DLA Piper Intelligence

Data Protection
Laws of the World

Law

Egypt
Egypt

Egypt does not have a law which regulates protection of personal data. However, there are some piecemeal provisions in connection with data protection in different laws and regulations in Egypt. Further, the Egyptian Parliament is currently discussing the data protection draft law (the “Data Protection Draft Law”), which has been under discussion since 2017 and is expected to be promulgated soon. 

The Data Protection Draft Law aims to capitalize on Article (57) of the Egyptian Constitution and shall be in conformity to its provisions to safeguard personal data and information of users/consumers. The Data Protection Draft Law aims at regulating the processing and storage of personal data by service providers in the sector of information technology and communications as well as avoid disclosure and processing of such data without consent of the respective individual. Further, the Data Protection Draft Law aims at establishing data security provisions and regulate data transfer cross-borders as well as regulate and monitor e-commerce. 

The Data Protection Draft Law provides, principally two types of data: (i) Personal data, which includes any data relating to an identified natural person or one who can be identified directly or indirectly by way of linking personal data to another such as: a name, a voice, a picture, an identification number, an online identifier, or any data which determines the psychological, physical, economical or cultural identity of that person; (ii) sensitive data, which includes data relating to mental, physical or psychological health, genetic data, biometric data, financial data, religious beliefs, political views, criminal records, and children’s data. 

Data Protection Draft Law excludes the following data from its scope of application and law enforcement:

  • Personal data processed for the national census or legal compliance;
  • Personal data that natural persons hold and process for personal purposes;
  • Personal data that national security authorities and Central Bank of Egypt hold; and
  • Personal data relating to law enforcement reports and public prosecution investigations, including terrorism and other criminal cases.

Failure to comply with the provisions of the Data Protection Draft Law may result in significant fines, which vary, from EGP 100,000 to EGP 5,000,000 and/or imprisonment from one (1) to three (3) years, depending on the severity of the violation.

Until the promulgation of the Data Protection Draft Law, privacy and personal data are governed by general principles found under the Egyptian Constitution and several other legislations, inter alia:

Constitutional principles concerning individuals’ right to privacy under the Egyptian Constitution as well as general principles on compensation for unlawful acts under the Egyptian Civil Code govern the collection, use and processing of personal data.

In addition, the Egyptian Penal Code no. 58/1937 imposes criminal punishment for unlawful collection of images or recordings for individuals in private places. Some other laws provide for protection and confidentiality on certain data, such as the Egyptian Labour Law no. 12/2003 (confidentiality of the employee’s file information including punishment and assessment) and the Egyptian Banking Law no. 88/2003 (confidentiality of client and account information). Egyptian Civil Status Law no. 143/1994 provides for the confidentiality of citizens’ civil status data. The Executive Regulations of Mortgage Finance Law no. 148/2001 issued by virtue of Cabinet Decree no. 1/2001 as amended by Prime Minister Decree no. 465/2005 has a similar clause which provides for the confidentiality of the data of the clients of mortgage finance companies. The Egyptian Telecommunications Law no. 10/2003 provides for the privacy of telecommunications and imposes penalties which account to imprisonment in some cases on the unauthorized violation of such privacy. Egyptian Penal Code no. 58/1937 and Physicians Code of Ethics provide for the privacy of the patient’s information and prohibition to disclose it without the patient’s prior consent. The violation of such prohibition could be penalized by imprisonment and/or minimal fines. The new Cyber Security Law No. 175 of 2018 provides that the service providers are under a duty to maintain the privacy of the data stored and not to disclose it without a reasoned order from a relevant judicial authority.

Article (57) of the Egyptian Constitution promulgated in January 2014 provides for the protection of privacy and secrecy of, inter alia, mails, phone conversations and other methods of communication. The aforementioned shall not be monitored, inspected or confiscated unless by virtue of a prior court order and for a limited period of time as regulated by the law. The Egyptian Constitution has not defined data protection. However, it refers to the legislative authority to regulate the communication of data in a manner that does not encroach upon the privacy of citizens, their rights and National Security.

