Overview
Egypt’s Personal Data Protection Law (PDPL) was enacted on 15 July 2020 and took effect on 16 October 2020, establishing a place for data privacy in Egypt. The PDPL creates an all-inclusive framework for protecting personal data in both the public and private sectors. It generally prohibits processing personal data without the data subject’s explicit consent and grants individuals rights to control their information.
The PDPL aims to regulate the collection, processing, storage, and transfer of personal data within Egypt. It applies to businesses, government agencies, and foreign entities that process data related to Egyptian citizens. The law introduces several obligations for businesses, grants new rights to individuals, and imposes strict penalties for non-compliance.
I. Legal and Regulatory Framework of PDPL
The PDPL is the core of Egypt’s data protection regime. It applies broadly to any electronic processing of personal data by controllers or processors inside or outside Egypt involving Egyptian data subjects. The law distinguishes personal data (any information relating to an identified or identifiable natural person) from sensitive data such as health, financial, biometric, religious or political information. The PDPL creates a new regulator, the Personal Data Protection Centre (PDPC), as a public authority under the Ministry of Communications and Information Technology to enforce the law. The PDPC will issue licenses, decrees, and guidelines, unify privacy policies, handle complaints, and coordinate with other agencies and international bodies on data protection.
Despite creating a unified framework, the PDPL sits atop several sector-specific laws that add privacy protections in crucial areas. For instance, the Telecommunications Law mandates that licensed operators protect the confidentiality of customer communications and private calls, effectively reinforcing PDPL safeguards for telecom data. Similarly, the legislation on cyber-crimes, known as the Anti-Cyber and Information Technology Crimes Law, obliges online service providers to keep logs for 180 days, secure user data, and disclose information only with judicial authorization. Egypt’s Penal Code criminalizes unlawful interception or disclosure of personal information, and the e-Signature Law requires secure systems to protect users’ personal data in digital signature services. Other regulations, from the National Telecom Regulatory Authority licensing rules to consumer-protection laws, further support data privacy in contexts like e-commerce and broadcasting.
II. Rights Under the PDPL
- Right to be informed & Right to know- Individuals must be told why their data is collected and how it will be used. Controllers must notify data subjects if any personal data breach occurs that affects them.
- Right of access- Data subjects can request and obtain a copy of any of their personal data held by a controller or processor.
- Right to correction and deletion- If personal data is inaccurate or no longer needed, individuals may demand that it be corrected, updated or erased (the last also called the right to be forgotten).
- Right to restrict processing- Data subjects can limit processing to a specific purpose, or object entirely if processing would infringe on their rights and freedoms.
- Right to withdraw consent- Consent is revocable at any time; the law explicitly guarantees the right to withdraw prior consent to data processing.
- Right to data portability- The PDPL provides that citizens may obtain and reuse their data across services.
III. Organizational Obligations, Ensuring Compliance
Similar to GDPR as well as DPDP-
- Data Protection Officer (DPO)- Every controller and processor must appoint an internal DPO and register them with the PDPC. The DPO acts as liaison with the regulator, oversees compliance, updates records of processing, and ensures data subject requests are handled.
- Data Security- Entities must adopt appropriate technical and organizational measures to protect personal data. This means ensuring accuracy, confidentiality and integrity of data through encryption, access controls, secure storage and so on. The law expressly forbids excessive retention (data may not be kept for longer than necessary) and requires prompt correction of errors upon discovery.
- Consent Management- As consent is the default legal basis, controllers must obtain clear, explicit consent before processing personal data, with limited exceptions. Consent must be specific and documented; for sensitive data, written consent is required.
- Breach Notification- Controllers and processors must notify the PDPC of any personal data breach within 72 hours of becoming aware of it. The notification must describe the breach’s nature, scope, DPO details, consequences and mitigation steps. If the breach affects national security, immediate notification is required. Within 3 days of notifying the PDPC, the entity must also inform affected individuals of the breach and planned remedies.
