Author: Praveen Joseph, FIP, CISSP, CIPM, CIPP/E, ISO 27k1 LA, ISO 31k LA, CPISI; Principal – Cyber Security and Privacy Services at Ingram Micro
Digitization has emerged as a critical factor affecting businesses’ abilities to survive the new business realities of the Covid-19 era. Globally, organizations are reinventing business models with the strategic view to digitizing the way they reach and interact with their customers.
Whilst the traditional benefits of digitization, such as the elimination of inefficiencies and the expansion of markets, still hold true, digitization that is left unregulated is not necessarily good news for an oft-ignored notion: privacy.
Online business platforms have over the years tightened their grip on people’s digital lives. The ability of internet businesses to monitor their customers’ online behaviour and map it against troves of mostly personal data, amassed over years of business interactions, has grown at a meteoric rate. This is due in part to advances in practical implementations of Artificial Intelligence, Big Data and Data Analytics.
End-users of these technologies, who are ironically the focal point of all this data analytics activity, are seldom briefed on the consequences of their choices and actions when they use online products.
This is why the introduction of Egypt’s new Personal Data Protection Law is well timed.
Data Protection Landscape in Egypt
Ever since the EU General Data Protection Regulation (GDPR) set the context for stringent enforcement of privacy and data protection, the global privacy landscape has witnessed a sea change. As of today, more than 80 countries worldwide have implemented some form of data protection regulation. Enforcement and tracking, however, remain at varying degrees of maturity.
Even before the onset of the GDPR, Egypt had several laws that address the protection of personal data. These include the Anti-Cybercrime Law, the Telecoms Law, the Labour Law, etc. The Constitution protects the private lives of citizens. Egypt has also affirmed its commitment to the Universal Declaration of Human Rights.
The Personal Data Protection Law No. 151 of 2020 was issued on 13 July 2020 and came into effect three months later. The Law defines and protects personal data pertaining to natural persons that is processed electronically, either partially or completely.
Applicability of the Law
The Personal Data Protection Law applies to personal data which is processed electronically, in part or in full. This all-encompassing definition is significant because it covers every form of personal data that a digitized business may store, process or transmit about an individual (the data subject). The significance is further expounded by the broad definition of what constitutes personal data: any data related to a natural person, as long as it identifies or supports the identification of that person, is considered personal data.
Penalties for violation of the provisions of the Law apply to Egyptians, whether they are within Egypt or abroad. They also extend to non-Egyptian nationals residing in Egypt or located abroad, as long as the victim of the crime (the data subject) is within Egypt (whether Egyptian or not) and the crime is also penalized in the country where it occurred.
Highlights of the Law
- Data Controller Obligations:
Data controllers must process personal data on the basis of consent of individuals concerned (data subjects) or legitimate interests. Explicit consent is needed to process sensitive personal data. Additionally, they must ensure data quality and accuracy, refrain from data retention beyond its useful lifetime, maintain records of processing, etc.
- Data Subject Rights:
Data subjects have the right to access their personal data available to a Data controller. Additionally, they have the right to withdraw their consent to data processing, object to processing, request changes to their personal data, etc.
- Cross-Border Data Transfers:
The Law does not permit transfer of Personal Data to a foreign country unless the country provides an equivalent level of data protection and there is an authorization from the appropriate regulatory entity.
- Personal Data Protection Officer:
The Personal Data Protection Officer is responsible for implementing the provisions of the Law, monitoring compliance, co-operating with regulatory bodies, responding to requests from data subjects concerning their personal data and managing breach response and notifications.
Penalties for non-compliance take different forms, such as withdrawal of licenses, fines and prison terms. The highest fine is Egyptian Pound 5 million (USD 381,302). Prison terms range from three months to three years.
The Law holds the promise of a new era of data protection implementation in Egypt.
The Law will position Egypt as a favored destination for cross-border transfers of personal data from more stringent data protection regimes including the European Union. Many of the GDPR conditions for transferring personal data outside of the EU will become more readily accepted and satisfactorily actioned by Egyptian companies. This will stimulate and boost foreign trade and commercial activity in Egypt.
Also, in stark contrast with the GDPR, the Personal Data Protection Law applies only to electronically processed personal data. This demonstrates an acknowledgment of the threats that unregulated digitization poses to individuals’ privacy. With digitization being implemented rapidly in the wake of Covid-19, the timing of the Law is relevant and in fact crucial.