Contributed By Shehata & Partners
Metaverse Laws and Regulations
The metaverse is defined by the World Economic Forum as “a fully immersive digital reality”. Such multi-dimensional nature of the metaverse requires governance by several laws, each regulating a feature of this virtual world; but this new technology brings new uncertainties. Currently, there is no particular or unified legislation dealing with metaverse technology in Egypt. However, metaverse technology is generally dealt with under a number of legislations, which are set out below.
The Telecommunications Law
The Telecommunications Law No 10 of 2003, as amended (the “Telecommunications Law”) is the primary governing legislation overseeing the telecom sector in Egypt. It covers licensing regimes, frequency spectrum usage, powers and responsibilities of the National Telecommunications Regulatory Authority (NTRA), penalties, etc. The law establishes the NTRA as the authority for overseeing and improving communications services in Egypt.
Metaverse growth stems from combining small and large virtual worlds as a network of interconnected virtual worlds. Thus, collaborations between different service providers are inevitable; in law, certain provisions refer to interconnection and international collaboration.
The Telecommunications Law also provides a broad framework for telecommunications and technology services, on such issues as users’ data, consumer protection and competition rules between telecommunications service providers. This framework has resulted in the promulgation of numerous key legislations relating to technology, such as the E-Signature Law, the Data Protection Law and the Cybercrimes Law.
Key Legal Challenges to the Implementation of the Metaverse in Egypt
Intellectual property rights
The metaverse promotes itself as a space for innovative collaboration, providing enterprises and individuals with new avenues to expand and improve their services. Consequently, businesses and individuals may be concerned about safeguarding their intellectual property (IP) rights or enforcing their brand in such a virtual environment.
There is no tailored legislation for the protection of IP rights in the metaverse. However, several provisions under the Intellectual Property Law No 82 for 2002 (the “IP Law”) could apply to some IP challenges that may arise in metaverse technology.
There are three main types of IP protection under the IP Law:
All of these may be protected under the IP Law where the relevant registration requirements are fulfilled. However, in a virtual space such as the metaverse, potential IP infringements and disputes may occur, especially for non-IP holders.
Questions of applicable law and jurisdiction are also fundamental when raising IP disputes in a metaverse context, and are decisive when allocating the rights of the parties in an IP dispute and for the relevant enforcement mechanism.
Data protection
The Egyptian Data Protection Law No 151 for 2020 (the “Data Protection Law”) established the necessary protections for data collected for the purpose of metaverse technology. The Data Protection Law further established the Data Protection Centre (DPC) as the regulatory authority for data protection.
However, questions remain on the applicability of privacy laws within the metaverse, and on whose jurisdiction will apply, particularly given the complicated cross-section of protections. As the metaverse should have no “owner”, no one legislation can apply, though a globally unified code is likely at this time.
Cybercrime
Due to the structure of the old regime, several cyber-activities have been criminalised but dispersed among different legislation. The Cybercrimes Law No 175 for 2018 (the “Cybercrimes Law”) encompasses all these crimes, which is particularly significant given how the metaverse enables the advancement of new cybercrimes such as crimes against children, disinformation, ransomware, online harassment, impersonation and financial crimes.
The Cybercrimes Law criminalises several cyber-activities, including:
Although the Cybercrimes Law sets out a number of obligations to be observed by technology service providers (such as data storage, security and confidentiality), it is difficult to predict the application of the Cybercrimes Law in crimes committed using metaverse technology, due to the nature of such technology (which may be far more advanced than current technology schemes). Additionally, law enforcement measures in such crimes will require more advanced forensics and trained expertise than may be available at the time.
The current penalties for these cybercrimes range from a minimum fine of EGP10,000 to a maximum fine of EGP20 million, as well as imprisonment for a minimum of three months to a maximum of five years. These strict sanctions act as a frontline in cybercrime deterrence; however, questions remain on whether new crimes committed in the metaverse could escape this.
Obtaining licences
As metaverse platforms are created by combining multiple technologies, ensuring the competence of related service providers and setting clear guidelines is imperative. Thus, licence applications to the NTRA are necessary to evaluate an applicant’s capabilities and to set the conditions on which the licensee is to conduct their business. Accordingly, the NTRA issues various licences ranging from infrastructure to service provisions with specific obligations.
However, given the diverse technologies pertaining to the metaverse, the number of required licences could prove hectic for the licensee. In this regard, there are five types of licences related to the metaverse that are granted by the NTRA:
Each of these involves its own conditions and required procedures.
Cryptocurrencies
Money would be needed even in virtual reality; therefore, there is no escape from using cryptocurrencies that allow for direct user-to-user transactions, while non-fungible tokens (NFTs) function as a deed, proving ownership of digital assets in the metaverse. For this immersive experience to function in a manner allowing trade and sale of products, a sustainable e-economy and virtual space needs functional legislation. However, the New Banking Law has prohibited the issuance, dealing or promotion of cryptocurrencies, unless a CBE requisite licence is obtained.
For now, the lack of regulation brings with it the burden of uncertainty in cases where digital assets have been stolen, and uncertainty on whether victims trading in these prohibited currencies will find protection under the law. The suggestion that NFTs can prove true ownership is in much legal contention, as users believe that owning an NFT corresponding to a digital asset gives them absolute right of ownership. The issue arises straightaway, where users accept the terms and conditions of the metaverse platforms. Many metaverse and NFT platforms reserve the right to prohibit user access to digital property or to terminate it completely, at their sole discretion under their prescribed terms and conditions.
