Partner at Sharkawy & Sarhan Law Firm
The House of Representatives was due to vote on the Data Protection Act in a plenary session last month before sending it to President Abdel Fattah El Sisi for ratification.
The 54-article bill lays out the ground rules for how businesses use personal information collected online. It enshrines users’ right to access their private data at any time, as well as giving them the right to take legal action against parties responsible for data breaches and misuses of private information.
It is the local version of the EU General Data Protection Regulation (GDPR).
The draft law protects personal data, such as a person’s name, picture, address, religion, and medical records. It also gives individuals the right to ask for their data to be deleted. It additionally sets limits regarding how organizations collect, use, transfer and retain personal data.
Companies that are collecting, controlling, or processing personal data must be licensed and should comply with national requirements, the draft law stipulates.
All organizations operating in Egypt are obliged to follow the new regulations. Companies carrying out direct marketing are also significantly impacted.
Consequences for non-compliance are severe. Punishments can range all the way from imprisonment to fines and revoking licenses. Eligible companies are asked to comply within 18 months after the issuance of the law. Nevertheless, the draft excludes several categories of entities and some forms of processing from the scope of application of the new law. For instance, the Central Bank of Egypt and the entities falling under its supervision are not bound by the requirements of the law.
What is the action plan?
Companies must track their entire data cycle starting from when they receive personal information to its deletion. Through every step, the organization must ensure it complies with the relevant regulation. (See more on that below.)
After documentation and policy implementation, training employees is crucial for a smooth transition.
The key principles
Principles such as lawfulness and transparency prevent companies from keeping an electronic record of individuals, except in certain cases, for example when a person has given their consent or when the data collection is essential and necessary for the execution of a legal or contractual obligation. Even then, the company collecting the information must reveal why it is gathering the data and what it intends to do with it.
Moreover, a company must ensure the data collected is accurate and audited periodically. Such a procedure requires the organization to map its data, review it, check it and set up a system that allows authorized employees to make corrections. That system must also show the date of the last updates.
Companies must also take the necessary technical and organizational measures for the protection of personal data to ensure there is no breach of privacy, hacking, destruction, alterations, or damage to personal data. Accordingly, they must appoint a data protection officer to ensure integrity and confidentiality.
Additionally, a regulator must register both the data protection officer and the organization.
Lastly, the data access system must report data leakages as they occur.
For example, businesses should not only address cyber-security risks. They must have a secure process for the disposal of digital documents as well as physical mediums containing electronic personal data. That includes how to dispose of computers where this information was stored. Also, the organization must have stringent security procedures to access digital personal data records.
What needs to change in the current draft?
There is little doubt that data protection is necessary and will eventually create a better business environment. However, jail sentences are not suitable for businesses. The ideal solution is to exclude incarceration and increase financial penalties instead.
The second issue is data localization. The draft law requires the regulator’s prior approval before transferring personal data across borders. Most businesses in Egypt use cloud-based solutions, which invariably include personal data. Since data centers for such cloud solutions are outside Egypt, all companies will need to obtain a license to use cloud-based solutions. This is cumbersome. The GDPR, for example, requires no such approval provided that the country to which the data is transferred offers the same level of protection.