First Judicial Application of the Personal Data Protection Law: A Reading of a Compensation Ruling Against Orange

Introduction

Since the Personal Data Protection Law was enacted in 2020, Egyptian courts haven’t had the opportunity to comment on, interpret, or apply it. This is primarily because the executive regulations for the law have not yet been issued, rendering most of its provisions inoperable and unenforceable.

However, the Alexandria Economic Court recently issued a landmark ruling addressing the immediate applicability of the Personal Data Protection Law. This ruling is significant as it represents the first prominent judicial application concerning the accountability of telecommunications companies for violating user privacy. In reaching its decision, the court drew upon various modern legal frameworks, including the Anti-Cybercrime Law, the Personal Data Protection Law, and the Consumer Protection Law.

This paper analyzes the court’s reasoning and the key legal arguments it employed in interpreting the modern legislation. It also examines the new judicial principles established by the court regarding the responsibilities of telecommunications companies in protecting customer data.

Furthermore, the paper discusses how the court evaluated evidence, its reliance on expert reports and those from the National Telecommunication Regulatory Authority, and how it inferred moral and material damages linked to the defendant company’s negligence.

Additionally, this paper explores the legal implications of this ruling on telecommunications companies’ obligations and users’ rights, including why arguments of force majeure or technical difficulties can’t be used to avoid company responsibility. Finally, the paper highlights the importance of the judgment as a reference for judges, lawyers, and legislators.

Background of the Economic Court Case

In February 2025, the Alexandria Economic Court ruled that Orange Egypt Telecom would pay EGP 10 million in compensation to a woman whose personal data had been violated. This judgment stemmed from the company replacing the plaintiff’s phone SIM card without her consent. Consequently, the court mandated the company to compensate the plaintiff for the material and moral damages she incurred.

The case dates back to November 17, 2022, when the plaintiff was outside Egypt. During this time, unknown individuals illegally obtained a new SIM card for her mobile line without her knowledge or approval. As a result, these individuals managed to seize control of the plaintiff’s WhatsApp account and extort her into dropping lawsuits she had filed against a real estate company abroad.

The plaintiff filed a police report about the incident and requested a copy of her phone contract from Orange. However, the company refused to provide her with the document. This led the plaintiff to file a lawsuit with the Economic Court, seeking compensation for the damages she had suffered.

The Court’s Interpretation of Personal Data Protection Law Rules

The Economic Court relied on several constitutional and legal texts to safeguard the plaintiff’s right to privacy and to hold the company accountable for the violation. In its reasoning, the court clarified that personal data enjoys constitutional protection under Article 57 of the Egyptian Constitution, which stipulates the inviolability of private life and prohibits its infringement.

Additionally, the court referenced Article 12 of the Universal Declaration of Human Rights, considering it an integral part of human rights. The court further affirmed that any violation of personal data constitutes an assault on private life, which the Constitution criminalizes.

In support, the court cited Article 99 of the Constitution, which states that any infringement on private rights and freedoms is a crime for which the resulting legal action is not subject to a statute of limitations. This means the aggrieved party retains their right to compensation even after the passage of time.

After establishing this constitutional basis, the court proceeded to interpret the laws relevant to the case.

Anti-Cyber and Information Technology Crimes Law No. 175 of 2018 

The court clarified that this law imposes several obligations on telecommunications service providers. Primarily, they must retain records of usage and information system servers for 180 consecutive days. This data includes user information, content of their communications, traffic data, and devices used. The law also mandates that companies protect the confidentiality of this data and prevent unauthorized access.

In establishing the confidentiality of customer data, the court relied on Article 2, Paragraph (2) of the Anti-Cybercrime Law. This article requires the service provider to “maintain the confidentiality of stored data and not disclose or make it available except by a reasoned judicial order.”

The court also cited Paragraph (3), which mandates technical security for data and information to prevent penetration or interception. The court determined that the defendant company breached these legal obligations by effectively allowing unauthorized access to the plaintiff’s data (her phone SIM card and associated services) without permission or oversight.

