TMT 2024 Comparisons

Metaverse Laws and Regulations

The metaverse is defined by the World Economic Forum as “a fully immersive digital reality”. Such multi-dimensional nature of the metaverse requires governance by several laws, each regulating a feature of this virtual world; but this new technology brings new uncertainties. Currently, there is no particular or unified legislation dealing with metaverse technology in Egypt. However, metaverse technology is generally dealt with under a number of legislations, which are set out below.

The Telecommunications Law

The Telecommunications Law No 10 of 2003, as amended (the “Telecommunications Law”) is the primary governing legislation overseeing the telecom sector in Egypt. It covers licensing regimes, frequency spectrum usage, powers and responsibilities of the National Telecommunications Regulatory Authority (NTRA), penalties, etc. The law establishes the NTRA as the authority for overseeing and improving communications services in Egypt.

Metaverse growth stems from combining small and large virtual worlds as a network of interconnected virtual worlds. Thus, collaborations between different service providers are inevitable; in law, certain provisions refer to interconnection and international collaboration.

The Telecommunications Law also provides a broad framework for telecommunications and technology services, on such issues as users’ data, consumer protection and competition rules between telecommunications service providers. This framework has resulted in the promulgation of numerous key legislations relating to technology, such as the E-Signature Law, the Data Protection Law and the Cybercrimes Law.

Key Legal Challenges to the Implementation of the Metaverse in Egypt

Intellectual property rights

The metaverse promotes itself as a space for innovative collaboration, providing enterprises and individuals with new avenues to expand and improve their services. Consequently, businesses and individuals may be concerned about safeguarding their intellectual property (IP) rights or enforcing their brand in such a virtual environment.

There is no tailored legislation for the protection of IP rights in the metaverse. However, several provisions under the Intellectual Property Law No 82 for 2002 (the “IP Law”) could apply to some IP challenges that may arise in metaverse technology.

There are three main types of IP protection under the IP Law:

• copyrights;
• patents; and
• trade marks.

All of these may be protected under the IP Law where the relevant registration requirements are fulfilled. However, in a virtual space such as the metaverse, potential IP infringements and disputes may occur, especially for non-IP holders. 

Questions of applicable law and jurisdiction are also fundamental when raising IP disputes in a metaverse context, and are decisive when allocating the rights of the parties in an IP dispute and for the relevant enforcement mechanism.

Data protection

The Egyptian Data Protection Law No 151 for 2020 (the “Data Protection Law”) established the necessary protections for data collected for the purpose of metaverse technology. The Data Protection Law further established the Data Protection Centre (DPC) as the regulatory authority for data protection.

However, questions remain on the applicability of privacy laws within the metaverse, and on whose jurisdiction will apply, particularly given the complicated cross-section of protections. As the metaverse should have no “owner”, no one legislation can apply, though a globally unified code is likely at this time.

Cybercrime

Due to the structure of the old regime, several cyber-activities have been criminalised but dispersed among different legislation. The Cybercrimes Law No 175 for 2018 (the “Cybercrimes Law”) encompasses all these crimes, which is particularly significant given how the metaverse enables the advancement of new cybercrimes such as crimes against children, disinformation, ransomware, online harassment, impersonation and financial crimes. 

The Cybercrimes Law criminalises several cyber-activities, including:

• unauthorised use of information technology systems;
• unauthorised access to websites, private accounts and information systems;
• altering, damaging or intercepting data, software or information systems; and
• hacking or encroaching on emails, websites, private accounts and information systems.

Although the Cybercrimes Law sets out a number of obligations to be observed by technology service providers (such as data storage, security and confidentiality), it is difficult to predict the application of the Cybercrimes Law in crimes committed using metaverse technology, due to the nature of such technology (which may be far more advanced than current technology schemes). Additionally, law enforcement measures in such crimes will require more advanced forensics and trained expertise than may be available at the time.

The current penalties for these cybercrimes range from a minimum fine of EGP10,000 to a maximum fine of EGP20 million, as well as imprisonment for a minimum of three months to a maximum of five years. These strict sanctions act as a frontline in cybercrime deterrence; however, questions remain on whether new crimes committed in the metaverse could escape this.

Obtaining licences

As metaverse platforms are created by combining multiple technologies, ensuring the competence of related service providers and setting clear guidelines is imperative. Thus, licence applications to the NTRA are necessary to evaluate an applicant’s capabilities and to set the conditions on which the licensee is to conduct their business. Accordingly, the NTRA issues various licences ranging from infrastructure to service provisions with specific obligations.

However, given the diverse technologies pertaining to the metaverse, the number of required licences could prove hectic for the licensee. In this regard, there are five types of licences related to the metaverse that are granted by the NTRA:

• operational licence;
• special permit;
• frequency usage licence;
• wireless services licence; and
• international services licence.

Each of these involves its own conditions and required procedures.

Cryptocurrencies

Money would be needed even in virtual reality; therefore, there is no escape from using cryptocurrencies that allow for direct user-to-user transactions, while non-fungible tokens (NFTs) function as a deed, proving ownership of digital assets in the metaverse. For this immersive experience to function in a manner allowing trade and sale of products, a sustainable e-economy and virtual space needs functional legislation. However, the New Banking Law has prohibited the issuance, dealing or promotion of cryptocurrencies, unless a CBE requisite licence is obtained.

For now, the lack of regulation brings with it the burden of uncertainty in cases where digital assets have been stolen, and uncertainty on whether victims trading in these prohibited currencies will find protection under the law. The suggestion that NFTs can prove true ownership is in much legal contention, as users believe that owning an NFT corresponding to a digital asset gives them absolute right of ownership. The issue arises straightaway, where users accept the terms and conditions of the metaverse platforms. Many metaverse and NFT platforms reserve the right to prohibit user access to digital property or to terminate it completely, at their sole discretion under their prescribed terms and conditions.

It is ambiguous whether Egyptian law extends its scope to protecting these digital assets, particularly if such trades are prohibited. However, for the time being, contractual relationships between the concerned parties could be the key to resolving these issues.

Laws and Regulations

The Telecommunications Law

The telecommunications sector is generally regulated under the Telecommunications Law. This law applies to all telecommunications services (including telecommunications networks’ installation and operation, use of telecommunications equipment, providing wired and wireless communications, connectivity, radio frequency, and broadband services) in addition to all types of information technology services.

The importance of the Telecommunications Law in the context of the digital economy can be seen in how it interjects with the regulatory framework applicable to digital services by using information technology. The Telecommunications Law also interjects, legally and practically, with other applicable laws in the digital economy field such as the E-Signature Law, the Consumer Protection Law, the Cybercrimes Law and the Media Law. Although these are regulated under special legislation, in practice the interjection between multiple laws in connection with the digital market can be unclear and complex.

The E-Signature Law

E-signatures and e-contracts are generally regulated under the E-Signature Law No 15 of 2004 (the “E-Signature Law”) and its executive regulations issued by Ministerial Decree No 109 of 2005 as amended. The E-Signature Law also established the Information Technology Industry Development Agency (ITIDA), which is the authority mandated to regulate and supervise e-signature activities and services in Egypt.

