Egypt finally implements data protection law after five-year delay
Egypt issues Executive Decree 816 on November 10, 2025, establishing operational framework for 2020 personal data protection legislation with penalties up to 666,666 EGP and new obligations for international transfers.
Five years after enacting Law No. 151 of 2020, Egypt published its long-awaited executive regulations for personal data protection. According to Executive Decree 816 of 2025, issued November 10 in the Official Gazette (Issue 244), the comprehensive implementing regulations establish detailed requirements for data controllers, processors, cross-border transfers, and enforcement mechanisms that had remained largely dormant since the legislation's passage.
The Ministry of Communications and Information Technology finalized the regulations under authority granted by the 2020 statute. Dr. Amro Sobhy Talaat signed the decree as minister, according to document signatures visible in the official publication. The delay exceeded most regional implementations—comparable frameworks in Israel advanced from legislation to operational requirements within months, while Egypt's implementation stretched across multiple years despite growing digital economy pressures.
The executive regulations span 42 articles covering registration requirements, data subject rights, breach notification procedures, and cross-border transfer mechanisms. Several provisions directly address challenges facing marketing professionals operating across jurisdictions, particularly regarding consent management, legitimate interest assessments, and accountability documentation.
Registration and fee structure
Data controllers and processors handling personal information face mandatory registration requirements with tiered fee structures. According to Article 19 of the decree, entities must obtain permits or licenses from designated authorities managing personal data protection. The registration fees vary substantially based on database size and organizational scale.
For individuals seeking registration, fees range from 200 EGP (approximately 5 USD) for databases containing 1-100,000 personal records to 1,000 EGP for databases exceeding 901,000 records. Organizations face higher thresholds—fees begin at 5,000 EGP for entity databases containing 1-25,000 records and escalate to 50,000 EGP for databases exceeding 5 million personal records, according to detailed tables in Article 19.
Additional charges apply for specific permit modifications. The regulations establish 5 EGP fees for associations and 10 EGP fees for syndicates. Private sector entities processing fewer than 50 members pay 20 EGP, while those exceeding 50 members pay 50 EGP for various permits. Organizations requiring specialized permits for sensitive processing activities face supplementary charges.
Entities must submit permit applications to designated authorities through specified procedures. According to Article 8, data protection officials are registered electronically through specialized record-keeping mechanisms that include restricted qualification criteria. The National ID serves as the identification reference for Egyptian nationals, with specific provisions for foreign applicants.
Cross-border transfer framework
International data transfer requirements represent significant operational considerations for multinational organizations. Article 16 establishes conditions for transferring personal information outside Egypt, including requirements for obtaining permits or approvals for processing activities conducted beyond Egyptian borders. The framework distinguishes between transfers to individuals within Egypt and those involving foreign jurisdictions.
Controllers must obtain authorization from competent authorities before transferring personal data internationally. The regulations permit transfers when recipient countries or international organizations provide adequate protection levels, when individuals consent explicitly after receiving appropriate information regarding transfer risks, or when transfers occur for contract execution purposes necessary for data subject interests.
Article 17 addresses specific circumstances permitting cross-border processing without standard authorization procedures. Transfers may proceed when necessary for public interest established by legislative provisions, when essential for establishing or defending legal claims, or when required to protect vital individual interests in cases where data subjects cannot provide consent.
Transfers outside Egypt for individuals or entities not maintaining establishments within Egyptian territory require specific permits issued by controlling authorities. According to Article 23, applications must include documentation establishing legal basis, nature and volume of transferred information, and transfer purposes aligned with statutory requirements.
Sensitive data protections
Special category data receives enhanced protection requirements throughout the regulatory framework. Article 14 defines sensitive personal information as data revealing racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification purposes, health data, or information concerning sexual life or sexual orientation.
Processing sensitive categories requires obtaining explicit consent or demonstrating alternative legal grounds under Article 2(1). Controllers must establish that processing serves necessary purposes and that no alternative means would achieve the stated objectives. The regulations prohibit using sensitive information for purposes incompatible with the original collection rationale, establishing strict purpose limitation principles.
