Egypt Passes Personal Data Protection Law

On February 24, 2020, Egypt’s Parliament passed the Personal Data Protection Law (“PDPL”). The law has many similarities to the European Union’s General Data Protection Regulation (“GDPR”).

Scope

The PDPL applies to Egyptian citizens and non-Egyptian citizens residing in Egypt. This is similar to GDPR, but slightly more limiting because GDPR applies to any person in the EU, regardless of whether they are a citizen of an EU country or whether they live in the EU.

Personal Data

The PDPL applies to “personal data” and takes the definition almost verbatim from GDPR. “any data relating to an identifiable natural person, or is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, voice, picture, an identification number, an online identifier or to one or more factors specific to the physical, mental, economic, cultural or social identity of that natural person.”

Supervisory Authority/Cross-Border Transfers

The PDPL also creates a supervisory authority of sorts, called the Personal Data Protection Centre (the “Centre”), which is tasked with drafting regulatory guidance, in addition to issuing licenses and permits. These licenses and permits are something not required by GDPR, and under PDPL a license is required for controllers and processors to transfer personal data outside of Egypt.

Data Breach Notification

Controllers and processors must notify the Centre of any personal data breaches within 72 hours, similar to GDPR.

Rights of Data Subjects

Data Subjects have rights very similar to GDPR:

• Right to Know
• Right to Inspect
• Right to Access
• Right to Correct (GDPR: Rectify)
• Right to Determine the Degree of Processing (read: limited consent)
• Right to be Forgotten

 

Data Subjects are also afforded the opportunity to lodge a complaint with the Centre.

Penalties

Penalties for processing personal data without the Data Subject’s consent range from EGP 100,000 to no more than EGP 1 million. If the personal data is processed without the Data Subject’s consent and is used for personal gain that person will be imprisoned for a minimum of 6 months and fined no less than EGP 200,000 but not more than EGP 2 million.