Data Protection & Privacy 2026

Last Updated March 10, 2026

Egypt

Law and Practice

Authors



Shehata & Partners was founded in 1996 and has been driven by a vision of providing unique legal services that cater to the business needs of corporate entities doing business in Egypt. Its core mission is to provide the most trusted and effective legal advice on both dispute resolution and corporate law in Egypt. The firm is result-driven and delivers exceptional services to clients across various practice areas and multiple industries. It continues to achieve the highest client satisfaction rates in the region due to the meticulous implementation of its client-centric approach.

Data Protection and Privacy Law Sources in Egypt

The Personal Data Protection Law issued under Law No 151 of 2020 (PDPL), together with its executive regulations issued by the Minister of Telecommunication and Information Technology Decree No 816 of 2025 (“Regulations”), constitutes the primary legal source governing data protection and privacy in Egypt. The PDPL is further supported by constitutional provisions and other complementary legislation.

Constitutional foundation

The constitutional foundation of the PDPL is based on three provisions:

  • Article 28, stipulating that information-based activities are key components of the national economy, and that the State commits to protecting them and increasing their competitiveness;
  • Article 31, stipulating that the security of information space is an integral part of the system of national economy and security; and
  • Article 57, stipulating that private life is inviolable, which extends to electronic correspondence, the confidentiality of which is guaranteed. Furthermore, the State shall protect the rights of citizens to use all forms of public means of communication.

The Telecommunications Law

The Telecommunications Regulation Law No 10 of 2003 recognises the right to privacy within the telecommunications sector by reinforcing the confidentiality of communications, notably through Article 73, which criminalises the unlawful disclosure of the content of communications or information relating to users of telecommunications networks.

The Cybercrimes Law

The Cybercrimes Law No 175 of 2018 constitutes a complementary legislative source of the PDPL, as it establishes direct criminal protection for personal data and the right to privacy. In particular, Article 25 criminalises the unlawful disclosure or use of personal data and any conduct that violates individuals’ privacy without their consent, while Article 26 imposes enhanced penalties for the misuse of information technology in processing personal data in a manner that harms a person’s reputation or dignity.

Interaction Between Data and Privacy Laws Across Different Levels of the Legal System

Sector-specific laws, including the Telecommunications Law and the Cybercrimes Law, may intersect with the PDPL where personal data is processed, secured, retained or disclosed within regulated sectors. This intersection commonly arises in matters relating to confidentiality of communications, data security measures, data retention obligations and unlawful access or disclosure. In such cases, the PDPL establishes the general data protection principles, while sector-specific laws impose complementary or more detailed obligations, provided they remain consistent with the PDPL and the constitutional right to privacy.

Moreover, the PDPL excludes from its scope of application personal data retained by the Central Bank of Egypt and the entities falling under its jurisdiction (except for money transfer and currency exchange companies), as well as data retained or claimed by the Egyptian Presidency, Ministry of Interior, Ministry of Defence, General Intelligence Service and Administrative Control Authority. The PDPL also excludes personal data related to judicial seizure reports, investigations and lawsuits.

Extraterritorial Reach of the PDPL

The PDPL’s extraterritorial scope is based on nationality, residence and effects-based criteria, as set out in its second article of issuance.

Under this framework, the PDPL applies to Egyptian nationals who commit any of the offences stipulated therein, regardless of whether such offences are committed in Egypt or abroad. It also applies to non-Egyptian nationals residing in Egypt, irrespective of whether the offence occurs inside or outside Egypt.

Furthermore, it extends its arm to non-Egyptian nationals residing abroad, provided that the following conditions are met:

  • one of the offences stipulated under the PDPL has been committed;
  • the same act is punishable under the law of the country where it was committed, irrespective of its legal characterisation; or
  • the personal data concerned relates to Egyptian nationals or to foreign nationals residing in Egypt.

General Principles and Requirements for Processing Personal Data

Licensing and approval requirements

The collection and processing of personal data is subject to the requirement that the entity carrying out such activities be duly licensed as a data controller and/or processor. Approval must also be obtained from the Personal Data Protection Center for the mechanisms used to collect personal data, and for the method of obtaining the consent of the data subject.

General requirements

Personal data must be:

  • collected for lawful, specific and declared purposes;
  • accurate, valid and adequately secured;
  • processed in a lawful and appropriate manner consistent with the purposes for which it was collected; and
  • not retained for a period longer than necessary to achieve the specified purpose.

Furthermore, the processing of personal data must rest on one of the legal bases permitted by the law, which include obtaining the data subject’s consent, executing a contractual or legal obligation, pursuing a legal action, abiding by an order of a court or an investigation authority, or legitimate interest.