Legitimate interest processing cannot serve as legal basis for special category data under Article 9 GDPR-aligned provisions. Organizations relying on sensitive data processing must identify applicable exceptions or implement technical architectures avoiding special category information entirely, similar to German court interpretations regarding shopping cart data revealing health characteristics.
Article 29 addresses licensing and permit requirements for sensitive data transfers through electronic marketing channels. Controllers must obtain designated authority approvals, with distinct fee schedules for modifications involving sensitive versus non-sensitive information categories.

Data protection officials
Organizations meeting specified thresholds must appoint data protection officials under Article 7. The regulations require that applicants hold professional qualifications or academic credentials in relevant fields, including regulatory compliance, information security, or related disciplines as determined by governing boards managing protection frameworks.
According to Article 8, officials register through electronic systems maintained by controlling authorities. Each registration carries identification numbers with specified validity periods. Officials must submit renewal applications within 30 days of expiration, risking registration termination absent timely compliance. Authorities may reject applications or suspend existing registrations for failure to meet qualification requirements or for violations of governing statutes.
Article 9 establishes registration procedures requiring electronic submission through dedicated portals. Officials create accounts using National ID credentials for Egyptian nationals, with passport provisions for foreign applicants. The system generates unique reference numbers tracking application status and documentation requirements.
Article 10 addresses termination and replacement procedures. Legal representatives may request official removal upon relationship termination, with controlling centers notifying affected parties within 15 days. Organizations must appoint replacement officials within similar timeframes. Authorities suspend official registrations upon receiving termination notices pending compliance verification.
Breach notification requirements
Controllers must report personal data breaches to supervising authorities according to Article 5. The regulations establish 72-hour notification deadlines from breach discovery, tracking similar requirements under European GDPR frameworks. Delayed notifications require documented justification explaining circumstances preventing timely compliance.
Article 5 requires that breach notifications include affected data types, approximate numbers of impacted individuals, contact information for data protection officials or designated representatives, likely breach consequences, and implemented or proposed remediation measures. Controllers must maintain internal breach documentation regardless of whether incidents trigger regulatory notification thresholds.
Data subjects receive direct notification when breaches create high risks to rights and freedoms. Controllers must communicate using clear, plain language accessible to affected individuals without specialized technical knowledge. Notifications should explain breach nature, potential consequences, and protective measures individuals might implement to mitigate harms.
Article 6 permits controllers to avoid direct individual notification in specific circumstances. When controllers implement technical protection measures rendering breached data incomprehensible to unauthorized recipients, when subsequent measures eliminate high risks, or when individual notifications would require disproportionate effort, controllers may substitute alternative communication methods including public announcements through appropriate channels.
Individual rights provisions
Data subjects exercise multiple rights under the regulatory framework. Article 2 establishes fundamental principles including lawful processing requirements, purpose limitation, data minimization, accuracy maintenance, storage limitation, and integrity and confidentiality protections. These principles mirror international standards while reflecting Egyptian legislative particulars.
Individuals may obtain confirmation regarding whether controllers process personal information concerning them. Access rights enable data subjects to receive copies of processed data, information about processing purposes, data categories involved, recipient identities, retention periods, and rights availability including rectification, erasure, and restriction options.
Article 14 addresses children's data processing specifically. Controllers processing information concerning individuals under 15 years require verifiable parental or guardian consent. The regulations establish age verification obligations and enhanced protection requirements for minors' personal information across educational, recreational, or commercial contexts.
Rectification and erasure rights permit individuals to correct inaccurate information or request deletion under specified circumstances. Controllers must respond to requests within established timeframes, documenting decisions and providing justification when refusing compliance. The framework balances individual rights against legitimate processing interests including legal obligations, public interest functions, and freedom of expression considerations.
Enforcement mechanisms
The regulations establish administrative penalties for non-compliance. Article 19's fee structure operates independently from violation penalties, which can reach substantially higher amounts. According to fee tables, personal record volumes exceeding 5 million individuals incur base registration fees of 666,666 EGP, establishing the maximum fee threshold for routine licensing rather than punitive enforcement.
Article 12 addresses supervisory authority obligations. Officials must monitor organizational compliance, investigate complaints, and enforce regulatory requirements through available mechanisms. Authorities may order controllers to implement specific technical or organizational measures, restrict processing activities, or impose administrative penalties proportionate to violation severity.
