By: Masaar – Technology & Law Community

Conceptualized and commissioned by Access to Knowledge for Development for the Fairwork project, in collaboration with the Oxford Internet Institute and the WZB Berlin Social Science Center, with support from the Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ).

General context 

In July 2020, the President of the Republic ratified Law No. 151 of 2020 promulgating the Personal Data Protection Law, after nearly two years of discussing the Data Protection Draft Law by the House of Representatives Information and Communication Technology Committee. A number of companies operating in the communications sector and a limited number of Egyptian civil society organizations participated in the process.

Although the said Law is in accordance with the Constitutional Provisions stipulated in Article 57 of the Constitution, it was only restricted to protecting Personal Data and establishing a regulatory framework only for the protection of data processed electronically. Meanwhile, most of the daily transactions, whether in the governmental or the non-governmental sector, involved disclosing Personal Data not processed electronically on a regular basis. There are no other legislations that address non-electronic data protection or regulate sharing them with third parties.  

While drafting the Personal Data Protection Law, the Egyptian legislator adopted the rules stipulated in the General Data Protection Regulation of the European Union (GDPR). However, the Legislator has amended the said rules and redrafted some Law Provisions in a brief manner, especially the rules pertaining to the rights of persons whose Personal Data are shared with third parties and the guarantees of protecting the right to privacy of data owners. In addition, the Law has referred a considerable number of procedures related to enforcing the Data Protection Law to the Executive Regulations of the Law, which have not been issued yet. As a result of such delay, the application of the said Law has been stalled.    

During the process of drafting the Law, representatives of the Ministry of Interior, the Ministry of Defense and the Central Bank raised objections to being governed by the provisions of the Law. Such objections were taken notice of, and National Security Authorities, the Central Bank, and the Bodies affiliated thereto were exempted from the provisions of the Personal Data Protection Law.

Scope of Application 

The Personal Data Protection Law shall apply to any and all residents, Egyptians and foreigners, in the Arab Republic of Egypt. It may apply to residents outside Egypt in general provided that the act committed by a foreigner or an Egyptian residing abroad is punishable by the Law of the country in which the offense was committed. The Law shall further apply to electronically-processed Personal Data only, excluding other data. In addition, the scope of protection shall be restricted only to the electronically-processed data of natural persons, which means that the scope of protection shall not include data related to companies, bodies, and other entities.

The provisions of the Law shall not apply to the following cases:  

• Personal Data of third parties held by natural persons and processed for personal use. 
  
  
• Personal Data that is processed for the purpose of obtaining official statistical data or enforcing a Legal Provision. 
• Personal Data that is processed solely for media purposes, provided that the said data is valid and accurate and on condition that it is not used for other purposes, without prejudice to the legislations governing press and media.  
  
  
• Personal Data related to judicial records, investigations, and lawsuits.
  
  
• Personal Data that is held by National Security Authorities and other considerations at the said Authorities’ discretion.
  
  
• Personal Data that is held by the Central Bank of Egypt and Bodies under its control and supervision, except for money transfer companies and currency exchange companies.
  
  

The Personal Data Protection Law focuses mainly on governing the protection of electronically-processed personal data. Thus, the provisions of the Law apply to the majority of online commercial platforms or platforms that operate according to the platform economy model, as long as the activities of such involve handling Personal Data in any way. The law has set forth two types of Data as follows:

• Personal Data which is any data that relates to an identified natural person, or a natural person who can be identified directly or indirectly by linking such Personal Data to other data such as name, voice, picture, identification number, online identifier, or any data that reveals the psychological, medical, economic, cultural or social identity of a natural person.
  
  
• Sensitive Personal Data which is data that discloses psychological, mental, or physical health, genetic, biometric or financial data, religious beliefs, political views, or criminal records. In all cases, children-related data shall be considered Sensitive Personal Data.
  
  

On that basis, the Personal Data Protection Law shall apply to many platforms and companies that operate their business drawing upon information technology, including but not limited to, ridesharing companies, companies that provide logistic services such as food delivery companies, shipping companies, e-commerce companies, fintech companies, service platforms, freelance platforms, platforms that connect the service recipient to the service provider, digital marketing companies that draw upon communication technologies and internet, healthcare service companies including clinics and hospitals appointment reservations and medications delivery companies.  