Data Subject’s Rights

Under Article 2 of the PDPL, personal data may not be collected, processed, disclosed or made available by any means except with the explicit consent of the data subject or in cases expressly permitted by law. In this context, the data subject is granted the following rights:

  • the right to be informed of, access, review and obtain personal data held by any data holder, controller or processor;
  • the right to withdraw consent previously given for the retention or processing of personal data;
  • the right to request the correction, amendment, updating, addition or deletion of personal data;
  • the right to limit the processing of personal data to a specific scope;
  • the right to be informed of any breach or violation affecting personal data; and
  • the right to object to the processing of personal data or its outcomes where such processing conflicts with the data subject’s fundamental rights and freedoms.

Except for the right to be informed of data breaches, the exercise of these rights may be subject to a service fee payable by the data subject to the controller or processor, as determined by the Center and within the legally prescribed limit.

The practice of the Center in the future might lead to the generation of more specific rights for data subjects, based on its interpretation and the implementation method of the law.

Main Compliance “To-Dos” for Organisations

While it is difficult at this early stage of the PDPL’s implementation to make an exhaustive to-do list for organisations, the following actions require attention.

  • Updating the existing privacy policies to meet the requirements of the Regulations – eg, specifying the scope of collecting and processing the data and the nature of collected data, implemented procedures in case of data breaches, and cross-border transfer of data.
  • Collecting and recording the written and explicit consent of data subjects in readily accessible records that comply with the standards set out in the Regulations.
  • Conducting a comprehensive assessment of the data held, in terms of relevance, accuracy and recency, deleting or anonymising unnecessary data to reduce regulatory risk, and documenting such actions. Where data is deleted, the data subject must be notified of the deletion.
  • Appointing a data protection officer (DPO) and providing appropriate legal and technical training, with a view to ensuring successful registration with the Personal Data Protection Center. The appointment should be made in writing and grant the DPO sufficient independence to effectively perform their duties.
  • Appointing a local representative where operations are conducted in Egypt without an established corporate presence in Egypt.
  • Reviewing and reorganising internal access controls, including defining data access rights, hierarchies and systems, to ensure that personal data is accessible only to authorised personnel.
  • Developing and implementing a comprehensive data security policy, including technical and organisational measures, incident response procedures, access controls and periodic reviews, in line with the standards issued by the Center.
  • Determining in advance the permits and licences required, and allocating the necessary resources while preparing the relevant documentation and supporting information.
  • Designing a notification procedure to ensure compliance with the Regulations’ timelines for data breach notifications, whether within 72 hours or without delay, as applicable.
  • Assessing how personal data is transferred, accessed, shared, circulated or stored outside Egypt, identifying local alternatives where feasible and, where not, ensuring that the hosting country has an adequate data protection framework and that the existing arrangements meet appropriate business, security and compliance standards.
  • Introducing data consent and data protection compliance provisions into service agreements, employment contracts and any other agreements involving the sharing of personal data.
  • Where applicable, concluding data processing agreements that clearly allocate responsibilities and liabilities between the parties.

The PDPL identifies certain categories of personal data as sensitive personal data, the processing of which is subject to additional obligations.

Sensitive personal data includes data revealing a person’s mental, psychological, physical or genetic health, biometric data, financial data, religious beliefs, political opinions or security status. Children’s data is also classified as sensitive.

General Requirements

All activities related to sensitive personal data must meet the following requirements:

  • obtaining a permit or a licence from the Center;
  • obtaining the explicit written consent of the data subject;
  • collected data needs to be essential and necessary for the ultimate purpose of processing (ie, data minimisation), without causing any harm to the data subject;
  • abiding by all the requirements and standards issued by the Center; and
  • maintaining electronic and secure records of processing activities.

Special Requirements for Children’s Data

The PDPL imposes additional requirements for the processing of children’s data, as follows.

  • If the child is under 15 years old, valid consent must be obtained from the child’s guardian in writing and in an explicit manner. Such consent must be limited in time, and may be revoked later on.
  • If the child is at least 15 years old, the child, or their guardian, must give their written consent.
  • If the child is to participate in a game or a competition, the requested data must be limited to what is strictly necessary. Moreover, such data may not later be used in any operations involving profiling, tracking or behavioural monitoring of children.

Processing of Data Relating to Criminal Convictions and Offences

The PDPL does not apply to criminal convictions and offences, as it expressly excludes personal data relating to judicial seizure records, investigations and judicial proceedings from its scope. Consequently, such data falls outside the regulatory framework of the PDPL.

Under the rules of criminal procedure, investigations conducted by the Public Prosecution are confidential by operation of law. Pursuant to Criminal Procedures Law No 174 of 2025, access to investigation materials and case files is restricted to legally authorised persons whose involvement is required for the conduct of the proceedings, and only to the extent permitted by law.

