Population: 102,334,403

Capital: Cairo

President: Abdel Fattah el-Sisi

2021 Freedom House Score: 18/100

Data protection law? Yes, but data protection authority not yet appointed

Privacy enshrined in Constitution: Yes.

DPA legislation:

Egypt passed the Data Protection Law on 13 July 2020 under Resolution No. 151 of 2020 (available only in Arabic here, and an unofficial English translation here) and it came into force on 16 October 2020. Data controllers and processers must be compliant within one year of the issuance of the executive regulations, which were expected to be released by 16 April 2021 but do not appear yet to have been.

Under the Law, the processing of personal data is prohibited unless the consent of the data subject is obtained, or it is authorised by law. The law provides data subjects with the right to know, inspect, access, correct, and determine the degree of processing of their personal data possessed by any data controller or processor. They also have a right to be informed of any data breach involving his or her personal data.

ICCPR: Ratified

Council of Europe Convention 108: No

Council of Europe Convention 185: No

Malabo Convention: No

ECOWAS Supplementary Act on Personal Data Protection: No

Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No

Applies to natural persons: Yes

Applies to juristic persons: No

Applies to public entities: Yes

Domestic/personal purposes exclusion: Yes

National security exclusion: Yes

Law enforcement exclusion: Yes

Cabinet or Executive Council exclusion: No

Judicial functions exclusion: Yes

Journalistic, literary or artistic purposes exclusion: Yes

Temporary copies exclusion: No

Other exclusion(s): Yes

Broad or vague exclusions: No

Applies to foreign entities: Yes

Excludes foreign entities that only transit personal data through the country: No

Personal data is defined as any data relating to an identifiable natural person. It also includes data relating to a natural person which may be, directly or indirectly, identifiable, by reference to any other data such as a name, voice, picture, an identification number, an online identifier or to one or more factors specific to the physical, mental, economic, cultural or social identity of that natural person.

Sensitive personal data is data that reveals the mental health, physical health, genetic health, biometric data, financial data, religious beliefs, political opinions, or security status of a natural person. The personal data relating to children is also considered sensitive personal data.

In order to collect and process personal data, the data must be:

• used for legitimate, specific, and public purposes;
• correct and accurate; and
• held only for the period of time required to fulfil its specified purpose.

Notification that data is being processed: Yes

Notification to DPA in event of data breach: Yes

Notification to data subject in event of data breach: Yes

Timeframe for notification is specified: Yes

Exceptions exist to breach notifications: No

Requires a data processing register: No

Register is publicly available: NA

Provides for terms of service icons: No

DPA must submit at least annual report: Yes

DPA report is made public: Unclear

Explicit provision for civil liability: No

Established/designates a Data Protection Authority: Yes

DPA is empowered to investigate: Yes

DPA is empowered to subpoena or request evidence: No

Law provides for criminal penalties: Yes

Law provides for administrative penalties: Yes

DPA is independently structured (does not exist within or receive instructions from another public body): No

DPA receives funding directly from the state budget/legislative body: Yes

DPA may receive some forms of external funding/own revenue: Yes

Adequate protections against undue removal: No

Number of members in DPA: 10

Maximum term length for members of the DPA (years): Repeatedly renewable

Right of data subject to access a copy of their personal data: Yes

Right of data subject to request a correction of data: Yes

Right of data subject to request deletion of data: Yes

Justification required for a request for deletion: No

Defines the requirements for consent: No

DPA is mandated to participate in policy formulation: Yes

Transferring or sharing personal data abroad requires a permit from the Centre, provided that the recipient country of the transfer has equal or greater data protection regulations. The processor or controller may allow another controller or processer to access personal data provided the objectives are similar or support a legitimate benefit to the controller, processor, or data subject.

Given explicit consent from the data subject, personal data can be transferred to a country without adequate protection to:

• protect the life of the data subject and to provide medical care;
• prove, claim, or defend a right before the judiciary;
• fulfil a contract for the benefit of the data subject;
• make a monetary transfer; or
• to fulfil a treaty of which Egypt is a member.

Provides a right not to be subject to automated decision-making: No