Does Egypt have an adequate level of data protection in accordance with the EU General Data Protection Regulation, hereinafter GDPR?
GDPR entered into force on 24 May 2016 and has been applicable since 25 May 2018. It protects natural persons’ data against both public and private entities with regard to the collection, processing, free movement, and transfer of such data, whether inside or outside of Europe.
The transfer of personal data to and from the EU is essential for international companies. However, data flows from Europe to a country outside the EU (hereinafter "third country") are prohibited unless the same level of data protection as that provided by the GDPR is guaranteed. For that reason, flows to a third country shall fully comply with the GDPR.
Data transfer compliance is a must for international companies, since their business activities involve transfers of personal data between different countries. Non-compliance with the GDPR may lead to severe sanctions (up to 20 million Euros or 4% of the annual global turnover).
The transfer of personal data to a third country is possible in the following cases:
- An Adequacy Decision has been issued by the EU Commission (like Safe Harbor and Privacy Shield, the USA adequacy decisions that have been withdrawn for not respecting the GDPR);
- Transfers are subject to appropriate safeguards (Standard contractual clauses or binding corporate rules); and
- In the absence of the above, some limited circumstances apply, including explicit consent, a transfer necessary to conclude a contract, public interest, vital interest, and public register data.
The adequacy decision is based on an assessment by the EU Commission to make sure that the third country has a level of data protection equivalent to that in the EU. The adequacy decision has the effect of allowing data transfers from the EU to that third country without any further data protection safeguards being necessary.
Egypt published Law No. 151 of 2020 regarding the protection of personal data. It is inspired by the GDPR rules and standards and aims to protect the rights of individuals by safeguarding their personal data. Prior to the law, data protection in Egypt was governed through the Egyptian constitution, Penal Code No. 58 of 1937, and Law No. 175 of 2018 on anti-cyber and information technology crimes.
This law protects personal data by imposing the following rules and regulations, most of them inspired by the GDPR:
- Prohibition of any collection, processing, disclosure or revelation of personal data, by any means except with the explicit consent of the data subject or where otherwise permitted by law;
- The data subject has the right to review and obtain/access their own personal data, to withdraw prior consent, to correct, edit, delete, or update their personal data, to limit the processing to a specified purpose, to be notified of any infringement of their personal data, and to object to the processing of personal data or its results whenever the same contradicts the data subject’s fundamental rights and freedom;
- Personal data shall be collected for legitimate, specific purposes that are transparent to the data subject;
- Personal data shall be correct, valid, secured, and processed in a legitimate manner and in compliance with the purposes for which it is being collected, and shall not be retained for a period longer than is necessary for the fulfilment of those purposes;
- The controller and the processor need to meet certain obligations, imposed by the law, to guarantee the protection of personal data;
- In cases where there are several processors or several controllers, all of them shall abide by the obligations stipulated in the law, and the data subject may exercise his/her rights towards each controller separately;
- Notification in case of any data infringement;
- Data Protection Office obligations;
- Restrictions regarding the collection, processing, transfer, storage, or disclosure of sensitive data; and
- Any cross-border personal data transfer is prohibited unless the same level of data protection and security is guaranteed in the foreign country as stipulated under the law.
There is a Personal Data Protection Center, a public economic authority tasked with the overall mandate of protecting personal data and regulating processing and availability. It shall practice all the competencies stipulated under the law for the purpose of achieving its objectives. The Center shall issue licences, permits or certifications and may amend permit and licence conditions. The Center may also cancel a licence, permit or certification after its issuance. Breach of the law is subject to severe financial sanctions that vary depending on the case.
Following the above law, do you think the European Commission may issue an Adequacy Decision for Egypt?