Data Protection Center: Masaar’s Proposal on the Executive Regulations for the Data Protection Law

Introduction

Many suspicions surround the seriousness of implementing the Personal Data Protection Law since it was issued in 2020. So far, no practical steps have been taken by concerned bodies to initiate the process of completing the legislative structure and establishing the bodies concerned with implementing the law. In addition, the executive regulations had not yet been issued when this paper was prepared.

One of the bodies expected to be formed to implement the rules of the law is the Personal Data Protection Center, as per Article 19 of the law. The purpose of the Center is to protect personal data, regulate its processing and access, and assume all the competencies set by the law. The rules concerning the operations of the Center are considered the most crucial part of what the yet-to-be-issued executive regulations of the law are expected to deal with.

This paper seeks to present a practical proposal for the formation of the Personal Data Protection Center, which would be the responsible body for implementing the Personal Data Protection Law. The paper proposes standard frameworks for the rules that should be followed. It also points out the concerns that should be considered to ensure proper implementation of the law.

The paper also discusses the Center’s most important functions and the reports and technical regulations it should issue. Moreover, it covers the rules for international cooperation with similar bodies and the Center’s role in receiving and resolving requests and complaints.

The Egyptian Personal Data Protection Law was greatly influenced by the European General Data Protection Regulation (GDPR); thus, the paper seeks to take into account the most important rules concerning the European Data Protection Board that can be compatible with Egyptian law. The paper also proposes some recommendations for reinforcing these rules with explicit guarantees through which previous faults or experiences concerning the operations of Egyptian independent authorities can be avoided. These recommendations do not fail to take into consideration the legislative changes in other Egyptian laws that might influence or intersect the operations of the Personal Data Protection Center.


The Partial Failure to Implement the Personal Data Protection Law Due to the Delay of Issuing Its Executive Regulations

When preparing the Personal Data Protection Law, the legislator adopted a compartmentalization philosophy of the legal responsibilities related to data protection. The law has delegated some of these responsibilities to the executive regulations under the pretext that the delegated rules are only procedural; thus, the executive regulations should regulate them. This was one of the points criticized in the law, among others.

The law has expanded the number of cases where regulation of rules and procedures was delegated to the executive regulations, so there are more than 18 of them. Such expansion in delegation to the executive regulations that are not yet issued leads to the law being partially unimplemented.

The rules delegated to the executive regulations can be summarized in the following main points:

  • Categorizing licenses, permits, and approvals, determining their types, and setting the conditions for issuing each type.
  • Rules, conditions, procedures, and technical standards concerning licenses and permits for approving personal data collection activity.
  • Policies, procedures, and standards for data collection, storage, and securing within and outside Egypt.
  • Conditions for registering personal data protection officers in the dedicated registry kept by the Data Protection Center.
  • Responsibilities and tasks of personal data protection officers who are hired by entities responsible for personal data collection and processing.
  • Efficacy of digital evidence based on personal data and criteria and technical conditions required for this evidence.
  • Policies, criteria, and checks concerning transferring, sharing, processing, or accessing personal data across borders.
  • Procedures, precautions, standards, and rules that are required to make personal data accessible to a controller or a processor outside Egypt.
  • Procedures and conditions for issuing and renewing forms used for licenses and permits.
  • Determining fees for issuing licenses, permits, and data collection and processing approvals.

Most of the rules delegated to the executive regulations are tightly related to the Data Protection Center operations. As per the Data Protection Law, the Center is the competent authority for the procedures of issuing work policies and rules and for issuing licenses for data protection officers. The Center is also responsible for monitoring and overseeing the implementation of these policies.


General Overview of the Data Protection Center Role

The Egyptian Personal Data Protection Law adopts a philosophy different from that of the European General Data Protection Regulation concerning the formation and role of the competent authority supervising law enforcement. The European regulation adopted the standard of a competent authority, that is, a “data protection commission.” However, Egyptian law was built around establishing the Data Protection Center as a public economic authority following the Minister of Communications.

The difference here is not only about naming. It necessarily extends to the authority’s independence, how tightly it is attached to the executive authority, how well stakeholders’ representation is guaranteed, whether it is treated as an independent consultation body, and other roles and functions that will be affected by the way the law envisions this authority. This paper will try to rectify this fault by discussing the standards that should be adopted in the operations of this authority when preparing the executive regulations or when making amendments to the Data Protection Law in the future.

The Personal Data Protection Law has established a large number of functions and tasks for the Data Protection Center. The Center’s efficacy and competence are among the most important indices for measuring the quality and enforcement of the Personal Data Protection Law.

