-
Population: 101,777,064
Capital: Cairo
President: Abdel Fattah el-Sisi
2020 Freedom House Score: 21/100
Data protection law? No
-
Egypt currently has a draft data protection law (Draft Law) that was approved by the Cabinet of Ministers and is being reviewed by Parliament.* The law will become effective three months from the date it is published and data controllers and processors must be compliant within one year of the issuance of the executive regulations, which should be issued within six months from the date of promulgation of the Draft Law.
Under the Draft Law, a data subject has the right to know, inspect, access, correct, and determine the degree of processing of their personal data possessed by any data controller or processor.
Explicit consent from the data subject is mandatory for processing, collection, and disclosure of personal data, and consent is rescindable at any time.
* The provisions in this summary are not currently in effect and may change before the final version of the law is passed.
-
Personal data is any data relating to an identifiable natural person, or is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, voice, picture, an identification number, an online identifier or to one or more factors specific to the physical, mental, economic, cultural or social identity of that natural person.
Sensitive personal data is data that reveals the mental health, physical health, genetic health, biometric data, financial data, religious beliefs, political opinions, security status relating to the natural person.
All data relating to children is considered sensitive personal data.
-
In order to collect and process personal data, the data must be:
- used for legitimate, specific, and public purposes
- correct and accurate, and
- held only for the period of time required to fulfil its specified purpose
-
The Draft Law establishes a Personal Data Protection Centre to:
- regulate data protection
- create regulations and mechanisms to ensure data protection, and
- receive complaints
The Centre also will issue licenses and permits for:
- data controllers, data processers, consultants, direct marketing activities, organisations, unions, and clubs
- entities processing sensitive personal data
- entities seeking to perform visual surveillance of public spaces
- cross-border transfers
-
Transferring or sharing personal data abroad requires a permit from the Centre, provided that the recipient country of the transfer has equal or greater data protection regulations. The processor or controller may allow another controller or processer to access personal data provided the objectives are similar or support a legitimate benefit to the controller, processor, or data subject.
Given explicit consent from the data subject, personal data can be transferred to a country without adequate protection to:
- protect the life of the data subject and to provide medical care;
- prove, claim, or defend a right before the judiciary;
- fulfil a contract for the benefit of the data subject;
- make a monetary transfer, or
- to fulfil a treaty of which Egypt is a member
-
Data controllers and processors are required to notify the Centre of any breach of personal data within 24 hours from the time of the breach. They must also submit a detailed report of the breach within 72 hours. The Centre will then immediately notify national security entities. The controller and/or processer must also notify the data subject of the breach within 10 working days after notifying the Centre.