On July 13, Egyptian President Abdel Fattah el-Sisi ratified the Personal Data Protection Law (Law No. 151 of 2020) which aims to protect and regulate the collection and processing of personal data of Egypt’s citizens and residents. Except, perhaps it does not.
While the law provides a number of necessary legal safeguards to protect individuals’ personal data and information as they use the internet, we explain below why this new legislation — which will come into effect on October 15 this year — may be less about data protection than it is about data control.
What’s in the law? Scope and principles
The law defines personal data as “any information relating to any natural person that can be recognized directly or indirectly by reference to an identifier such as a name, voice, a picture, an identification number, an online identifier, or any other data specific to the phycological, health, economic, cultural, or social identity of that person.”
It applies to the personal data of Egyptian citizens as well as non-citizens who reside in Egypt. The law has an extraterritorial applicability as it prohibits the transfer or retention of personal data to a foreign country or territory unless that country or territory has adequate levels of personal data protection. The penalty for personal data breaches and violations of the law applies to Egyptian citizens living outside of Egypt, as well as non-Egyptians residing outside of Egypt if such breaches are punishable in the country where they reside, and the data belongs to Egyptian citizens or residents.
The law includes the following data protection principles:
- Personal data can be collected and processed only for specific, legitimate, and public purposes.
- Personal data processed must be accurate, correct, and secure.
- Personal data shall not be retained once the purpose of its collection and processing has been achieved.
- Data shall be processed for a lawful purpose, and in a manner suitable for its intended purpose.
What rights does the law grant users?
The law grants a number of binding rights for users to guarantee the protection of their personal data and information online, including:
- The right to give and withdraw consent to the collection and processing of their personal data.
- The right to know what personal data is being collected, processed, and accessed, and by whom. Users also have the right to request data processing entities to provide them with access to or a copy of their personal data that is being processed.
- The right to know when their personal data is illegally accessed or breached. Data breaches must be reported within 72 hours and users must be notified within three working days.
- The right to correct, delete, change, update, or add to their personal data.
- Finally, users have the right to protest the processing of their personal data and any results of such processing if it contradicts or violates users fundamental rights and freedoms.
Most notably, the law strictly prohibits the access, collection, processing, transfer, and retention of sensitive personal information, such as biometric data, unless there is an explicit and written consent from the user and it is licensed by the Personal Data Protection Center, a regulatory mechanism established by the law.
What are the legal obligations for data controllers and processors?
The law also obliges collectors and processors of personal data to ensure the safety and security of personal data. As stated above, so-called data controllers — for example, a social media company — cannot receive data without the person’s consent, or without what’s legally permissible. They must also delete this data once the purpose of its use has ended. They are also obliged to correct any mistakes in the personal data as soon as they are informed.
Both the data controller and processor must compile and maintain a Personal Data Log which registers the categories of personal data, the identity of those who have access to the data, relevant retention periods, any restrictions imposed on processing data, procedures for deleting and/or updating data, technical and organizational measures used to secure the data, and any cross-border transfers of data.
The law also requires any entity acting as a recipient, controller, or processor of personal data to appoint a Data Protection Officer whose responsibility is to ensure compliance with the law and its executive regulations. This designated person will be the official point of contact at the Personal Data Protection Center, a regulatory mechanism established by the law.
What are the shortcomings and potential pitfalls?
All of the above principles and provisions are positive. Unfortunately, the law has serious shortcomings that threaten to undermine the purpose of such legislation.
One major red flag is the exemptions carved out for a number of entities, including the Central Bank of Egypt (CBE) and — most worryingly — national security authorities. They include the President, the Ministry of Defence, the Ministry of Interior, and the General Intelligence Service. The law also exempts processing personal data for media purposes.
Here’s the problem: national security agencies in Egypt have perpetrated documented human rights abuse for decades. In recent years, Egyptian authorities have escalated online censorship, blocking websites and targeting human rights defenders and journalists, in the name of national security and fighting terrorism. These authorities should not be exempt from the obligation to protect users’ personal data and thereby safeguarding and upholding their right to privacy.
Further, while the new law appropriately places strict, clear obligations on data controllers and processors, such as telecommunications companies and internet service providers, the existing Cybercrime Law of 2018 requires that these companies store data on users’ online activity for 180 days, and grants authorities access to this data. The failure to comply with data retention provisions is punishable by hefty and disproportionate fines of 5 to 10 million Egyptian pounds (LE), while the failure to submit information to government authorities upon request is punishable by up to three months in prison and fines between LE200,000 and LE1 million.
A second red flag is that the Personal Data Protection Center — the data protection authority prescribed in the law, to be established under the Minister of ICT — will not be a truly independent entity. Its mandate is to regulate data protection, enforce compliance with the law, create further regulations for implementation, and to receive and investigate complaints. It should be overseeing implementation of the law across public entities and private companies with full independence. Yet the agency will have a board appointed by the Minister, and as stipulated by the law, the board must include representatives from the Ministry of Defence, the Ministry of Interior, and the Intelligence Services, among seven other members. That does not represent independent oversight of this regulatory function, especially since the board has decision-making authority.
In addition, the Personal Data Protection Center is tasked with issuing licenses and permits for processing personal data. In fact, both data collectors and processors in Egypt and overseas are required to obtain necessary licenses and permits to process data. The specification, conditions, and types of these licenses and permits are still unknown and should be outlined in the executive regulations of the law (to be issued in six months from the publication of the law).
What is particularly alarming about this is the high ceiling for licensing and permit fees, which hint at ulterior motives. The law stipulates such fees should not exceed 2 million LE while permits fees should not exceed LE500,000. These are large sums. In addition, data processors and collectors in foreign countries must obtain a license for cross-border data transfers, and must appoint a Data Protection Officer in Egypt for this purpose. According to a statement by the Ministry of ICT, there are strategic plans to host and localize data centers in Egypt, to “contribute to significant economic growth by attracting international investments in this field.” This statement suggests that authorities may plan to exploit licensing requirements for financial gain. That in turn suggests that the primary focus of the law may not be to protect people’s information but to give the state more capacity to exercise control over and monetize the use of that data. This stands in direct conflict with what a data protection law should do.
Data protection, or more smoke and mirrors?
We at Access Now have been urging national governments in the Middle East and North African region to adopt data protection laws that guarantee the protection of users’ internet data for many years. However, it is imperative that these laws put the privacy of users at their heart and center so that people can control what personal data they share and with whom.
In the current context of creeping digital authoritarianism in Egypt, this law could be leveraged by the authorities to further control and restrict access to information. To ensure the rights of Egyptian citizens to privacy, freedom of expression, and access to information, lawmakers must amend the Personal Data Protection Law, specifically to rescind the exemptions for national security authorities and ensure the independence of the future data protection authority. The state should also revoke the Cybercrime Law of 2018, which is already systematically used to silence dissent and censor free speech online.