The following are the most essential functions of the Data Protection Center:

  • Inspection and monitoring of bodies subject to the Data Protection Law, with the Center’s employees being invested with judicial seizure power to enforce these tasks.
  • The issuance of licenses, permits, registration certificates, and the registry of data protection officers’ accreditation.
  • The issuance of administrative orders, instructions, periodic directions, and training guides, and the training of data protection officers.
  • Receiving reports and complaints, applying administrative penalties for breaches, and reconciling crimes related to implementing the Personal Data Protection Law.
  • Offering all kinds of expertise and consultation related to personal data protection, especially to investigation and judicial authorities.
  • Concluding treaties and agreement memos, coordinating, cooperating, and exchanging experience with international bodies related to the Center’s mandate.
  • Communication with national security agencies to delete or modify data in service providers’ custody. Reporting any breaches or violations related to national security protection considerations to competent authorities.

The Data Protection Center is responsible for enforcing the data protection laws and regulations. This includes investigating complaints, taking enforcement measures against companies violating the law, and educating the public about protecting their data.

The Data Protection Center can help ensure compliance with the law and hold companies and individuals accountable for their actions by protecting personal data. The Center can also help build a safer and more trustworthy working environment for companies and individuals.

The paper discusses in the following section the most important criteria that should be used to ensure this role.

Data Protection Center Independence and Main Competences

With every new legislation that establishes an authority or a council concerned with the enforcement of a law, there is always a debate about the independence of the concerned authority or council. In a political environment where the executive authority dominates all institutions of every color, it is difficult to refer to previous experiences that can be considered to have established independent bodies.

However, there are some standards that, if met, may allow the Data Protection Center to enjoy some independence. This independence might be relative due to many other factors besides written roles that cast their shadows over the neutrality and independence of authorities and councils.

The Data Protection Law describes the Center as a “public economic authority.” This description contradicts the Center’s competencies, which are of a service rather than an economic nature.

This formulation reflects the legislative philosophy related to issuing the law. The legislator’s vision is limited to the economic role and return that can be obtained by managing the processes of data protection and access. This formulation ignores the central role the Center should have, which is ensuring the protection of individuals’ personal data and the enforcement of the Data Protection Law’s provisions.

The Law has depended on direct nomination from some administrative entities to choose the Data Protection Center’s board members without setting criteria or expertise for these members. The board’s formation is predominantly administrative without representation of stakeholders or civil society organizations working in the data protection field.

Additionally, almost half the board members are security agency representatives—four out of nine members. This can’t be understood given the exemption of national security agencies from being subject to the Personal Data Protection Law’s provisions. Also, the law’s provisions don’t explicitly set criteria for conflict of interest among the administrative jobs of the board’s members and their tasks related to the Data Protection Center.

All the above concerns make the Data Protection Center a non-independent authority, making it difficult to guarantee that no direct interference will occur in regulating such an essential process as protecting users’ data. Hence, there is a need for a legislative amendment to the current state of the Data Protection Center’s formation and competencies.

In the following section, the paper discusses some of the standards that may contribute to the Data Protection Center’s independence, the benefits of each being available, and the consequences of lacking them.

Ensuring representation of stakeholders in the formation of the Data Protection Center

The Data Protection Law’s executive regulations should require different stakeholders’ representation in forming the Data Protection Center. The Center’s formation must include companies and civil society organizations to develop and implement privacy protection policies. This would help establish a more comprehensive and efficient course of action for data protection.

An influential role in international cooperation and communication with similar bodies in different countries

An important aspect of the Data Protection Center’s independence and success is its cooperation with foreign bodies related to its functions. The Center may cooperate with judicial bodies, authorities concerned with data protection, or service providers in different countries; thus, it is crucial that the Data Protection Center practice this role independently from executive international cooperation entities.

What independence means here is that the Center should not be affected by Egyptian authorities’ policies. Its priority should be protecting users’ data, and any change in its policies should only be relative to how cooperative the foreign bodies are with the Center regarding protecting users’ data in Egypt.

On the other hand, the Center should seek to make data protection laws compatible with international standards and best practices, helping the state commit to its legal obligations. This role requires a continuous commitment to experience exchange, periodic knowledge of best practices, and performing periodic assessment tests. This can be achieved by requiring the Center to dedicate a section in its annual report for the developments of international cooperation methods and the successful experiences the Center sought to transfer according to precise plans.

Establishing rules to ensure the Center’s transparency in practicing its competencies

It should be stated explicitly that the Data Protection Center is committed to transparency. This can happen through preparing periodic reports and ensuring that these reports are published publicly. The Center must also adhere to the rules of proactive disclosure for the discussions and outcomes of its board meetings, planned decisions, activities related to cooperation with governmental and parliamentary bodies and the Council’s counterparts in foreign countries, and the results of investigations concerning big tech companies.

Adopting rules of neutral regulation

The Data Protection Center plays a vital role in issuing implementation rules and periodic instructions and guidelines related to the enforcement of the Data Protection Law. Accordingly, the Center plays a unique legislative role within its field of operation.

