Sat, 18 Jul 2020 - 01:39 GMT
President al-Sisi attends a press conference with his Russian counterpart in Cairo in 2017. KHALED DESOUKI/AFP/Getty Images
Amendments to the law
Article no. 19 of the law stipulates the establishment of a general authority under the name “personal data protection centre,” to protect personal data and regulate its availability and procession.
Parliament also amended article 2 to obligate the “controller and processor” of data to notify the centre of personal data protection of any breach within 72 hours of identifying it. And in the event that the breach affects national security, data controllers and processors must notify the centre within 24 hours and national security authorities.
This centre will develop strategic plans, policies, and programmes required to protect personal data, and it will coordinate with all governmental and non-governmental bodies to execute protection measures.
It will comprise representatives from ministries of justice and foreign affairs, General Intelligence Service, and the Administrative Control Authority.
Article 14 of the law, concerned with cross-border personal data protection, was also amended. It stipulates that it is prohibited to carry out transfers, storage, or sharing of personal data that was collected or prepared for processing to a foreign country unless there is a level of protection no less than what is required by this law, and with a licence or permit from the centre for protecting personal data.
As for Article 17, concerned with direct electronic marketing, parliament removed the word “preconceived” to stipulate that it is prohibited to make any electronic communication with any person for the purpose of marketing unless the following conditions are met. Obtaining the target person’s approval.
The parliament also amended paragraph 8 of Article 20 to now stipulate that, instead of four, the centre of protecting personal data will be comprised of three members to be chosen by the concerned minister.
Article 32 stipulates, “the person concerned with the data and every person of direct nature and interest may submit to any holder, controller, or processor a request related to the exercise of his rights stipulated in this law, and the applicant is obliged to respond to it within six working days from the date of its submission to it.”
Articles no. 35, 36, and 37 state that whoever collects, process, or discloses personal data without the consent of the individual concerned for other purposes other than legally authorised, shall be fined no less than EGP 100,000 and no more than EGP 1m. Whoever commits the previous violation.
for personal gain shall be imprisoned no less than six months or fined no less than EGP 200,000 and no more than EGP 2m, or given both punishments.