Personal Data Protection Law No. 151 of 2020

The court noted that the Personal Data Protection Law establishes a comprehensive framework for protecting individuals’ data. It prohibits the processing of personal data without the data owner’s explicit consent. The law also obliges data controllers to implement strict measures and controls to protect this data.

The court cited Article 4 of Chapter Three of the Data Protection Law, which enumerates the data controller’s obligations. Foremost among these obligations is the prohibition of making personal data available or processing it except in legally authorized cases or with the data owner’s consent. The article also stipulates taking all necessary technical and organizational measures to protect and secure personal data, maintain its confidentiality, and prevent its penetration or manipulation.

The court deemed the company’s replacement of the plaintiff’s phone SIM card without her consent to be unlawful processing of her personal data, violating the law’s provisions. Furthermore, it considered the company’s failure to secure the plaintiff’s data, and its making that data available to others, a grave breach of its legally imposed duty to protect data.

Consumer Protection Law No. 181 of 2018

The court also referenced the Consumer Protection Law, which obliges service providers to maintain the confidentiality of customer data and prevent its disclosure. Article 29 of this law mandates that suppliers contracting with consumers must protect the privacy of consumer data. They are prohibited from disclosing or disseminating this information unlawfully unless the consumer gives explicit consent. The same article also mandates that suppliers take all necessary precautions to safeguard the confidentiality of this data.

In light of this, the court determined that the telecommunications company failed to comply with the Consumer Protection Law by allowing the circulation of the plaintiff’s data and phone SIM card. The court also emphasized that the consumer’s right to data confidentiality has become essential to Egypt’s legal consumer protection system. It held that violation of informational privacy constitutes a form of harm to the consumer, necessitating compensation just like direct material harm.

Through this integration of constitutional provisions and relevant laws, the court presented a harmonious interpretation that supports personal data protection. On one hand, the Constitution establishes the general principle of the inviolability of private life and the right to compensation for its infringement. On the other hand, the laws impose specific duties on technology and telecommunications companies to ensure that inviolability. The court applied these provisions in its ruling, paving the way for establishing the company’s tortious liability, as will be clarified in the following sections.

In addition to applying existing legal rules, the Economic Court’s judgment established a new judicial precedent, redirecting the judiciary’s understanding of telecommunications companies’ responsibilities. The most prominent of the new trends it set are as follows:

Telecommunications Company’s Responsibility as a “Custodian” of Customer Data

The court considered Orange Egypt to be in the position of a “custodian of a hazardous object” regarding its customers’ personal data and phone lines. This legal analogy implies presumed liability without needing to prove fault. Article 178 of the Egyptian Civil Code states that the custodian of an object is responsible for any damage caused to that object unless they prove the intervention of an external cause beyond their control.

Relying on this article, the court concluded that the company exercises effective control over the operation of SIM cards and the associated data and communication infrastructure, thereby assuming the custodian role. On this basis, the company incurs strict liability for any damage resulting from the unauthorized disclosure, leakage, or misuse of customer data.

This interpretation represents a significant development in the legal understanding of service provider liability, effectively imposing a regime of presumed fault. Where a customer suffers harm due to service-related failures or breaches of data confidentiality, the company is deemed legally at fault without the need for the plaintiff to prove negligence. The burden of proof thus shifts to the provider, which must demonstrate the presence of a force majeure event that caused the harm.

In the case against Orange, the company did not prove the existence of an external cause that would negate its responsibility; for instance, it did not claim that an unforeseeable or extraordinary external incident led to the SIM card replacement without its knowledge. Consequently, the company’s liability was automatically established, and the court held it strictly liable as custodian of the plaintiff’s data.

Extent of the Company’s Obligation to Protect Personal Data and Prevent Unauthorized Access

The court’s ruling stressed that a telecommunications company has an affirmative responsibility to protect its customers’ data. This means it must take active, preventive steps to stop any unauthorized access. In the court’s view, simply not disclosing customer data isn’t enough; the company must secure its technical systems and close any vulnerabilities that could allow an attacker to access subscriber data.