The E-Signature Law enables the use of technology in contract formation. It recognises e-signatures and established the evidence standard for electronic contracts by creating a means of validating e-signatures and e-writing to produce legal effects in civil, commercial and administrative dealerships. This was a major legislative step, since previously Egyptian evidence law did not recognise digital documents and signatures as legally effective.

In this respect, Article 18 of the E-Signature Law specifies the following proof criteria for e-signatures, e-documents and e-writing:

• the e-signature must be linked to the signatory only;
• the signatory has control over the electronic medium; and
• there is the possibility to detect any modification or replacement in the data provided in the e-document or e-signature.

Verification and issuance of e-signature certificates under the E-Signature Law is permitted to licensed service providers. The licence is granted by ITIDA. The e-signature licensed service providers should comply with the e-signature services requirements provided under the E-Signature Law’s executive regulations, such as:

• compliance with the data security system to preserve the information;
• management of PKIs and security;
• a secure custody system to preserve the e-signature creation data and e-certificates; and
• use of a contract service template with customers in the form approved by ITIDA.

In practice, the use of e-signatures is a complex process and is only for companies that are licensed for their use.

The Consumer Protection Law

Consumer protection generally comes into play, especially when raising B2C transactions in digital market practice. Consumers are the ultimate end users of digital services and, therefore, having a strong legislative and regulatory system in place that enables building trustworthy relations between consumers and service providers is essential, especially in e-commerce.

In this respect, the new Consumer Protection Law No 181 of 2018 and its executive regulations were issued by the Cabinet of Ministers’ Decree No 822 of 2019 (the “Consumer Protection Law”), which extended consumer protection to online contracts.

The Consumer Protection Law incorporated novel terminologies to capture the application of consumer protection to online dealerships and digital services, such as:

• online contracting – offering, buying or selling products by using an internet platform or any other means of visual, audio or print communication, or by telephone or other means;
• advertiser – any person who advertises a commodity or service, or promotes it by themselves or by others, using any means of media or advertising, including digital means; and
• supplier – any person engaged in a commercial, industrial or professional business providing a service to the consumer, producing, manufacturing, importing, exporting, selling, renting, displaying, circulating, distributing or marketing a commodity for the purpose of presenting it to the consumer or dealing or contracting with the consumer about it in any manner, including through electronic means and modern technology means.

The Consumer Protection Law stipulated numerous measures and protective rights for the consumer, such as the right of disclosure of pre-contractual and post-contractual information, and methods to restrict unfair impositions on a customer.

Additionally, the Consumer Protection Law provided a full chapter specifically dealing with online contracting. The chapter included a number of rights and important legal protections for the consumer, such as:

• the right to obtain all necessary information to a contract;
• the right to confirm the approval to contract within a specific period (ie, seven days);
• the obligation of the supplier to observe all duties and consumer rights provided under the Consumer Protection Law in remote contracts; and
• the right of the consumer to revoke the contract within 14 days from the date of receipt of the product.

Nevertheless, online services under the Consumer Protection Law are excluded from the following activities:

• banking and financial activities;
• capital markets trade;
• newspaper subscription;
• flight ticket reservations; and
• hotel reservations.

These activities are subject to separate legal and regulatory applications, such as the media and banking laws.

Application of the Consumer Protection Law is mandated to the Consumer Protection Authority (CPA), which supervises and undertakes action against violations of said law.

Additionally, the NTRA also supervises consumer protection in telecommunications services. For this, the NTRA has issued general rules to protect the rights of users of telecommunications services. These rules have established several important guidelines to protect the rights of telecommunications service users by setting mandatory obligations on telecommunications service providers in providing telecommunications services. These obligations include:

• the duty to use agreement templates approved by the NTRA;
• transparency;
• non-discrimination;
• preparing a database of users, and carrying out the necessary updates to this database; and
• obtaining NTRA approval on the applicable services fees, publishing these fees on the service provider website, specifying the means of collecting these fees and indemnifying users against any breaches or violations of the service agreement, including the service level duty.

The Data Protection Law

Egypt recently issued a data protection law in 2020. While the executive regulations of this law are still awaited, it is a key step towards applying the international standards required for online services and digital market transformation. In this context, the Data Protection Law No 151 of 2020 (the “Data Protection Law”) upholds the data protection rights for natural persons whose data and information are processed by digital means. The Data Protection Law generally regulates personal data gathered and processed digitally, and adopts broad definitions as regards extending the protection to data gathered digitally by online service providers. The following are worth noting:

• “personal data” means “any data relating to an identified natural person, or one who can be identified directly or indirectly by way of linking such personal data and other data such as name, voice, picture, identification number, online identifier or any data which determines the psychological, medical, economic, cultural or social identity of a natural person”;
• “processing” means “any electronic or technological operation to write, collect, record, save, store, merge, display, send, receive, circulate, publish, erase, change, edit, retrieve or analyse personal data using any electronic or technological medium whether partially or wholly”;
• “data subject” means “any natural person to whom electronically processed personal data is attributed which identifies them legally or factually and enables their identification from any other person”; and
• “electronic marketing” means “sending any message, statement, or advertisement or marketing content, via any technological means, which aims, directly or indirectly, to promote goods, services or commercial, political, social or charitable petitions or requests, addressed to specific persons”.

Furthermore, the Data Protection Law sets out particular requirements for the use, collection and processing of personal data, including:

• setting out the rights of the data subject and cases where the processing of personal data is deemed lawful;
• specifying the obligations of the data processor, data controller and data receiver;
• the express consent of the data owner to allow the data gathering and processing;
• the obligation to inform the data owner of the purpose for which the data is gathered/processed;
• the measures to secure and protect the gathered personal data; and
• restrictions on direct electronic marketing communications by imposing certain requirements, such as specifying the purpose of the marketing communication, obtaining the approval of the data subject and securing the personal data.

The Data Protection Law generally prohibits any direct digital marketing without obtaining the data subject’s prior consent. The digital marketing communication should include the name of the sender and location, and specify that the communication is for marketing purposes, enabling the data subject to reject or give their approval for the marketing communication.

Furthermore, the Data Protection Law establishes the Personal Data Protection Centre (PDPC), which is the authority mandated to license and regulate data processing in Egypt. The PDPC is not yet incorporated, and it is expected that the relevant executive regulations will be issued in 2024.

It is worth noting that the Data Protection Law upheld additional protection for the collection and processing of sensitive information, such as information relating to health, biometric and financial data, and criminal records. Information relating to children is by default considered sensitive information (sensitive data). The Data Protection Law prohibits the collection and processing of sensitive data except with prior permission from the PDPC – though this is yet to be incorporated.

The Cybercrimes Law

On 15 August 2018, the Cybercrimes Law came into force (see 1.1 Laws and Regulations). Its executive regulations, specifically No 1699 of 2020, regulate online activities and aim to penalise, inter alia, unlicensed online activity and content violations, such as accessing a site or a private account, using an authorised right to do so, and exceeding the limits of this right in terms of time or level of entry.

