Data Protection Law Ushers in Era of Privacy

June 6, 2021


Mohamed Mostafa, a retired mechanical engineer, receives several calls a day from real estate companies. “Mr. Mohamed,” they begin. “We have noticed your interest in properties in up-and-coming areas, and we have some locations we think you would like to see.”

Mostafa promptly turns down all these offers. While he has previously expressed interest in real estate, the frequency of calls has become bothersome. “I do not understand this as a sales strategy,” he says. “If I am looking for something, I will approach them. These callers do not know what size property I want or what my budget is.”

What’s more, he has never approached the companies and has no idea how they could have obtained his phone number.

Targeted marketing has been a trend for years, with consumers often feeling helpless to stop it. A new Data Protection law that took effect in June 2020, with a grace period until 2022, makes businesses collecting information legally liable for protecting it, notifying customers they have it, and allowing them access to it.

Global threats
Selling personal information that helps companies reach their target markets is a global problem that governments have been trying to regulate. It came into the spotlight in 2018 with the Cambridge Analytica scandal affecting Facebook. At the time, Facebook’s chief technology officer Mike Schroepfer revealed that the British consulting firm had harvested information on 87 million users without their consent, intending to use it in political advertising. Under U.S. law, Facebook had a legal responsibility to inform its users of the breach. A Forbes article from that period said, “It will be seen as the time when everything changed as to how consumer data is collected and used, by whom and to what ends.”

The Cambridge Analytica breach was just one of many scandals that have also involved such internet giants as Yahoo and Google. Egypt hasn’t reported any massive data breaches thus far, but it could happen as the technology already exists. According to DataReportal, a research portal, 49 million Egyptians used social media as of January, 7 million more than the previous year.

Regulating privacy
Real estate companies are not the only businesses in Egypt using personal data in their marketing strategy. Retail clothing stores are notorious for sending out bulk SMS messages about sales, and hotels follow a similar approach before peak holiday seasons. What these companies have in common is calling or sending SMSs to their target demographics.

However, recipients of texts and calls often claim they never consented to be approached. “SMS quickly evolved from being primarily used by families and friends to communicate with each other to a favored communication platform for businesses and their customers, encompassing an ever-increasing portion of the population,” said SMSBump, a marketing app for Shopify, in a January article.

Under the new Data Protection law, a phone number falls under the category of personal information, according to PricewaterhouseCoopers. Personal information is anything that identifies an individual, including “name, voice, picture, identification number, an online identifier or to one or more factors specific to the physical, mental, economic, cultural or social identity of that natural person.” Companies in Egypt will not be legally obliged to protect personal information for another six months.

Egypt’s law takes a page from the General Data Protection Regulation (GDPR), seen as the European gold standard for data protection and privacy. According to Clyde & Co, an international law firm, the local law identifies principles that companies must abide by when working with personal information: data is for a specific purpose, collected using a modem, and kept updated and secure.

Additionally, the 2020 law addresses privacy concerns long held by consumers. It requires companies collecting personal client data to receive specific consent. It also gives consumers the right to update or edit their information, limit it to a particular purpose, or opt out from sharing their data.

Terms and conditions
Social media, the most prominent platforms for customized marketing, are not regulated by any existing Egyptian law. Setting up any social media account requires personal information: name, email address, age, gender, etc., and most users ignore their small-print, multiple-page “terms and conditions.” Dania Akkawi, a communications executive, says she has never read the terms and conditions of her accounts. Meanwhile, declining approval denies access to the platform.

As for what the platforms do with the data, Facebook, for example, states it does not sell data to third parties. But it does sell ads that allow companies to target particular demographics. Akkawi, for instance, sees lots of ads about fashion and e-commerce. She understands some people might consider these ads an “invasion of privacy.” Yet, she doesn’t mind “getting ads that are suitable for me or that interest me because I learn new things.” While the idea of a stranger having her personal information is a little disconcerting, it’s not a deal-breaker because she doesn’t think it can cause much damage.

Facebook (which also owns Instagram) makes it possible to withhold certain information from advertisers. It also allows users to hide ads or opt out of receiving personalized ads. Additionally, social media platforms are responsible for alerting users to any data breaches that could compromise their accounts.

Facebook announced a privacy-driven new look in 2019, after the Cambridge Analytica breach. The upgrade included a redesign of the app and consolidated encrypted messages across Facebook and Instagram. However, their reputation was still “in tatters,” Preston Gralla, author of over 40 books on tech, wrote in The Verge.

While there have been no reported data breaches since then, users have been trying to utilize Facebook’s privacy tools. However, these tools can be a confusing maze. “Researchers in the field have noticed the cognitive dissonance between Silicon Valley’s grand overtures toward privacy and the tools to modulate these choices, which remain filled with confusing language, manipulative design, and other features designed to leech more data,” Colin Gray, a human-computer interaction researcher at Purdue University, told Wired magazine.


Protect thyself
Nothing is legally wrong with gathering information for advertising purposes when individuals give their consent. Problems start when companies use data to manipulate the masses. The United Kingdom’s exit from the European Union was a case in point. In 2018, the BBC reported those in favor of leaving “spent more than £2.7 million ($3.8 million) on targeted Facebook ads. The U.S. social media giant has now released these ads to a committee of Parliament investigating fake news.”

Similar accusations came to light about how former U.S. President Donald Trump won the 2016 election. In 2017, the Association for Information Systems published a 14-page report on “How Trump Won: The Role of Social Media Sentiment on Political Elections.” And in October, Peter Suciu, a contributor to Forbes, examined how researchers following social media might predict the next president. “An extremely important consideration with social media during this election cycle is how it can reach the youth vote, which could certainly determine the outcome of the election like never before,” he wrote.

Gray’s research focuses on “dark patterns,” the prompting buttons that show up during browsing that try to influence choices. That includes phone apps that prompt users to turn on notifications without a clear option to refuse or boxes for newsletter subscriptions being preselected as you sign up for a website.

While he acknowledged attempts Facebook has recently made to protect data, he criticizes the “series of choices with brightly colored illustrations.” The checkboxes selected by default reveal as much as possible, and users facing many checkboxes might ignore them altogether. “If you have a hundred checkboxes to check, who’s going to do that?” Gray asked.

However, some data breaches aren’t a significant concern for people because they don’t deal with sensitive information like bank account information. The reality is that some don’t care all that much aside from the frequency of calls.

Until Egypt’s new Data Protection law takes effect, there’s no telling how domestic businesses will adapt. Companies are reluctant to share how they store information and will likely be more reluctant when they are legally responsible.

What is apparent is that while the data protection law will technically take effect in 2022, it likely will take longer than that for companies to reduce their use of information. In Italy, companies can keep and use personal records of clients for 365 days. According to the European Digital Rights network, loopholes could allow Italy-based businesses to retain data forever. Such loopholes might exist in Egypt’s version, though full implementation would reveal if any exist.

What is certain is that the law will decrease customization options for Facebook or Instagram users by keeping a watchful eye on what information businesses have access to, thereby reducing the risk of that information being misused. There is even anecdotal evidence, according to Mostafa, that if you ask companies to take your name off a list, they actually do.

Whether users or businesses are responsible, it is clear that as social media platforms continue to expand and become more sophisticated, so will companies trying to target and profit from illegally obtaining personal information.

Next year will prove to be vital for Egypt’s new privacy law. In its first year, the GDPR succeeded in notifying users of breaches. However, it failed to impose fines on companies that didn’t adequately protect data, according to Slate, an online magazine. Still, two years after its implementation, the European Commission called it an “overall success,” adding it met “many of the expectations, even if a number of areas for future improvement have also been identified.”