Schrems II – impact of the European Court of Justice ruling outside Europe and the US
Data Protection & Privacy
Egypt is the latest country in the Middle East to have issued a national data protection law. This article considers the scope of the new legislation and the compliance obligations that organisations operating in Egypt will now need to consider. It is likely that the law will not be fully enforced until 2022, but businesses should start preparing now.
On 13 July 2020, Egypt’s Government issued its long-awaited Data Protection Law¹ (the Law), which establishes various standards and controls governing the processing and handling of personal data. The Law was published in the Official Gazette on 15 July 2020.
The Law is part of a growing trend of countries enacting comprehensive data protection laws, which reflect the European General Data Protection Regulation (GDPR), now considered as the "gold standard" of data protection across the globe. The Law aims to safeguard the rights of individuals in Egypt in respect of their personal data and to place responsibilities on businesses in how they process personal data.
Prior to the introduction of the Law, the legal landscape relating to privacy and data protection in Egypt consisted of a patchwork of national legislations including: the Egyptian Constitution of 2014 which provides for the protection of privacy and secrecy in relation to communications; the Penal Code No. 58/1994 which imposes criminal sanctions for unlawful collection of images or recordings of individuals in private places; and the Cyber Security Law No. 175 of 2018 which places a duty on service providers to maintain the privacy of the data that they store. The enactment of the Law brings a new standalone data protection and privacy regime to Egypt.
The Law will come into force three months from the day following the date of its publication, on 16 October 2020, but a grace period of one year is provided from the date of the issuance of the Executive Regulations. The Executive Regulations are expected to be issued within six months from the effective date of the Law so it is likely to be early 2022 before the Law is fully enforced.
Egypt has no prior history of a data protection law of this nature, which will make compliance and enforcement a challenge for businesses and regulators respectively.
The Law applies to any person who has committed a breach of the Law, if they are:
The jurisdictional scope appears to apply in respect of any offences committed under the Law by or against nationals or residents of Egypt. It therefore seems to cast an extra-territorial net to include businesses outside Egypt who process the personal data of individuals based in Egypt.
The Law applies to "personal data" which covers not only data that can identify an individual (i.e. a data subject) directly (e.g. name, ID number, photograph, telephone number), but also data that together with other data could lead to the identification of that individual (e.g. data of birth, gender, hobbies, website searches). It also includes any data that could reveal an individual's psychological or physical health, economic status or cultural or social identity.
However, unlike the GDPR, the Law only applies to data that is processed either partially or entirely by electronic means by a Controller, Processor or Holder. The Law therefore does not appear to cover hard copies of data, including paper files or communications issued by post.
It also exempts a number of categories of data such as data processed for personal use, processed for media purposes only (as long as it is true and accurate and does not breach any press or media laws), and data held by the Central Bank of Egypt (as well as entities subject to its control and supervision).
Controllers, processors and holders
The Law operates using similar core concepts such as "Controller", "Processor" and "data subjects" as set out in numerous international data protection laws. A "Controller" is a natural or legal person who has the right, due to the nature of their work, to obtain personal data and to determine and control the process and criteria of processing personal data.
A "Processor", however, is any natural or legal person who processes personal data not only for the benefit of the Controller but also for its own benefit. The Law places almost identical obligations on Processors as it does on Controllers. In particular, Processors must process personal data in accordance with the written instructions of the Centre, the Controller or any relevant person. Processors should enter into an agreement with Controllers, although the Law does not specify what such an agreement should include; unlike the GDPR which prescribes a set of provisions that should be contained in processor agreements.
Alongside the definitions of "Controller" and "Processor", the Law also introduces the novel concept of a "Holder", which refers to any natural or legal person that "legally or factually" holds and retains personal data in any manner, regardless of whether that person collected that data initially or received it by way of a transfer. While the Law places obligations primarily on Controllers and Processors, Holders may also face certain sanctions if they breach the Law.
Data protection principles
As with the GDPR, the Law requires any processing of personal data to be conducted in accordance with specific principles, such as data minimisation (i.e. for a specific legitimate purpose as announced to the data subject); accuracy and security (i.e. personal data shall be correct, valid and secured); lawfulness and purpose limitation (i.e. in a legitimate manner and in compliance with the purposes for which they are collected); and storage limitation (i.e. not retained for longer than is necessary for the fulfilment of the purpose).
Conditions for processing
Compared to the GDPR's six legal bases for processing personal data, the Law sets out four conditions that must be applied to processing of personal data to be considered "legitimate and legal": (1) the data subject consents to the processing; (2) the processing is necessary for the performance of a contractual obligation, a legal action, the execution of an agreement for the benefit of the data subject, or to undertake any procedure to claim or defend the data subject's legal rights; (3) the processing is necessary to perform an obligation regulated by the Law, based on a court judgment or an order issued by regulatory authorities; and (4) processing is for the legitimate rights of the Controller or any relevant person unless it contradicts the basic rights and freedoms of the data subjects. Interestingly, the Law does not specify what constitutes valid consent. It refers to "explicit consent" in Article 2, but this is not repeated elsewhere in the Law.