Service providers under the Cybercrimes Law have a number of obligations that protect service users, such as:

• keeping and storing a record of the information system or any means of information technology, for a continuous period of 180 days;
• maintaining the confidentiality of the data that has been saved and stored;
• not disclosing the data without a justified order from one of the competent judicial authorities; and
• securing data and information in a manner that preserves its confidentiality, and not penetrating or damaging it, etc.

Thus, the Cybercrimes Law covers offences that significantly relate to the digital economy, such as offences violating confidentiality, the integrity and availability of computer data, computer-related offences, privacy infringements, and so on.

The FinTech Law

Law No 5 of 2022 regulating and developing the use of financial technology in non-banking financial activities (the “FinTech Law”) came into effect in February 2022. This law aims to reinforce the inclusion of the non-banking sector in the digital market and encourage the transition towards a cashless society. Non-banking financial activities are supervised and regulated by the Financial Markets Authority (FRA).

The FinTech Law specifically regulates the use of technology in non-banking financial activities. “Non-banking activities” are defined as “financial markets and non-banking tools supervised by the FRA, including capital markets, insurance, real estate finance, financial leasing, factoring, SMEs’ financing activities and consumer finance”.

Additionally, under the FinTech Law “financial technology” is defined as “any mechanism that utilises modern and innovative technology in the non-banking financial sector to support and facilitate financial services, financing and insurance activities using applications, software, digital platforms, artificial intelligence or electronic records”.

The FinTech Law lays out entity incorporation and activity licensing requirements. There are three main licensing requirements for companies operating in the field of non-banking financial activity using financial technology. These requirements include, in particular:

• determining the direct and indirect shareholding structure, as well as related parties of the applicant;
• that the required technological infrastructure, facilities, information technology and other security means must be availed by the applicant; and
• that the company’s activity is limited to those specified in the licence issued by the FRA – however, the FRA shall issue further regulations addressing such additional requirements pertaining to the shareholding structure, board of directors’ composition and conflict of interest regulations.

The New Banking Law

Egypt has issued the new Banking Law No 194 of 2020 (the “New Banking Law”), which replaces the old Banking Law No 88 of 2003 as a step towards integrating the banking system as part of digital economy growth. The New Banking Law recognises and introduces key innovative areas such as digital banks, cashless payments, payment service providers, payment systems operators, cryptocurrency and e-money.

The Central Bank of Egypt (CBE), in line with the New Banking Law, has permitted the use of financial technology and electronic payment services. This extends to enabling technical payment aggregators and payment facilitators, payment services using prepaid cards, and standards for the issuance and acceptance of contactless payments in the banking field.

The New Banking Law permits the use of financial technology in rendering banking services. Additionally, the New Banking Law sets out licensing conditions and outlines the main rules for operating a payment system, as well as outlining penalties for violations of payment service providers (PSPs) and payment systems operators (PSOs). The New Banking Law provides the following definitions:

• “payment systems” means “a set of means and procedures for the paying off, setting off or settlement of funds by transferring funds between two or more parties via an electronic system”;
• “financial technology” means “a business, application or financial product based on the use of technology”; and
• “payment services” means “all services related to account information or issuing or sending orders and payment operations, receiving such or executing such, whether in local or foreign currencies, including the issuance and management of payment tools and electronic money”.

According to the New Banking Law, natural and juristic persons are prohibited from conducting any activities related to operating payment systems or providing payment services, unless they have obtained a licence from the CBE. The CBE also further extends the licensing requirement to PSPs and PSOs operating inside Egypt or who target Egyptian residents from abroad.

The New Banking Law also requires licensed service providers to preserve an electronic copy of the registry, contracts, correspondence, commercial papers and documents relating to banking and payment transactions. These copies would have the same legal value as the original documents as long as these documents were preserved, processed and retrieved in the technical manner decided by the CBE (Article 203). 

Key Challenges

Although Egypt has witnessed a number of efforts to support growth of the digital market, in practice challenges remain in some areas, as discussed here.

Regulatory framework

The digital market involves numerous regulatory authorities, depending on the type of digital activity. This perhaps stems from the fact that there is no consolidated e-commerce law and e-commerce authority that regulates all e-commerce fields or provides adequate mechanisms of enforcement. In addition, the E-Signature Law (the main law dealing with digital transactions) was issued in 2004 and is significantly outdated considering current technology markets development, especially globally.

The current legislative platform in Egypt for dealing with e-commerce is also unclear as regards the conclusion and execution of electronic transactions, parties’ liabilities and rights, and the burden of proof. Egypt also remains slow in the enactment of an e-government regulatory framework to enable the digital transformation of government services, which would ease and support integration with the commercial digital market, especially on a local level. 

The regulatory framework was among the key issues raised under the national e-commerce strategy with UNCTAD in 2017, which aims to underline the key strategic and legislative reformations for developing the digital economy in Egypt (the “E-Commerce Strategy”). The E-Commerce Strategy highlighted the legislative and practical improvements needed in the e-commerce field. These include addressing the issue of intermediary liability of the internet service provider, e-procurement and the provision of adequate data protection enforcement mechanisms. Despite the enactment of the Data Protection Law, in practice its application remains unclear since the relevant licensing body is not yet established, and said law’s executive regulations are yet to be issued. 

Tax

The tax application regime in the digital market and in e-commerce remains a complex matter. Key challenges pertaining to tax application in e-commerce include identifying the permanent establishment (PE) subject to tax, determining tax liability, and enforcement.

Egypt has worked towards including e-commerce in the tax system. The Egyptian Minister of Finance issued Decree No 307 of 2020 incorporating an e-commerce department mandated to register e-commerce businesses for taxation purposes.

Subsequently, the Egyptian Tax Authority (ETA) issued Executive Circular No 89 of 2021, requesting commercial and non-commercial activities to register with the ETA. These activities include:

• e-commerce;
• audio-visual media content platforms; and
• publication and production of reading content.

The ETA classifies taxpayers’ registration under these activities into two categories:

• sole proprietorship (individuals); and
• companies (corporate).

Currently, e-commerce activities are subject to revenue and value-added tax (VAT). Revenue tax applies to direct income generated from online services, while VAT applies indirectly to services rendered to customers. The ETA also introduced the electronic invoice, which is mandatory for all merchants and business practitioners in Egypt, including in e-commerce. Application of the electronic invoice and reporting of tax in digital activities are quite novel and remain unclear in practice. 

Intellectual property

Finally, the IP Law (see 1.1 Laws and Regulations) did not allocate specific protection of IP and copyrights in online and digital markets. It is still unclear which authority is competent and how for protecting IP rights in the digital economy. The IP Law requires the registration of a trade mark and IP rights in order to gain the legal protection prescribed under said law in Egypt. Although major initiatives have been undertaken since, there is yet much room for enhancement, such as by granting ITIDA the authority to investigate related infringements via an online complaints system, and training officers for electronic evidence procurement.

Cloud and edge computing activities were recently introduced into the Egyptian market. These activities are broadly subject to a number of legislations in Egypt, including the Telecommunications Law, the Data Protection Law and the Cybercrimes Law. The Egyptian government opted for a cloud strategy in 2014 which aimed to move the governmental sector towards cloud technology and towards enacting e-government services. To date, however, this strategy has yet to be substantially realised.

