Sisi endorses law on personal data protection

CAIRO - 18 July 2020: President Abdel Fattah El Sisi endorsed on Friday Law No. 151 of 2020 on the protection of personal data.

 

The law is meant to promote the security of personal data, which is being processed and stored online. It also sets a legal framework to regulate data transmission with other countries.

 

In February, The Egyptian House of Representatives announced final approval to a draft law proposed by the Cabinet that seeks to secure personal data by a two-thirds majority.

 

The law prohibits gathering or processing individuals’ data or spreading them by any means without the permission of the concerned individuals, except in cases authorized legally.

 

The law will be imposed on Egyptians inside the country and expatriates alike. It will be also enforced on non-Egyptians inside and outside Egypt as long as the data in question belong to Egyptian citizens or foreigners staying inside Egypt.

 

Violators of the law will be punished by a minimum of one-year imprisonment and a fine of not more than LE 1 million ($64,222) and not less than LE 100,000 ($6,422), according to a statement released by the Cabinet earlier.

 

The law protects citizens’ fully or partially electronically treated personal data. It aims to improve the level of data security inside the country and to organize electronic marketing activities and data transfer, according to the statement.

 

The law will formulate obligations on both the data controller and the data processor as two of the active elements when dealing with personal data, whether by collecting, transferring, exchanging, storing, analyzing, or processing data in any way.

 

Securing privacy rights

 

Egyptian law criminalizes activities, including violations of an individual’s private life without their permission, and sentences the violator to prison in case he is proven guilty.

 

 

Taking photos of a person in a private place, transmitting a conversation in a private place, or overhearing a telephone conversation without permission may lead to a prison sentence of up to a year, according to Egypt’s penal code (309 bis, 309 bis A).

 

 

Moreover, an individual convicted of blackmailing someone by threatening to release their private conversation may face a prison sentence of up to five years.

 

 

The law also criminalizes the use of modern technology to commit such violations against an individual’s will, and orders the confiscation of the equipment used, and the subsequent deletion or destruction of recordings.

 

Amendments to the law

 

Article no. 19 of the law stipulates the establishment of a general authority under the name “personal data protection centre,” to protect personal data and regulate its availability and procession.

 

Parliament also amended article 2 to obligate the “controller and processor” of data to notify the centre of personal data protection of any breach within 72 hours of identifying it. And in the event that the breach affects national security, data controllers and processors must notify the centre within 24 hours and national security authorities.

 

This centre will develop strategic plans, policies, and programmes required to protect personal data, and it will coordinate with all governmental and non-governmental bodies to execute protection measures.

 

It will comprise representatives from ministries of justice and foreign affairs, General Intelligence Service, and the Administrative Control Authority.

 

Article 14 of the law, concerned with cross-border personal data protection, was also amended. It stipulates that it is prohibited to carry out transfers, storage, or sharing of personal data that was collected or prepared for processing to a foreign country unless there is a level of protection no less than what is required by this law, and with a licence or permit from the centre for protecting personal data.

 

As for Article 17, concerned with direct electronic marketing, parliament removed the word “preconceived” to stipulate that it is prohibited to make any electronic communication with any person for the purpose of marketing unless the following conditions are met. Obtaining the target person’s approval.

 

The parliament also amended paragraph 8 of Article 20 to now stipulate that, instead of four, the centre of protecting personal data will be comprised of three members to be chosen by the concerned minister.

 

Article 32 stipulates, “the person concerned with the data and every person of direct nature and interest may submit to any holder, controller, or processor a request related to the exercise of his rights stipulated in this law, and the applicant is obliged to respond to it within six working days from the date of its submission to it.”

 

Articles no. 35, 36, and 37 state that whoever collects, process, or discloses personal data without the consent of the individual concerned for other purposes other than legally authorised, shall be fined no less than EGP 100,000 and no more than EGP 1m. Whoever commits the previous violation.

 

for personal gain shall be imprisoned no less than six months or fined no less than EGP 200,000 and no more than EGP 2m, or given both punishments.