Pursuant to the provisions of the Law and the regulatory rules stipulated and their application to companies and platforms that handle Personal Data and Sensitive Personal Data, there is an overlap between the responsibilities and obligations stipulated by the Law, especially with the presence of third parties that need to access the Personal Data to carry out their mandates.   

For example, most e-commerce companies, freelance platforms and gig economy platforms may need to outsource several mandates to third parties. This often takes place for the purposes of reducing the operations, benefiting from specializations that are not available in-house or using advanced technologies to carry out mandates relevant to data collection and processing. Examples of this overlap include the following:     

• Ridesharing companies collect Personal Data on end users and drivers. In the meantime, they use electronic payment platforms (as a third party) to make online payments, and navigation systems (as a third party) for transportation. They may use electronic marketing companies (as a third party) to target end users through targeted advertising. This means that ridesharing companies will handle Personal Data and Sensitive Personal Data whether through the company itself or by dealing with third parties. In such a case, the company and all third parties shall be governed by the Law.
  
  
• E-commerce platforms collect Personal Data on end users and vendors. In the meantime, they use electronic payment platforms (as a third party) to make online payments and shipping companies (as a third party) to deliver the purchases from the vendor to the end user. They may use electronic marketing companies (as a third party) to target end users through targeted advertising. This means that ridesharing companies will handle Personal Data and Sensitive Personal Data whether through the company itself or by dealing with third parties. In such a case, the company and all third parties shall be governed by the Law.
  
  
• Shipping companies. Due to the nature of their work, they have access to the Personal Data of several parties. An example of the overlap of data collection is that shipping companies that deal with e-commerce platforms have access to the Personal Data of end users, vendors and couriers. They may use navigation systems (as a third party) for delivery or an electronic marketing company (as a third party) to target customers through targeted advertising. In such a case, the company and all third parties shall be governed by the Law.
  
  
• Service platforms collect data on end users and service providers. In the meantime, they use electronic payment platforms (as a third party) to make online payments. They may use electronic marketing companies (as a third party) to target end users through targeted advertising. In such a case, the company and all third parties shall be subject to the Law.
  
  

As part of identifying the different parties that handle data, especially in the presence of outsourcing where third parties get to handle data, the Law has set three main categories that shall be subject to its provisions. 

• The Holder: any natural or artificial person who holds Personal Data in any manner, or by any means of storage, regardless of whether such person initially created the said Personal Data or it was transferred to such person by any means. Such is the case of server management companies where data is stored, or telesales companies, SMS marketing companies, and shipping companies.
  
  
• The Controller: any natural or artificial person who has the right to obtain Personal Data and specify the means and criteria of storing, processing or controlling such data according to a specific purpose or activity. Such is the case of ridesharing companies, and e-commerce and digital marketing platforms.
  
  
• The Processor: any natural or artificial person who is authorized by virtue of the nature of its work to process Personal Data for its own interest or on behalf of the Controller as agreed with and instructed by the Controller. Such is the case of shipping, digital marketing, and digital payments companies.
  
  

Obligations of the Controller, Processor, and Holder

The Law grants a number of guarantees pertaining to protecting the Personal Data of users. These guarantees are mirrored in the obligations of the Data Processor, Controller and Holder. The Law differentiates between the obligations of the Controller and the Processor; however, it neglects the obligations of the Holder. Article 4 stipulates a number of obligations as follows: 

• There are obligations on the Controller related to the rights of users. The Controller shall obtain the consent of the data owner to obtain the Personal Data or receive it from the Holder or a Competent Authority that provides such data, while also ensuring the validity, sufficiency and conformity of the Personal Data with the purpose of its collection, deleting any Personal Data held by the Controller upon fulfilling the designated purpose and correcting any error in the Personal Data immediately upon being notified or made aware of such error.
  