The court also pointed out that both the Anti-Cybercrime Law and the Personal Data Protection Law require companies to implement necessary safeguards against breaches or leaks. What’s notable here is how the court connected this general legal duty to the standard of tortious fault.

The court found that the company’s failure to prevent issuing a replacement SIM card without verifying the owner’s identity and consent amounted to clear tortious fault on the defendant company’s part. The court rejected common implicit justifications, such as claims that the perpetrators used deception or forgery.

Instead, the court believed the company’s duty required it to anticipate such fraudulent attempts and take strict verification measures. This could include multi-factor authentication, requiring the line owner’s personal presence, or a certified official authorization to prevent any unlawful exploitation of customer data.

With this judgment, the court raised the standard of due care expected from telecommunications companies. A mere breach or unauthorized impersonation implicitly means the company failed in its duty to protect. The ruling implies that the company is only exempt from liability if it can prove the breach or violation resulted from an external, irresistible force (like a natural disaster or a technical force majeure completely beyond its control), which the company did not claim in this case.

Distinguishing Between Technical Data and Contractual (Ownership) Records

One of the problematic points clarified by the judgment was the distinction between two types of data held by telecommunications companies and their respective obligations towards each:

  • Technical Data or Usage Data: This category includes call traffic data, technical content, and information related to network usage. The Anti-Cybercrime Law obliges companies to retain this data for at least 180 days. After this period, some of this data (such as detailed usage data) may be deleted according to laws or company policies, unless legal justifications require longer retention.
  • Contractual Data and Line Ownership: This refers to the subscriber’s (customer’s) personal data, their service subscription contract, and records of their ownership of the phone number. The court clarified that this type of data differs from technical usage data, and the company cannot dispose of it after six months, claiming its legal obligation to retain data is temporary. The court emphasized that contract and line ownership records must be kept throughout the contract’s validity period and possibly for subsequent years to protect subscribers’ rights and for reference in case of disputes.

Additionally, the court considered the company’s failure to retain the plaintiff’s line ownership records as an independent tortious fault, proving its civil liability. The case documents also revealed that Orange claimed it only retains customer data for six months according to the law, and therefore could not provide a copy of the plaintiff’s contract after that period. The court rejected this defense, deeming it legally incorrect.

The court explained that the provisions of the Telecommunications Regulation Law and the Consumer Protection Law oblige companies to securely retain subscriber contracts and line ownership records for future reference. This principle is fundamental because it closes a loophole some companies tried to exploit to evade responsibility by claiming they had deleted a customer’s contract or data after a few months under internal policies.

It is now clear that destroying or losing a subscriber’s contract without legitimate justification constitutes negligence that incurs liability. The ruling explicitly stated: “Failure to retain line ownership records is a default that establishes liability. And the claim of maintaining data for 6 months is incorrect, as contractual records must be kept.”

Ineffectiveness of “Technical Difficulty” or Force Majeure Arguments Without Concrete Proof

As is evident, the court effectively closed the door for telecommunications companies to rely on general excuses to justify negligence. The court rejected any argument that the incident might have resulted from an individual employee error or a fleeting technical glitch. It considered these matters to fall within the company’s responsibility, obliging it to train its employees and review its technical procedures continuously.

Consequently, a company is only exempt from liability by providing conclusive evidence of a genuine force majeure event or an external incident that was impossible to prevent. This does not apply to routine technical malfunctions, employee errors, or common fraudulent activities; these situations are not considered force majeure but rather shortcomings in security procedures. This judicial trend was evident in the judgment, as the court adopted the standard of Article 178 of the Civil Code, obliging the company to prove an external cause to avert its liability, which the company failed to do.

The Court’s Approach to Evidence Assessment and the Role of Technical Expertise

The court ruling demonstrated considerable effort in applying substantive rules concerning personal data protection. Additionally, the court addressed important procedural aspects in its decision. The handling of this case was characterized by a clear emphasis on collecting technical evidence and verifying the plaintiff’s claims, especially given the defendant’s absence from court.