In 2021, the NTRA issued the regulatory framework for establishing and operating data centres, and for the provision of cloud and data hosting services (the “Cloud Framework”). The Cloud Framework sets out the licensing and registration requirements for:

• cloud service providers;
• co-location/multi-tenant public data centre providers; and
• private data centres.

The requirements are summarised as follows.

Cloud Service Providers (CSPs)

CSPs are defined as companies that provide various cloud computing services of all types, whether through entirely owned data centres or via data centres leased from a public data centre. Examples of CSPs include Microsoft Azure, AWS, GCP Alibaba Cloud and IBM Cloud.

CSP services provided in Egypt would require prior registration with the NTRA. The registration would be valid for 15 years.

In order to obtain the approval of the NTRA on registration, the applicant should:

• fulfil and submit the relevant identification information to the NTRA (such as the name, address, telephone number and commercial register); and
• fulfil and submit activity information, particularly on the hosting system, data centres inside Egypt, address, contact details and website.

CSP service providers are required to evaluate their cybersecurity system and obtain a system tiering accreditation certificate from the NTRA for the purposes of cybersecurity system evaluation and data protection.

Registration as a CSP service provider would enable providing cloud computing services inside Egypt (for own use or for other users inside Egypt) and connecting to submarine systems via infrastructure service providers.

Public Data Centre Providers (PDCPs)

PDCPs are data centres established in Egypt for the purpose of hosting other service providers such as regards the cloud, content, Equinix, digital reality and internet exchange point (IXP). PDCPs are required to obtain the relevant licence from the NTRA. The licence’s duration is 15 years, and would enable a PDCP to:

• establish and operate data centres for providing hosting services;
• provide site rental (co-location) to customers in Egypt through the licensee’s data centres;
• provide cloud computing services for the licensee’s own use or for other clients inside Egypt; and
• directly connect with submarine cable systems through contracting infrastructure service providers to rent cables and relevant capacities.

Private Data Centres (PDCs)

PDCs are data centres established by a natural or juristic person for their own and sole use. PDCs do not require prior registration with or a licence from the NTRA, unless the PDC would be providing the service to other users. In this case, the PDC would transform into a PDCP, and the licensing requirements of the NTRA would apply. 

Cloud and edge computing services are generally subject to the Data Protection Law in terms of licensing and processing, using and storing personal data, and ensuring application of the relevant security measures as clarified in 2.1 Key Challenges. Data subjects generally have the right to submit a complaint against the data processor or controller to the DPC in cases where there is any violation of the rights conferred under the Data Protection Law.

Conversely, the Data Protection Law excludes personal data with the CBE and entities that are supervised/regulated by the CBE – except remittance and exchange companies. Data protection and secrecy are among those customer rights provided under the New Banking Law. In February 2019, the CBE issued instructions in connection with protecting customers’ interests. These instructions included:

• maintaining secrecy and protecting customers’ data;
• protecting customers in digital and electronic services; and
• payment and digital service providers’ duties towards customers.

The CBE’s instructions consider all customer data (whether personal or financial) confidential and prohibit its use, disclosure or sharing without the prior consent of the customer. A complaint in connection with any banking service is generally assigned and dealt with by the customer protection unit of the CBE.

The main challenge encountered with cloud and edge computing activities occurs at both the regulatory and practical level. To date, there is no clear regulatory framework dealing with cloud and edge computing services. This is particularly problematic since the Data Protection Law’s executive regulations are not yet issued, and the DCP is also not incorporated. In practice, this leaves the licensing and reporting requirements for data protection violations and data collection rights enforcement uncertain and unrealised.

Laws and Regulations Relating to the Use of Artificial Intelligence

Artificial intelligence (AI), and in particular data-driven methods such as machine learning, heralds a fundamental change not only in the Egyptian economic and social systems but globally as well. The key importance of AI is that it helps people predict the future and thus enables them to make better strategic decisions.

Currently, AI is not regulated under specific Egyptian legislation. The telecommunications sector, however, has attempted to implement and enhance the use of AI technology in Egypt.

In this regard, the Cabinet of Ministers Decree No 2889 of 2019 was issued in November 2019 to establish the National Council for Artificial Intelligence (NCAI). The NCAI follows the Ministry of Telecommunications and is presided over by the Minister of Telecommunications. The NCAI is mandated to develop, implement and manage AI strategy through close collaboration with experts and stakeholders. The NCAI should co-ordinate national efforts, develop Egypt’s strategy for AI, develop various applications related to AI, recommend capacity-building programmes, and enhance the skills and knowledge of national cadres. Currently, the Egyptian government has upheld an AI strategy that aims to strengthen the Egyptian technology platform and economy, and to encourage international partnerships in that field.

Elements Relevant to AI Technology

Data protection and consumer protection

AI as a mechanism requires the collection of big data and learning the patterns of such data. In other words, large sets of data are combined for a specific task or mission through an intelligent collection process, where several patterns are found in the collected data; as a result, outcomes can be easily predicted for specific outputs.

In view of this, any collected and/or processed data for the purpose of AI technology is protected under Egyptian law. The Data Protection Law states that in order to collect, process and retain personal data, the following conditions must be met:

• personal data must be collected for the legitimate, specific and declared purposes of the person concerned;
• collected data must be true, sound and secure;
• collected data must be processed in a manner that is lawful and appropriate to the purposes for which it was compiled; and
• collected data must not to be kept for a period longer than the period necessary to fulfil the purpose specified for it.

Further, the Consumer Protection Law states that a supplier must preserve the consumer’s information and data, and must not trade or disclose it in violation of the provisions of said law or the laws related to this matter, unless the consumer expressly agrees. A supplier must also undertake to take all necessary precautions to maintain the confidentiality and privacy of the data and information.

Intellectual property – inventor of the inventor

It is a well-known general principle that only those who hold a legal personality can be protected and regulated under the law, which means that AI inventors could certainly legally protect their patent rights where they comply with the required conditions stated under the IP Law and its executive regulations. The question arises, however, as to whether an AI machine could protect its own inventions, for it is highly expected that AI machines could reach such a high level of intelligence as to allow them to invent patents that would otherwise be protected if invented by a human being. The answer to this question is left open not only in Egypt but also worldwide, as AI technology is brutally evolving every day, while comparatively the currently applicable laws are standing still. The general approach in Egypt and worldwide is, nevertheless, to not grant patent rights to AI machines as they do not possess a legal personality “yet”.

Liability and insurance

Were an AI machine (eg, a robot) to commit a certain act that results in damage to a certain person or thing, questions arise as to who should be liable (ie, the inventor of the robot or the robot itself).

One might argue that the inventor of the AI machine should be liable for whatever damage was caused by the AI machine unless such damage was unpredictable and inevitable. However, an AI machine evolves every time it interacts with human intelligence, which enables the AI to develop its own personality and reactions to various human interactions, making it nearly impossible to predict or contain an AI.