- Records and Accountability- Appointing an experienced DPO and building a compliance blueprint including security audits, employee training and updated privacy notices are essential first steps. While the PDPL does not explicitly require a data protection impact assessment, the spirit of the law implies that high-risk processing should be assessed and justified before launch.
Unique to PDPL-
- Licensing & Permits- Any entity collecting, storing, processing or transmitting personal data must first obtain a license or permit from the PDPC. Applications require detailed documentation, proof of technical security and financial capacity, and are judged within 90 days.
- Definition of Holder- The PDPL introduces the concept of a holder, referring to entities that possess personal data without necessarily processing it, and assigns them specific obligations.
IV. Cross-Border Data Transfers & Restrictions
Egypt’s PDPL places strict controls on transferring personal data outside the country. Cross-border transfers are generally prohibited unless the destination ensures protection equal to Egypt’s and the PDPC issues a license. Transfers may proceed if the data subject gives explicit consent despite lower protections, particularly for health emergencies, legal claims, contract fulfillment, or public interest matters. However, even in these cases, organizations must justify the transfer’s necessity and document the risk. Sector-specific laws impose added hurdles. Law No. 194 of 2020 on the Central Bank and the Banking Sector bars sharing financial data with foreign entities without regulatory clearance, and the Telecoms Law requires similar authorization for telecom-related transfers.
V. Sectoral Considerations
While the PDPL establishes a general framework, certain sectors face additional compliance requirements:
Cookies and Trackers
Egypt lacks a dedicated cookie law, but the PDPL applies general consent and transparency standards. Non-essential cookies, like those for analytics or ads, require explicit opt-in consent. Websites must clearly explain the cookies’ purpose, provide opt-outs, limit retention, and secure cookie-derived data. Organizations should treat cookies as regulated personal data processing.
Direct Marketing
Articles 17 and 18 prohibit direct electronic marketing unless the recipient has opted in. Senders must identify themselves, mark the message as marketing, provide opt-outs, and store consent logs for three years. The Consumer Protection Law complements this by requiring post-sale consent and transparent contract terms. In essence: no spam and full accountability.
Employment Data
Employers may collect and use employee data only for specific, legitimate employment purposes such as payroll or performance review. Unrelated or excessive data collection is prohibited. Data must be accurate, securely stored, and accessible to employees, who retain full PDPL rights.
Mergers & Acquisitions
In M&A deals, personal data is a high-risk asset. Buyers should assess the target’s privacy posture, including data collection, security controls, and breach history. Share-purchase agreements must contain representations and indemnities ensuring lawful data use.
VI. Enforcement and Penalties
Although enforcement is still emerging, the PDPL prescribes serious sanctions. The PDPC has quasi-judicial authority to investigate violations and impose penalties. Unauthorized disclosure or denial of subject rights can lead to fines from EGP 100,000 to EGP 1 million. Operating without a license could attract fines up to EGP 5 million.
Managers can be held personally liable if their negligence results in violations. Criminal sanctions, including imprisonment, may apply in severe cases. While no major enforcement actions have occurred as of 2025, organizations should prepare for a more active regulatory stance. Data subjects also have the right to lodge complaints and pursue legal redress.
VII. Conclusion
Although Egypt lacks a standalone AI law, the 2023 Egyptian Charter for Responsible AI offers ethical guidelines aligned with international norms like OECD and UNESCO. These include transparency, human oversight, and fairness. Until AI-specific legislation is introduced, PDPL provisions govern personal data used in AI systems. Organizations using AI must ensure that data is collected lawfully, kept secure, retained appropriately, and used transparently. The National Telecommunications Regulatory Authority’s IoT Regulatory and the Consumer Protection Law also impose confidentiality obligations on smart devices and automated services.
Egypt’s PDPL is a growing and evolving regime, strict in its protection of privacy and of citizens. While regulatory enforcement is still ramping up, the stakes are high. Adopting best practices now across people, policies, and platforms can protect against reputational damage, financial penalties, and legal action. More importantly, embedding privacy into core business operations builds long-term trust with consumers, partners, and regulators. For any organization engaging with Egyptian data, PDPL compliance isn’t just mandatory; it’s imperative.