This role requires that the Center issue the implementation rules objectively and neutrally and avoid issuing rules of exceptional nature or bias toward entities that collect or process personal data. The Center should set general rules for legislation, which include, for instance, that rules should be abstract and always of a regulatory nature. The Center should also ensure consistent and fair enforcement of data protection regulations, ensuring that comparable situations are treated uniformly regardless of the parties concerned.

Accountability of the Data Protection Center

It was previously mentioned that the Data Protection Center should enjoy independence, which would help it practice its competencies and tasks. However, there are other considerations that are directly related to the concept of independence. Among these considerations is the Center and its board’s accountability for their activities and decisions. The Center’s decisions should be subject to judicial monitoring to ensure their legality and validity; a specialized court should hear appeals against the Center’s decisions.

Balancing the service and economic roles of the Data Protection Center

The Personal Data Protection Law focuses on the economic role of the Data Protection Center. The law closely monitors the Center’s financial operations, particularly how it earns revenue. Provisions in the law focus on the sources of the Center’s income, such as fees for issuing permits to entities engaged in data collection and storage activities. This focus suggests that the Center may be perceived primarily as a revenue-generating entity rather than a comprehensive data protection authority.

It is well understood that one of the functional roles of the Center is issuing permits to practice some activities. The primary purpose of this, however, is not to collect fees. Issuing permits is a preliminary step to ensure commitment to the rules set by the law. On the other hand, the philosophy of the law should be built so that the purpose of collecting fees is to ensure that the Center operates independently and not to produce revenue as an economic entity. Thus, there is a need to expand the service role of the Center when issuing the executive regulations of the law.

Financial independence and guaranteeing the existence of varied and sustainable financing channels

The Data Protection Center should have an independent budget that minimizes dependence on governmental funds as much as possible. This budget should be secured against executive authorities’ interference and set to allow the Center to carry out its tasks effectively. Sustainable mechanisms for financing the Center should be established, such as the fees collected from users or entities willing to get permits for practicing some activities and the fines applied to service providers.

Tenure period and limits

The regulating rules should determine the tenure period for the Data Protection Center’s board. This is done by setting fixed time limits for leadership positions within the Center to avoid undue influence and to reinforce the regular rotation of the Center’s employees. In all cases, the tenure of board members shouldn’t be more than two consecutive terms, each for no more than three years.

For the Data Protection Center to practice its job, its board members and some staff should have legal immunity against legal procedures that may result from performing their duties in good faith.

What is meant by legal immunity here is providing protection for the Center’s staff that allows them to perform their duties independently from any judicial seizure competencies that some of them might have.

Periodic follow-up mechanisms

The Data Protection Center’s independence necessarily means its ability to follow up on the implementation of the decisions, reports, and legislative recommendations it issues. This requires permanent and stable communication channels with the legislative and parliamentary bodies to consider the outcomes of the Center’s board.

The Personal Data Protection Law and its executive regulations should include rules ensuring the Center’s complete legal independence from executive authority. This means that executive authorities shouldn’t interfere with proposals to modify the Center’s structure or competencies. Thus, there should be a rule that requires the parliament and the executive authority to get the Center’s approval of any changes or the issuance of any legislation concerning its operation.

Protecting violation reporters

Egypt currently lacks a specific law safeguarding the rights and protections of individuals who report violations or act as witnesses in legal proceedings. Thus, a special provision in the Data Protection Law or its executive regulations should ensure the protection of violation reporters. This would enable the Center’s staff and others to report any attempted interference or political pressure without fear of retribution.

The Center’s Role in Enforcing Data Protection Principles

The work of the Data Protection Center shouldn’t be limited to playing executive or routine roles with no general objectives governing it. One of the most critical rules the Center should enforce is data minimization, in addition to other principles mentioned in the Data Protection Law.

The Center can investigate violations, issue warnings to companies, and apply administrative fines for not abiding by principles like data minimization. To enforce data minimization as much as possible, the Center may audit or inspect the data collection practices of companies, review privacy policies and contracts, review forms used to collect data from individuals, whether on paper or electronically, and investigate complaints. It may also take enforcement measures as needed if companies collect or store more personal data than needed, or use it for purposes other than those the concerned person was initially informed of.

However, the Center’s enforcement power can’t be adequate unless it has enough resources, expertise, and independence to monitor companies’ practices and take strong measures against violations.


The Executive, Supervising and Monitoring Roles of the Data Protection Center

Ensuring companies’ commitment to the Data Protection Law

The Data Protection Center has many competencies that allow it to oblige those the law addresses to comply with the rules it sets and other rules related to personal data protection.

For the Center to effectively enforce the law’s rules, it should have additional tools other than issuing and withdrawing permits and applying penalties. Below are some of the tools required to be set in the executive regulations to achieve this.

  • Special Investigations: The Data Protection Center may perform a special investigation if it has cause to believe that a service provider is not abiding by the Data Protection Law.
  • Guidance and Recommendations: The Center may issue recommendations that help companies understand the rules of the Personal Data Protection Law and how to abide by them.
  • Assessment of Data Protection Effect: Those addressed by the law should perform assessments of the data protection effect for some high-risk processing activities. The Center should also have the power to review such assessments to determine potential risks and ensure observation.