In this regard, the Egyptian Civil Code No 131 for 1948 states that whoever takes over the guardianship of objects whose protection requires special care, or the guardianship of mechanical machines, shall be responsible for the damage caused by those objects, unless it is proved that the occurrence of the damage was due to a foreign cause beyond their control. Therefore, an AI inventor could be held liable in the case where their invention caused damage, and such damage was predictable and could have been prevented.

In addition, the Consumer Protection Law states that a supplier shall be liable for any damage caused by the product if it is proven that the damage arose from a defect in the product due to its design, manufacture or installation. Also, the supplier shall be liable for any damage caused by the product due to using it in the wrong way, if it is proved that the damage is due to the supplier’s failure to take sufficient care to prevent the occurrence of damage, or to alert to the possibility of its occurrence. The supplier shall further be responsible for any damage caused by the product if it is established that the damage arose from a defect due to the method of preparing the product for consumption, preservation, packaging, circulation or display.

Regulations Relating to the Internet of Things

In view of the recent spread and steady growth of the internet of things (IoT) all over the world, Egypt, in line with its 2030 vision adopting the establishment of many smart cities such as the New Administrative Capital, has concentrated its attention on IoT and its related services. In January 2022, the NTRA issued the first regulatory framework concerning the IoT, pursuant to the Telecommunications Law, thus advancing the growth of IoT services in Egypt, as well as studying the obstacles facing the spread of these services and how to overcome them.

IoT is defined under this framework as a service that is based on the use of technical means to enable automatic communication between things or objects in order to exchange, analyse and process data between them and make it available to users. Things or objects are defined under this framework as any physical objects that are connected to a digital/electronic identity which enables them to make connections, such as refrigerators, cars, power stations and others.

In other words, IoT includes all devices, physical and digital components, and systems that are connected for the purpose of benefiting from the data collected by sensors and embedded systems in machines and other physical objects, and sharing that data across communication networks where it can be processed and used for various purposes.

IoT is divided under the NTRA IoT framework into five classifications, depending on the nature of use:

• consumer IoT apps – such as wearable devices and smart home systems through which users are able to monitor and manage their home;
• commercial IoT apps – such as intelligent transportation systems (ITS), surveillance systems and vehicle-to-vehicle (V2V) connections;
• industrial IoT apps – these include digital industrial control systems, smart agriculture and industrial indicator monitoring, which allows for automatic detection and control of malfunctions in industrial equipment and for taking appropriate action in emergency situations;
• infrastructure IoT apps – these include smart city applications, in which infrastructure sensors are used to monitor temperature, humidity and pollution levels, to control irrigation and lighting, to monitor vacant parking areas and to control waste; and
• governmental IoT services – these include applications related to services provided to citizens, such as applications for healthcare services and applications for public utilities such as water, electricity, gas, transportation, education and others.

Data Protection

IoT technology mainly depends on the collection of data and its exchange, analysis and processing. Therefore, an IoT service provider is obligated to fulfil all necessary institutional and technical procedures and steps to protect the confidentiality of information and data of the service users, as per the general obligations prescribed by the NTRA IoT regulatory framework. Further, this framework is explicitly subject to the provisions of the Telecommunications Law and, in particular, the Data Protection Law.

Any collected and/or processed data for the purpose of IoT technology is therefore protected under Egyptian law. As per the Data Protection Law and its executive regulations, and the Consumer Protection Law, the conditions discussed under Data protection and consumer protection in 4.1 Liability, Data Protection, IP and Fundamental Rights must be met.

The Cybercrimes Law

See under The Cybercrimes Law in 2.1 Key Challenges.

The Cybercrimes Law covers offences that relate to IoT technology, such as offences violating confidentiality, the integrity and availability of computer data, computer-related offences and privacy infringements.

Machine-to-Machine Communications

Machine-to-machine (M2M) communications refer to services connecting devices with each other and transferring data between them either by wired or wireless connections, as per the above-mentioned NTRA IoT framework.

Since M2M applications and services are concerned with the process of connecting devices to each other, they are considered part of IoT applications and services.

Currently, mobile phone service providers or other companies operating in various commercial or industrial activities use M2M services according to one of the following methods:

• M2M services related to mobile phone networks; and
• M2M services related to private networks for personal use only.

Audio-visual services are generally regulated by Law No 180 of 2018 regulating press and media (the “Media Law”) and its executive regulations issued by Prime Ministerial Decree No 418 of 2020. The licensing requirements for media services are also set out in the President of the Supreme Media Council Decision No 26 of 2020 (the “Licensing Regulations”).

Regulatory application extends to all types of media, press and marketing content and broadcasting services, including content disseminated or generated via audio, video, satellite, electronic media, marketing, and internet platforms (media services). The Media Law establishes the licensing requirements for press, media, websites, online platforms and broadcasting activities. In this context, social media platforms and user-generated content would fall under the ambit of the Media Law. This inclusion aims to track content as well as income generated from these platforms for tax purposes.

The Media Law requires obtaining a prior licence from the Supreme Council for Media Regulation (SCMR). To obtain the SCMR licence, specific prerequisites for audio-visual media services should be met by an applicant.

The prerequisites and licensing requirements are as follows.

Prerequisites

Media

Media institutions are defined under the Media Law as “institutions that manage media means”. Media means are defined as “terrestrial and satellite television channels, and wired, wireless and electronic broadcasting stations”. The Media Law prohibits the incorporation or operation of any media means or websites, or advertising for these services, without a prior licence from the SCMR (Article 59). The Media Law also prohibits carrying out broadcasting services from outside accredited media locations except with the approval of the SCMR. In addition, the Media Law restricts broadcasting of any media means which include commercial materials, whether electronic, visual or audio, through smartphones or other types of equipment, except with the approval of the SCMR and subject to the applicant being a holder of a tax card.

The licence will set out the duties of the licensee, which inter alia shall include:

• the type of service and broadcasting technology;
• duration of the licence;
• territory;
• quality of service requirements; and
• IP rights.

Participating in and owning media means and online websites is permitted for Egyptian nationals, whether individual or juristic entities. Also, the Media Law requires that the prospective owner or participant not be subjected to crimes of dishonour or deprived of practising their political rights.

Furthermore, the Media Law requires that the owner of the media means that undertakes audio, visual or electronic broadcasting through use of the internet takes the form of a company (Article 51). The minimum authorised share capital for a media company is as follows (Article 54):

• EGP50 million for TV, broadcasting and news channels;
• EGP30 million for specialised TV channels;
• EGP15 million for each radio station;
• EGP2.5 million for a TV station or digital TV channel; and
• EGP100,000 for online websites.

Foreigners, whether natural or juristic persons, may not own the majority of shares or acquire controlling rights in media institutions. Foreigners wishing to obtain a licence to provide media means should have a foreign media licence or a legal domicile abroad (Article 22 of the Licensing Regulations).

Websites

The Media Law defines a website as a “licensed electronic page, link or application through which press, media or advertising content is presented, whether it is textual, audio, visual, static, mobile or multimedia, and is issued under a specific name and has a specific electronic address and domain, and is created, hosted or accessed through the internet”.