The anonymisation process is currently not regulated under the PDPL, but may be organised by the Center at a later date. However, data related to persons only constitutes “personal data” – and therefore becomes subject to the PDPL – where it relates to an identified or identifiable individual, including health data. Once such data no longer pertains to an identified or identifiable individual, it automatically falls outside the scope of the PDPL.

Egyptian law does not provide for a unified or sector-specific regime governing the secondary use, sharing or reuse of health data comparable to the European Health Data Space Regulation. Instead, the applicable legal framework is limited to the general rules set out under the PDPL. As a result, the regulation of secondary uses of health data in Egypt, including the anonymisation of patient data for product development or scientific research, remains contingent on any future decisions, guidelines or regulatory frameworks to be issued by the Center.

Egypt does not currently have a standalone law regulating AI. Accordingly, the use of personal data in the training, development or operation of AI systems or models is governed by the PDPL and its Regulations.

Any processing of personal data in this context must comply with the general data protection principles set out under the PDPL, including lawfulness, purpose limitation, data minimisation, data accuracy, storage limitation, integrity and confidentiality, and accountability.

Specific AI-Related Requirements and Guidance

Under the Regulations, where personal data is used to train or operate AI models, the legal obligation imposed on data processors is limited to compliance with “locally, regionally, and internationally recognised standards”. This includes the Egyptian Charter for Artificial Intelligence, a soft law document issued by the National Council for Artificial Intelligence. This Charter includes the common international standards, such as human-centredness, transparency and explainability, fairness, security and safety, and accountability, and covers the use of AI in both the public and private sectors.

A personal data breach includes any unauthorised access, disclosure, copying, transfer, alteration or destruction of personal data during storage, transmission or processing. Once aware of a breach, both the controller and the processor must take immediate action.

Mandatory Notification

The Center must be notified within 72 hours of becoming aware of the breach. Where the breach relates to national security considerations, notification must be made without delay. Notification must be submitted through the designated channels and recorded in a secure breach register, and must include details of the breach, affected data, potential impact, mitigation measures and the DPO’s details.

Affected data subjects must be notified within three working days of notifying the Center, with information on the breach and the measures taken.

Required Actions

Organisations must:

  • assess and contain the breach;
  • notify the Center within the statutory timeframe;
  • notify affected data subjects;
  • document the breach and corrective actions;
  • implement technical and organisational measures to prevent recurrence; and
  • ensure oversight by the DPO.

Investigations and Liability

The Center may investigate breaches, request information and co-ordinate with national security authorities where applicable. Non-compliance may result in regulatory, administrative or criminal sanctions.

Personal Data Protection Center

The Personal Data Protection Center is the primary authority responsible for enforcing the PDPL and its Regulations. It regulates activities related to personal data processing, issues the required permits and licences, makes national policies and guidelines, and investigates violations.

However, as it was only established recently, and there is currently a grace period extending until 31 October 2026, the Center is not yet fully utilising its regulatory powers.

In all cases, the Center has the power to make investigations based on complaints it receives or at its own discretion. Moreover, the Center is duly authorised to effect settlements of claims and to enter into reconciliation agreements in respect of criminal proceedings with the parties concerned.

The Center co-ordinates domestically with sectoral regulators and national security authorities. It may also co-operate with foreign data protection authorities pursuant to international, regional or bilateral agreements or based on reciprocity, for the purposes of protecting personal data, verifying compliance by controllers and processors outside Egypt, exchanging information and assisting in the investigation of data breaches and related offences.

National Telecommunications Regulatory Authority (NTRA)

The NTRA is responsible for overseeing privacy and confidentiality obligations within the telecommunications sector in accordance with the Telecommunications Law. Its mandate includes ensuring that telecom operators comply with legal requirements relating to the protection of users’ communications and personal data.

Regulatory action by the NTRA may be triggered either by complaints submitted by users or through the NTRA’s own monitoring and supervisory activities. In this context, the NTRA is empowered to conduct audits and inspections of telecommunications operators and to impose regulatory or administrative sanctions where breaches are identified.

Authorities Responsible for the Enforcement of the Cybercrimes Law

As described in 1.1 Overview of Data and Privacy-Related Laws, the Cybercrimes Law contains some provisions that are related to data privacy, especially when concerned with an individual’s reputation and private life. In this regard, the authorities responsible for enforcing the Cybercrimes Law include the Public Prosecution, the economic courts and the NTRA.

As indicated in 1.7 Regulators, the Center is not currently utilising its full powers, due to the grace period extending until 31 October 2026.

The PDPL allows the Center to initiate investigations and enforcement actions under the PDPL. Proceedings may also be triggered by complaints submitted by data subjects, or data breach notifications filed by controllers or processors.

The Center may refer the cases it handles to the economic courts, which are the competent courts with respect to applying the criminal sanctions contained in the PDPL. This is without prejudice to the claimant’s right to request civil compensation.