It is ambiguous whether Egyptian law extends its scope to protecting these digital assets, particularly if such trades are prohibited. However, for the time being, contractual relationships between the concerned parties could be the key to resolving these issues.
Laws and Regulations
The Telecommunications Law
The telecommunications sector is generally regulated under the Telecommunications Law. This law applies to all telecommunications services (including telecommunications networks’ installation and operation, use of telecommunications equipment, providing wired and wireless communications, connectivity, radio frequency, and broadband services) in addition to all types of information technology services.
The importance of the Telecommunications Law in the context of the digital economy can be seen in how it interjects with the regulatory framework applicable to digital services by using information technology. The Telecommunications Law also interjects, legally and practically, with other applicable laws in the digital economy field such as the E-Signature Law, the Consumer Protection Law, the Cybercrimes Law and the Media Law. Although these are regulated under special legislation, in practice the interjection between multiple laws in connection with the digital market can be unclear and complex.
The E-Signature Law
E-signatures and e-contracts are generally regulated under the E-Signature Law No 15 of 2004 (the “E-Signature Law”) and its executive regulations issued by Ministerial Decree No 109 of 2005 as amended. The E-Signature Law also established the Information Technology Industry Development Agency (ITIDA), which is the authority mandated to regulate and supervise e-signature activities and services in Egypt.
The E-Signature Law enables the use of technology in contract formation. It recognises e-signatures and established the evidence standard for electronic contracts by creating a means of validating e-signatures and e-writing to produce legal effects in civil, commercial and administrative dealerships. This was a major legislative step, since previously Egyptian evidence law did not recognise digital documents and signatures as legally effective.
In this respect, Article 18 of the E-Signature Law specifies the following proof criteria for e-signatures, e-documents and e-writing:
Verification and issuance of e-signature certificates under the E-Signature Law is permitted to licensed service providers. The licence is granted by ITIDA. The e-signature licensed service providers should comply with the e-signature services requirements provided under the E-Signature Law’s executive regulations, such as:
In practice, the use of e-signatures is a complex process and is only for companies that are licensed for their use.
The Consumer Protection Law
Consumer protection generally comes into play, especially when raising B2C transactions in digital market practice. Consumers are the ultimate end users of digital services and, therefore, having a strong legislative and regulatory system in place that enables building trustworthy relations between consumers and service providers is essential, especially in e-commerce.
In this respect, the new Consumer Protection Law No 181 of 2018 and its executive regulations were issued by the Cabinet of Ministers’ Decree No 822 of 2019 (the “Consumer Protection Law”), which extended consumer protection to online contracts.
The Consumer Protection Law incorporated novel terminologies to capture the application of consumer protection to online dealerships and digital services, such as:
The Consumer Protection Law stipulated numerous measures and protective rights for the consumer, such as the right of disclosure of pre-contractual and post-contractual information, and methods to restrict unfair impositions on a customer.
Additionally, the Consumer Protection Law provided a full chapter specifically dealing with online contracting. The chapter included a number of rights and important legal protections for the consumer, such as:
Nevertheless, online services under the Consumer Protection Law are excluded from the following activities:
These activities are subject to separate legal and regulatory applications, such as the media and banking laws.
Application of the Consumer Protection Law is mandated to the Consumer Protection Authority (CPA), which supervises and undertakes action against violations of said law.
Additionally, the NTRA also supervises consumer protection in telecommunications services. For this, the NTRA has issued general rules to protect the rights of users of telecommunications services. These rules have established several important guidelines to protect the rights of telecommunications service users by setting mandatory obligations on telecommunications service providers in providing telecommunications services. These obligations include:
The Data Protection Law
Egypt recently issued a data protection law in 2020. While the executive regulations of this law are still awaited, it is a key step towards applying the international standards required for online services and digital market transformation. In this context, the Data Protection Law No 151 of 2020 (the “Data Protection Law”) upholds the data protection rights for natural persons whose data and information are processed by digital means. The Data Protection Law generally regulates personal data gathered and processed digitally, and adopts broad definitions as regards extending the protection to data gathered digitally by online service providers. The following are worth noting:
Furthermore, the Data Protection Law sets out particular requirements for the use, collection and processing of personal data, including:
The Data Protection Law generally prohibits any direct digital marketing without obtaining the data subject’s prior consent. The digital marketing communication should include the name of the sender and location, and specify that the communication is for marketing purposes, enabling the data subject to reject or give their approval for the marketing communication.
Furthermore, the Data Protection Law establishes the Personal Data Protection Centre (PDPC), which is the authority mandated to license and regulate data processing in Egypt. The PDPC is not yet incorporated, and it is expected that the relevant executive regulations will be issued in 2024.
It is worth noting that the Data Protection Law upheld additional protection for the collection and processing of sensitive information, such as information relating to health, biometric and financial data, and criminal records. Information relating to children is by default considered sensitive information (sensitive data). The Data Protection Law prohibits the collection and processing of sensitive data except with prior permission from the PDPC – though this is yet to be incorporated.
The Cybercrimes Law
On 15 August 2018, the Cybercrimes Law came into force (see 1.1 Laws and Regulations). Its executive regulations, specifically No 1699 of 2020, regulate online activities and aim to penalise, inter alia, unlicensed online activity and content violations, such as accessing a site or a private account, using an authorised right to do so, and exceeding the limits of this right in terms of time or level of entry.
Service providers under the Cybercrimes Law have a number of obligations that protect service users, such as:
Thus, the Cybercrimes Law covers offences that significantly relate to the digital economy, such as offences violating confidentiality, the integrity and availability of computer data, computer-related offences, privacy infringements, and so on.