The Media Law prohibits establishing or operating websites, or creating branches of websites, operated from abroad in Egypt without a prior licence from the SCMR.

Application to own or operate a website is permitted for Egyptian nationals, whether natural or juristic, as long as the applicant is not subjected to crimes of dishonour or deprived of practising their political rights. Corporate entities wishing to own a website and obtain the relevant licence should have a minimum share capital of EGP100,000. Foreign websites providing news, media or marketing content in Egypt also require a prior licence from the SCMR.

Licensing

Media

Media services require a prior licence from the SCMR. To obtain this, the relevant application form should be filled in and submitted to the SCMR, supported with the requisite information, as follows:

• the signature of the applicant or the legal representative of the applicant (if the applicant is a juristic person);
• the name, nationality and address of the applicant;
• the name of the website or media means, its activity, financial resources, editorial and administrative structures;
• the name of the broadcasting responsible, the name of the programme manager, the budget and the broadcasting location;
• a copy of the identification card (if the applicant is a natural person), or a copy of the commercial register (if the applicant is a juristic entity);
• the name of the newspaper’s website and broadcasting location;
• proof of payment of the EGP50,000 application fee for the website and the EGP250,000 fee for media means; and
• compliance with the code of ethics issued by the SCMR.

Websites

Websites, whether in the form of an application, platform or page, require a prior licence from the SCMR. The Licensing Regulations stipulate the licence requirements for websites by specifying those activities that fall within the category of “websites” as follows:

• news;
• media;
• advertisement activities; and
• marketing content, whether for business, services, products or individuals using the internet inside Egypt (Article 13).

To obtain a website licence, the applicant should submit the relevant application to the SCMR supported with the necessary documents and information. These would include:

• a copy of the commercial register and tax card;
• a copy of ID(s) of the owner(s) of the website;
• a copy of the memorandum and articles of association (if the applicant is a juristic person);
• names of the board of directors, their nationality and IDs (if the applicant is a juristic person);
• the budget;
• financial statements (if the applicant is a juristic person);
• a trade mark registration certificate for the website;
• an undertaking to avoid transmitting content in violation of the applicable laws;
• a copy of the lease or title deed of the location for managing the website, duly notarised by the notary public; and
• payment of EGP50,000 in fees.

The telecommunications sector is regulated in Egypt mainly by the Telecommunications Law (see 1.1 Laws and Regulations). Additionally, the Ministry of Telecommunications and Information Technology has issued the following:

• Ministerial Decree No 667 of 2017 by the Minister of Telecommunications and Information Technology issuing contraventions and penalties regulations on communications service providers (the “Contraventions Regulations”); and
• Ministerial Decree No 258 of 2003 issuing wireless and radio frequency equipment licensing requirements (the “Equipment Licensing Requirements”).

The Telecommunications Law defines telecommunications (telecom) as “any means of sending or receiving signs, signals, messages, texts, images or sounds of whatsoever nature, whether the communication is wired or wireless”. The Telecommunications Law also defines telecommunications services as “providing or operating telecom, whatever the means used.”

Telecommunications Services and Activities

Fixed services

These include:

• landline services (fixed telephone and fixed virtual telephone) and data services (internet connectivity Class A & VOIP services);
• internet connectivity Class B services; and
• global peering services such as IPS, data content services, and Arabic internet domain services under international top-level domains (TLD) and “.Egypt” domains.

Wireless services

These include mobile services, mobile networks, message services and VAS.

Satellite services

These include:

• providing telecommunications services through satellite (VSAT – except for media content);
• providing global mobile communications by satellite (GMPCS system operator);
• providing mobile telecommunications satellite services (GMPCS service provider);
• providing satellite broadcasting services (eg, Nile Sat);
• wireless trunk services (TETRA);
• automated vehicle location services (AVL); and
• providing telecommunications services on aircraft and ships (maritime and aviation navigation services).

International services

This concerns establishing and operating an international telecommunications gateway.

Infrastructure leasing

These services are related to:

• establishing, operating and managing telecommunications infrastructure;
• use of frequencies;
• establishing and operating telecommunications towers;
• establishing, operating and leasing maritime cables and international infrastructure; and
• access to closed urban communities.

Telecommunications equipment

These services are related to using, assembling and manufacturing telecommunications equipment. Telecommunications equipment is defined under the Telecommunications Law as “any equipment, machinery or accessories used, or that could be used, in telecommunication services”. This includes wired, wireless and radio frequency telecommunications equipment.

Data hosting and cloud computing services

These services involve the following:

• cloud computing service providers (CSPs) – companies which provide various cloud services of all types, whether through fully owned data centres or through rented data centres from a public data centre provider licensee; and
• public data centres and co-location services – this concerns data centres which are established in Egypt for the purpose of hosting other data service providers.

Licences and Permits

Launching and using telecommunications services in the Egyptian market requires the prior authorisation of the NTRA. The Telecommunications Law generally distinguishes between two types of NTRA authorisation: licences and permits. Licences are required for establishing or operating telecommunications networks, carrying out telecommunication services, using radio frequencies or passing international phone calls (Article 21 of the Telecommunications Law). Permits are required for importing, trading, manufacturing and assembling telecommunications equipment (Articles 44 and 48 of the Telecommunications Law).

Licences

A prior licence from the NTRA is required to provide telecommunication services in the Egyptian market. The Equipment Licensing Requirements further set out radio frequency licensing requirements. The licence to provide telecommunications services generally requires submitting the relevant application form to the NTRA, including but not limited to the following:

• the name and details of the applicant;
• proposed pricing;
• financial and operational plans;
• market analysis; and
• any other requirements from the NTRA.

The licence will specify the scope, duration, territory, quality of service, secrecy of information and other obligations of the applicant.

In addition to the above, the Telecommunications Law establishes the interconnection and integration obligation between licensed telecommunications service providers (Article 28 of the Telecommunications Law). Interconnection is defined as “connecting the licensed networks of two or more providers with each other, enabling connection between users through whatsoever networks or services they use.”

In this context, the integration of telecommunications services in the Egyptian market requires obtaining the relevant licence from the NTRA and entering into an interconnection agreement with a licensed telecommunications service provider. For this, telecommunications service providers will have the duty to:

• disclose the technical specifications and data of the offered services that may be required for achieving interconnection;
• conclude agreements to achieve interconnection with reasonable terms that do not discriminate between any of the telecommunications service providers, and subject to these agreements being approved by the NTRA; and
• submit the data necessary to establish and prove the extent of harm that occurred to the telecommunications service provider as a result of an act by any subscriber of another telecommunications service provider network.

Consequently, and to ensure setting a clear framework for the provision of interconnection in Egypt, the NTRA issued the Interconnection and Wholesale Services Policy (the “Interconnection Policy”). The Interconnection Policy provides guidelines on entering into reference interconnection offers (RIOs) and service level agreements (SLAs) with Telecom Egypt (the state telecommunication operator and company controlling the telecommunications infrastructure in Egypt) and with other licensed telecommunications service providers in Egypt. The Interconnection Policy highlights the following aspects:

• regulatory – determining the agreement’s validity period, and the parties’ commitment to publishing the agreement, to not engage in monopolistic or discriminatory terms, to guaranteeing to protect the licensed telecommunications service provider network, and to abide by the IP rights of the parties;
• technical – specifying the type of services, parties’ responsibilities, location on interconnection points, network management, fault recovery method, service quality standards and protections of the licensee network; and
• economic – determining the interconnection charges, terms of payment, billing procedures and cost models (as approved by the NTRA).