The Center may also apply administrative sanctions. This starts by delivering a warning to the person found to be in violation of the PDPL, requiring them to comply with its provisions within a specified duration. If this duration lapses without such person having complied with the PDPL, the Center may deliver another warning, suspend or revoke the licence/permit, and subject the person concerned to its scrutiny.

Effective Enforcement of the PDPL

The most significant development has been the issuance and entry into force of the Regulations in November 2025, which triggered the grace period extending until 31 October 2026 and marked the start of the PDPL’s implementation.

Launch of the Center’s Online Platform

The launch of the Center’s official online platform (pdpc.gov.eg) represents an important step in operationalising the data protection framework. The platform shall function as a central point for regulatory information, guidance, licensing-related updates, and communication with regulated entities, enhancing transparency and accessibility.

Issuance of Guidelines by the Center

The Center has published new guidelines and model forms, with the purpose of spreading awareness of the implementation of the PDPL. By way of illustration, the guidelines include an explanation of core concepts such as the data subject’s consent, the legal foundations for processing data, the role of a DPO, privacy policies, and permits and licences.

While these guidelines are not legally binding, they reflect the orientations of the Center in the implementation of the PDPL.

Privacy and data protection litigation in Egypt remains at an early stage. To date, judicial practice is limited. There has been a recent case before the Economic Court of Alexandria (see 2.2 Recent Case Law), but this does not yet amount to a settled or consistent line of case law. However, it reflects an emerging judicial willingness to engage with privacy and data protection arguments, especially in regulated sectors that process large volumes of personal data.

Compensation for Non-Material Damage

Egyptian law expressly recognises compensation for non-material damage, including psychological, reputational and emotional harm arising from privacy violations. Such damage is considered compensable in privacy-related claims.

Non-material damage is assessed at the discretion of the court, taking into account the seriousness of the violation, the nature and sensitivity of the data involved, and the impact of the infringement on the claimant’s dignity, privacy and mental well-being.

Possibility of Privacy Claims

Affected individuals may file a complaint with the Center, and can also bring a civil claim directly before the competent courts seeking compensation, without prejudice to their right to pursue judicial remedies.

In September 2025, prior to the issuance of the Regulations, the Economic Court of Alexandria issued a landmark judgment ordering the defendant to pay EGP10 million in compensation for the unlawful compromise of a customer’s personal data. Although the case was brought against a telecommunications operator, it has significant implications in terms of data privacy laws.

The Court held that a company may incur civil liability for data protection violations, even though the Regulations had not yet been issued at the time. Liability was established by the Court under general tort law, and compensation was awarded without any statutory cap, as civil indemnification is not subject to the limits applicable to criminal fines.

Enforcement Through Custodian’s Liability

The Court characterised the defendant as the custodian (controller) of the claimant’s personal data and applied the doctrine of the custodian’s liability, which does not require proof of fault. Liability may only be avoided by proving an external cause beyond the custodian’s control. Allegations of fraud, employee error or technical failures were held insufficient to exempt the company from liability.

As a result, the company was deemed responsible for failing to prevent unauthorised access, misuse and manipulation of the claimant’s personal data, and was required to exercise a heightened duty of care reflecting its professional position.

Implications for Data Privacy

The judgment signals a shift in the judicial approach to the enforcement of the PDPL, with the following key implications:

  • liability without fault may be imposed for personal data breaches on the basis of the custodian’s liability;
  • defences are narrowly construed, and internal failures or third-party fraud may not absolve liability; and
  • financial exposure is significant, with compensation awards potentially reaching millions of Egyptian pounds.

There is no general legislative framework allowing a claim to be brought on behalf of an undefined group of affected persons, including in privacy or data protection matters.

Procedural Alternatives to Collective Redress

Multiple claimants in a single action

Under the Civil and Commercial Procedures Law, multiple claimants may bring a single action where the subject matter or legal cause is common or closely connected. Each claimant must individually establish standing, damage and causation. This mechanism does not constitute collective redress in the technical sense.

Regulatory complaints

In data protection matters, data subjects may file complaints with the Center. The Center’s decisions are administrative in nature and do not amount to judicial collective redress or collective compensation.

Admissibility Criteria

All claims must satisfy the general requirements of standing and direct personal interest. Egyptian law does not provide a mechanism for certifying a representative claimant or aggregating claims of persons who are not formally parties to the proceedings.

Indicative Timelines

Actions involving multiple claimants follow the ordinary timelines of civil litigation. There are no expedited or special procedural rules for claims with a collective dimension, and proceedings may be lengthy, particularly where technical expertise is required.

Typical Relief

Available remedies include:

  • monetary compensation, assessed individually for each claimant based on the damage suffered;
  • injunctive or corrective orders to cease unlawful conduct; and
  • regulatory or administrative measures imposed by competent authorities.