The FinTech Law
Law No 5 of 2022 regulating and developing the use of financial technology in non-banking financial activities (the “FinTech Law”) came into effect in February 2022. This law aims to reinforce the inclusion of the non-banking sector in the digital market and encourage the transition towards a cashless society. Non-banking financial activities are supervised and regulated by the Financial Markets Authority (FRA).
The FinTech Law specifically regulates the use of technology in non-banking financial activities. “Non-banking activities” are defined as “financial markets and non-banking tools supervised by the FRA, including capital markets, insurance, real estate finance, financial leasing, factoring, SMEs’ financing activities and consumer finance”.
Additionally, under the FinTech Law “financial technology” is defined as “any mechanism that utilises modern and innovative technology in the non-banking financial sector to support and facilitate financial services, financing and insurance activities using applications, software, digital platforms, artificial intelligence or electronic records”.
The FinTech Law lays out entity incorporation and activity licensing requirements. There are three main licensing requirements for companies operating in the field of non-banking financial activity using financial technology. These requirements include, in particular:
The New Banking Law
Egypt has issued the new Banking Law No 194 of 2020 (the “New Banking Law”), which replaces the old Banking Law No 88 of 2003 as a step towards integrating the banking system as part of digital economy growth. The New Banking Law recognises and introduces key innovative areas such as digital banks, cashless payments, payment service providers, payment systems operators, cryptocurrency and e-money.
The Central Bank of Egypt (CBE), in line with the New Banking Law, has permitted the use of financial technology and electronic payment services. This extends to enabling technical payment aggregators and payment facilitators, payment services using prepaid cards, and standards for the issuance and acceptance of contactless payments in the banking field.
The New Banking Law permits the use of financial technology in rendering banking services. Additionally, the New Banking Law sets out licensing conditions and outlines the main rules for operating a payment system, as well as outlining penalties for violations of payment service providers (PSPs) and payment systems operators (PSOs). The New Banking Law provides the following definitions:
According to the New Banking Law, natural and juristic persons are prohibited from conducting any activities related to operating payment systems or providing payment services, unless they have obtained a licence from the CBE. The CBE also further extends the licensing requirement to PSPs and PSOs operating inside Egypt or who target Egyptian residents from abroad.
The New Banking Law also requires licensed service providers to preserve an electronic copy of the registry, contracts, correspondence, commercial papers and documents relating to banking and payment transactions. These copies would have the same legal value as the original documents as long as these documents were preserved, processed and retrieved in the technical manner decided by the CBE (Article 203).
Key Challenges
Although Egypt has witnessed a number of efforts to support growth of the digital market, in practice challenges remain in some areas, as discussed here.
Regulatory framework
The digital market involves numerous regulatory authorities, depending on the type of digital activity. This perhaps stems from the fact that there is no consolidated e-commerce law and e-commerce authority that regulates all e-commerce fields or provides adequate mechanisms of enforcement. In addition, the E-Signature Law (the main law dealing with digital transactions) was issued in 2004 and is significantly outdated considering current technology markets development, especially globally.
The current legislative platform in Egypt for dealing with e-commerce is also unclear as regards the conclusion and execution of electronic transactions, parties’ liabilities and rights, and the burden of proof. Egypt also remains slow in the enactment of an e-government regulatory framework to enable the digital transformation of government services, which would ease and support integration with the commercial digital market, especially on a local level.
The regulatory framework was among the key issues raised under the national e-commerce strategy with UNCTAD in 2017, which aims to underline the key strategic and legislative reformations for developing the digital economy in Egypt (the “E-Commerce Strategy”). The E-Commerce Strategy highlighted the legislative and practical improvements needed in the e-commerce field. These include addressing the issue of intermediary liability of the internet service provider, e-procurement and the provision of adequate data protection enforcement mechanisms. Despite the enactment of the Data Protection Law, in practice its application remains unclear since the relevant licensing body is not yet established, and said law’s executive regulations are yet to be issued.
Tax
The tax application regime in the digital market and in e-commerce remains a complex matter. Key challenges pertaining to tax application in e-commerce include identifying the permanent establishment (PE) subject to tax, determining tax liability, and enforcement.
Egypt has worked towards including e-commerce in the tax system. The Egyptian Minister of Finance issued Decree No 307 of 2020 incorporating an e-commerce department mandated to register e-commerce businesses for taxation purposes.
Subsequently, the Egyptian Tax Authority (ETA) issued Executive Circular No 89 of 2021, requesting commercial and non-commercial activities to register with the ETA. These activities include:
The ETA classifies taxpayers’ registration under these activities into two categories:
Currently, e-commerce activities are subject to revenue and value-added tax (VAT). Revenue tax applies to direct income generated from online services, while VAT applies indirectly to services rendered to customers. The ETA also introduced the electronic invoice, which is mandatory for all merchants and business practitioners in Egypt, including in e-commerce. Application of the electronic invoice and reporting of tax in digital activities are quite novel and remain unclear in practice.
Intellectual property
Finally, the IP Law (see 1.1 Laws and Regulations) did not allocate specific protection of IP and copyrights in online and digital markets. It is still unclear which authority is competent and how for protecting IP rights in the digital economy. The IP Law requires the registration of a trade mark and IP rights in order to gain the legal protection prescribed under said law in Egypt. Although major initiatives have been undertaken since, there is yet much room for enhancement, such as by granting ITIDA the authority to investigate related infringements via an online complaints system, and training officers for electronic evidence procurement.