Licences and permits
The Law will establish a new regulatory authority for personal data protection (the Centre).
Unlike the GDPR, which does not contain any registration requirements, Controllers and Processors have to obtain a licence or permit from the Centre to process personal data. The Executive Regulations are intended to set out the types of licences required and conditions to apply. However, Article 26 specifies that a licence would be required for activities such as:
A maximum fee payable for a licence shall be 2,000,000 Egyptian Pounds (approximately US$125,000), which is a significant amount, particularly if organisations are required to obtain more than one licence.
The GDPR sets out specific situations where it is mandatory for a Controller or Processor to appoint a data protection officer (DPO): where the organisation is a public authority; where the core activities of the organisation consists of regular or systematic monitoring of data subjects or the processing of sensitive data on a large scale.
The Law, however, requires all organisations that act as Controllers or Processors to appoint a "competent employee to be responsible for the protection of Personal Data" as DPO. The employee will have to be registered with the Centre.
Records of processing
Controllers and Processors have to record their processing activities. As under the GDPR, they must prepare records that include information such as: type of processing activities, duration of the processing, mechanisms for erasure or editing of personal data and a description of technical and organisational procedures related to data security.
Data subject rights
Data subjects are provided with a number of rights in relation to how their personal data is processed by organisations. These rights, set out at the beginning of the Law in Article 2, are based largely on the GDPR and include the right to:
The organisation receiving the request will have to provide a response within six working days from the date of submission of the request. This is considerably lower than the one month for responding to requests under the GDPR. If the six working day period lapses, this will be considered a rejection.
With the exception of personal data breach notification, data subjects are required to pay a fee to the Controller or Processor in respect of exercising their rights. The fee shall not exceed 20,000 Egyptian Pounds (approximately US$1,250).
Cross border transfers
Subject to a number of exceptions, the Law contains a general prohibition on the transfer of personal data (including sharing and storing of personal data) to a foreign country unless a licence has been obtained from the Centre and where the level of protection is not less than that provided under the Law. The Law, however, does not provide a list of "adequate regimes" unlike other data protection laws; as such, it is not clear how the level of protection would be determined. Further criteria, policies and regulations for cross border transfers are intended to be specified in the Executive Regulations.
Data breach notifications
The Law requires Controllers and Processors to notify the Centre of a personal data breach within 72 hours of becoming aware of the breach. If national security is threatened by the breach, such notification must be made immediately. Controllers and Processors must also notify the affected data subject three days from the date of notification to the Centre. Unlike the GDPR where the Processor has to notify the Controller if there is a breach, under the Law, both Controllers and Processors are responsible for notifying the Centre and data subjects of the breach.
The Law prohibits electronic marketing unless a number of conditions apply, which includes obtaining the consent of the data subject and setting clear and uncomplicated mechanisms to allow the data subject to refuse the communication or withdraw his or her consent. The sender of electronic marketing communications will have to maintain electronic records evidencing the consent received from data subjects. This indicates that businesses may need to obtain "opt-in consent" (i.e. a positive action such as ticking a box or responding "yes") versus "opt-out consent" (i.e. passive consent such as not unticking a box).
Alongside issuing licences and permits, the Centre has a wide range of powers and responsibilities under the Law, including dealing with any complaints from individuals and supervising, monitoring and inspecting any individual or entity dealing with personal data.
The Centre can impose significant fines and/or criminal sanctions for breaches of the Law, such as:
Additionally, the DPO can be held liable and subject to a maximum fine of 1,000,000 Egyptian Pounds (approximately US$60,000) for the violation of any of its obligations under the Law.
Managers of an organisation can be penalised with the same sanctions as the organisation (and held jointly liable if an employee commits the violation under his or her name and for his or her account and benefit), if it is proven that the manager knew about the organisation's violation of the Law and if his breach of duties imposed by the organisation contributed to such violation.
Given the serious penalties and onerous obligations arising under the Law, businesses should start preparing as soon as possible. While the grace period allows businesses potentially until April 2022 to prepare, they may need to implement significant and numerous measures and procedures to ensure compliance which can take time to arrange and embed within their organisations. Egypt has no prior history of a data protection law of this nature, which will make compliance and enforcement a challenge for businesses and regulators respectively.
Businesses should start by documenting what personal data they hold, where it comes from and with whom they share it. This could help them identify the type of licences that they may need while they wait for further guidance to be issued by the Centre.
Businesses will need to carefully consider who to appoint as a DPO as this employee and the business itself could be held liable for any failure to comply with the Law.
Other key procedures and policies that businesses may consider implementing include:
Please contact the authors for further information about the Law.
¹Law No. 151 of 2020; English translation of the Law at https://www.privacylaws.com/media/3263/egypt-data-protection-law-151-of-2020.pdf