Egyptian law does not provide for collective or aggregate damages awarded to an undefined group.

There is no general legal framework governing the protection or processing of non-personal data, similar to the EU Data Act. The PDPL, its Regulations and the mandate of the Center are limited to personal data and do not extend to non-personal data.

Adoption and Scope of the Open Data Policy

Against this backdrop, Egypt has adopted an Open Data Policy (the “Policy”), issued by the National Council for Artificial Intelligence in 2025. The Policy defines open data as non-sensitive and non-personal data held by the governmental authorities and made available in an electronic-readable format, subject to minimal restrictions on its use or reuse. However, the Policy serves as a transitional regulatory instrument, pending the issuance of a comprehensive data governance law, its executive regulations, and the accompanying data classification framework; the Policy is expected to be superseded and replaced by such law, once enacted.

In this context, the Policy aims to support and promote the development of innovative digital services. It specifically regulates the availability of data not falling within the categories of personal data, data related to national security, and trade secrets. Once enacted, the anticipated data governance law and its executive regulations are expected to designate the Egyptian Data Governance Authority (which is not yet established) as the central co-ordinating authority, responsible for setting priorities, monitoring compliance, overseeing the availability of public data sets, and approving relevant strategic initiatives.

Overall, the Policy primarily addresses data access, use and reuse, rather than establishing rules governing the processing of non-personal data.

Internet of Things Regulatory Framework

The NTRA issued a dedicated internet of things (IoT) regulatory framework in Egypt in January 2022, setting out the key rules and procedures governing the provision and use of IoT services and expressly providing that the regulatory framework shall be implemented in accordance with, and abide by the terms of, the PDPL, its Regulations, the Cybercrimes Law and the Telecommunications Law. In addition, the framework expressly prohibits any user of IoT services from transferring IoT-related data outside Egypt.

In practice, IoT services may involve the access and sharing of data with the governmental authorities. Where such IoT-generated data does not relate to identified or identifiable individuals and does not qualify as sensitive data, it may be classified as non-personal, non-sensitive data. In such cases, access to and reuse of this data would be expected to fall within the scope of the Policy.

By way of example, data generated by the IoT sensors installed by a government authority to monitor traffic flow, air quality or energy consumption levels, where the data is aggregated and does not allow for identifying individuals, would generally be considered non-personal and non-sensitive, and may therefore be made available in accordance with the Policy.

Regulatory Framework for Cloud Services and Data Centres

With respect to cloud computing, Egypt has a multi-layered regulatory and policy approach. The NTRA has established a regulatory framework governing the establishment and operation of data centres and the provision of cloud computing services in Egypt. This framework aims to attract large-scale data centres and cloud service providers, and to support Egypt’s broader digital transformation objectives.

Cloud First Policy

In parallel, the Supreme Council of Digital Society (SCDS), formed under Presidential Decree No 501 of 2017, adopted the Cloud First Policy in 2024. This guiding non-binding policy was developed and implemented in alignment with international standards and best practices.

The Cloud Policy is aligned with Egypt’s Vision 2030 and the Digital Egypt Strategy, and aims to highlight the pivotal role of cloud computing in building a secure and sustainable digital society. The Cloud Policy also contributes to promoting the adoption of cloud computing services across both the public and private sectors, leveraging their advantages in developing software, enhancing workforce capabilities and improving service efficiency. It also accelerates the pace of secure data migration and the use of data through public cloud computing systems.

Data Classification and Future Legislative Developments

Through its executive office and specialised committees, the SCDS continues to undertake efforts to prepare a draft law establishing binding rules and standards for the classification, availability and exchange of official data and information. In addition, the Cloud Policy emphasises that proper data classification is a core pillar of effective cloud computing governance. Given the significance of data classification, work is currently underway to prepare the draft law mentioned above. Pending the issuance of this legislation, the Cloud Policy adopts an interim data classification approach aligned with international standards, and classifies data into four levels: public, confidential, secret and top secret.

For the purposes of the Cloud Policy, public data refers to data that is held by the governmental authorities and available for general access. Accordingly, such data would fall within the scope of the Open Data Policy and be subject to its rules on access, use and reuse.

With respect to the legal basis and confidentiality of personal data, Egyptian law adopts a clear hierarchy. Where data processed under IoT or cloud computing frameworks qualifies as personal data, the legal basis for processing and the confidentiality obligations are governed solely by the PDPL and its Regulations. Sector-specific frameworks (ie, IoT or cloud computing) do not create independent legal bases for processing personal data and instead defer to the PDPL.