Cloud and edge computing activities were recently introduced into the Egyptian market. These activities are broadly subject to a number of legislations in Egypt, including the Telecommunications Law, the Data Protection Law and the Cybercrimes Law. The Egyptian government opted for a cloud strategy in 2014 which aimed to move the governmental sector towards cloud technology and towards enacting e-government services. To date, however, this strategy has yet to be substantially realised.
In 2021, the NTRA issued the regulatory framework for establishing and operating data centres, and for the provision of cloud and data hosting services (the “Cloud Framework”). The Cloud Framework sets out the licensing and registration requirements for:
The requirements are summarised as follows.
Cloud Service Providers (CSPs)
CSPs are defined as companies that provide various cloud computing services of all types, whether through entirely owned data centres or via data centres leased from a public data centre. Examples of CSPs include Microsoft Azure, AWS, GCP Alibaba Cloud and IBM Cloud.
CSP services provided in Egypt would require prior registration with the NTRA. The registration would be valid for 15 years.
In order to obtain the approval of the NTRA on registration, the applicant should:
CSP service providers are required to evaluate their cybersecurity system and obtain a system tiering accreditation certificate from the NTRA for the purposes of cybersecurity system evaluation and data protection.
Registration as a CSP service provider would enable providing cloud computing services inside Egypt (for own use or for other users inside Egypt) and connecting to submarine systems via infrastructure service providers.
Public Data Centre Providers (PDCPs)
PDCPs are data centres established in Egypt for the purpose of hosting other service providers such as regards the cloud, content, Equinix, digital reality and internet exchange point (IXP). PDCPs are required to obtain the relevant licence from the NTRA. The licence’s duration is 15 years, and would enable a PDCP to:
Private Data Centres (PDCs)
PDCs are data centres established by a natural or juristic person for their own and sole use. PDCs do not require prior registration with or a licence from the NTRA, unless the PDC would be providing the service to other users. In this case, the PDC would transform into a PDCP, and the licensing requirements of the NTRA would apply.
Cloud and edge computing services are generally subject to the Data Protection Law in terms of licensing and processing, using and storing personal data, and ensuring application of the relevant security measures as clarified in 2.1 Key Challenges. Data subjects generally have the right to submit a complaint against the data processor or controller to the DPC in cases where there is any violation of the rights conferred under the Data Protection Law.
Conversely, the Data Protection Law excludes personal data with the CBE and entities that are supervised/regulated by the CBE – except remittance and exchange companies. Data protection and secrecy are among those customer rights provided under the New Banking Law. In February 2019, the CBE issued instructions in connection with protecting customers’ interests. These instructions included:
The CBE’s instructions consider all customer data (whether personal or financial) confidential and prohibit its use, disclosure or sharing without the prior consent of the customer. A complaint in connection with any banking service is generally assigned and dealt with by the customer protection unit of the CBE.
The main challenge encountered with cloud and edge computing activities occurs at both the regulatory and practical level. To date, there is no clear regulatory framework dealing with cloud and edge computing services. This is particularly problematic since the Data Protection Law’s executive regulations are not yet issued, and the DCP is also not incorporated. In practice, this leaves the licensing and reporting requirements for data protection violations and data collection rights enforcement uncertain and unrealised.
Laws and Regulations Relating to the Use of Artificial Intelligence
Artificial intelligence (AI), and in particular data-driven methods such as machine learning, heralds a fundamental change not only in the Egyptian economic and social systems but globally as well. The key importance of AI is that it helps people predict the future and thus enables them to make better strategic decisions.
Currently, AI is not regulated under specific Egyptian legislation. The telecommunications sector, however, has attempted to implement and enhance the use of AI technology in Egypt.
In this regard, the Cabinet of Ministers Decree No 2889 of 2019 was issued in November 2019 to establish the National Council for Artificial Intelligence (NCAI). The NCAI follows the Ministry of Telecommunications and is presided over by the Minister of Telecommunications. The NCAI is mandated to develop, implement and manage AI strategy through close collaboration with experts and stakeholders. The NCAI should co-ordinate national efforts, develop Egypt’s strategy for AI, develop various applications related to AI, recommend capacity-building programmes, and enhance the skills and knowledge of national cadres. Currently, the Egyptian government has upheld an AI strategy that aims to strengthen the Egyptian technology platform and economy, and to encourage international partnerships in that field.
Elements Relevant to AI Technology
Data protection and consumer protection
AI as a mechanism requires the collection of big data and learning the patterns of such data. In other words, large sets of data are combined for a specific task or mission through an intelligent collection process, where several patterns are found in the collected data; as a result, outcomes can be easily predicted for specific outputs.
In view of this, any collected and/or processed data for the purpose of AI technology is protected under Egyptian law. The Data Protection Law states that in order to collect, process and retain personal data, the following conditions must be met:
Further, the Consumer Protection Law states that a supplier must preserve the consumer’s information and data, and must not trade or disclose it in violation of the provisions of said law or the laws related to this matter, unless the consumer expressly agrees. A supplier must also undertake to take all necessary precautions to maintain the confidentiality and privacy of the data and information.
Intellectual property – inventor of the inventor
It is a well-known general principle that only those who hold a legal personality can be protected and regulated under the law, which means that AI inventors could certainly legally protect their patent rights where they comply with the required conditions stated under the IP Law and its executive regulations. The question arises, however, as to whether an AI machine could protect its own inventions, for it is highly expected that AI machines could reach such a high level of intelligence as to allow them to invent patents that would otherwise be protected if invented by a human being. The answer to this question is left open not only in Egypt but also worldwide, as AI technology is brutally evolving every day, while comparatively the currently applicable laws are standing still. The general approach in Egypt and worldwide is, nevertheless, to not grant patent rights to AI machines as they do not possess a legal personality “yet”.
