As part of a growing trend across the region, Egypt has introduced a new Personal Data Protection Law, Law No. 151 of 2020 (PDPL). It was passed in July 2020 and entered into force in October 2020.
Like a number of other countries that followed the high-water mark set by the EU, Egypt has produced a law that bears a strong resemblance to the GDPR. The Egyptian legislator very likely sought to create a data protection framework that facilitates data flows between the two markets, supporting Egypt's economic and trade ambitions as a regional technology and digitisation hub.
The legislative process has not yet come to an end. The Competent Ministry is tasked with issuing the Executive Regulations that will set out the specifics of how the new law is to be applied. April 2021 is currently the target date for the Executive Regulations, and companies will likely be given a 12-month period to become compliant.
Looking at our European experience, where two years passed from the date the GDPR was published until it became applicable, this 12-month deadline does appear to present some challenges to both local and foreign organisations. This is especially true for smaller Egyptian entities that are only setting out on their privacy journeys, unlike in Europe, where there was already a baseline level of compliance and maturity on which to build. And experience demonstrates that even larger European companies are still struggling today with the actual operationalisation of effective privacy programs, more than four years after the publication of the GDPR.
My intention in this article is to offer an overview of the most prominent and interesting differences between these two data protection laws. This is not an exhaustive list but includes my thoughts on those aspects that I found to be the most interesting. My objective is that international organisations doing business in Egypt, or planning to enter the Egyptian market, will be given an insight into the potential updates they might have to introduce in their privacy governance programs and certain obstacles they might encounter.
Although the wording used by the Egyptian legislator differs from that used by the EU, the ideas behind most of the terms are very similar. There is one difference that may be crucial for some businesses: the definition of sensitive data. In the PDPL, "sensitive data" also encompasses personal data belonging to minors and data related to criminal activity.
In practice, this will mean two things for controllers and processors handling children's data: (1) they will need to obtain a license to process personal data of children, since the PDPL requires a license to lawfully collect and process sensitive personal data, and (2) they will need to obtain explicit written consent from the child's legal guardian.
Data subject rights
Under the PDPL, data subjects enjoy rights similar to those granted by the GDPR. Controllers and processors do, however, need to be mindful of one important procedural distinction: under the PDPL, being notified after a data breach is a statutory right of the concerned data subjects.
This means that any data breach must be notified to the affected data subjects within 3 days. It is not yet clear how this 3-day deadline is computed. However, based on the wording of the relevant article, it is reasonable to assume that the clock starts from the moment the data breach has been notified to the privacy authority (the Centre, in Egypt). The Egyptian legislator has therefore taken a different route from the GDPR regime, under which not all personal data breaches need to be notified to the authorities and to individuals.
As a quick reminder, under the GDPR the breaches that must be notified to the concerned data subjects are those likely to result in a high risk to their rights and freedoms. Moreover, there is no fixed deadline for notifying data subjects: the GDPR only requires that it be done without undue delay (the 72-hour deadline applies to notifying the supervisory authority).
Regarding the right of access, another prominent data subject right, a challenging deadline has been imposed. If a data subject submits a request to access his or her personal data, the controller must issue a decision within 6 days. If no decision is issued within that deadline, silence is to be treated as a rejection.
Under the GDPR, data subjects must be provided with a response within one month (extendable in complex cases) and, even if the answer is negative, the controller must give a reasoned response explaining why the request cannot be fulfilled.
I believe that, regarding the same access right as it is established in the PDPL, the data subjects are not really being empowered if an access request procedure can end with silence, keeping the data subject in the dark. It seems, then, that some practical issues may arise regarding the accountability of data controllers and processors if data subjects are deprived of information. Although data subjects still have the possibility to complain to the Centre about the rejection, this will prolong the whole process greatly.
The Regulations are still to be approved and published, so there is a possibility that additional guidelines and clarifications will follow.
It is also worth noting that the right of access can be exercised against data processors as well, and not only against data controllers, as is the case in the EU. Personally, I am curious to see how this will work in practice and whether the Regulations will shed additional light. In any case, I believe that an appropriate Data Processing Agreement (DPA) will be necessary between these two entities to clarify how they should cooperate on this matter.
