In February 2019, the Egyptian government submitted to the parliament a draft law on the “Protection of Personal Data”. Some of the provisions of the draft law were not consistent with international best practices and standards (including the European GDPR).
With the support of M&P, the tech industry managed to kickstart a public consultation process with the government and parliament on the draft law. The industry engagement and public consultation on this matter was the first of its kind in Egyptian legislation history.
Key Concerns on Draft Law
The draft law submitted by the government followed the GDPR in setting strict rules and hefty obligations on companies in relation to personal data for individuals that is controlled or processed by such companies. The draft law imposed additional burdens and significant risks on companies that were seen as major showstoppers for doing business in Egypt. Some of the key concerns included:
·Criminal penalties: the draft law included several criminal penalties for different forms of violation for the obligations imposed by the law including minimal violations. The penalties were mainly imprisonment against the responsible employees of the companies.
·Breach notification: the draft law determined very broad notification obligation for any type of breach to the data privacy and very strict timelines for completing such notification.
·Licensing: the draft law created a new licensing regime that requires all data controllers and processors to obtain a license from the Egyptian Data Protection Authority established by the law - a regime that raised concerns on potential business disruption resulting from license issuance and renewal delay and potential revocation.
·Electronic marketing: the draft law included a requirement to obtain the explicit prior approval of the data subject before communicating any form of electronic marketing. The initial provision wording posed a significant threat on the use of existing database for marketing purposes without obtaining a new explicit consent by the registered data subjects.
·Cross-border transfer of data: the draft law required obtaining a separate license for the transfer of personal data outside of Egypt based on specific conditions in different scenarios. The new licensing burden would result in potential restrictions on cloud services flexibility and growth.
·Sensitive personal data in relation to children: the draft law determined the age of 18 as the threshold for defining children - which was not consistent with GDPR.
Following alignment on key issues of concern, the industry engaged in several consultation sessions with the Ministry of Communications and Information Technology (MCIT) and key national stakeholders to discuss the proposed draft law. The industry then engaged with the House of Representatives and organized a first of its kind parliamentary hearing that gathered more than 50+ companies from the tech sector and other industries. A written commentary on the draft law (with suggested recommendations) was submitted to the House of Representatives ICT Committee. Trade associations were mobilized to endorse the recommendations.
Engagement efforts succeeded in achieving an alignment between government, parliament and private sector on the issues of contention. Key industry recommendations were adopted by MCIT and the House of Representatives and amendments were introduced to the draft law – before its ratification.