Background:
Personal data protection is rooted in article 57 of the constitutional law of 2014, which states that the law protects private life and any source of communication. Moreover, the penal code no. 58 of 1994 treats any action that abuses the private places of the individual by recording or taking images as a crime. The cyber security law also provides for the protection of stored private data. Building on this, on 15 July 2020 President Abdel Fatah el Sisi ratified the Personal Data Protection Law (PDPL) No. 151 of 2020, and it was published in the official gazette, which means that it came into force. The PDPL defines personal data as “any data that is related to an identified or identifiable natural person, directly or indirectly by reference to any other data such as name, voice, picture, identification number, online identifier or any data that determines the psychological, medical, economic, cultural or social identity”. The law sets out requirements that must be known in order to protect personal data, whether the corporate clients are Egyptian or residents. In addition, the law stipulates tremendous criminal penalties.
Scope of the law:
This law specifies the processors and controllers to which it applies. Moreover, the personal data protection law has extraterritorial applicability, covering both Egyptian citizens and non-Egyptian citizens.
- What does the controller mean? Article 1 of the PDPL defines the controller as a natural or legal person who has the right to receive personal data and set the means, purposes, and criteria for keeping, processing, and controlling it due to the nature of their work.
- What does the processor mean? The PDPL states that the processor is any natural or legal person who processes Personal Data for its own advantage or on behalf of the Controller, as agreed with and instructed by the Controller, due to the nature of their work.
- Extraterritorial Applicability:
As mentioned above, this law applies to Egyptian citizens and to non-Egyptians who are resident in Egypt. It therefore applies extraterritorially, with the intent of protecting the data of residents and of Egyptian citizens based in Egypt.
The PDPL grants data subjects tremendous rights and excludes some data from its scope. The excluded data is the following:
- Natural persons’ data that is held for the benefit of others and their purpose.
- Data that is processed for official statistics or in the application of a legal provision.
- Data that is processed for media purposes.
- Data that is related to judicial records, investigation and legal claims.
- Data held by national security authorities, as well as whatever else they decide for other reasons. Upon request from national security authorities, the Center shall notify the controller or processor, under national security considerations, to change, delete, hide, make public, or circulate personal data within a set period. The controller or processor must respond to the notification within the timeframe stated in the notification.
- Data held by the Central Bank of Egypt and banks are subject to data protection laws and regulations enacted by the Egyptian banking laws and regulations.
All data other than that mentioned above is regulated by the personal data protection law. The rights that the PDPL provides to the data subject are the following:
- To be informed of who is processing personal data and to have access to it.
- To revoke consent to the processing of personal data.
- To correct, modify, amend or delete the personal data.
- To limit the processing of personal data to a limited scope.
- To be warned of any breach of personal data.
Types of personal data:
The PDPL regulates certain types of data and activities: sensitive personal data, cross-border data transfer, electronic marketing, and the safeguarding, handling and processing of data.
- Sensitive personal data:
This type of data includes the following: “psychological, mental, or physical health, or genetic, biometric or financial data, religious beliefs, political views, or criminal records and data related to children”. The Egyptian legislator prohibits transferring, storing, saving or processing any sensitive data unless the controller or the processor obtains the consent of the data subject and authorization from the Center.
- Cross border data transfer:
This means transferring data to a third party, whether from Egypt to abroad or vice versa. It is therefore important for organizations that rely on cross-border data transfer, such as online IT services and cloud-based services.
Transferring data to a third party requires the following conditions:
- Explicit consent of the data subject or his representative is obtained, and
- The transfer is for one of the following:
  - To preserve the life of the data subject
  - To prove, claim or defend a right before the judiciary
  - To conclude or implement an agreement for the benefit of the data subject
  - To handle an international judicial cooperation procedure
  - To protect the public interest
  - To transfer money to another country
  - The transfer or circulation is made under a bilateral or multilateral international agreement to which Egypt is a party.
- Electronic marketing:
This activity means sending any message, advertisement or marketing content by any technological means. According to the PDPL, this kind of direct marketing to the data subject is prohibited unless the following conditions are met:
- Acquiring the Data Subject’s consent.
- Stating the identity of the sender.
- The sender must provide a legitimate and full address to be reached.
- An indication that the aim of communication is for marketing and
- Establishing clear and simple ways for the Data Subject to opt out or withdraw his or her permission in this regard.
The sender shall preserve electronic records demonstrating the Data Subject’s consent to receive Electronic Marketing communications, including any amendments, or his/her non-objection to their continuation for three years from the date of the last communication.
Data protection mechanisms:
To make sure that these rules are followed, the law gives the Data Protection Officer and the Personal Data Protection Center the authority to enforce it. The Data Protection Officer is in charge of enforcing the provisions of this Law, its Executive Regulations, and the Center’s decisions, as well as supervising and monitoring the applicable procedures within its relevant entity and receiving requests for Personal Data in accordance with this Law’s provisions. The Personal Data Protection Center is affiliated with the Minister of Communication and Information Technology, and its aim is to supervise and enforce the personal data protection law. In addition to these responsibilities, article 19 stipulates various others, such as raising public awareness, encouraging the creation of Codes of Conduct, issuing licenses and permissions, and advising the government and parliament on proposed related laws and international treaties.
Procedures for disclosing personal data:
The PDPL gives the controller and processor the following procedures for requests to disclose personal data:
- The request must be in writing and presented by the appropriate person.
- All the required essential documents must be provided, and
- Within six (6) working days after the disclosure’s submission, a decision on the disclosure and its accompanying papers will be made. If the request is denied, the decision must contain the reasons for the denial. If the specified period passes without a decision, it will be regarded as a rejection.
Penalties and sanctions:
The personal data protection law imposes criminal liability on those who breach it. The sanctions include fines and imprisonment. Here are some examples of the criminal penalties stipulated in the law:
- Collecting, processing, disclosing, providing access to, or circulating Personal Data by any means other than with the Data Subject’s consent or as otherwise authorized by law: up to one year in prison and a fine of between EGP 100,000 and EGP 1,000,000 (about US$6,300 and US$63,000).
- Unlawful disclosure of electronically processed personal information: a fine of not less than EGP 100,000 and not exceeding EGP 1,000,000. Moreover, the imprisonment shall be for a minimum of 6 months and the fine doubled if the unlawful disclosure was made in exchange for a benefit or to harm the data subject.
- Unlawful acts involving sensitive personal data: imprisonment for not less than 3 months and/or a fine of not less than EGP 500,000 and not exceeding EGP 5,000,000.
- Violation of the cross-border data transfer rule: imprisonment for not less than 3 months and/or a fine of not less than EGP 500,000 and not exceeding EGP 5,000,000.
- Violation of the electronic marketing rules: a fine of not less than EGP 200,000 and not exceeding EGP 2,000,000.
- The data protection officer (DPO) shall be fined EGP 1,000,000 in case any breach of the law occurs.
As these examples of criminal offences and fines show, the Egyptian legislator made the law tough on users and businesses. In addition, the manager of the organization shall be liable if it is proven that the manager knows that the organization has violated the law.
In conclusion, the personal data protection law is one of the most recently established laws. It aims to protect personal data by requiring that the conditions for registering at the Center be fulfilled. Moreover, the law specifies whom it applies to, the rights it grants, and the data it excludes from its scope. It also defines the types of personal data and the requirements attached to each. Finally, the law stipulates the penalties and sanctions that the processor and the controller should avoid.