Privacy and security of the personal data of Egyptian citizens and foreigner

The draft data protection law is concerned with the privacy and security of the personal data of Egyptian citizens and foreigner individuals who live in Egypt. It is Egypt’s version of the GDPR.

The draft law protects any personal data, if it leads to identifying an individual.  Examples include his/her name, address or photo.  The law provides an additional layer of protection to sensitive data, such as an individual’s religion and his/her medical information. It sets the rights of individuals in relation to their personal information, such as their right to ask that their data be deleted, and the obligations of organizations collecting or processing data.  

The main features of the draft law that may affect you as a business are:

  • Limitation on the ability of organizations to collect, use, transfer or retain personal data.
  • Duty to obtain a license and other compliance requirements, if data is controlled or processed (which is the case with all organizations).
  • Regulations addressing duties of companies’ carrying out direct marketing.

Who should worry and why?

Any person collecting, controlling, processing and/or holding personal data for uses that are non-personal.  This would basically include every business, company or other organization operating in Egypt.  The consequences for non-compliance are severe; ranging from imprisonment and fines and up to revoking data related licenses and publication of the criminal verdict in media outlets.

How much time do you have to set your house in order?

Those included within the scope of the law will be expected to comply within 18 months from the issuance of the law (that is if the executive regulations are issued on schedule).

What should you do?

The starting point is to track the data cycle from when your organization receives the data, processes, and stores it until the data is deleted.  Next, make sure you comply with each of the data protection principles as they have been emptied into legal obligations (see more on that below).   Document this in a policy and implement it.  Don’t forget to train your people.

Now you have an idea of the main highlights of the law and you want to understand more how data is handled under the law?  Deep dive into the below explanation of the data protection principles adopted by the law.

Seven key principles for data protection

These are set in stone under the GDPR and mirrored in the Law:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimization  
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability

We fleshed out three of the principles for you to get a clear idea: 

  1. Lawfulness, fairness, and transparency

The principle – You must not collect or keep any personal data in electronic or physical form, except for lawful purposes, such as one of the following purposes:

  • The person whose data is being collected has given his/her consent.
  • The relevant document is anonymized.
  • The company has a legitimate reason to keep the data.
  • There is a legal or contractual obligation.

You must reveal the purpose of the data collection and processing. 

How to comply? Ask yourself why you are collecting this data and if you are also processing it. Make sure your reasons are legitimate; where possible obtain the person’s consent. Inform the data subject.

Obtaining consent is the gold standard.  Usually, document anonymization is used in medical applications and research.

Example – think of a financial institution keeping personal data to comply with its Know Your Customer (KYC) requirements under anti-money laundry laws. 

  1. Accuracy

The principle – You must (i) ensure that the data collected is correct, and (ii) correct any inaccurate personal data.

How to comply? – Map your data; review it, make sure it is correct; and put in place workflows that allow data subjects to review their data and correct it.

Example – when a person’s address is part of the data collected, and the individual does not reside at that location anymore, you need to (i) correct the data; or (ii) include such address as the last known address/previous place of residence.

  1. Integrity and confidentiality (security)

The principle – You need to take the necessary technical and organizational measures for the protection of personal data to ensure there is no breach of confidentiality, hacking, destruction, alterations or damage to the personal data.  You also need to appoint a data protection officer, who shall be registered with the regulator. This officer must carry out regular evaluation and checks of the data protection systems and document that.

How to comply? – Appoint a data protection officer; review your systems and workflows; draft a data security policy and implement it; train your people; and report data leakages when they happen.

Example – A business should not only address cybersecurity risks; it should also put in place technical measures (e.g. a secure process for disposal of documents containing Personal Data; securing access to locations/premises containing documents/devices with access to personal data).  In addition, a business should take organizational measures (e.g. ensuring coordination between the relevant members of the organization on security processes like disposal of IT equipment which were used to store personal data).

What needs to change in the current draft?

Data protection is good and eventually leads to a better business environment for all of us. But, we are mostly worried about the imprisonment sanctions which, as currently drafted, are extraterritorial. This represents a personal threat to senior executives in Silicon Valley and Seattle. We see this as a disabling threat that may cause some companies to reconsider their investments in Egypt. The draft law is essentially borrowed from the GDPR. But on the sanctions part, we seem to have lost our sense of where the world is going and decided to go in the opposite direction.

Our Technology & Innovation team welcomes your questions: wael@waelbadawy.com



Comments are Closed