Issuing Licenses and Permits

The Data Protection Center has broad competencies in issuing permits and other forms of approval required for data collection, storage, or processing. According to the Data Protection Law, the Center has the power to “issue licenses, permits, approvals and temporary measures related to personal data protection and the enforcement of this law’s provisions (…) the accreditation of entities and individuals and giving them the required permits to provide consultation for personal data protection procedures.”

The law also mentions in Article 26 that licenses and permits issued by the Center cover the following activities:

  • Issuing licenses or permits to the controller or processor to perform data storage, handling, and processing operations.
  • Issuing licenses or permits for direct e-marketing activities.
  • Issuing licenses or permits for processing activities performed by associations, trade unions, or clubs over their members’ personal data.
  • Issuing licenses or permits related to video surveillance in public places.
  • Issuing licenses or permits for controlling and processing sensitive personal data.
  • Issuing licenses or permits for transferring personal data across borders.
  • Issuing licenses or accreditations to entities and individuals that allow them to provide consultations on personal data protection procedures and observe their rules.

It is evident from Article 26 that the law distinguishes between two types of licenses that the Data Protection Center issues:

  • Licenses: Documents issued only for legal persons for a renewable period of 3 years. They are issued to entities that practice data collection, processing, or storing professionally and regularly.
  • Permits: Documents issued for both natural and legal persons for a renewable period of one year. They are issued for carrying out a specific activity or task or for practicing e-marketing in particular.
  • Accreditation Certificates: Documents that state that a natural or legal person is qualified to provide consultations in the field of data protection. They have no specified expiry period.

On the other hand, the Data Protection Law has delegated a large regulation area concerning the competence for issuing licenses, permits, and accreditation certificates to its executive regulations. The following are the most essential points these regulations should include:

  • All licenses, permits, and accreditation certificates application forms.
  • Rectifying the law’s omission of an appeal process for cases where the issuance of licenses, permits, or accreditation certificates is denied.
  • Lowering fees for issuing permits and accreditation certificates as these activities do not depend on financial qualification for ensuring users’ data protection.
  • Omission of the statement “the Center may request other data or documents for processing the application, and it has the right to request additional guarantees for personal data protection if it discovers that the protection indicated by handed documents is not enough” in Article 27 of the Data Protection Law. This statement opens the door for undetermined checks and conditions that can’t be verified.
  • Setting a procedural regulation that requires advanced conditions and technical and procedural checks concerning activities related to sensitive personal data.

Receiving Requests and Complaints and Conducting Investigations

Article 19 of the Data Protection Law gives the Data Protection Center the competence to receive complaints and reports related to the law’s provisions and to issue the necessary decisions in this regard. The law also details the conditions for filing these requests and complaints. Article 33 of the law specifies the cases where a complaint can be filed to the Center, which are:

  • Violations of the right to personal data protection or undermining it.
  • Failing to enable the concerned person to practice their rights over their data.
  • Orders issued by the processor’s or controller’s personal data protection officer related to requests filed to them.

In these cases, the complaint is handed to the Center, which takes the proper measures for conducting an investigation and issuing a decision within 30 working days after the complaint is filed. The Center must also notify the complainer and the target of the complaint of its decision. The target of the complaint is required to carry out the Center’s decision within seven working days after being notified of it and to inform the Center of the measures taken to implement it.

Although the law has explicitly set a time frame for the complaints’ filing process, it has delegated the procedural conditions to the executive regulations that haven’t been issued yet. The following are some points that should be included in the process of receiving complaints:

  • Complaints filing methods: It is important to state explicitly the different methods for filing complaints, whether in writing, verbally, or other filing tools. For instance, complaints can be filed at one of the offices/branches of the Data Protection Center, through email, or through electronic forms prepared for this purpose so that they can be filled in and sent through the Center’s website.
  • Preparing forms for requests and complaints: The executive regulations of the Data Protection Law should contain forms that include the data required in complaints, the types of requests according to violations, and a list of attachments that should be presented to verify the violation.
  • The Center’s commitment to providing technical support services: In many cases, the guiding models or written rules don’t satisfy the needs related to filing complaints. Additionally, in some cases, complaints need to be delivered verbally, or the complainer needs to follow up on the developments and trajectory of the complaint or inform the Center of any details that may help investigate the complaint. Thus, it is important that the executive regulations set clear regulations for help and technical support services in different forms.
  • The Center’s commitment to request completion of required information: Some complaints might require more information to be provided to investigate the complaint or to make a proper and clear decision. Thus, the competent department in the Center should request this information. Incomplete information shouldn’t lead to disregarding the complaint. Also, the request for completion of required information from the complainer should be made using the same method by which the complaint was filed.
  • Notifying the complainer of developments of the investigation: The Data Protection Center is obliged to notify the complainer of the development of the complaint investigation. This includes, among other things, that the service provider was contacted, a reply was received from the service provider, a response to the complaint is in process, or a decision was made concerning the complaint along with an explanation of the said decision.
  • Giving reasons for disregarding a complaint: In case a decision is made to disregard a complaint, the Center should state the reason in clear statements, whether this was for procedural or technical reasons, so that the complainer can refile their complaint or appeal the decision.
  • Appealing a decision to disregard a complaint: A procedure for appealing a decision to disregard a complaint should be explicitly set, and the regulatory deadline for filing an appeal should be set starting from the date the complainer knew of the decision.
  • Providing legal consultation in the pre-filing or pre-litigation stage of a complaint: The front desks and technical support channels should help orient the complainer in the pre-complaining stage. This service can save much of the effort needed to investigate the complaints before completing all required information. It also helps limit the number of complaints after explaining the situation to those asking for consultation regarding the validity of their complaint.
  • The Center’s competence to initiate an investigation without a complaint: The executive regulations should include a clear mechanism that allows the Center to initiate an investigation of some cases without the need to file a complaint.

