Overview
In February 2019, the Egyptian government submitted to the parliament a draft law on the “Protection of Personal Data”. Some of the provisions of the draft law were not consistent with international best practices and standards (including the European GDPR).
With the support of M&P, the tech industry managed to kickstart a public consultation process with the government and parliament on the draft law. The industry engagement and public consultation on this matter was the first of its kind in Egyptian legislation history.
Key Concerns on Draft Law
The draft law submitted by the government followed the GDPR in setting strict rules and hefty obligations on companies in relation to personal data for individuals that is controlled or processed by such companies. The draft law imposed additional burdens and significant risks on companies that were seen as major showstoppers for doing business in Egypt. Some of the key concerns included:
· Criminal penalties: the draft law included several criminal penalties for different forms of violation of the obligations imposed by the law, including minor violations. The penalties were mainly imprisonment of the responsible employees of the companies.
· Breach notification: the draft law set a very broad notification obligation for any type of data privacy breach, with very strict timelines for completing such notification.
· Licensing: the draft law created a new licensing regime requiring all data controllers and processors to obtain a license from the Egyptian Data Protection Authority established by the law - a regime that raised concerns about potential business disruption resulting from delays in license issuance and renewal and from potential revocation.
· Electronic marketing: the draft law included a requirement to obtain the explicit prior approval of the data subject before communicating any form of electronic marketing. The initial wording of the provision posed a significant threat to the use of existing databases for marketing purposes without obtaining new explicit consent from the registered data subjects.
· Cross-border transfer of data: the draft law required a separate license for the transfer of personal data outside of Egypt, based on specific conditions in different scenarios. The new licensing burden would have resulted in potential restrictions on the flexibility and growth of cloud services.
· Sensitive personal data in relation to children: the draft law set the age of 18 as the threshold for defining children - which was not consistent with the GDPR.
Industry Efforts
Following alignment on the key issues of concern, the industry engaged in several consultation sessions with the Ministry of Communications and Information Technology (MCIT) and key national stakeholders to discuss the proposed draft law. The industry then engaged with the House of Representatives and organized a first-of-its-kind parliamentary hearing that gathered more than 50 companies from the tech sector and other industries. A written commentary on the draft law (with suggested recommendations) was submitted to the House of Representatives ICT Committee. Trade associations were mobilized to endorse the recommendations.
Outcome
Engagement efforts succeeded in achieving alignment between government, parliament and the private sector on the issues of contention. Key industry recommendations were adopted by MCIT and the House of Representatives, and amendments were introduced to the draft law before its ratification.
Cairo, 5 September 2020
Background
In February 2019, Moharram & Partners for Public Affairs and Strategic Communications (M&P) held the first private-public dialogue on the Executive Regulations of Law no. 175 for the year 2018 on Combating Cybercrimes. Hosted by the Ministry of Communications and Information Technology (MCIT)/Information Technology Industry Development Agency (ITIDA), the workshop was attended by 35+ participants representing top global/regional ICT firms.
On August 27th 2020, HE the Egyptian Prime Minister Mostafa Madbouly issued Executive Regulations no. 1699/2020 (the “ER”) to Cybercrimes Law no. 175/2018 (the “Law”). The ER come into force after a significant delay from the timeline set under the Law.
General vs Critical Information Technology Services
Based on our initial review of the ER, we find the provisions of the regulations precise and brief. The ER introduce a differentiation between general information technology services and critical information technology services and stipulate two different sets of requirements for complying with the Law (Articles 2 and 3 of the ER). The requirements stipulated for general information technology services provide the basic minimum standards that must be followed by any information technology service provider. These obligations include minimum security levels in the systems used.
With regard to critical information technology services, we note that the definition is broad and could capture a wide range of businesses. The ER define Critical Information Infrastructure as: “a set of systems, networks or basic information assets whereby the disclosure of their details leads to their break-down, the unlawful disruption of their operational method, unauthorized access, unlawful data and information that are saved or processed by such systems, any other unlawful act that affects the availability of the State’s services and its main utilities or causes national material economic or social losses. Critical Information Infrastructure specifically entails what is used for electric power, natural gas and petrol, telecommunications, financial entities and banks, different industries, transportation and civil aviation, education and scientific research, radio and television broadcasting, drinking water and sewage stations and water resources, health, governmental services and emergency services or other information and telecommunications utilities that may affect national security or national economy or public interest and the like”.
The obligations are stricter for service providers that fall under this category. The most challenging and expensive requirement, in our view, is the necessity of using certified e-signature certificates for all users of the system. The liability of service providers consists mainly in satisfying the security requirements under Articles 2 and 3 of the ER.
Liability of Intermediary Service Providers
Concerning the liability of intermediary technology service providers in relation to content (Article 7 of the Law), the proper reading of the text is that the regulators have limited it to responding to and complying with investigation authorities' requests, validated by a competent court order, for removing or blocking violating content, as well as cooperating with courts/investigation authorities by providing encryption keys to assist with investigating and prosecuting cybercrimes under the Law (Article 11 of the ER). Such decisions are communicated to the service providers through the National Telecommunication Regulatory Authority (NTRA).
How Does the Law Impact You?
If you use information technology systems to provide services to your users/customers, you shall identify the category of your business (general or critical information technology services). Your relevant team shall (i) review the technical requirements stipulated under the ER; (ii) prepare a gap analysis against your existing systems; and (iii) put in place an action plan for ensuring compliance with those requirements.