More Privacy Pyramids to Climb - Egypt Adopts Personal Data Protection Law
The pyramids in Egypt were built with smooth and angled sides to symbolize the rays of the sun. The sun light is shining today on a more recent development in Egypt. The Personal Data Protection Law (Law No. 151/2020) (PDPL) was approved by the Egyptian parliament on June 17, 2020 and endorsed by President Abdel-Fattah El Sisi and published in the official gazette on July 17, 2020. The new requirements will come into force three months after this publication date. The Ministry of Information and Communication Technology (MICT) is charged with issuing Executive Regulations (PDPL Regulations) within six months of the effective date of the PDPL. Companies subject to the PDPL will be required to comply with the new requirements of the PDPL one year after issuance of the PDPL Regulations.
Companies subject to the PDPL, whether located in or outside of Egypt, that process the personal data (PD) of residents of Egypt, whether Egyptian citizens or foreigners residing in the country, should familiarize themselves with these new requirements and begin implementing a PDPL compliance program or modifying their existing data privacy program. Although the PDPL borrows heavily from the GDPR, there are some important differences that companies will need to incorporate into their programs.
- Covered Entities
The PDPL will apply to companies ac ross all business sectors. It will not, however, apply to the Central Bank of Egypt (CBE) and entities subject to its control and supervision, with the exception of money transfer companies and currency exchange companies, provided these entities comply with the CBE’s rules regarding the handling of PD.
- Covered Data under PDPL
PD subject to the PDPL includes the following: (1) any data related to an identified natural person, or to a natural person identifiable, directly or indirectly, by reference to any other data, such as name, voice, picture, identification number, or online identifier, or (2) any data that identifies psychological, health, economic, cultural, or social identity. “Sensitive PD” includes any PD that discloses psychological, mental, physical or genetic health, biometric data, financial data, religious beliefs, political opinions, or any security situation. The PD of children is also deemed to be sensitive PD.
- Data Subject Consent for Processing Personal Data and Electronic Marketing
The PDPL prohibits the processing of PD except with the consent of the data subject or as otherwise permitted by law. The PDPL also prohibits any electronic communication with any data subject for the purpose of marketing unless consent to such marketing has been obtained from the data subject.
- Creation of Data Protection Center and Licensing Requirements
The PDPL establishes a new Data Protection Center (DPC) under the MICT, which will be responsible for, among other things, monitoring data controllers and data processors for compliance with the PDPL, authorizing data processing and data transfers, and overseeing compliance with the PDPL. Data controllers and data processers must obtain a license from the DPC.
- Data Subject Rights
The PDPL provides data subjects with the following rights:
Right to Know: The right to know what PD is being processed by whom and to access PD.
Right to Withdraw Consent: The right to withdraw consent for the processing of PD.
Right to Correct, Modify, Delete, or Add/Update PD: The right to correct, modify, delete, add, or update PD.
Right to Limit or Object to Processing of PD: The right to limit processing of PD within a limited scope and to object to the processing of PD or its results whenever such processing conflicts with fundamental rights and freedoms.
Right to Notification of Breach of PD: The right to be notified of any breach of PD.
In an interesting twist, the PDPL recognizes that businesses face significant expenses in implementing and maintaining a data subject access management program and in complying with data subject rights requests. With the exception of the last data subject right in the chart above, the PDPL permits a data controller or data processor to assess a fee, in an amount prescribed by the DPC, to the data subject for their services in complying with a rights request.
- Appointment of Data Protection Officer
Companies processing PD will be required to appoint a Data Protection Officer (DPO). Additional details on this requirement and the specific responsibilities of DPOs will likely be outlined in the PDPL Regulations.
- Personal Data Transfers Outside of Egypt
The PDPL generally prohibits the transfer of PD to recipients located outside of Egypt, except with the permission of the DPC and where the level of protection provided is not less than that provided under the PDPL. The PDPL Regulations will likely specify additional requirements and rules governing the cross-border transfers of PD.
- Data Breaches
Data controllers and data processers will be required to notify the DPC of any breach of PD within 72 hours. If the breach impacts national security, notification must be provided to the DPC and national security authorities within 24 hours.
- Fines, Penalties, and Criminal Sentences for Noncompliance
The PDPL prescribes various penalties for noncompliance, including fines and imprisonment.
The PDPL imposes new obligations on data controllers and data processors that process the PD of residents of Egypt. Companies that have already implemented robust data privacy programs to comply with the GDPR will have an easier climb to PDPL compliance. For those companies new to privacy program requirements, the development of a PDPL compliance program from scratch will be a steep climb. Others have already blazed the trail so it may be time to seek their help in building your company’s PDPL privacy program on a strong foundation that will stand the test of time at any angle of the sun.