Liability and insurance
Were an AI machine (eg, a robot) to commit a certain act that results in damage to a certain person or thing, questions arise as to who should be liable (ie, the inventor of the robot or the robot itself).
One might argue that the inventor of the AI machine should be liable for whatever damage was caused by the AI machine unless such damage was unpredictable and inevitable. However, an AI machine evolves every time it interacts with human intelligence, which enables the AI to develop its own personality and reactions to various human interactions, making it nearly impossible to predict or contain an AI.
In this regard, the Egyptian Civil Code No 131 for 1948 states that whoever takes over the guardianship of objects whose protection requires special care, or the guardianship of mechanical machines, shall be responsible for the damage caused by those objects, unless it is proved that the occurrence of the damage was due to a foreign cause beyond their control. Therefore, an AI inventor could be held liable in the case where their invention caused damage, and such damage was predictable and could have been prevented.
In addition, the Consumer Protection Law states that a supplier shall be liable for any damage caused by the product if it is proven that the damage arose from a defect in the product due to its design, manufacture or installation. Also, the supplier shall be liable for any damage caused by the product due to using it in the wrong way, if it is proved that the damage is due to the supplier’s failure to take sufficient care to prevent the occurrence of damage, or to alert to the possibility of its occurrence. The supplier shall further be responsible for any damage caused by the product if it is established that the damage arose from a defect due to the method of preparing the product for consumption, preservation, packaging, circulation or display.
Regulations Relating to the Internet of Things
In view of the recent spread and steady growth of the internet of things (IoT) all over the world, Egypt, in line with its 2030 vision adopting the establishment of many smart cities such as the New Administrative Capital, has concentrated its attention on IoT and its related services. In January 2022, the NTRA issued the first regulatory framework concerning the IoT, pursuant to the Telecommunications Law, thus advancing the growth of IoT services in Egypt, as well as studying the obstacles facing the spread of these services and how to overcome them.
IoT is defined under this framework as a service that is based on the use of technical means to enable automatic communication between things or objects in order to exchange, analyse and process data between them and make it available to users. Things or objects are defined under this framework as any physical objects that are connected to a digital/electronic identity which enables them to make connections, such as refrigerators, cars, power stations and others.
In other words, IoT includes all devices, physical and digital components, and systems that are connected for the purpose of benefiting from the data collected by sensors and embedded systems in machines and other physical objects, and sharing that data across communication networks where it can be processed and used for various purposes.
IoT is divided under the NTRA IoT framework into five classifications, depending on the nature of use:
Data Protection
IoT technology mainly depends on the collection of data and its exchange, analysis and processing. Therefore, an IoT service provider is obligated to fulfil all necessary institutional and technical procedures and steps to protect the confidentiality of information and data of the service users, as per the general obligations prescribed by the NTRA IoT regulatory framework. Further, this framework is explicitly subject to the provisions of the Telecommunications Law and, in particular, the Data Protection Law.
Any collected and/or processed data for the purpose of IoT technology is therefore protected under Egyptian law. As per the Data Protection Law and its executive regulations, and the Consumer Protection Law, the conditions discussed under Data protection and consumer protection in 4.1 Liability, Data Protection, IP and Fundamental Rights must be met.
The Cybercrimes Law
See under The Cybercrimes Law in 2.1 Key Challenges.
The Cybercrimes Law covers offences that relate to IoT technology, such as offences violating confidentiality, the integrity and availability of computer data, computer-related offences and privacy infringements.
Machine-to-Machine Communications
Machine-to-machine (M2M) communications refer to services connecting devices with each other and transferring data between them either by wired or wireless connections, as per the above-mentioned NTRA IoT framework.
Since M2M applications and services are concerned with the process of connecting devices to each other, they are considered part of IoT applications and services.
Currently, mobile phone service providers or other companies operating in various commercial or industrial activities use M2M services according to one of the following methods:
Audio-visual services are generally regulated by Law No 180 of 2018 regulating press and media (the “Media Law”) and its executive regulations issued by Prime Ministerial Decree No 418 of 2020. The licensing requirements for media services are also set out in the President of the Supreme Media Council Decision No 26 of 2020 (the “Licensing Regulations”).
Regulatory application extends to all types of media, press and marketing content and broadcasting services, including content disseminated or generated via audio, video, satellite, electronic media, marketing, and internet platforms (media services). The Media Law establishes the licensing requirements for press, media, websites, online platforms and broadcasting activities. In this context, social media platforms and user-generated content would fall under the ambit of the Media Law. This inclusion aims to track content as well as income generated from these platforms for tax purposes.
The Media Law requires obtaining a prior licence from the Supreme Council for Media Regulation (SCMR). To obtain the SCMR licence, specific prerequisites for audio-visual media services should be met by an applicant.
The prerequisites and licensing requirements are as follows.
Prerequisites
Media
Media institutions are defined under the Media Law as “institutions that manage media means”. Media means are defined as “terrestrial and satellite television channels, and wired, wireless and electronic broadcasting stations”. The Media Law prohibits the incorporation or operation of any media means or websites, or advertising for these services, without a prior licence from the SCMR (Article 59). The Media Law also prohibits carrying out broadcasting services from outside accredited media locations except with the approval of the SCMR. In addition, the Media Law restricts broadcasting of any media means which include commercial materials, whether electronic, visual or audio, through smartphones or other types of equipment, except with the approval of the SCMR and subject to the applicant being a holder of a tax card.