Last modified 14 Jan 2020
Law
Egypt

Egypt does not have a law which regulates protection of personal data. However, there are some piecemeal provisions in connection with data protection in different laws and regulations in Egypt. Further, the Egyptian Parliament is currently discussing the data protection draft law (the “Data Protection Draft Law”), which has been under discussion since 2017 and is expected to be promulgated soon. 

The Data Protection Draft Law aims to capitalize on Article (57) of the Egyptian Constitution and shall be in conformity to its provisions to safeguard personal data and information of users/consumers. The Data Protection Draft Law aims at regulating the processing and storage of personal data by service providers in the sector of information technology and communications as well as avoid disclosure and processing of such data without consent of the respective individual. Further, the Data Protection Draft Law aims at establishing data security provisions and regulate data transfer cross-borders as well as regulate and monitor e-commerce. 

The Data Protection Draft Law provides, principally two types of data: (i) Personal data, which includes any data relating to an identified natural person or one who can be identified directly or indirectly by way of linking personal data to another such as: a name, a voice, a picture, an identification number, an online identifier, or any data which determines the psychological, physical, economical or cultural identity of that person; (ii) sensitive data, which includes data relating to mental, physical or psychological health, genetic data, biometric data, financial data, religious beliefs, political views, criminal records, and children’s data. 

Data Protection Draft Law excludes the following data from its scope of application and law enforcement:

  • Personal data processed for the national census or legal compliance;
  • Personal data that natural persons hold and process for personal purposes;
  • Personal data that national security authorities and Central Bank of Egypt hold; and
  • Personal data relating to law enforcement reports and public prosecution investigations, including terrorism and other criminal cases.

Failure to comply with the provisions of the Data Protection Draft Law may result in significant fines, which vary, from EGP 100,000 to EGP 5,000,000 and/or imprisonment from one (1) to three (3) years, depending on the severity of the violation.

Until the promulgation of the Data Protection Draft Law, privacy and personal data are governed by general principles found under the Egyptian Constitution and several other legislations, inter alia:

Constitutional principles concerning individuals’ right to privacy under the Egyptian Constitution as well as general principles on compensation for unlawful acts under the Egyptian Civil Code govern the collection, use and processing of personal data.

In addition, the Egyptian Penal Code no. 58/1937 imposes criminal punishment for unlawful collection of images or recordings for individuals in private places. Some other laws provide for protection and confidentiality on certain data, such as the Egyptian Labour Law no. 12/2003 (confidentiality of the employee’s file information including punishment and assessment) and the Egyptian Banking Law no. 88/2003 (confidentiality of client and account information). Egyptian Civil Status Law no. 143/1994 provides for the confidentiality of citizens’ civil status data. The Executive Regulations of Mortgage Finance Law no. 148/2001 issued by virtue of Cabinet Decree no. 1/2001 as amended by Prime Minister Decree no. 465/2005 has a similar clause which provides for the confidentiality of the data of the clients of mortgage finance companies. The Egyptian Telecommunications Law no. 10/2003 provides for the privacy of telecommunications and imposes penalties which account to imprisonment in some cases on the unauthorized violation of such privacy. Egyptian Penal Code no. 58/1937 and Physicians Code of Ethics provide for the privacy of the patient’s information and prohibition to disclose it without the patient’s prior consent. The violation of such prohibition could be penalized by imprisonment and/or minimal fines. The new Cyber Security Law No. 175 of 2018 provides that the service providers are under a duty to maintain the privacy of the data stored and not to disclose it without a reasoned order from a relevant judicial authority.

Article (57) of the Egyptian Constitution promulgated in January 2014 provides for the protection of privacy and secrecy of, inter alia, mails, phone conversations and other methods of communication. The aforementioned shall not be monitored, inspected or confiscated unless by virtue of a prior court order and for a limited period of time as regulated by the law. The Egyptian Constitution has not defined data protection. However, it refers to the legislative authority to regulate the communication of data in a manner that does not encroach upon the privacy of citizens, their rights and National Security.

Last modified 14 Jan 2020
Definitions

Definition of personal data

There is no definition of personal data or private life under Egyptian law or the Constitution. However, Egyptian laws provide examples of the personal data that are protected such as the Labour Law. Article 77 of the Labour Law provides that the employees’ files that must be kept by the employer (as mentioned below) includes the employee’s personal data such as his name, job, professional skills when he joined the workplace, domicile, marital status, salary, starting date of his work, the holiday leave he takes, punishments imposed on him and the reports of his superiors on his work.