Moreover, in the absence of a dedicated non-personal data protection regime in Egypt, non-personal data must meet specific requirements in order to be treated as a trade secret under the Intellectual Property Law No 82 of 2002. In particular, the data must:

  • have commercial value as a result of not being publicly available;
  • be known only to a limited group of persons; and
  • be subject to reasonable measures taken by its holder to preserve its confidentiality, including the use of confidentiality agreements with employees and business partners.

Alternatively, such data may be registered as a copyright, provided that it fulfils the legal and regulatory conditions.

In the absence of a clear legislative framework in Egypt governing the rights and obligations relating to the use of non-personal data, other than the Open Data Policy discussed in 3.1 Objectives and Scope of Data Regulation, and pending the issuance of the anticipated data governance law, the existing regulatory frameworks applicable to IoT and cloud computing primarily operate by reference to the rules governing personal data, to the extent that any personal data is involved.

Accordingly, the current rights and obligations under these frameworks largely relate to the use of personal data, as regulated by the PDPL, its Regulations and the guidelines issued by the Center. In this context, Article 2 of the PDPL establishes a set of fundamental rights granted to data subjects (see 1.2 Rights and Obligations for more detail). At present, the PDPL expressly provides for the right of access, while the remaining rights are not explicitly detailed. However, the Center is expected to further clarify and address such rights through the issuance of additional specific guidance.

Articles 4 and 5 of the PDPL and Articles 3 and 4 of its Regulations set out the core obligations applicable to personal data users, whether acting as controllers or processors. These provisions establish the main responsibilities governing the lawful use of personal data, including, in particular:

  • obtaining the relevant licences or permits;
  • the obligation not to unlawfully disclose personal data;
  • the appointment of a DPO, where required;
  • notifying data subjects of personal data breaches;
  • compliance with enhanced obligations relating to sensitive personal data;
  • specific protections for children’s personal data;
  • restrictions and conditions on cross-border data transfers;
  • obligations applicable to direct marketing activities;
  • requirements governing the use of visual surveillance methods in public spaces; and
  • the obligation to appoint a representative in Egypt, where applicable.

In Egypt, the competent authority responsible for enforcing the regulatory frameworks applicable to IoT and cloud computing services is the NTRA. In exercising its mandate, the NTRA co-ordinates with privacy and competition authorities by requiring compliance with the PDPL, its Regulations and, recently, the guidelines issued by the Center, as well as with the rules governing competition law in Egypt.

In addition, the NTRA and the Egyptian Competition Authority signed a memorandum of understanding to enhance co-ordination and strengthen the protection of free competition in Egypt’s telecom market through a joint executive committee. The co-operation aims to prevent anti-competitive and monopolistic practices, ensure fair regulation of the ICT sector, and maintain high-quality telecom services at fair prices for users. It also seeks to support digital transformation while attracting new investments and safeguarding existing ones.

From a competition perspective, Articles 2, 24 and 30 of the Telecommunications Law establish core principles for the protection of free competition in the telecommunications sector, including:

  • the obligation for licensed operators to provide services under conditions of free and fair competition;
  • the prohibition of cross-subsidisation of one service at the expense of another; and
  • the requirement to provide services to users without discrimination.

The Telecommunications Law further entrusts the NTRA with determining the thresholds beyond which anti-competitive or monopolistic practices may arise within the sectors it regulates.

Recent regulatory trends in Egypt include the issuance of the Regulations of the PDPL and the launch of the official website of the Center, which provides practical guidance to stakeholders. These guidelines address key compliance areas, including but not limited to data subject consent, obligations of data users (controllers and processors), data protection principles, and the lawful bases for processing personal data. Collectively, these developments reflect a shift toward greater regulatory clarity, operational guidance and enforcement readiness in the data protection landscape.

Under the general principles of the PDPL, the use of online tracking technologies – including cookies, SDKs and other device identifiers – requires obtaining the prior, explicit and valid consent of the data subject. Where such technologies are used for marketing purposes, they are also subject to the rules on electronic direct marketing.

Consent must be obtained through fair and transparent means. Misleading consent practices, including dark patterns or interfaces designed to influence user choices, invalidate consent, as it cannot be considered freely given, explicit or informed.

Each electronic marketing communication must include a clear and effective “unsubscribe” mechanism. Where such a mechanism exists in form but is ineffective in practice, or where marketing communications are disguised as personal messages, the processing is unlawful.

Personalised or targeted advertising in Egypt is regulated under the PDPL as a form of direct electronic marketing whenever it is based on an individual’s data, behaviour or profiling.

Personalised or profiling-based advertising is prohibited without the data subject’s prior explicit consent. Marketing communications must:

  • clearly identify the sender;
  • state that they are sent for direct marketing purposes;
  • include a valid contact address; and
  • provide clear and easy mechanisms that allow the individual to refuse the communication or withdraw consent at any time.