Filing complaints is not vastly different from filing requests in terms of procedure. However, there is a significant difference between them in terms of content. Filing requests is considered the core of the Data Protection Law and the foundation upon which the way service providers work can be assessed. Nevertheless, the law doesn’t include clear rules for filing requests, which can be rectified in the executive regulations.

The executive regulations should contain a detailed chapter that includes some rules for filing requests. Guiding samples that can be used during filing requests should also be attached to the executive regulations for the following types of requests:

  • Requests related to the right to access data.
  • Requests related to the right to deletion: request for user’s data deletion.
  • Requests related to the right to corrections: request to rectify inaccurate or incomplete data.
  • Requests related to limiting processing: limiting the ways data is used.

Technical Reports Issued by the Data Protection Center

Most bodies concerned with data protection play a significant role in monitoring the processes of data collection, storage, and processing due to their importance. These bodies publicize their activities through reports targeted at the public, through which developments can be understood.

These reports can take the form of periodic (biannual/annual) reports or special reports that are issued from time to time dealing with specific issues that need explanation to the public, or reports dealing with exceptional cases whose details should be revealed and can’t wait till the next annual report.

In the Egyptian context, the Personal Data Protection Law doesn’t include precise details about the role of the Data Protection Center in issuing reports. The law only made a quick reference to this while enumerating the Center’s competencies. Article 19 states that among the Center’s tasks is “preparing and publishing an annual report about the state of personal data protection in Egypt.”

As there are no clear guidelines for these reports and their content, this paper will explore the most essential elements they should include in the upcoming section. The paper also discusses the patterns/forms of reports that can be issued. In this regard, the paper considers the rules included in the GDPR to align with the philosophy adopted by the Egyptian legislator in dealing with the European Regulation as a legislative reference for the Personal Data Protection Law.

Periodic (Biannual/Annual) Reports

The purpose of periodic reports is to support the transparency of service providers’ application of legal rules. They also reveal how the Data Protection Center carries out its role in consistently applying the law, monitoring its efficacy, and determining any issues that might need dealing with. Periodic reports are a preliminary step that can contribute cumulatively to stage reports related to the general assessment of the Data Protection Law.

Accordingly, the elements that the periodic reports issued by the Center should include must be a legal obligation. The most important of these elements are:

  • Statistics of received data protection complaints, the ones resolved and those under investigation, and analysis of trends in the sizes and types of complaints.
  • Statistics of the number of cases the Center provided a technical opinion in, especially the complaints referred to specialized courts.
  • Statistics and models of issues related to the Center’s functional role in international cooperation with its counterparts in other countries.
  • Statistics of the entities applying for accreditation certificates and permits for practicing activities of personal data collection and processing and detailed data of entities that already obtained permits during the reporting period.
  • An executive summary of the exchanges between the Data Protection Center and international big tech companies and local communications service providers, which are the largest data collection entities.
  • Analysis of patterns of violations committed by service providers and how these violations have evolved since the previous report.
  • Statistics on the number of entities that went through training to better abide by the Personal Data Protection Law.
  • Recommendations and guidelines for users to point out the most critical violations related to the law application and how users may deal with them.
  • Follow-up on the previous report’s recommendations. Later reports can follow up on the applied recommendations or the effects of those that were not dealt with. The follow-up shows the effect of Data Protection Center monitoring and the consultations it offers regarding the continuous enhancement of the data protection system.
  • The reports should be published publicly and prominently on the Data Protection Center’s website.
  • Embed specific, data-driven insights and information into data protection implementation instead of mere general data. The reports may refer to detailed statistics, case studies, or other data about how the law is enforced in practice. Tangible statistics help stakeholders understand the scene of data protection more clearly.
  • Reports can present the enforcement procedures that the Data Protection Center can take, how it deals with gaps in resources and expertise and other internal issues related to its supervision capabilities. This kind of transparency supports the accountability of the Center itself, not only of service providers and policymakers.

