processing.
- Offences under the Law can be committed by:
  (i) Egyptian companies operating in Egypt or overseas;
  (ii) Foreign companies operating in Egypt; and
  (iii) Foreign companies where the offence is punishable by law in the country where the perpetrator is based, and where it concerns a data subject resident in Egypt or a data subject who is a foreigner but who resides in Egypt.
- The Law introduces a breach reporting deadline equivalent to the GDPR. Specifically, data breaches must be notified to the Regulator (as defined below) by the controller or processor, as the case may be, within 72 hours.
- Foreign companies processing personal data in Egypt are obliged to appoint a representative in Egypt. Further details are to be published in the Regulation.
- All controllers and processors in Egypt must appoint a Data Protection Officer who is an Egyptian resident.
- The Law also imposes a licensing, permit and security accreditation framework for data processing, data control, dealing in sensitive data, electronic marketing, and cross-border transfer of data.
- Companies should monitor the publication of the Regulation, which will provide further detail on the key provisions under the Law such as its extraterritorial application.