  
• The Controller shall obtain a license or permit from the Data Protection Center to handle Personal Data. It shall set the means, manner, and standards for processing pursuant to the designated purpose. It shall ensure the alignment of the designated purpose of Personal Data collection with the processing purposes, adopt all technical and regulatory procedures, and apply the necessary standard criteria for protecting the Personal Data. It shall ensure its confidentiality and prevent any hack, damage, alteration, or manipulation through any illegitimate procedure. It shall maintain a record of Personal Data that includes a description of the categories of such at its disposal, and it shall determine the persons to whom such data shall be disclosed or made available along with the basis, duration, restrictions, and scope thereof, as well as the mechanisms of deleting or editing the Personal Data, or any other relevant data pertaining to Cross-Border Personal Data Transfer. The record shall, also, include a description of the technical and regulatory procedures of data security. It shall provide whatever is required to ensure compliance with obligations and give access to the Data Protection Center for inspection and control to ensure the said compliance.
  
  
• The Law has set forth a compulsory provision pertaining to the Data Controller outside the Arab Republic of Egypt, where the said provisions obligate the Controller to assign a representative thereof in the Arab Republic of Egypt.
  
  

General Features of Personal Data Protection Rules and Procedures

The Egyptian Personal Data Protection Law has set out a number of Rules and Procedures pertaining to protecting Personal Data in general. The said Rules and Procedures shall apply to all authorities and entities that handle Personal Data as long as they are not exempted by Law. Thus, all platforms and companies that handle Personal Data and sensitive Personal Data shall comply with the Personal Data Protection Rules and Procedures that are stipulated by the Law. Following is a summary of said rules and procedures:  

• The right to be notified of any breach or violation. The provisions of Article 2 of the Data Protection Law stipulate the users’ right to be notified and informed of any breach or violation of their Personal Data. Article 7 pertaining to the Controller’s and Processor’s obligations stipulates that the Data Protection Center only, not the data owner, shall be notified of any breach or violation of data within 72 hours. In case such breach or violation is related to National Security considerations, the Center shall be notified promptly. The Center in any case thereof shall notify the National Security Authorities of the event promptly.
  
  
• The right to be informed about the purposes of collecting data and reasons for processing such. The provisions of Article 2 of the Data Protection Law govern the users’ rights to know, review, access, and obtain their Personal Data held by any Data Holder, Controller, or Processor.
  
  
• The Rules and Procedures pertaining to giving access to, deleting, and editing the Personal Data. Giving users access to the data held by the Controller, Processor, or Holder is an important step towards granting users different rights to delete, correct, or edit the data and being informed of the reason for data collection and processing.
  
  

Cross-Border Personal Data Transfer

The Egyptian Personal Data Protection Law does not specify clear minimum standards to abide by in Cross-Border Personal Data Transfer, whether to governmental entities, companies, or organizations outside Egypt. Instead, by virtue of Article 14, the Data Protection Law has set out two conditions for transferring and giving access to data across borders:  

• First: the minimum protection level stipulated by Egyptian Law.
  
  
• Second: a permit obtained from the Data Protection Center to transfer data to foreign parties. 
  
  

The scope of service providers’ responsibility and the violation consequences thereof

The Personal Data Protection Law sets forth the responsibility of service providers, apart from the obligations of the Processor or the Controller stipulated by the Law. These responsibilities are as follows: 

• Providing what is necessary to ensure the service provider’s compliance with the provisions of the Law and giving access to the Data Protection Center for inspection and control.
  
  
• Reporting any breach or violation of the Personal Data at its disposal to the Center within 72 hours. In case such breach or violation is related to National Security considerations, the report shall be filed promptly.
  
  
• The legal representative of the artificial person, whether the Controller or the Processor, shall assign a competent employee to be responsible for protecting the Personal Data inside its legal entity and personnel structure. This employee shall be registered in the Data Protection Officers register at the Center.
  
  
• Violating the obligations and responsibilities is punishable by Law, especially if the violations are related to disclosing data, denying data disclosure requests or violating the provisions of electronic marketing. In such cases, the service providers shall incur penalties ranging from fifty thousand to five million Egyptian pounds or be sentenced to imprisonment for up to three years.