Stage Reports for Assessment of the Suitability of Rules Application

The Data Protection Center should play a role in policy-making processes related to personal data protection. The Center’s opinion should also be consulted as it is the competent authority concerned with enforcing the Data Protection Law. The Center is the entity that can assess the practical issues related to law application and, consequently, the obstacles that prevent the Center from practicing its competencies.

Thus, there should be a mechanism through which the Center can relay its recommendations and views regarding applying the law. This can be achieved through issuing stage reports addressed to decision-makers in general and the Egyptian legislator in particular. The following are the most essential elements that should exist in stage reports:

  • A report issued every five years on the assessment and revision of the Data Protection Law, including its application.
  • Providing opinions on rules of conduct charters and the certificates provided to service providers.
  • Determining if there is a need for any modifications of bylaws to catch up with technological and societal evolution.
  • Stage reports should include the state of personal data protection in Egypt and any issues arising from the application of the law in practice.
  • Summary of annual reports for the previous five years.
  • Recommended changes to Data Protection Law. If the Center determines ways to enhance the Data Protection Law to better keep up with technological and practical advances, it should recommend specific modifications or amendments to the government and the parliament. Reporting recommended modifications allows the continuous enhancement of data protection.
  • Issuing practical and workable recommendations. For the reports to be helpful for policymakers and companies, they should recommend specific and practical steps to enhance data protection.

Special/Topical Reports

Besides periodic reports that deal with the most important statistics related to law enforcement, it can be vital that the Data Protection Center issue topical reports about some issues related to data protection.

For instance, the Center may issue special reports on sensitive data protection, reports about crises involving users’ data leaks, or reports explaining changes in work methodologies or technical guidelines that are considered part of work permits or accreditation certificates.


Technical and Consulting Roles of the Data Protection Center

Setting rules and technical directives and monitoring their implementation

One of the most important roles of the Data Protection Center is the technical one. This role starts with preparing technical rules and general guidelines, goes through technical assessment of entities willing to obtain permits for practicing activities of personal data collection or processing, and ends with conducting investigations into violations. The following are the most critical technical responsibilities of the Center:

  • Issuing directive principles concerning the specific requirements of the Personal Data Protection Law, like data protection effects assessment, international data transfer operations, data breach notifications, etc. Such guidelines provide more detailed practical advice about how to abide by the Data Protection Law requirements.
  • Issuing executive decisions that help different entities implement the rules set by the Personal Data Protection Law and its executive regulations.
  • Providing general guidelines about personal data processing, the rights of concerned persons, data protection officers, and other issues to reinforce consistent interpretation of law requirements.
  • Setting technical standards for storing and processing personal data.
  • Issuing directive principles for securing personal data and preventing data violations.
  • Reviewing and approving data protection policies in governmental departments and private companies.
  • Monitoring the application of data protection rules and systems.
  • Receiving and replying to technical queries.
  • Issuing technical training guides and providing training based on them.

Issuing technical interpretations of the Data Protection Law

The integration and connection of the Data Protection Center’s functional roles should be considered when viewing how it works and its role. When it comes to obliging the Center to have an assessment role for the application of the Data Protection Law through periodic and stage reports, the authority responsible for both implementation and assessment should also be the one responsible for two supplementary roles:

First role: The Data Protection Center should be the entity that has the power to issue the executive decisions, directions, and interpretation memos required to apply the Data Protection Law rules. Tackling this role by the Center has its merits. For instance, the Center will have the technical and practical expertise on legal and technical levels that qualify it to interpret the general rules set by the law and its executive regulations.

Tackling this role is based on the Center’s understanding of the daily issues that need intervention with decisions, instructions or interpretive memos that may help best application of the law’s rules. Additionally, tackling the interpretation role helps avoid the existence of interpretations that hinder the application of the law. This is consistent with the Center’s idea of independence and the non-intervention by executive authorities in its work.

Second role: This role is considered to be closer to that of an executive legislator, which is a role imposed by reality. This role manifests in the time of legislative silence, which is the legislator’s failure to recognize some issues or the emergence of new facts that didn’t exist when the law was issued. The Center may intervene in such cases by issuing some decisions that seem externally to regulate or interpret decisions, if possible.

While acknowledging that concerns about the merger of executive and legislative roles are not unfounded and have valid reasons in the Egyptian context, the paper suggests that attempts to regulate the role may restrain its potential.

The process of the Data Protection Center’s participation in legislation is tied to two important points. The first is related to the ongoing changes taking place in the communications and information technology sectors. The law comes late to these changes after the initiation and stabilization of any technological advancement. Thus, practical necessity dictates a need to understand the nature of evolution and set legal rules related to it, in addition to the practical technical issues that experts deal with.