Definition of sensitive personal data

There is no definition of sensitive personal data under Egyptian law.

Last modified 14 Jan 2020
Authority

There is no national authority responsible for data protection in Egypt.

Last modified 14 Jan 2020
Registration

There is no requirement or facility to register data in a specific register.

Last modified 14 Jan 2020
Data Protection Officers

There is no requirement in Egypt for organisations to appoint a data protection officer.

Last modified 14 Jan 2020
Collection & Processing

According to the principles of the Egyptian Civil Code, the collection, use or processing of personal data is prohibited in case it violates the individual right to privacy and provided that such collection, use or processing constitutes a fault pursuant to the Egyptian Civil Code. A fault is defined by the judiciary as an act or omission that violates an obligation imposed by the law or assumed caution and care of the average man.

Only data which is considered pertinent to the data subject’s private life requires the consent of the data subject. The competent courts will determine whether specific data is considered pertinent to the private life of the data subject or not and whether the collection or processing of such data violates an obligation imposed by the law or assumed caution and care of the average man.

Collecting data about the employee is required by law (Article 77 of the Egyptian Labour Law) which provides that each employer must keep a file for each employee which includes their personal data. Only certain persons are authorised by the law to have access to such data.

Last modified 14 Jan 2020
Transfer

The same general principles applicable to data collection and processing mentioned above apply to the transfer of data. The data controller may not transfer data pertinent to the private life of the data subject except after obtaining the consent of the data subject, unless otherwise permitted by the law.

Last modified 14 Jan 2020
Security

Other than client and account data in banks, personal data controllers are not required by law to take specific measures against unauthorised or unlawful processing, accidental loss or destruction of, or damage to, personal data. The data controllers will be held liable according to the average man standard if their acts or omissions cause the processing, loss, destruction or damage to such personal data and this in turn results in damage being caused to the data subject.

Last modified 14 Jan 2020
Breach Notification

There is no mandatory legal requirement in the Egyptian law to report data security breaches or losses to the authorities or to data subjects.

Last modified 14 Jan 2020
Enforcement

As a general rule, civil liability may be raised in connection with violations against the individuals’ right to privacy. The prejudiced data subject should establish to the competent court the unlawful act, the damage occurred to them and the causation relationship between the unlawful act and the damage. Compensation is calculated on an 'actual damages' basis and is not punitive. Moral damages are also compensated.

Civil liability for data privacy infringement has not been frequently claimed before Egyptian courts.

Last modified 14 Jan 2020
Electronic Marketing

Egyptian law does not have any specific provisions which regulate Electronic Marketing.

Last modified 14 Jan 2020
Online Privacy

The Egyptian Constitution issued in 2014 provides that internet security is considered an essential part of the economic institution and national security and that the state is responsible for taking any required measures to maintain said security as regulated by the law. However, Egyptian law does not have any specific provisions which regulate online privacy.

There are number of draft legislations that are expected to be promulgated by Parliament in the coming period on state surveillance and the transfer and processing of data, including (i) draft law regarding the combat of the electronic and information crimes; and (ii) draft law regarding cyber security.

Also, please note that the Egyptian Computer Emergency Response Team, which is affiliated to the Ministry of Communication and Information Technology, has been established since April 2009 and is responsible for, inter alia, providing support to entities, banking and government sectors to tackle cyber security threats.

Further, Article 64 of the Telecommunication Law no. 10/2003 provides that the services provider or processor of telecommunications services must maintain, at its sole expense, all the technical capability which will allow the armed forces and the national security authorities to perform its competences within the limit of the law, without prejudice to the protection of private life of the individuals. This provision might be interpreted by the authorities to give them the right to have access to or surveillance on the data and information transferred or processed through telecommunication services in Egypt.

Last modified 14 Jan 2020
Contacts
Nevine Aboualam
Nevine Aboualam
Partner
T + (202) 2796 2042 (ext.111)
Last modified 14 Jan 2020