It’s evident from the judgment that the court didn’t just rely on the initial documents submitted by the plaintiff. Instead, it took several steps to ensure it reached the complete technical truth:

Appointing an Expert in Telecommunications and Information Technology

At the plaintiff’s request, the court appointed a technical expert specializing in telecommunications and information technology. This expert was tasked with visiting Orange’s premises to examine its systems and records related to the disputed phone line.

The court precisely defined the expert’s mission, which included verifying the relationship between the plaintiff and her phone line, how the SIM card was replaced, whether the plaintiff still owned the line, or if ownership had changed to someone else. In the latter scenario, the court asked the expert to determine the procedures followed in issuing the replacement SIM card and their validity.

This step reflected the court’s commitment to conducting a neutral technical examination rather than merely accepting the parties’ claims, especially since the defendant company failed to appear to defend itself. Indeed, the expert examined the company’s records and uncovered detailed information about the SIM card replacement process, revealing the company’s failures in verifying the identity of the person requesting the replacement.

Reliance on the National Telecommunication Regulatory Authority Report

The case file included a report by the National Telecommunication Regulatory Authority (NTRA). The report stated that Orange failed to follow regulatory rules for securing SIM cards and preventing the issuance of replacements without proper verification.

NTRA confirmed that the company’s procedures in this incident violated regulations. The expert’s report, supported by the NTRA report, together formed strong evidence of the company’s fault.

Defendant’s Absence – Orange Company

Orange did not attend the sessions despite being legally notified. Consequently, it did not present any defenses or provide defensive evidence. Although the defendant’s absence might theoretically ease the plaintiff’s task, the court did not rely solely on this. Instead, it sought to build a solid conviction through technical evidence, ensuring its judgment was based on objective certainty.

A prominent aspect of this judicial ruling is its acknowledgment of moral (non-material) damages resulting from personal data breaches, alongside direct material damages, and its decision to mandate compensation for both. The court followed a meticulous approach in assessing and inferring these damages, as evident from the following points:

Proving the Three Elements of Tortious Liability

The court clarified that it found the three elements of tortious liability present in the lawsuit: fault, damage, and causality. The fault lay in Orange’s breach of its legal and security obligations towards the plaintiff by effectively allowing an unauthorized person to obtain her phone SIM card, leading to the subsequent violation of her privacy.

The damage was dual in nature: material damage encompassed potential losses or costs incurred by the plaintiff (such as being forced to take legal action or the impact on her interests due to blackmail in her work or other lawsuits). Moral damage was represented by her psychological suffering, the pressures of blackmail, and the violation of her privacy. The causal link was clear: had it not been for the company’s negligence in protecting data and its replacement of the SIM card without authorization, the damage would not have occurred in the first place.

Judicial Discretion in Assessing Reparative Compensation

After establishing liability, the court moved to assess the financial compensation due to the plaintiff. It exercised broad discretionary authority, referencing a recent ruling by the Egyptian Court of Cassation (Appeal No. 10111 of Judicial Year 89, Session dated 5/12/2024), which affirmed that damage valuation is within the trial court’s purview, based on the severity of harm and its circumstances.

Based on this principle, the court awarded compensation of EGP 10 million for the total damages. The court’s assessment of a relatively large sum reflects its view of the seriousness of the violation against the plaintiff. Granting access to private communication and facilitating blackmail constitutes a severe violation of dignity and privacy, warranting deterrent compensation.

Furthermore, the court’s compensation ruling against Orange likely aimed to deter the company and others, serving as a disciplinary measure. Although Egyptian law does not explicitly recognize punitive damages, choosing the maximum compensation commensurate with the damage achieves the goal of general deterrence.

In its judgment, the court was keen to detail the aspects of damage and how they directly resulted from the company’s actions. For instance, the court noted that the perpetrators’ seizure of the plaintiff’s WhatsApp account enabled them to access her conversations and photos, which caused her psychological distress, violated her family and social privacy, and resulted in severe moral damage.

The company’s failure also affected the plaintiff’s professional reputation and may have undermined her legal position in disputes with the foreign real estate company. She was coerced into forgoing certain rights or, at the very least, faced pressure to do so, amounting to both moral and material damages. Orange’s refusal to provide a copy of the contract further weakened her legal standing, forcing her to incur additional costs and efforts to prove SIM ownership and pursue litigation. These are material damages.