The PDPL also:

  • requires marketers to limit the use of data to the specific marketing purpose for which consent was given;
  • prohibits the disclosure of the data subject’s contact details; and
  • obliges marketers to retain electronic records evidencing consent, its amendments or withdrawal for three years from the date of the last marketing communication.

Any use of profiling for marketing purposes falls within this regime and requires compliant prior consent. The use of sensitive personal data or children’s data for personalised or targeted advertising is subject to stricter legal restrictions and enhanced safeguards, and is generally high-risk and highly limited under Egyptian law.

There is no specific or settled guidance directly addressing the protection of employee and applicant data. However, based on the current legal framework and prevailing practice, the following principles apply.

Personal data collected during recruitment and job applications is protected under the PDPL even before an employment relationship is formed. Employers must:

  • limit processing to recruitment purposes;
  • define appropriate retention periods; and
  • not reuse or share applicants’ personal data without a valid legal basis, in accordance with the PDPL and constitutional protections of privacy.

The existence of an employer–employee relationship does not remove the employee’s right to privacy. Employers act as data controllers and may process employee personal data only for lawful, specific and legitimate purposes, and only to the extent necessary and proportionate, in accordance with the PDPL.

Employee monitoring, including time tracking and attendance systems, is permitted where it is necessary for work organisation, wage calculation or legal compliance, provided employees are informed in advance. Hidden, excessive or continuous monitoring may be prohibited, as it could violate the principle of necessity under the PDPL.

Remote work does not expand the employer’s monitoring powers. Employers may monitor working hours or performance only to the extent required to perform the employment contract. Intrusive monitoring, constant surveillance or the use of cameras in the employee’s home is not permitted, as it interferes with the employee’s constitutionally protected private life and exceeds what is necessary under the PDPL.

Personal data processed through workplace IT systems, such as corporate email, HR platforms and task management tools, falls within the scope of the PDPL. Such data may be used only for the employment-related purposes for which it was collected, and may not be repurposed for broader surveillance or disciplinary objectives without a lawful basis and prior transparency.

Background checks are lawful only where they are directly relevant and necessary for the specific role. Collecting criminal, financial or other sensitive personal data without a clear job-related justification violates the PDPL’s restrictions on sensitive data processing and the non-discrimination principles under the Labour Law.

While the PDPL does not explicitly mention M&A transactions and asset deals, it is still applicable to such matters. The processing and transfer of personal data in this context may be based primarily on the legitimate interest legal basis, provided that the processing is necessary, proportionate and balanced against the rights of the data subjects.

During the due diligence phase, personal data may be disclosed only to the extent strictly necessary to assess the transaction, in accordance with the data minimisation principle. Access should be limited, and appropriate confidentiality and security measures must be implemented. Where the data involved qualifies as sensitive personal data, it may not be processed or shared unless the explicit and written consent of the data subject has been obtained, in addition to implementing appropriate confidentiality and security measures.

At the stage of change of control or asset transfer, the transfer of personal data constitutes a new processing activity and must be based on a lawful ground, and personal data may not be used for purposes exceeding those for which it was originally collected without a valid legal basis.

A change in the data controller triggers transparency and notification obligations, including informing data subjects of the change in control or processing purposes and complying with any mandatory notifications to the Center where required by the PDPL.

Following the closing and post-merger integration, the acquiring entity must review and align data processing activities, update privacy notices and policies, and ensure that databases are not merged or reused for new purposes without a lawful basis.

Cross-border transfers of personal data in Egypt are regulated under the PDPL and its Regulations, which adopt a broad concept of transfer covering any transfer, storage, sharing, disclosure, or making available of personal data, whether for processing, storage or any other purpose.

With respect to the mechanisms and assessments required for cross-border lawful transfers, the PDPL and its Regulations set out the key requirements applicable to any data controller or processor, as follows.

  • As a general rule, the PDPL and its Regulations prohibit the transfer, storage or sharing of personal data outside Egypt unless the destination country ensures a level of data protection not less than the level prescribed under the PDPL and its Regulations.
  • Notwithstanding the adequacy of the level of protection requirement, cross-border transfers to countries that do not provide an equivalent level of protection may be permitted subject to the explicit consent of the data subject (or their representative), and only in limited cases, specified under Article 15 of the PDPL.
  • The controller or processor must obtain a licence or permit from the Center, based on its assessment of the adequacy of the level of protection in the destination country.
  • The controller or processor must obtain the consent of the data subject for the cross-border transfer.
  • Appropriate technical and organisational measures must be implemented to ensure an adequate level of protection for personal data during transfer, storage or sharing, in line with the scope and nature of the data and the terms of the licence or permit.
  • Personal data may only be transferred to the country or countries specified in the licence or permit, and any addition of new countries requires an update of such licence/permit.