Controllers demonstrate compliance through documentation maintained according to Article 3. Organizations must retain records of processing activities, legal basis determinations, data subject consent evidence where applicable, breach incident logs, and data protection impact assessments for high-risk processing operations.
Article 18 establishes obligations for electronic marketing activities. Direct marketing through electronic channels requires prior consent or demonstration of legitimate interest aligned with statutory provisions. Controllers must provide clear opt-out mechanisms and honor withdrawal requests without undue delay or administrative burden.
International comparison context
Egypt's framework arrives as jurisdictions worldwide navigate data protection simplification debates. While European regulators consider GDPR amendments to reduce administrative burdens, Egypt implements detailed requirements for organizations previously operating without comprehensive privacy oversight.
The regulations share structural similarities with GDPR including purpose limitation, data minimization, individual rights provisions, and cross-border transfer restrictions. However, Egypt's fee-based registration system differs from European approaches where most processing activities proceed without direct licensing requirements, though specific sectors face authorization obligations.
Regional implementations vary substantially. Israel's recent DPO guidance anticipated Amendment 13 requirements months before effectiveness dates. California's privacy framework operates through complaint-driven enforcement rather than comprehensive registration systems, though recent updates expand consent and transfer requirements effective January 1, 2026.
The five-year implementation gap created regulatory uncertainty for organizations establishing Egyptian operations during the interim period. While Law No. 151 of 2020 established fundamental principles, the absence of implementing regulations meant practical compliance requirements remained undefined until the November 2025 decree publication.
Marketing professionals operating across North African and Middle Eastern markets now face concrete compliance obligations. The registration requirements, consent management specifications, and cross-border transfer restrictions demand operational adjustments for organizations processing Egyptian resident data. Technology platforms offering services to Egyptian consumers must evaluate whether processing activities trigger registration thresholds and implement appropriate technical measures.
The regulations take effect immediately following publication in the Official Gazette. Controllers and processors must initiate registration procedures, appoint required data protection officials, and establish documentation systems demonstrating regulatory compliance. Organizations previously relying on general privacy principles must now align practices with specific statutory requirements including breach notification protocols and individual rights response procedures.
Timeline
- 2020: Egypt enacts Law No. 151 of 2020 establishing personal data protection framework without implementing regulations
- November 10, 2025: Ministry of Communications and Information Technology issues Executive Decree 816 of 2025 providing operational requirements for 2020 legislation
- November 10, 2025: Regulations published in Official Gazette Issue 244 (follow A) and enter immediate effect
- 2018: GDPR implementation creates unified privacy framework across EU
- November 2025: Germany proposes sweeping GDPR simplification measures beyond EU Commission proposals
- July 2025: Israel's Privacy Protection Authority releases DPO guidance draft anticipating Amendment 13 implementation
- January 2026: California privacy law updates take effect expanding consumer protection requirements
Summary
Who: The Egyptian Ministry of Communications and Information Technology, led by Minister Dr. Amro Sobhy Talaat, issued comprehensive implementing regulations affecting data controllers, processors, and data protection officials operating within Egyptian jurisdiction or processing Egyptian resident information.
What: Executive Decree 816 of 2025 establishes operational framework for Law No. 151 of 2020, including mandatory registration requirements with fees ranging from 200 EGP to 666,666 EGP based on database size, cross-border transfer authorization procedures, breach notification protocols, sensitive data protections, and individual rights enforcement mechanisms across 42 articles.
When: The regulations were signed November 10, 2025, and published in Official Gazette Issue 244 (follow A) of year 199 A.H., taking immediate effect five years after the foundational legislation passed in 2020.
Where: The framework applies to personal data processing activities occurring within Egypt and to controllers or processors established outside Egypt when offering goods or services to Egyptian residents or monitoring behavior of individuals located in Egyptian territory.
Why: The implementing regulations transform Law No. 151 of 2020 from a legislative framework into an operational compliance system, addressing a five-year regulatory gap that left organizations without clear processing requirements, registration procedures, or enforcement mechanisms despite the existence of fundamental privacy legislation.