Permits

The Telecommunications Law requires obtaining a permit from the NTRA to import, assemble or manufacture telecommunications equipment and peripheral communications devices. The Equipment Licensing Requirements further set out the conditions for obtaining this permit.

Recently, the Telecommunications Law was amended by way of the Law No 172 of 2022 (the “Amended Telecommunications Law”). By way of this amendment, the penalty of possessing, assembling, using or marketing the telecommunications equipment without requisite NTRA permit would expose to a fine ranging between EGP2 million and EGP5 million in addition to imprisonment for between one and five years.

In addition to the NTRA permit, the acquisition, operation and use of portable or fixed transmission devices also requires approval from the SCRM, as highlighted in 6.1 Requirements and Authorisation Procedures.

The NTRA permit would generally apply in the case of importing telecommunications equipment and is granted to companies manufacturing, assembling or trading in telecommunications equipment. To obtain this permit, an application for “type approval” from the NTRA is required. This approval is also requisite for the purposes of customs clearance in the case of importation. The “type approval” will attest to technical safety and suitability to import and use the equipment in the Egyptian market.

Technology agreements are recognised under Egyptian legislation in the context of the transfer of technology. To understand the challenges involved with transfer of technology agreements, it is important to first examine the related legal provisions. Transfer of technology agreements are dealt with under the Commerce Law No 17 of 1999 (the “Commerce Law”).

Article 73 of the Commerce Law defines a transfer of technology agreement as “a contract in which the supplier of technology undertakes to transfer, against payment, technical know-how to the importer of technology to use it in a special technical way, for the production or development of a specific commodity, the installation or operation of machines or equipment, or for the provision of services. The mere sale, purchase, lease or rental of commodities or trade marks shall not be considered a transfer of technology, unless this is set forth as part of, or is connected with, the transfer of technology agreement.”

The above definition incorporates the transfer of technology to agreements that entail the transfer of technical know-how against payment of consideration. Types of transfer of technology agreements would include:

• technical assistance;
• technical know-how;
• patents;
• utility;
• commodity; and
• grant of licence agreements.

In this context, agreements not dealing with the transfer of technical know-how (such as business know-how, marketing, and financial strategies) will not be considered a transfer of technology agreement. The term “transfer of technology” under Egyptian law is, however, very broad. It would extend to any agreement, whether standalone or part of another contract (Article 72-2). The Commerce Law provides that these provisions shall apply to each transfer of technology agreement used in Egypt notwithstanding the nationality of the parties, their place of residence, whether the transfer is international or national (Article 72-1), or whether the transfer is provided in an ancillary agreement.

The technology transfer agreement should be made in writing; otherwise, the agreement will be null and void. The transfer of technology agreement should also incorporate all the information in connection with the technical know-how and elements of knowledge being transferred (Article 74).

The supplier is under the obligation to disclose the following information to the importer, whether during the negotiations or in the contract:

• the risks that might occur from using the technology and in particular those connected with the environment, public health, or the safety of lives or property, and the funds and methods to avoid these risks;
• judiciary actions and other obstructions that might impede the use of technology-related rights, particularly those connected with letters patent; and
• the provisions of the local law concerning the authorisation for the export of technology.

In addition, the supplier must also submit to the importer information, data and other technical documents as required for the assimilation of the technology, as well as the necessary technical services requested by the importer for the operation of the technology, particularly expertise and training. The supplier must inform the importer of improvements to the technology during the validity period of the contract, and transfer these improvements to the importer if the latter so requests.

It should be noted that the Commerce Law upholds a protective approach towards the importer of technology. This is illustrated in its granting broad rights to such importer of technology, and grounds to annul the technology transfer agreement if these rights are breached. Article 75 of the Commerce Law prohibits provisions that would result in restricting the freedom of the importer in using, developing, acquainting with or announcing the production of the transferred technology. Such restrictions could result in invalidation of the underlying provisions.

More specifically, the Commerce Law lists a number of contractual provisions in the technology agreement that would be deemed of a binding and restrictive nature to the importer in the context of Article 75, as follows:

• the importer accepting the improvements introduced by the supplier to the technology, and paying their value;
• prohibiting the introduction of improvements or modifications to the technology to suit the local conditions or the conditions of the importer’s establishment;
• prohibiting the importer from acquiring another technology similar to or competing with the technology that is the subject of the contract;
• using specific trade marks to distinguish those commodities in whose production the technology was used;
• limiting the importer’s volume of production, its price, the method of its distribution or its export;
• participation of the supplier in running the establishment of the importer, or interference in choosing the permanent workers in said establishment;
• purchase of the raw materials, equipment, machines, apparatuses or spare parts for operating the technology, from the supplier alone, or from the establishments exclusively specified by the supplier; and
• restricting the sale of the production, or the delegation for its sale, exclusively to the supplier or the persons defined thereby.

The inclusion of any of these conditions in the technology transfer agreement could ultimately result in nullifying the underlying provision.

Notably, Article 87 of the Commerce Law provides default jurisdiction of the Egyptian courts over disputes arising out of technology transfer agreements. Arbitration is permitted only if it is held in Egypt according to the provisions of Egyptian law. Any agreement to the contrary shall be null and void.

Key challenges in connection with the transfer of technology agreements essentially arise in relation to legislation. Proper observance of the restrictions and obligations imposed by the Commerce Law for transfer of technology agreements is important to avoid realisation of risks. These challenges and elements of consideration are summarised as follows.

Default Applicable Law and Jurisdiction

Perhaps the most remarkable risk is the mandatory application of Egyptian law which may not be derogated by the agreement of the parties. Article 87 of the Commerce Law grants default jurisdiction to the Egyptian courts in disputes arising in connection with the transfer of technology agreements used in Egypt. The Egyptian legislature has set out the conflict of law rule by making Egyptian law the only applicable law, and excluding jurisdictional considerations delimiting Egyptian courts’ jurisdiction in deciding on transfer of technology disputes, such as regards the nationality of the parties or their place of residency, or the type of transfer (national or international).

Although Article 87 of the Commerce Law permits resorting to arbitration to resolve disputes in transfer of technology agreements, the applicable law and seat of arbitration shall by default be those of Egypt. This position was upheld in a recent decision rendered by the Cassation Court in 2021 (Case No 10305/83) where the court decided that Article 87 of the Commerce Law is a mandatory rule of law. Accordingly, if a foreign licensor insists upon a foreign governing law and seat of arbitration in a transfer of technology contract with an Egyptian counterparty, such provision is likely to be declared null and void by the Egyptian courts.