The second point concerns the over-legislation of issues and topics related to the communications sector. The Data Protection Center is a regulator that can curb the expansion of any legislation that harms the data protection process.

To understand this point, the legislative pattern can be pointed out for more explanation. The issuance articles or the preamble of some laws may contain statements like “referring to the Data Protection Law” or “with no prejudice against the regulations of the Data Protection Law.”

These statements are understood to express that the legislator realizes that the rules of the law may intersect with the protection set for personal data. However, what often happens is the opposite. In many cases, such laws include provisions that might be considered an assault on data protection rules.

Thus, provisions requiring the legislator to consult the Data Protection Center are a basic guarantee that a clear legislative course for dealing with data protection rules exists. It is also essential to have an entity capable of clearly objecting to provisions that may represent an assault against data.

The Data Protection Law includes a statement that emphasizes this. Article 19 states that one of the Data Protection Center’s competencies is “providing its opinion as for laws drafts and international treaties whose provision regulates or affects, directly or indirectly, personal data.” However, this formulation is defective and makes the statement rather ambivalent.

The statement “provides its opinion” indicates that the Data Protection Center’s role is consultative but is not binding. This means that the Center doesn’t have a real prerogative.

Two mechanisms can be used to make the Center’s opinions binding. First, the consultative role represented by providing its opinion can be kept while adding a right for the Center to veto draft laws. This can be done through a clear veto mechanism with time limits during which the aspects of the objection and suggested resolutions can be clarified. The second could be to require the legislator to get the Center’s approval before passing a law.

These two mechanisms ensure serious and actual participation in law-making. However, these attempts are not a replacement for societal dialogue about laws in general or exploring the views of stakeholders in particular.

Providing technical consultation in courts

Article 19 of the Data Protection Law states that one of the Data Protection Center’s competencies is “providing all kinds of expertise and consultation concerning personal data protection, especially to investigation authorities and courts of law.”

The law doesn’t include precise details about the mechanisms through which technical support or consultation services can be provided. Thus, the executive regulations should include more specific details about this role to respond to the following points:

  • Preparing a registry of experts and technicians: The executive regulations of the Data Protection Law should allow the Data Protection Center to create a registry recording the experts, both those working for the Center and independent ones, whose services investigation authorities and courts can use, including for preparing alternative reports to the ones issued by different parties. The provisions should also determine the conditions and checks for registration.
  • Authority of technical reports issued to investigation authorities and courts: The Data Protection Law doesn’t include any precise details about expert work, the authority of the technical opinions issued by the Center, and how they can be appealed. The general rules set by other laws, like the Criminal Procedures Law, may be used. It should, however, be noted that this would contradict the philosophy adopted by the legislator that sought to have a comprehensive law that regulates all the details related to personal data. Thus, it is better to have a particular chapter in the executive regulations for procedural rules, including the authority of technical reports, how they can be appealed, and the ability to acquire the help of experts.
  • Technical independence and non-intervention in the work of experts: The Egyptian legislator’s stance concerning bodies of expertise in communications and information technology should be clear. There are already experts in the National Telecommunications Regulatory Authority, and there will be experts in the Data Protection Center. More bodies will emerge with time. Thus, it is crucial to have a comprehensive vision for expert bodies, their roles, how they work, and the rules of their administrative accountability.
  • Separation of the Center’s roles of filing reports of misconduct and as a body of expertise: The Data Protection Center has different roles. Among them are a monitoring role, issuing permits and accreditation certificates, and the role in investigating reports of misconduct and complaints. On the other hand, the Center has a role as a body of technical expertise. Thus, there is a need to set rules related to the complete separation of the departments that provide technical opinion as a body of expertise and those related to investigating complaints.

The Data Protection Center’s Role As a Guidance Provider

Preparing methodologies and guides for training companies and individuals

It is essential to see the different roles and competencies of the Data Protection Center as integrated. There should be no separation between one role and another. Thus, besides the monitoring and procedural roles related to issuing permits and accreditation certificates, the center should be a guidance provider for governing the activities of using personal data. This role is an important part of the personal data governance process.

If the Center lacks a guidance role, every person or entity licensed to practice activities related to personal data would work differently. Additionally, the Center’s role in publishing educational courses and training guides would have a direct effect on limiting unintentional violations of personal data, especially those that can happen due to a lack of expertise.

Also, law enforcement entities other than the Center, such as security agencies, investigation authorities, and courts, should be provided with enough knowledge to help them carry out their roles related to enforcing the Data Protection Law effectively and efficiently.

Despite the Center’s important guidance role, the Data Protection Law doesn’t give it enough care. The law has just quickly addressed this role in Article 19, which regulates all the Center’s competencies.