The licence will set out the duties of the licensee, which inter alia shall include:
Participating in and owning media means and online websites is permitted for Egyptian nationals, whether individual or juristic entities. Also, the Media Law requires that the prospective owner or participant not be subjected to crimes of dishonour or deprived of practising their political rights.
Furthermore, the Media Law requires that the owner of the media means that undertakes audio, visual or electronic broadcasting through use of the internet takes the form of a company (Article 51). The minimum authorised share capital for a media company is as follows (Article 54):
Foreigners, whether natural or juristic persons, may not own the majority of shares or acquire controlling rights in media institutions. Foreigners wishing to obtain a licence to provide media means should have a foreign media licence or a legal domicile abroad (Article 22 of the Licensing Regulations).
Websites
The Media Law defines a website as a “licensed electronic page, link or application through which press, media or advertising content is presented, whether it is textual, audio, visual, static, mobile or multimedia, and is issued under a specific name and has a specific electronic address and domain, and is created, hosted or accessed through the internet”.
The Media Law prohibits establishing or operating websites, or creating branches of websites, operated from abroad in Egypt without a prior licence from the SCMR.
Application to own or operate a website is permitted for Egyptian nationals, whether natural or juristic, as long as the applicant is not subjected to crimes of dishonour or deprived of practising their political rights. Corporate entities wishing to own a website and obtain the relevant licence should have a minimum share capital of EGP100,000. Foreign websites providing news, media or marketing content in Egypt also require a prior licence from the SCMR.
Licensing
Media
Media services require a prior licence from the SCMR. To obtain this, the relevant application form should be filled in and submitted to the SCMR, supported with the requisite information, as follows:
Websites
Websites, whether in the form of an application, platform or page, require a prior licence from the SCMR. The Licensing Regulations stipulate the licence requirements for websites by specifying those activities that fall within the category of “websites” as follows:
To obtain a website licence, the applicant should submit the relevant application to the SCMR supported with the necessary documents and information. These would include:
The telecommunications sector is regulated in Egypt mainly by the Telecommunications Law (see 1.1 Laws and Regulations). Additionally, the Ministry of Telecommunications and Information Technology has issued the following:
The Telecommunications Law defines telecommunications (telecom) as “any means of sending or receiving signs, signals, messages, texts, images or sounds of whatsoever nature, whether the communication is wired or wireless”. The Telecommunications Law also defines telecommunications services as “providing or operating telecom, whatever the means used.”
Telecommunications Services and Activities
Fixed services
These include:
Wireless services
These include mobile services, mobile networks, message services and VAS.
Satellite services
These include:
International services
This concerns establishing and operating an international telecommunications gateway.
Infrastructure leasing
These services are related to:
Telecommunications equipment
These services are related to using, assembling and manufacturing telecommunications equipment. Telecommunications equipment is defined under the Telecommunications Law as “any equipment, machinery or accessories used, or that could be used, in telecommunication services”. This includes wired, wireless and radio frequency telecommunications equipment.
Data hosting and cloud computing services
These services involve the following:
Licences and Permits
Launching and using telecommunications services in the Egyptian market requires the prior authorisation of the NTRA. The Telecommunications Law generally distinguishes between two types of NTRA authorisation: licences and permits. Licences are required for establishing or operating telecommunications networks, carrying out telecommunication services, using radio frequencies or passing international phone calls (Article 21 of the Telecommunications Law). Permits are required for importing, trading, manufacturing and assembling telecommunications equipment (Articles 44 and 48 of the Telecommunications Law).
Licences
A prior licence from the NTRA is required to provide telecommunication services in the Egyptian market. The Equipment Licensing Requirements further set out radio frequency licensing requirements. The licence to provide telecommunications services generally requires submitting the relevant application form to the NTRA, including but not limited to the following:
The licence will specify the scope, duration, territory, quality of service, secrecy of information and other obligations of the applicant.
In addition to the above, the Telecommunications Law establishes the interconnection and integration obligation between licensed telecommunications service providers (Article 28 of the Telecommunications Law). Interconnection is defined as “connecting the licensed networks of two or more providers with each other, enabling connection between users through whatsoever networks or services they use.”
In this context, the integration of telecommunications services in the Egyptian market requires obtaining the relevant licence from the NTRA and entering into an interconnection agreement with a licensed telecommunications service provider. For this, telecommunications service providers will have the duty to:
Consequently, and to ensure setting a clear framework for the provision of interconnection in Egypt, the NTRA issued the Interconnection and Wholesale Services Policy (the “Interconnection Policy”). The Interconnection Policy provides guidelines on entering into reference interconnection offers (RIOs) and service level agreements (SLAs) with Telecom Egypt (the state telecommunication operator and company controlling the telecommunications infrastructure in Egypt) and with other licensed telecommunications service providers in Egypt. The Interconnection Policy highlights the following aspects:
Permits
The Telecommunications Law requires obtaining a permit from the NTRA to import, assemble or manufacture telecommunications equipment and peripheral communications devices. The Equipment Licensing Requirements further set out the conditions for obtaining this permit.
Recently, the Telecommunications Law was amended by way of the Law No 172 of 2022 (the “Amended Telecommunications Law”). By way of this amendment, the penalty of possessing, assembling, using or marketing the telecommunications equipment without requisite NTRA permit would expose to a fine ranging between EGP2 million and EGP5 million in addition to imprisonment for between one and five years.
In addition to the NTRA permit, the acquisition, operation and use of portable or fixed transmission devices also requires approval from the SCRM, as highlighted in 6.1 Requirements and Authorisation Procedures.