Moreover, onward transfers are permitted only where the activities of the relevant controllers or processors are compatible or integrated, or serve a legitimate interest of the parties or the data subject, and provided that the level of legal and technical protection applied by the controller or processor located abroad is not less than the level applicable in Egypt.

The PDPL and the Regulations set out the conditions, procedures and applicable fees for obtaining a licence or permit from the Center to transfer personal data across borders. However, as a general rule, a licence/permit authorises the data controller or processor to transfer personal data that has been collected or prepared for processing from within the geographic territory of Egypt to outside its borders.

In addition, the Regulations set out the conditions for the cross-border transfer of personal data for both legal persons and natural persons. With respect to legal persons, obtaining a licence/permit for the cross-border transfer of personal data is subject to specific requirements, including, in particular:

  • identification of the destination country;
  • information on the nature of the activities of the foreign controller or processor;
  • a description of the categories and nature of the personal data involved;
  • details of the applicable security measures, storage locations (temporary and final) and data protection safeguards during transfer;
  • confirmation of compliance with the applicable cross-border transfer standards and requirements;
  • specification of the purpose of the transfer; and
  • sufficient information regarding data volumes, retention periods, and storage arrangements, in accordance with the templates issued by the Center.

With respect to natural persons, obtaining a permit for the cross-border transfer of personal data requires the following:

  • providing information on the nature and description of the personal data to be transferred, its volume, and the purpose of the transfer;
  • identifying the destination country and the applicable retention period;
  • setting out the security measures, temporary and final storage locations, and safeguards adopted to protect the data during transfer; and
  • demonstrating compliance with the applicable standards, rules and requirements for cross-border data transfers, and providing sufficient details regarding storage arrangements in accordance with the templates issued by the Center.

As part of the licensing process, the procedure for obtaining a licence/permit for the cross-border transfer of personal data, whether for legal persons or natural persons, requires the submission of an application to the Center through the designated electronic portal. The application must include all required information and supporting documents. The Center examines the application and notifies the applicant of its decision, whether approval or rejection, within 90 working days from the date on which all required information and documents are duly submitted.

Any cross-border transfer of personal data is prohibited unless it is carried out in accordance with the conditions expressly set out in the PDPL and its Regulations, and subject to obtaining the required licence or permit from the Center.

In addition, the SCDS’s Cloud Policy, including data localisation requirements, has entered into force and recommends that data classified as “top secret” or “secret” be hosted exclusively within Egypt. This applies to data related to national security or sensitive operations, and aims to ensure maximum protection against unauthorised access, breaches or manipulation.

Blocking statutes and foreign judgment control rules are not commonly recognised under Egyptian law in the same manner as in some other jurisdictions. Egypt is not a party to the Hague Evidence Convention, which governs how courts in one state request evidence located in another. In this regard, the analysis below refers to the closest existing legal concepts under Egyptian law that address similar issues.

Judicial Co-Operation and Mutual Legal Assistance

Under the Criminal Procedural Law, judicial authorities may co-operate with their foreign counterparts in the investigation and prosecution of crimes through mutual legal assistance requests. In this regard, the Criminal Procedural Law provides that a request for judicial assistance submitted by a foreign authority may be granted only where it relates to an offence punishable under the law of the requesting state, and where the execution of such a request does not prejudice Egypt’s security, sovereignty, public order, public morals or national security interests.

Foreign Discovery and Cross-Border Disclosures

In relation to foreign discovery, for example, Egypt and the United States are parties to a mutual legal assistance agreement in criminal matters, which provides that where one of the two States requests data relating to the identity or location of individuals, the requested State is obliged to provide such information in accordance with the terms of the agreement.

Sanctions Compliance

From a sanctions compliance perspective, the Criminal Procedural Law allows Egyptian authorities to refuse a request for judicial assistance where the offence forming the subject of the request is not punishable under Egyptian law.

Interaction With the PDPL and Judicial Co-Operation Exceptions

The PDPL expressly provides that its provisions do not apply to personal data relating to judicial records, investigations or judicial proceedings.

For personal data that enters into the scope of application of the PDPL, the transfer, sharing, exchange or processing of personal data to a foreign country that does not provide an adequate level of protection is permitted with the explicit consent of the data subject or their legal representative, in the following cases:

  • where the transfer is carried out for international judicial co-operation; or
  • where the transfer or exchange is implemented pursuant to a bilateral or multilateral international agreement to which Egypt is a party.

The Regulations were issued in November 2025, setting out the requirements, procedures and applicable fees for cross-border transfers of personal data. Looking ahead, the Center is expected to issue specific guidelines addressing cross-border data transfers, to further clarify the applicable requirements.

Shehata & Partners

Cairo Business Plaza
North Tower
2nd Floor, Unit 204
New Cairo
Cairo
Egypt

+2 28 135 692

info@shehatalaw.com shehatalaw.com