Establishing a specialized department in the Center to carry out the guidance role can maximize its effectiveness. The following are some of the activities that this department can practice:

  • Direct training programs: Organizing and conducting workshops, seminars, and online courses about different aspects of data protection specifically designed for different sectors and professions. These programs provide employees with the practical skills of dealing with personal data securely and according to professional rules.
  • Certification programs: Developing and offering certification specialized in data protection for people working in high-risk fields. These programs provide in-depth knowledge and prove competence in data protection practices.
  • Educational cooperation: The Data Protection Center may cooperate with universities, professional associations, and training institutes to develop and provide data protection courses. This helps raise awareness of data protection in education and training programs.
  • Awareness campaigns: The Data Protection Center may need to organize awareness campaigns that target specific industries or groups of data protection officers. These campaigns can raise public awareness of data protection rules and encourage responsible practices in dealing with data.
  • Developing practical guides: These guides seek to answer practical common questions about specific data protection topics, like data collection, requests for access, data violations, and data protection officers’ monitoring. These resources provide employees with easily accessible information in addition to best practices for abiding by the law.
  • Issuing guidelines for the sector: The Data Protection Center needs to create specialized guiding documents addressing specific sectors like healthcare, finances, or education. These guidelines discuss the challenges and threats of data processing related to these sectors.
  • Maintaining resources on the Internet: The Data Protection Center should create specialized websites that include comprehensive information about data protection laws, charters, and best practices. These websites would be valuable resources for employees to consult and stay informed about data protection developments.

Issuing warnings and special newsletters for data breaches

One of the most important jobs of the Data Protection Center is to issue public warnings and newsletters related to occurrences of data breaches. This role is tied to general users’ trust in the seriousness of the Center’s work. Thus, the executive regulations should include some conditions for the process of publishing warnings. Among these:

  • Fast publishing of preliminary information about the size and nature of breached data.
  • Continuous publishing of developments and the measures taken by the Center concerning the breach.
  • Preliminary guidelines that users or third parties affected by the breach should follow.
  • Guiding users to legal procedures they may follow.
  • Avoiding publishing unclear or ambivalent information about breaches.
  • Publishing preliminary estimations of what the Center thinks to be the causes of the breach.
  • Raising the level of warnings in case the breached data was of a sensitive nature.

The Center’s Role in Domestic and International Cooperation

Rules of international cooperation with counterpart entities

The unique nature of the Data Protection Center competencies requires its communication and coordination with counterpart entities in the state, unions, or organizations concerned with data protection. This communication is necessary for exchanging experiences or investigating some complaints.

The Center should have the required transparency aspect to carry out this important role. International cooperation can take any of the following forms:

  • Technical cooperation treaties and protocols.
  • Preliminary decisions and final outcomes of cross-border investigations (joint investigations).
  • Two-party treaties concluded for exchanging information related to data protection or reciprocal aid requests.

The Data Protection Center needs to follow some obligatory rules in the above-mentioned forms of international cooperation. Among these are:

Voluntary publishing

Rules should require the Center to voluntarily publish information without the need to file a request. This applies to all the Center’s major activities but, in particular, the main information about international cooperation activities. Publishing information should also be as prompt as possible and in a clear place/section dedicated to international cooperation activities news. Additionally, treaty texts and joint investigations should be published.

Clarity of published information

The Data Protection Center should avoid silence concerning international cooperation activities, publishing only brief news about forms of cooperation, or slacking in the publishing process, which would lead to weak users’ trust in the Center’s work.

Announcements and continuous publishing of joint investigations

Continuous publishing of cross-border joint investigations should be clearly required. It shouldn’t be limited to the preliminary reports related to the initiation of investigation but should also expand to publishing their developments in different stages and full publishing of final outcomes.

Wide publishing of violations reported by counterpart entities

One form of international cooperation is competent data protection authorities notifying each other of breaches, especially ones related to big tech companies’ activities. In such cases, the Egyptian Data Protection Center should promptly and widely publish the preliminary information related to breaches in addition to publishing information and guidelines about how to deal with the issue.

Publishing summary of international cooperation activities in periodic reports

The Data Protection Law or its executive regulations should include a regulatory statement requiring the Center to have a section in its periodic and stage reports that includes the most important developments of international cooperation activities. These reports should also include the challenges the Center faced while working in this field and its plans for cooperating with counterpart entities.

Building partnerships with different stakeholders

The Data Protection Center is the coordinator among the different parties practicing activities related to personal data. An integrative part of the Center’s tasks depends on its ability to communicate with these parties.

Thus, there should be mechanisms supporting continuous communication between the Center and different stakeholders. These mechanisms include relevant industry chambers, like the Information Technology Industry Chamber, and any form of organization that groups relevant professionals, like professional associations and syndicates, and legal persons representing service users, like consumer protection associations and other entities.

To accomplish this, it should be explicitly stated that an office should be designated or a department established in the Center whose job is to communicate periodically with different stakeholders, receive their recommendations and complaints, and hold periodic biannual meetings for different parties to exchange views about the state of data protection issues and listen to any developments that may affect their activities. Minutes of those meetings should also be published in a dedicated section on the Personal Data Protection Center’s website.