Data Protection Officer
Unlike under the GDPR, it seems that all controllers and processors must appoint a Data Protection Officer (DPO). Moreover, both controllers and processors established outside Egypt must appoint an Egypt-based representative. I presume this applies to controllers that decide on the processing of personal data of Egyptian residents and to processors that process such data on behalf of such controllers. I think this will, and should, be clarified further in the Regulations.
In relation to the positioning of the DPO, the PDPL makes it very clear that a DPO must be an employee of the controller/processor. The wording leaves no doubt: outsourcing the role will not be possible. This may pose a challenge for smaller organisations that are required to appoint a DPO. Due to their size, they may not be able to allocate a full-time employee to the role or attract a qualified new hire to take it. This may result in the DPO role being assigned to an existing in-house resource with other responsibilities. It is here that I would like to call out that such other responsibilities may pose a conflict of interest, making the selection of the person for the DPO role critical. In Europe, this has been dealt with by allowing organisations to appoint external DPOs, giving them access to experienced, dedicated data protection resources with no conflicting interests. I would recommend that organisations seek guidance in this regard.
This is further complicated by the fact that DPOs may be penalised for violations regarding personal data if the harm or negligence arises from a lack of the expertise required by law. The PDPL lists the requirements that DPOs must meet (effectively a job description) and opens the door to personal liability and punishment if a DPO's failure to meet those legal requirements results in negligence or harm.
This is a new concept for privacy professionals familiar with the GDPR and something to consider. It would appear that DPOs in Egypt will need to be covered by professional insurance schemes (as lawyers are in many countries) to cover their potential financial liability.
Licensing
Another divergence from the GDPR, and I think the most significant one, is the obligation to apply for a license or permit that allows for the handling of personal data. This departure from the GDPR's accountability principle means that no company can lawfully collect any personal data without the approval of the local data protection authority. These licenses and permits will not be free of charge, but the pricing policies remain undisclosed. I assume this matter is among those that will be clarified further by the Regulations.
It will be interesting to see whether and how certain aspects are further specified, namely (1) whether this requirement will have retroactive effect or only apply to new controllers/processors and new processing activities, and (2) whether one license will be enough or whether controllers and processors will have to make separate applications for different aspects of the processing. Article 26 seems to indicate that organisations will require multiple licenses or permits, for example for processing personal data, electronic marketing, public surveillance and cross-border data transfers. It will therefore be interesting to see how the pricing of the licenses is determined, as it will be a source of revenue for the newly created Personal Data Protection Centre.
Ultimately, it will also be interesting to see how the Centre handles licensing as an administrative task, given that a license will most likely be required of every Egyptian company and of the majority of those doing business in the country or providing services to its residents.
The introduction of a licensing regime with the PDPL is a remarkable approach by the legislator, and one that will be questioned. It takes Egypt in a different direction from the one chosen by Europe with the GDPR, where policymakers abandoned the notion of prior approvals and authorisations for data processing and instead introduced the accountability principle, requiring all controllers and processors to have their house in order and to be able to document it.
Cross-border data transfers
The sharing of personal data across borders is another aspect of personal data processing that requires a relevant license or permit from the Egyptian authorities. It remains to be seen which countries will be formally designated as adequate. The EU and countries with similar privacy laws are likely to be placed on the adequacy list, as this would support the rationale behind introducing the PDPL, i.e. facilitating data flows between Egypt and other countries in support of trade and of Egypt's development as a regional technology hub. However, the requirement for a license to transfer data across borders applies irrespective of whether the destination country's legal framework has been declared adequate.
There are some likely exceptions to the adequacy rule. In essence, with the direct consent of the data subject you may transfer personal data abroad to countries that do not have an adequate level of protection. It is important to emphasise, however, that consent only removes the adequacy requirement: even with the direct consent of the data subject, it appears that a license will still be required to transfer data across borders.
Sanctions
With regard to sanctions, besides the usual financial penalties for non-compliance with the PDPL, there is a major difference between the Egyptian and European approaches, although the Egyptian approach is also found in other similar laws worldwide. In Egypt, the law foresees short terms of imprisonment for the most severe violations, mostly intentional acts, including the intentional transfer of personal data outside Egypt in breach of the law.
I hope that this short summary offers companies already present in the Egyptian market or those that wish to enter it a useful introductory overview of some of the crucial aspects and differences with the GDPR.