Egypt finally implements data protection law after five-year delay

5 years after enacting Legislation No. 151 of 2020, Egypt revealed its long-awaited govt laws for private knowledge safety. In response to Govt Decree 816 of 2025, issued November 10 within the Official Gazette (Concern 244), the great implementing laws set up detailed necessities for knowledge controllers, processors, cross-border transfers, and enforcement mechanisms that had remained largely dormant for the reason that laws’s passage.

The Ministry of Communications and Data Know-how finalized the laws below authority granted by the 2020 statute. Dr. Amro Sobhy Talaat signed the decree as minister, in keeping with doc signatures seen within the official publication. The delay exceeded most regional implementations—comparable frameworks in Israel superior from laws to operational necessities inside months, whereas Egypt’s implementation stretched throughout a number of years regardless of rising digital economic system pressures.

The manager laws span 42 articles protecting registration necessities, knowledge topic rights, breach notification procedures, and cross-border switch mechanisms. A number of provisions immediately handle challenges dealing with advertising professionals working throughout jurisdictions, notably concerning consent administration, reputable curiosity assessments, and accountability documentation.

Registration and charge construction

Knowledge controllers and processors dealing with private data face obligatory registration necessities with tiered charge buildings. In response to Article 19 of the decree, entities should receive permits or licenses from designated authorities managing private knowledge safety. The registration charges range considerably primarily based on database measurement and organizational scale.

For people looking for registration, charges vary from 200 EGP (roughly 5 USD) for databases containing 1-100,000 private data to 1,000 EGP for databases exceeding 901,000 data. Organizations face greater thresholds—charges start at 5,000 EGP for entity databases containing 1-25,000 data and escalate to 50,000 EGP for databases exceeding 5 million private data, in keeping with detailed tables in Article 19.

Further prices apply for particular allow modifications. The laws set up 5 EGP charges for associations and 10 EGP charges for syndicates. Personal sector entities processing fewer than 50 members pay 20 EGP, whereas these exceeding 50 members pay 50 EGP for numerous permits. Organizations requiring specialised permits for delicate processing actions face supplementary prices.

Entities should submit allow functions to designated authorities via specified procedures. In response to Article 8, knowledge safety officers are registered electronically via specialised record-keeping mechanisms that embrace restricted qualification standards. The Nationwide ID serves because the identification reference for Egyptian nationals, with particular provisions for overseas candidates.

Cross-border switch framework

International data transfer requirements signify important operational concerns for multinational organizations. Article 16 establishes circumstances for transferring private data outdoors Egypt, together with necessities for acquiring permits or approvals for processing actions performed past Egyptian borders. The framework distinguishes between transfers to people inside Egypt and people involving overseas jurisdictions.

Controllers should receive authorization from competent authorities earlier than transferring private knowledge internationally. The laws allow transfers when recipient international locations or worldwide organizations present sufficient safety ranges, when people consent explicitly after receiving applicable data concerning switch dangers, or when transfers happen for contract execution functions essential for knowledge topic pursuits.

Article 17 addresses particular circumstances allowing cross-border processing with out customary authorization procedures. Transfers might proceed when essential for public curiosity established by legislative provisions, when important for authorized claims institution or protection, or when required for important particular person pursuits safety in instances the place knowledge topics can’t present consent.

Transfers outdoors Egypt for people or entities not sustaining institutions inside Egyptian territory require particular permits issued by controlling authorities. In response to Article 23, functions should embrace documentation establishing authorized foundation, nature and quantity of transferred data, and switch functions aligned with statutory necessities.

Delicate knowledge protections

Particular class knowledge receives enhanced safety necessities all through the regulatory framework. Article 14 defines delicate private data as knowledge revealing racial or ethnic origins, political beliefs, non secular or philosophical beliefs, commerce union membership, genetic knowledge, biometric knowledge for distinctive identification functions, well being knowledge, or data regarding sexual life or sexual orientation.

Processing delicate classes requires acquiring express consent or demonstrating different authorized grounds below Article 2(1). Controllers should set up that processing serves essential functions with out different means attaining said targets. The laws prohibit utilizing delicate data for functions incompatible with authentic assortment rationale, establishing strict goal limitation ideas.

