OneTrust DataGuidance confirmed, on 4 November 2019, with Dr. Mohamed Hegazy, Head of Regulations and Laws Committee, Ministry of Communications and Information Technology, that the Egyptian House of Representatives had approved, in principle, on 3 November 2019, the draft of Egypt’s first law on data protection (‘the Draft Law’), which is estimated to enter into force by the end of 2019. In particular, the Draft Law includes consent requirements for the collection, processing and disclosure of personal data, provisions on data transfers and fines for violations, which can also be found in the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). Moreover, the Draft Law also contains unique provisions regarding, among other things, the lawfulness of data processing and the processing of special categories of personal data.
Mohamed Hashish, Partner at Soliman, Hashish & Partners, told OneTrust DataGuidance, “This is the first time for Egypt to have a special law protecting personal data. […] Despite the fact that the GDPR was taken as a base for the Draft Law, the level of drafting and protection adopted under the GDPR is not comparable with the Draft Law […]. The GDPR puts great emphasis on the transparency principle relating to processing of personal data, while the Draft Law does not follow the same level of emphasis [and] […] exempts [from its scope] the Central Bank of Egypt (‘CBE’) and all entities (including banks) that are subject to CBE’s supervision. […] [Moreover], the Draft Law does not allow the processing of personal data when the same is necessary for the purpose of legitimate interest of the controller or by a third party, […] [and] does not restrict the processing of special categories of personal data […] and/or personal data related to criminal convictions and offences, which is the case in the GDPR.”
Furthermore, the Draft Law contains different data transfer requirements than the GDPR. While Article 49 of the GDPR contains a list of exemptions under which data transfers are allowed, such as explicit consent of the data subject, the performance of a contract between the data subject and the controller, important reasons of public interest or the establishment, exercise or defence of legal claims, the Draft Law provides for one, two-fold exception.
Hashish highlighted, “Article 14 of the Draft Law prohibits any act of transfer, storage and/or sharing of personal data which was collected or prepared for processing to any foreign State unless […] [there is a] protection level that is not less than the one adopted by the Draft Law and a license by the Personal Data Protection Centre (‘the Centre’) is obtained. […] It is not clear yet how the licensing process will work, however, […] [it] will depend on a number of factors including, inter alia, the country to which the personal data will be transferred, national security concerns, and whether or not the said country allows the transfer of personal data to Egypt.”
Moreover, the Draft Law introduces enforcement powers to ensure data protection within Egypt, in addition to its provisions on civil and criminal liability. In particular, Article 29 of the Draft Law vests the Executive Chairman of the Centre with the authority, in case of any breach of the provisions of the Draft Law, to remove the violation’s causes and effects.
Esraa Mohamed, Attorney at Youssry Saleh & Partners, told OneTrust DataGuidance, “[…] [In particular,] the Executive Chairman may issue actions [such as] warnings of suspension of licensing, authorisation or accreditation, in whole or in part, for a specified period, [as well as] suspensions or withdrawals, in whole or in part, [of] the license, permit or accreditation […]. [Moreover, the Executive Chairman can] publish a statement of the violations that have been proven in one or more mass media at the expense of the violator [and] subject the controller or processor to the technical supervision of the Centre [in order] to ensure the protection of personal data at their expense […].”
LEA BUSCH Privacy Analyst