The NTRA permit would generally apply in the case of importing telecommunications equipment and is granted to companies manufacturing, assembling or trading in telecommunications equipment. To obtain this permit, an application for “type approval” from the NTRA is required. This approval is also requisite for the purposes of customs clearance in the case of importation. The “type approval” will attest to technical safety and suitability to import and use the equipment in the Egyptian market.
Technology agreements are recognised under Egyptian legislation in the context of the transfer of technology. To understand the challenges involved with transfer of technology agreements, it is important to first examine the related legal provisions. Transfer of technology agreements are dealt with under the Commerce Law No 17 of 1999 (the “Commerce Law”).
Article 73 of the Commerce Law defines a transfer of technology agreement as “a contract in which the supplier of technology undertakes to transfer, against payment, technical know-how to the importer of technology to use it in a special technical way, for the production or development of a specific commodity, the installation or operation of machines or equipment, or for the provision of services. The mere sale, purchase, lease or rental of commodities or trade marks shall not be considered a transfer of technology, unless this is set forth as part of, or is connected with, the transfer of technology agreement.”
The above definition incorporates the transfer of technology to agreements that entail the transfer of technical know-how against payment of consideration. Types of transfer of technology agreements would include:
In this context, agreements not dealing with the transfer of technical know-how (such as business know-how, marketing, and financial strategies) will not be considered a transfer of technology agreement. The term “transfer of technology” under Egyptian law is, however, very broad. It would extend to any agreement, whether standalone or part of another contract (Article 72-2). The Commerce Law provides that these provisions shall apply to each transfer of technology agreement used in Egypt notwithstanding the nationality of the parties, their place of residence, whether the transfer is international or national (Article 72-1), or whether the transfer is provided in an ancillary agreement.
The technology transfer agreement should be made in writing; otherwise, the agreement will be null and void. The transfer of technology agreement should also incorporate all the information in connection with the technical know-how and elements of knowledge being transferred (Article 74).
The supplier is under the obligation to disclose the following information to the importer, whether during the negotiations or in the contract:
In addition, the supplier must also submit to the importer information, data and other technical documents as required for the assimilation of the technology, as well as the necessary technical services requested by the importer for the operation of the technology, particularly expertise and training. The supplier must inform the importer of improvements to the technology during the validity period of the contract, and transfer these improvements to the importer if the latter so requests.
It should be noted that the Commerce Law upholds a protective approach towards the importer of technology. This is illustrated in its granting broad rights to such importer of technology, and grounds to annul the technology transfer agreement if these rights are breached. Article 75 of the Commerce Law prohibits provisions that would result in restricting the freedom of the importer in using, developing, acquainting with or announcing the production of the transferred technology. Such restrictions could result in invalidation of the underlying provisions.
More specifically, the Commerce Law lists a number of contractual provisions in the technology agreement that would be deemed of a binding and restrictive nature to the importer in the context of Article 75, as follows:
The inclusion of any of these conditions in the technology transfer agreement could ultimately result in nullifying the underlying provision.
Notably, Article 87 of the Commerce Law provides default jurisdiction of the Egyptian courts over disputes arising out of technology transfer agreements. Arbitration is permitted only if it is held in Egypt according to the provisions of Egyptian law. Any agreement to the contrary shall be null and void.
Key challenges in connection with the transfer of technology agreements essentially arise in relation to legislation. Proper observance of the restrictions and obligations imposed by the Commerce Law for transfer of technology agreements is important to avoid realisation of risks. These challenges and elements of consideration are summarised as follows.
Default Applicable Law and Jurisdiction
Perhaps the most remarkable risk is the mandatory application of Egyptian law which may not be derogated by the agreement of the parties. Article 87 of the Commerce Law grants default jurisdiction to the Egyptian courts in disputes arising in connection with the transfer of technology agreements used in Egypt. The Egyptian legislature has set out the conflict of law rule by making Egyptian law the only applicable law, and excluding jurisdictional considerations delimiting Egyptian courts’ jurisdiction in deciding on transfer of technology disputes, such as regards the nationality of the parties or their place of residency, or the type of transfer (national or international).
Although Article 87 of the Commerce Law permits resorting to arbitration to resolve disputes in transfer of technology agreements, the applicable law and seat of arbitration shall by default be those of Egypt. This position was upheld in a recent decision rendered by the Cassation Court in 2021 (Case No 10305/83) where the court decided that Article 87 of the Commerce Law is a mandatory rule of law. Accordingly, if a foreign licensor insists upon a foreign governing law and seat of arbitration in a transfer of technology contract with an Egyptian counterparty, such provision is likely to be declared null and void by the Egyptian courts.
The rule set out in Article 87 of the Commerce Law has long been debated. The current position is that this rule is of public order and may not be deviated from by the agreement of the parties, and consequently restricts the parties’ freedom to choose the applicable law and jurisdiction (seat) of their dispute.
Nullification
The Commerce Law provides a wide range of grounds for invalidating the technology transfer agreement prescribed under Article 73, which primarily aims to protect the importer’s rights. Egyptian law considers the importer the weak party in a transfer of technology agreement. This position grants Egyptian courts broad powers to classify and weigh the provisions of the technology transfer agreement.
Guarantee and Liability
Article 85 of the Commerce Law provides for liability of both the importer and the supplier of technology towards third parties in connection with damages that occur from the use or application of the technology.
Additionally, Article 85 provides that the supplier must guarantee:
This is deemed a default guarantee unless otherwise agreed upon in writing between the parties. Accordingly, it is important that the parties agree to the specifications and guarantees in the transfer of technology agreement to avoid the default application of the guarantee prescribed by law.