The rule set out in Article 87 of the Commerce Law has long been debated. The current position is that this rule is of public order and may not be deviated from by the agreement of the parties, and consequently restricts the parties’ freedom to choose the applicable law and jurisdiction (seat) of their dispute.

Nullification

The Commerce Law provides a wide range of grounds for invalidating the technology transfer agreement prescribed under Article 73, which primarily aims to protect the importer’s rights. Egyptian law considers the importer the weak party in a transfer of technology agreement. This position grants Egyptian courts broad powers to classify and weigh the provisions of the technology transfer agreement.

Guarantee and Liability

Article 85 of the Commerce Law provides for liability of both the importer and the supplier of technology towards third parties in connection with damages that occur from the use or application of the technology.

Additionally, Article 85 provides that the supplier must guarantee:

• the conformity of the technology and the documents attached to it with the conditions prescribed in the transfer of technology agreement; and
• the production of the commodity, or the performance of the services agreed upon according to the specifications prescribed in the transfer of technology agreement.

This is deemed a default guarantee unless otherwise agreed upon in writing between the parties. Accordingly, it is important that the parties agree to the specifications and guarantees in the transfer of technology agreement to avoid the default application of the guarantee prescribed by law.

The parties should also be aware of the technology services requirements, especially from the standpoint of consumers, data privacy and cybersecurity. In this sense, proper consideration should be given to consumer and data protection rights and cybersecurity requirements under Egyptian law, as this may involve liability or other implications for the parties when performing their duties under the technology transfer agreement. These requirements could also differ depending on the use of the transferred technology and activities related thereto. For instance, data secrecy and security in the banking sector are subjected to additional requirements and more stringent monitoring under applicable laws. 

Secrecy

Article 83 of the Commerce Law recognises how the duty of secrecy in a transfer of technology agreement differs depending on a party’s position in the agreement. For instance, the importer has the duty to preserve the secrecy of the improvements introduced by the importer to the technology, and where these improvements are transferred to the supplier as per the agreement. Breach of this duty would trigger the liability of the importer to indemnify the supplier against losses resulting from breach of that duty, whether or not this breach occurred during the negotiation phase or after the signature of the transfer of technology agreement.

Conversely, the supplier’s duty of secrecy towards the importer only covers improvements introduced by the importer to the technology as per the transfer of technology agreement’s provisions. Therefore, it is important for the parties to review their respective confidentiality duties and rights in the transfer of technology agreement. Parties should also take into consideration particular confidentiality and protection factors regarding IP rights.

Duration

Article 86 of the Commerce Law permits the parties to a technology agreement to request termination or amendment of the terms of the transfer of technology agreement upon the lapse of five years from the date of the agreement. It is thus important for parties to expressly agree on the duration and rights for termination or review of the terms of the transfer of technology agreement, to avoid this default application under Article 86.

Trust services, the use of e-signatures and digital identity schemes are mainly all regulated under the E-Signature Law and its executive regulations. The E-Signature Law falls under the auspices of the Telecommunications Law, which regulates the telecommunications sector.

The E-Signature Law was further issued in light of the Evidence Law No 25 of 1968, and the Protection of Intellectual Property Rights Law No 82 of 2002.

The key purpose for issuing the E-Signature Law was to regulate e-signatures (defined below) and to establish an authority (ie, ITIDA) responsible for regulating the activity of e-signature services and other activities in the field of electronic transactions and the information technology industry (see The E-Signature Law in 2.1 Key Challenges).

On 4 March 2021, ITIDA issued a general “Certificate Policy” (CP) guideline, which is pursuant to the E-Signature Law and its executive regulations. The CP guideline established that ITIDA shall operate the Egyptian Root-CA, which issues certificates for certification service providers (CSPs) issuing digital certificates for e-signatures and electronic seals. The Egyptian Root-CA therefore serves as a trust anchor for all e-signatures based on certificates that are issued in Egypt. There is a limited number of licensed CSPs in Egypt and, in addition to the Government Electronic Certification Authority (Gov-CA), the following are the licensed companies in the Arab Republic of Egypt:

• The Egyptian Co. For Digital Signature & Information Security SAE (Egypt Trust);
• El Delta Electronic Systems;
• Fixed Misr; and
• Misr for Central Clearing, Depository, and Registry (MCDR).

Moreover, the New Banking Law No 194 of 2020 expressly provides that licensed banking entities and representative offices of foreign banks in Egypt must keep electronic copies of records, contracts, correspondences, commercial papers and documents related to banking transactions and payment services, for the periods legally specified for keeping their originals.

These copies shall have the same evidential powers as the original documents when their retention, circulation and retrieval have been carried out in accordance with the rules and technical standards determined by the board of directors of the Central Bank of Egypt.

Elements Relevant to the E-Signature Law

Fundamental rights

As per the E-Signature Law, e-signatures and electronic documents, within the scope of civil, commercial and administrative transactions, shall have the same evidentiary effect as given to written signatures and official and customary documents in the provisions of Egyptian evidence law in civil and commercial materials, as long as the conditions stipulated in the E-Signature Law are fulfilled (see 2.1 Key Challenges).

Further, a copy from an official electronic document has the evidential effect of being identical to the original of the document, as long as the official electronic document and the e-signature are present on an electronic back-up.

Data protection

Without prejudice to the general protections conferred under the Data Protection Law, the E-Signature Law also reinforces data protection in all data related to e-signatures. In particular, the E-Signature Law states that e-signature data and all electronic information provided to an entity authorised to issue electronic certificates (ie, a CSP) is confidential, and the person to whom it was presented or who was contacted, by virtue of their work, may not disclose it to others or use it for a purpose other than that for which it was presented.

Intellectual property

In furtherance to the IP Law, the E-Signature Law is eager to protect those entitled to IP rights, and grants ITIDA the authority to deposit and register the original copies of computer programs and databases submitted by entities or individuals who publish, print and/or produce them, in order to preserve their IP rights and any other rights.

Jurisdiction

According to the E-Signature Law, ITIDA is the authority responsible for licensing and supervising e-signatures. The E-Signature Law confers a number of powers on ITIDA, including:

• the issuing and renewing of licences necessary to engage in e-signature services, and in other activities in the field of electronic transactions and the information technology industry;
• determining the standards of the e-signature system;
• deciding on complaints relating to e-signature activities;
• providing technical advice on disputes that arise between parties in e-signature activities;
• providing technical advice to entities working in the field of information technology activities; and
• registering the original copies of computer programs and databases submitted by entities or individuals who publish, print and/or produce them, in order to preserve their IP rights and any other rights.

Moreover, the E-Signature Law authorises ITIDA to revoke or suspend a licence if the licensee (ie, CSP) violates the licensing conditions.

Liability

As regards liability, there are mutual obligations on both ITIDA and on CSPs that aim to ensure the legally binding effect of e-signatures and electronic seals.

A CSP must first obtain the relevant licence from the competent authority under the control of ITIDA, and use said licence within the scope of its issuance – that is, issuing digital certificates for e-signatures and electronic seals. The validity of a certificate issued by a CSP must not exceed that of the CSP licence.

ITIDA must comply with the E-Signature Law and its executive regulations when licensing CSPs.