These details confirmed the direct causal link between Orange’s negligence and the harmful consequences suffered by the plaintiff, thereby weakening any attempt (had the company appeared) to argue that the intervention of a third party severed that link. The court concluded that Orange’s misconduct created the conditions for the harm, and the resulting damages were foreseeable and natural consequences of that failure.

This judgment has raised the ceiling for compensation in digital privacy violation cases in Egypt to an unprecedented level. While compensation for moral damages was historically symbolic or limited, this judgment shows a clear judicial trend: moral damage in data breaches is serious and significant, justifying compensation in the millions of pounds rather than mere thousands. This undoubtedly represents a positive development consistent with the growing value of personal data and the need to protect it.

This ruling carries significant legal and regulatory implications that will likely influence the future behavior of telecommunications companies and strengthen user rights against violations. It also tests the effectiveness of traditional defenses like force majeure arguments in such cases. Here are the most notable impacts:

Stricter Obligations for Telecommunications Companies

The Economic Court’s judgment could be a turning point in how telecom companies handle customer data. It will likely prompt them to review and update their internal policies, aligning them with the heightened expectations for legal and security compliance standards regarding personal data. For instance, companies might tighten identity verification procedures for subscribers when issuing replacement SIM cards by requiring in-person presence or implementing additional verification methods to avoid potential liability in identity theft cases.

This ruling may also push them to re-evaluate their policies for retaining customer contracts and data, potentially leading to extended retention periods or enhanced digital archiving processes to ensure records are available when needed. Similarly, companies may find it necessary to strengthen their information security systems, given the ruling’s indication that technical failures do not absolve responsibility.

This could lead to greater investments in cybersecurity and employee training on anti-fraud techniques. It’s also probable that companies will pay more attention to contractual terms and usage policies to manage potential legal risks. While the effectiveness of some protective clauses might be limited when facing mandatory laws or in cases of gross negligence, the ruling could prompt companies to review their contractual language more thoroughly in anticipation of future disputes.

Enhanced User Rights Under Data Protection Laws

Conversely, the ruling provided strong support for the rights of users and customers when dealing with companies regarding their data. The personal data protection principles stipulated in Law No. 151 of 2020 and other related laws have now become directly enforceable in court by affected individuals, not just through regulatory mechanisms or administrative complaints. Here are the most significant impacts in this regard:

  • Any user whose data with a telecom company has been leaked or violated can now reference this judgment as a precedent and demand full compensation for any damages incurred. The current judgment will also serve as a reference in lawyers’ briefs and documents in similar cases in the future.
  • The ruling confirmed that moral damage resulting from privacy violations is recognized and compensable once the company’s responsibility is proven. This guarantees users the right to compensation for the psychological and moral harm they may suffer due to their data being leaked.
  • The judgment also affirmed the user’s right to obtain a copy of their contract and subscription documents from the company. If the company refuses to provide these, as Orange did, this refusal will be considered evidence against the company, not the customer. Users can report this to regulatory bodies or the judiciary to compel the company to hand over the documents. This enhances transparency and gives the consumer leverage to prove their rights.
  • The judgment shows that the Personal Data Protection Law can be enforced in court, even without its executive regulations or the full powers of the Personal Data Protection Center. Through general principles and tort liability rulings, the judiciary has bridged this gap and protected the disputed right. This lays an essential foundation for when administrative mechanisms (such as fines and penalties stipulated in the law) are activated, allowing them to integrate with civil compensation.

In conclusion, the Alexandria Economic Court’s ruling marks a turning point in protecting digital private life. The judgment enshrined the principle of serious accountability for telecommunications service providers regarding any action that infringes upon fundamental user rights.

It also linked the provisions of modern laws with the spirit of the Constitution in protecting the human dignity of citizens in cyberspace. Furthermore, the ruling established the ability to rely on the Personal Data Protection Law, which has been inactive since its issuance in 2020 due to delays in issuing its executive regulations.