The parties should also be aware of the technology services requirements, especially from the standpoint of consumers, data privacy and cybersecurity. In this sense, proper consideration should be given to consumer and data protection rights and cybersecurity requirements under Egyptian law, as this may involve liability or other implications for the parties when performing their duties under the technology transfer agreement. These requirements could also differ depending on the use of the transferred technology and activities related thereto. For instance, data secrecy and security in the banking sector are subjected to additional requirements and more stringent monitoring under applicable laws.
Secrecy
Article 83 of the Commerce Law recognises how the duty of secrecy in a transfer of technology agreement differs depending on a party’s position in the agreement. For instance, the importer has the duty to preserve the secrecy of the improvements introduced by the importer to the technology, and where these improvements are transferred to the supplier as per the agreement. Breach of this duty would trigger the liability of the importer to indemnify the supplier against losses resulting from breach of that duty, whether or not this breach occurred during the negotiation phase or after the signature of the transfer of technology agreement.
Conversely, the supplier’s duty of secrecy towards the importer only covers improvements introduced by the importer to the technology as per the transfer of technology agreement’s provisions. Therefore, it is important for the parties to review their respective confidentiality duties and rights in the transfer of technology agreement. Parties should also take into consideration particular confidentiality and protection factors regarding IP rights.
Duration
Article 86 of the Commerce Law permits the parties to a technology agreement to request termination or amendment of the terms of the transfer of technology agreement upon the lapse of five years from the date of the agreement. It is thus important for parties to expressly agree on the duration and rights for termination or review of the terms of the transfer of technology agreement, to avoid this default application under Article 86.
Trust services, the use of e-signatures and digital identity schemes are mainly all regulated under the E-Signature Law and its executive regulations. The E-Signature Law falls under the auspices of the Telecommunications Law, which regulates the telecommunications sector.
The E-Signature Law was further issued in light of the Evidence Law No 25 of 1968, and the Protection of Intellectual Property Rights Law No 82 of 2002.
The key purpose for issuing the E-Signature Law was to regulate e-signatures (defined below) and to establish an authority (ie, ITIDA) responsible for regulating the activity of e-signature services and other activities in the field of electronic transactions and the information technology industry (see The E-Signature Law in 2.1 Key Challenges).
On 4 March 2021, ITIDA issued a general “Certificate Policy” (CP) guideline, which is pursuant to the E-Signature Law and its executive regulations. The CP guideline established that ITIDA shall operate the Egyptian Root-CA, which issues certificates for certification service providers (CSPs) issuing digital certificates for e-signatures and electronic seals. The Egyptian Root-CA therefore serves as a trust anchor for all e-signatures based on certificates that are issued in Egypt. There is a limited number of licensed CSPs in Egypt and, in addition to the Government Electronic Certification Authority (Gov-CA), the following are the licensed companies in the Arab Republic of Egypt:
Moreover, the New Banking Law No 194 of 2020 expressly provides that licensed banking entities and representative offices of foreign banks in Egypt must keep electronic copies of records, contracts, correspondences, commercial papers and documents related to banking transactions and payment services, for the periods legally specified for keeping their originals.
These copies shall have the same evidential powers as the original documents when their retention, circulation and retrieval have been carried out in accordance with the rules and technical standards determined by the board of directors of the Central Bank of Egypt.
Elements Relevant to the E-Signature Law
Fundamental rights
As per the E-Signature Law, e-signatures and electronic documents, within the scope of civil, commercial and administrative transactions, shall have the same evidentiary effect as given to written signatures and official and customary documents in the provisions of Egyptian evidence law in civil and commercial materials, as long as the conditions stipulated in the E-Signature Law are fulfilled (see 2.1 Key Challenges).
Further, a copy from an official electronic document has the evidential effect of being identical to the original of the document, as long as the official electronic document and the e-signature are present on an electronic back-up.
Data protection
Without prejudice to the general protections conferred under the Data Protection Law, the E-Signature Law also reinforces data protection in all data related to e-signatures. In particular, the E-Signature Law states that e-signature data and all electronic information provided to an entity authorised to issue electronic certificates (ie, a CSP) is confidential, and the person to whom it was presented or who was contacted, by virtue of their work, may not disclose it to others or use it for a purpose other than that for which it was presented.
Intellectual property
In furtherance to the IP Law, the E-Signature Law is eager to protect those entitled to IP rights, and grants ITIDA the authority to deposit and register the original copies of computer programs and databases submitted by entities or individuals who publish, print and/or produce them, in order to preserve their IP rights and any other rights.
Jurisdiction
According to the E-Signature Law, ITIDA is the authority responsible for licensing and supervising e-signatures. The E-Signature Law confers a number of powers on ITIDA, including:
Moreover, the E-Signature Law authorises ITIDA to revoke or suspend a licence if the licensee (ie, CSP) violates the licensing conditions.
Liability
As regards liability, there are mutual obligations on both ITIDA and on CSPs that aim to ensure the legally binding effect of e-signatures and electronic seals.
A CSP must first obtain the relevant licence from the competent authority under the control of ITIDA, and use said licence within the scope of its issuance – that is, issuing digital certificates for e-signatures and electronic seals. The validity of a certificate issued by a CSP must not exceed that of the CSP licence.
ITIDA must comply with the E-Signature Law and its executive regulations when licensing CSPs.
Cairo Business Plaza
North Tower
Second Floor
Unit 204
New Cairo, Cairo
Egypt
+20 28135682
info@shehatalaw.com https://shehatalaw.com