Legit curiosity processing can’t function authorized foundation for particular class knowledge below Article 9 GDPR-aligned provisions. Organizations counting on delicate knowledge processing should determine relevant exceptions or implement technical architectures avoiding particular class data fully, much like German court interpretations regarding shopping cart data revealing health characteristics.

Article 29 addresses licensing and allow necessities for delicate knowledge transfers via digital advertising channels. Controllers should receive designated authority approvals, with distinct charge schedules for modifications involving delicate versus non-sensitive data classes.

Knowledge safety officers

Organizations assembly specified thresholds should appoint knowledge safety officers below Article 7. The laws require candidates maintain skilled {qualifications} or tutorial credentials in related fields, together with regulatory compliance, data safety, or associated disciplines as decided by governing boards managing safety frameworks.

In response to Article 8, officers register via digital programs maintained by controlling authorities. Every registration carries identification numbers with specified validity durations. Officers should submit renewal functions inside 30 days of expiration, risking registration termination absent well timed compliance. Authorities might reject functions or droop present registrations for failure assembly qualification necessities or violations of governing statutes.

Article 9 establishes registration procedures requiring digital submission via devoted portals. Officers create accounts utilizing Nationwide ID credentials for Egyptian nationals, with passport provisions for overseas candidates. The system generates distinctive reference numbers monitoring software standing and documentation necessities.

Article 10 addresses termination and substitute procedures. Authorized representatives might request official removing upon relationship termination, with controlling facilities notifying affected events inside 15 days. Organizations should appoint substitute officers inside comparable timeframes. Authorities droop official registrations upon receiving termination notices pending compliance verification.

Breach notification necessities

Controllers should report private knowledge breaches to supervising authorities in keeping with Article 5. The laws set up 72-hour notification deadlines from breach discovery, monitoring comparable necessities below European GDPR frameworks. Delayed notifications require documented justification explaining circumstances stopping well timed compliance.

Article 5 requires breach notifications embrace affected knowledge varieties, approximate numbers of impacted people, contact data for knowledge safety officers or designated representatives, seemingly breach penalties, and carried out or proposed remediation measures. Controllers should preserve inside breach documentation no matter whether or not incidents set off regulatory notification thresholds.

Knowledge topics obtain direct notification when breaches create excessive dangers to rights and freedoms. Controllers should talk utilizing clear, plain language accessible to affected people with out specialised technical information. Notifications ought to clarify breach nature, potential penalties, and protecting measures people would possibly implement to mitigate harms.

Article 6 permits controllers to keep away from direct particular person notification in particular circumstances. When controllers implement technical safety measures rendering breached knowledge incomprehensible to unauthorized recipients, when subsequent measures get rid of excessive dangers, or when particular person notifications would require disproportionate effort, controllers might substitute different communication strategies together with public bulletins via applicable channels.

Particular person rights provisions

Knowledge topics train a number of rights below the regulatory framework. Article 2 establishes basic ideas together with lawful processing necessities, goal limitation, knowledge minimization, accuracy upkeep, storage limitation, and integrity and confidentiality protections. These ideas mirror worldwide requirements whereas reflecting Egyptian legislative particulars.

People might receive affirmation concerning whether or not controllers course of private data regarding them. Entry rights allow knowledge topics to obtain copies of processed knowledge, details about processing functions, knowledge classes concerned, recipient identities, retention durations, and rights availability together with rectification, erasure, and restriction choices.

Article 14 addresses youngsters’s knowledge processing particularly. Controllers processing data regarding people below 15 years require verifiable parental or guardian consent. The laws set up age verification obligations and enhanced safety necessities for minors’ private data throughout academic, leisure, or business contexts.

Rectification and erasure rights allow people to right inaccurate data or request deletion below specified circumstances. Controllers should reply to requests inside established timeframes, documenting choices and offering justification when refusing compliance. The framework balances particular person rights towards reputable processing pursuits together with authorized obligations, public curiosity features, and freedom of expression concerns.

