Parliament on Monday approved the long-awaited Personal Data Protection Law. The final vote was postponed due to lack of quorum of two-thirds of MPs in the Sunday’s session.
Ahmed Badawi, head of the telecommunication committee in parliament, said they have been working on the law in coordination with the Ministry of Communications and Information Technology and the Central Bank of Egypt (CBE).
The law aims to protect personal data on online markets, control e-shopping, and prevent data misuse on Facebook.
no legislation to regulate the protection of online personal data in terms of collection, storage, or processing.
The draft law was submitted by MP Ashraf Amara and 60 others, with the endorsement of about 10% of MPs. In August 2018, the cabinet approved the draft law.
Article 2 of the law has been through long discussion among the members of parliament.
During the Sunday’s session, MPs agreed that the CBE and its subsidiaries (except exchange companies) are not subject to the Personal Data Protection Law.
Parliament Speaker Ali
Abdel Aal said a major mission of the CBE is to maintain the confidentiality of personal bank accounts.
Badawi said the law includes 51 articles and was discussed in more than 62 sessions and it concerns everyone. Many local and international investors are waiting to hear for the law.
He stressed it encourages and supports the investment climate, and will attract more investments in the communications and information technology sector.
Badawi added it will work on improving Egypt’s investment indicators, and help the government work closer with European banks, hospitals, airlines, and other entities under the European General Data Protection Regulation (GDPR).
Ahmed Rafaat, a member of the telecommunications committee, said, “In light of the technological development that we live in now, everyone’s data and information have become available everywhere, so it was necessary to have a law that protects the privacy of citizens.” He added that the law has deterrent penalties, imprisonment or fining, for violators.
He also agreed with Badawi that the law will attract investments in the communications and information technology sector, creating new investment opportunities and jobs.
The law follows international standards in terms of the protection of personal data, and ensures the safety of national investments, especially those dealing with the European Union.
Amendments to the law
Article no. 19 of the law stipulates the establishment of a general authority under the name “personal data protection centre,” to protect personal data and regulate its availability and procession.
Parliament also amended article 2 to obligate the “controller and processor” of data to notify the centre of personal data protection of any breach within 72 hours of identifying it. And in the event that the breach affects national security, data controllers and processors must notify the centre within 24 hours and national security authorities.
This centre will develop strategic plans, policies, and programmes required to protect personal data, and it will coordinate with all governmental and non-governmental bodies to execute protection measures.
will comprise representatives from ministries of justice and foreign affairs, General Intelligence Service, and the Administrative Control Authority.
Article 14 of the law, concerned with cross-border personal data protection, was also amended. It stipulates that it is prohibited to carry out transfers, storage, or sharing of personal data that was collected or prepared for processing to a foreign country unless there is a level of protection no less than what is required by this law, and with a licence or permit from the centre for protecting personal data.
As for Article 17, concerned with direct electronic marketing, parliament removed the word “preconceived” to stipulate that it is prohibited to make any electronic communication with any person for the purpose of marketing unless the following conditions are met. Obtaining the target person’s approval.
The parliament also amended paragraph 8 of Article 20 to now stipulate that, instead of four, the centre of protecting personal data will be comprised of three members to be chosen by the concerned minister.
Article 32 stipulates, “the person concerned with the data and every person of direct nature and interest may submit to any holder, controller, or processor a request related to the exercise of his rights stipulated in this law, and the applicant is obliged to respond to it within six working days from the date of its submission to it.”
Articles no. 35, 36, and 37 state that whoever collects, process, or discloses personal data without the consent of the individual concerned for other purposes other than legally authorised, shall be fined no less than EGP 100,000 and no more than EGP 1m. Whoever commits the previous violation
for personal gain shall be imprisoned no less than six months or fined no less than EGP 200,000 and no more than EGP 2m, or given both punishments.