Egypt Personal Data Protection Law (Law No. 151 of 2020)
Egypt's Personal Data Protection Law (Law 151 of 2020) is the country's first comprehensive data protection law, requiring explicit consent, data subject rights, a data protection officer, and licenses or permits for activities such as cross-border transfers and direct marketing.
Egypt Personal Data Protection Law (Law No. 151 of 2020)
Egypt's Personal Data Protection Law, Law No. 151 of 2020, is the country's first comprehensive statute dedicated to protecting personal data. It was issued and took effect in 2020, with the law published in mid-July and entering into force in October 2020, while full operational enforcement awaited issuance of the executive regulations and establishment of the Personal Data Protection Center. The law draws on GDPR concepts adapted to the Egyptian context.
Who It Applies To
The law applies to personal data that is electronically processed, whether wholly or partly, by controllers and processors. It has extraterritorial reach, covering Egyptians and foreigners residing in Egypt and, in defined circumstances, processing carried out abroad that relates to Egyptian data subjects. Certain data, such as that held by the central bank or for national security purposes, is excluded. The Personal Data Protection Center, under the Ministry of Communications and Information Technology, is the regulator.
Key Requirements
Processing requires the data subject's explicit consent unless a legal exception applies, and data must be collected for legitimate, specified purposes and kept accurate and secure. Data subjects have rights to be informed, to access, to correct, to erase, to withdraw consent, and to object to processing. A distinctive feature is a licensing and permit regime: controllers, processors, and entities that conduct direct marketing or cross-border transfers may need licenses or permits from the Center. Controllers and processors must appoint a data protection officer. Cross-border transfers require an adequate level of protection in the destination and a permit.
Penalties for Non-Compliance
The law imposes significant administrative fines and criminal penalties, including imprisonment and monetary fines that escalate for violations involving sensitive data, unlawful cross-border transfers, or processing without required licenses. Penalties can reach into the millions of Egyptian pounds depending on the offense.
How to Comply
Obtain explicit consent and process data only for specified purposes. Honor data subject rights and appoint a data protection officer. Determine which activities require licenses or permits from the Personal Data Protection Center, including direct marketing and cross-border transfers, and obtain them. Implement security measures and ensure lawful mechanisms for international transfers.
Practical Notes
Egypt's licensing and permit regime is unusual and easy to overlook: activities such as cross-border transfers and direct marketing may require specific permits from the Personal Data Protection Center. Full operational enforcement has depended on the issuance of executive regulations and the Center's establishment, so organizations should track these developments while implementing consent, DPO, and security baselines now.
Building a Durable Program
Organizations operating across borders should treat this regime as one input into a unified, principles-based privacy program rather than a standalone checklist. Practical foundations include maintaining a current record of processing activities that documents purposes, lawful bases, data categories, recipients, retention periods, and any cross-border transfers; classifying data so that sensitive categories receive heightened safeguards by default; and embedding privacy-by-design reviews into product and engineering workflows so that new features are assessed before launch. Robust consent and preference management, demonstrable through audit logs, is essential where the law is consent-centric, since the burden of proving a valid lawful basis typically rests on the controller. Incident-response runbooks should encode the applicable breach-notification timelines and decision criteria so that the organization can act within tight windows. Vendor management should ensure processors are bound by contracts that flow down core obligations, and periodic audits should verify that controls remain effective. Aligning to recognized frameworks such as ISO 27701 and privacy-by-design principles helps satisfy overlapping obligations across jurisdictions while reducing duplicated effort and the risk of gaps.