A Suspended Law: Two years after the issuance of the Personal Data Protection Law, its executive regulations haven’t been issued


Press Release:

Although two years have passed since the Personal Data Protection Law (PDP) have been issued (July 2020), it is still suspended because its executive regulations weren’t issued yet, though issuance articles of the law have determined the date of issuing the executive regulations to be within 6 months of the coming into force of the law. This means that the PDP executive regulations should have been issued in the second quarter of 2021.

The executive regulations issuance delay led to suspending the PDP law, as its articles have delegated a great number of its procedural aspects to them, including essential details related to some of the objective rules that the law can’t be applied without their ratification. The legislator, when authoring the law, has used a legal responsibility distribution philosophy as related to data protection. It delegated some of these responsibilities to the executive regulations considering the delegated rules to be procedural and thus regulated by the executive regulations. This was one of the points criticized in the law, besides others like high fees for obtaining personal data, no explicit statement of the policies, criteria, and conditions required for transmission, storage, sharing, processing, or exposing personal data abroad, and absence of clear procedural articles regulating the procedures of deletion, correction or editing personal data kept by the storer, the controller or the processor.

The law has expanded in delegating regulatory rules and procedures to the executive regulations, up to more than 18 different points. Masaar had published a policy paper titled “Possible Legislative Alternatives: About the Executive Regulations of the Personal Data Protection Law.” The paper focused on the consequences and effects of delaying the issuance of the PDP executive regulations.

Despite the importance of issuing the executive regulations, the Ministry of Communications and Information Technology (CIT) hasn’t moved since the issuance of the law. The reasons behind this delay can’t be known, as PM Ayman Mehassab, has filed a request for information for the Prime Minister, and the Minister of CIT, in June 2021, concerning the delay in issuing the law’s executive regulations. Also, Senator Hassanin Tawfik, a member of the Education and Communication Committee in the Senate, has demanded of the Minister of CIT to expedite the issuance of the delayed executive regulations, emphasizing that the extended delay suspends the law and jeopardizes the protection of citizens’ data. PM Amira Al-Adly of the Parliament has filed a question for both the Prime Minister and the Minister of CIT to enquire about the reasons for delaying the executive regulations of the PDP law, which led to the suspension of the law, in violation of the law’s article determining a deadline for issuing the executive regulations in the second quarter of 2021. Finally, PM Maha Abdel Nasser, a member of the Parliament for the Egyptian Social Democratic Party, has also filed a request for information for both the Prime Minister and the Minister of CIT concerning the delay in issuing the executive regulation of the PDP law.

The parliamentarian moves were paralleled by a general orientation of the executive authorities, as the National Strategy for Human Rights, launched by president Abdel Fatah Al-Sisi in September 2021, has included an independent panel for discussing the issues of the right to privacy, thus the 9th item of the first axis “Political and Civil Rights,” was dedicated for the right to privacy. And the strategy has counted among the points of strength the issuance of a set of laws that reinforce the right to privacy, including the Personal Data Protection law.

The delay in issuing the executive regulations also has many consequences. Besides direct effects related to the suspension of the law and its reflection on constitutional rights, the delay has stopped the formation of the Data Protection Center, which is one of the important signs of the actual application of the law’s rules. The Center has the competencies of setting the general policies of storing, processing, and gathering data; issuing required licenses for the entities practicing data-related activities; and receiving complaints related to any violation committed within this framework. There are also high risks for critical economic sectors, especially the companies working in the CIT sector, with the rise of the likelihood of applying the penalties set for service providers. While the regulatory rules set in the PDP law are not in force due to the delay in issuing the executive regulations, the section concerning the penalties, applicable to service providers or the legal entities practicing data gathering or processing in general, is still in force. Any person who has incurred damage related to the application domain of the law can seek litigation, which may lead to severe costs for the companies due to the absence of clarity on the technical conditions and standards which define the limits of responsibility for service providers and other entities, besides the absence of economic exploitation of the data centers industry, and the related commission industries.

Accordingly, Masaar – Technology and Law Community demands the prompt issuance of the Personal Data Protection law executive regulations and the start of Personal Data Protection Center formation.