Enforcement mechanisms

The laws set up administrative penalties for non-compliance. Article 19’s charge construction operates independently from violation penalties, which may attain considerably greater quantities. In response to charge tables, private report volumes exceeding 5 million people incur base registration charges of 666,666 EGP, establishing the utmost charge threshold for routine licensing somewhat than punitive enforcement.

Article 12 addresses supervisory authority obligations. Officers should monitor organizational compliance, examine complaints, and implement regulatory necessities via obtainable mechanisms. Authorities might order controllers to implement particular technical or organizational measures, limit processing actions, or impose administrative penalties proportionate to violation severity.

Controllers reveal compliance via documentation maintained in keeping with Article 3. Organizations should retain data of processing actions, authorized foundation determinations, knowledge topic consent proof the place relevant, breach incident logs, and knowledge safety impression assessments for high-risk processing operations.

Article 18 establishes obligations for digital advertising actions. Direct advertising via digital channels requires prior consent or demonstration of reputable curiosity aligned with statutory provisions. Controllers should present clear opt-out mechanisms and honor withdrawal requests with out undue delay or administrative burden.

Worldwide comparability context

Egypt’s framework arrives as jurisdictions worldwide navigate data protection simplification debates. Whereas European regulators take into account GDPR amendments to scale back administrative burdens, Egypt implements detailed necessities for organizations beforehand working with out complete privateness oversight.

The laws share structural similarities with GDPR together with goal limitation, knowledge minimization, particular person rights provisions, and cross-border switch restrictions. Nevertheless, Egypt’s fee-based registration system differs from European approaches the place most processing actions proceed with out direct licensing necessities, although particular sectors face authorization obligations.

Regional implementations range considerably. Israel’s recent DPO guidance anticipated Modification 13 necessities months earlier than effectiveness dates. California’s privateness framework operates via complaint-driven enforcement somewhat than complete registration programs, although latest updates increase consent and switch necessities efficient January 1, 2026.

The five-year implementation hole created regulatory uncertainty for organizations establishing Egyptian operations through the interim interval. Whereas Legislation No. 151 of 2020 established basic ideas, absent implementing laws meant sensible compliance necessities remained undefined till the November 2025 decree publication.

Advertising and marketing professionals working throughout North African and Center Jap markets now face concrete compliance obligations. The registration necessities, consent administration specs, and cross-border switch restrictions demand operational changes for organizations processing Egyptian resident knowledge. Know-how platforms providing companies to Egyptian customers should consider whether or not processing actions set off registration thresholds and implement applicable technical measures.

The laws take impact instantly following publication within the Official Gazette. Controllers and processors should provoke registration procedures, appoint required knowledge safety officers, and set up documentation programs demonstrating regulatory compliance. Organizations beforehand counting on normal privateness ideas should now align practices with particular statutory necessities together with breach notification protocols and particular person rights response procedures.

Timeline

Abstract

Who: The Egyptian Ministry of Communications and Data Know-how, led by Minister Dr. Amro Sobhy Talaat, issued complete implementing laws affecting knowledge controllers, processors, and knowledge safety officers working inside Egyptian jurisdiction or processing Egyptian resident data.

What: Govt Decree 816 of 2025 establishes operational framework for Legislation No. 151 of 2020, together with obligatory registration necessities with charges starting from 200 EGP to 666,666 EGP primarily based on database measurement, cross-border switch authorization procedures, breach notification protocols, delicate knowledge protections, and particular person rights enforcement mechanisms throughout 42 articles.

When: The laws had been signed November 10, 2025, and revealed in Official Gazette Concern 244 (observe A) of 12 months 199 A.H., taking quick impact 5 years after the foundational laws handed in 2020.

The place: The framework applies to non-public knowledge processing actions occurring inside Egypt and to controllers or processors established outdoors Egypt when providing items or companies to Egyptian residents or monitoring conduct of people positioned in Egyptian territory.

Why: The implementing laws remodel Legislation No. 151 of 2020 from legislative framework to operational compliance system, addressing five-year regulatory hole that left organizations with out clear processing necessities, registration procedures, or enforcement mechanisms regardless of basic privateness laws existence.