Egypt: Diving into Data Regulations


With the European Union (EU) General Data Protection Regulation (GDPR) coming into effect in May 2018, data became one of the world’s most essential assets. Many countries followed the EU example and replicated the GDPR model by gradually introducing data protection systems to protect their citizens’ data. 

Published on 15 July 2020, “Egypt’s Personal Data Protection Law” (the New Law) was introduced by the Egyptian government to protect Egyptian citizens’ data.

The New Law provides several requirements similar to the GDPR principles and imposes penalties on non-compliant companies. 


  • Scope and principles


Personal Data is defined under the New Law as “any data relating to an identifiable natural person, or is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, voice, picture, an identification number, an online identifier or to one or more factors specific to the physical, mental, economic, cultural or social identity of that natural person.” 

A business collecting an Egyptian citizen’s or resident’s Personal Data should inform and obtain his or her explicit consent before processing any data related to him or her.  Moving forward, the user will have the right to opt-out from processing his or her data, the right to correct, modify, delete, add or update his or her Personal Data, the right to limit the processing of his or her Personal Data within a limited scope and the right to be notified about any data breach.

The New Law relies on the principles of: 

(1) lawfulness, fairness, and transparency, which means that the collected data should not be collected without the consent of the person who’s willing to give you his or her data;

(2) limitative data, which means the collected data should be limited to a specified, legitimate, and explicit to the purpose; and

(3) accuracy, integrity, and confidentiality.

Based on these principles, companies should ensure protection against unauthorized processing, accidental loss, destruction, or damage to the data and appoint a Data Protection Officer for that matter.


  • Sanctions and penalties


The New Law will establish the “Personal Data Protection Centre” (PDPC) to regulate data protection, enforce compliance with the New Law, create further implementing regulations and mechanisms to ensure data protection, and receive and investigate complaints. 

When requested to do so by an Egyptian national security authority, the PDPC should notify any controller or processor to amend, delete, withhold, make available, or circulate personal data for a defined period. 


Whenever the company faces a data breach scenario, controllers and processors should notify the PDPC of any breach of personal data within 24 hours of the violation. They are also required to follow up with a detailed report of the breach within 72 hours. The user has the right to be informed of any Personal Data breach within ten working days from the date the PDPC was notified.  

Failure to comply with these requirements will lead to fines and penalties, including imprisonment, depending on the nature of the breach.


  • Cross Border Transfers


Before any controller or processor can transfer personal data outside Egypt, they should obtain the PDPC’s consent. The New Law prohibits the transfer or retention of personal data to a foreign country or territory unless that country or region has a data protection framework that will provide equal or greater protection for personal data than the New Law.


Indeed, the New Law implements similar principles to those outlined in the GDPR. However, in Egypt, the New Law has serious shortcomings that authorities can use to further control and restrict access to information.

Amendments such as ensuring the independence of the PDPC and the inclusion of national security authorities in the New Law’s scope of application should be introduced to ensure that the Egyptians’ privacy and freedom of expression are protected.