Recently, Egypt has adopted two new laws on cyber crime and consumer protection which can be seen as the first attempt by Egypt to regulate data privacy and security.
Specifically, the Law No. 175/2018 on Combating Information Technology Crimes and Law No. 181/2018 on Consumer Protection were adopted. The National Telecom Regulatory Authority ("NTRA") and the Egyptian Consumer Protection Agency respectively will be enforcing the new rules, and the Executive Regulations ("ER") that will be issued soon will be explaining the exact procedures of implementation.
What is changing?
The Combating Information Technology Crimes Law is the first Egyptian law that defines and penalizes various cyber crimes such as illegally logging into a website or private account, hacking or deactivating emails or websites, and illegally accessing credit card details. The law also clarifies that electronic data that is derived or extracted from various devices and sources may be considered as criminal evidence to prove the crimes stated in that law.. Before the issuance of this new law, all forms of data theft, misuse, hacking and theft of website content were governed by laws which did not address the specific nature of these crimes. Therefore, it was very difficult to prove those crimes and enforcement was quite inconsistent in many respects.
The law also imposes new duties and obligations on service providers (i.e., any natural or legal person that provides users with information technology and communication services, including those who process and store data themselves or through third parties). These obligations include storing user data (whether personal or not) for a consecutive period of 180 days and ensuring the confidentiality and security of the stored data. Service providers must also make their contact details and obtained licenses easily accessible to users.
As for the new Consumer' Protection Law, it grants consumers the right to not receive visits at their residences from sellers without their prior approval. The Consumer Protection Authority has indicated that this prohibition applies only to unsolicited sellers who physically approach residences. It does not relate to unsolicited electronic advertisement or unsolicited advertisement by post.
Implications of the new laws
From a consumer perspective, the new laws introduce some limited but welcome protections of personal data in the internet context.
- For music and media companies these new regulations will give them a clear and strong legal basis for fighting piracy through internet streaming and other crimes committed through the Internet that were not regulated before.
- An obligation on employers to further secure the data of their employees with non-compliance potentially leading to criminal liability.
- Liability of employees in relation to access to and usage of company information and passwords. Therefore, the internal regulations of companies need to differentiate clearly between the personal and professional device
- Increased obligations for banks and financial services providers to protect personal data.
What happens now?
According to Article 3 of the Consumer Protection Law and Article 44 of the Combating Information Technology Crimes Law, the ER will be promulgated during November 2018. The ER are expected to clarify the scope of the new laws and provide further details regarding their implementation.
Clients are advised to consider these laws closely in order to adjust their situation and conduct. Under the Combating Information Technology Crimes Law, businesses will have a one-year transitional period starting from 15 August 2018, during which they are required to take the necessary procedures/actions in order to adjust their position with this Law.