Possible Legislative Alternatives.. About the Executive Regulations of the Personal Data Protection Law

In July 2020, the Personal Data Protection Law was passed (No. 151 of 2020), a year after its publication, of which most of the rules stipulated are still suspended, for non–issuance of the executive regulations, where the law referred a large number of procedural aspects to the executive regulations, and even referred to the essential details related to some objective rules that the law cannot be applied without its approval. The release articles in the Personal Data Protection Law indicates the dates during which the executive regulations of the law must be issued, which are six months from its effective date1.

The law also specified the date of the law becoming effective after the lapse of three months from the day following the date of its publication2.

This means that the executive regulations of the Personal Data Protection Law were supposed to be issued in the second quarter of this year.

Masaar – Technology and Law Community has published a research paper on the Data Protection Law at the end of last year, where the paper referred to a set of key issues in the law, including;

The objective of the adoption of the Personal Data Protection Law, the expansion of exceptions to the protection of personal data, the guarantees and rights of users during the collection and processing of personal data and the procedures for making personal data available, the obligations of the controller, processor and holder, cross–border data sharing, and the powers and composition of a data protection center3.

This paper focuses on the repercussions and effects of the delay in issuing the executive regulations of the Personal Data Protection Law, with a quick reference to the contexts and circumstances associated with the process of drafting the implementing regulations for the law, especially in the absence of a serious societal dialogue, concerning the exit of an executive regulation that is acceptable to the various parties.

The law is suspended due to the executive regulations

The legislator has relied on a philosophy of segmentation of legal obligations related to data protection, where some of them have been referred to the executive regulations. That have been justified by the fact that the rules that have been referred were only procedural rules that the regulations were concerned with regulating them, which was one of the criticisms against the Personal Data Protection Law, in addition to a number of other criticisms, for example;

  • High fees for individuals to obtain their personal data.
  • No clear stating of the policies, standards and controls necessary for the cross–border transfer, storage, sharing, processing or making available of personal data.
  • The absence of clear procedural texts regulating the procedures for erasing, correcting and modifying personal data of the holder, controller or processor.

Such recommendations have been discussed in the commentary issued by Masaar – Technology and Law Community titled; “Personal Data Protection Law … Enhancing the Right to Privacy or Delusion of Improving the Legislative Environment?”4.

The law has expanded in referring large areas of the organization of rules and procedures, crossing eighteen different places, which can be considered one of the most important problems affecting the law, since putting the regulation of some rules individually in the hands of the executive authority – Ministry of Communications – makes the executive authority the only controller in the way the law is applied and many of its rules interpreted.

The rules of law lose the advantage of self-regulation and the ability to apply the rules of law without linking or commenting on decisions and regulations issued by the executive authority.

Such rules can be summed up as follows;

  • Rules, conditions, procedures and technical standards related to licenses and authorizations for personal data collection activity.
  • Classifying licenses, permits and accreditations, determining their types, and setting the conditions for granting each type.
  • Policies, procedures, and standards for collecting, processing, preserving and securing data inside and outside Egypt.
  • Conditions for registering and adding personal data protection officials in the designated register at the Data Protection Center.
  • Obligations and tasks of personal data protection officers, who are assigned to the bodies responsible for collecting and processing personal data.
  • The authenticity of the digital evidence derived from personal data, and the technical standards and conditions that must be provided in the guide.
  • Policies, standards and controls related to the cross–border transfer, sharing, processing or availability of personal data.
  • Procedures, precautions, standards and rules for making personal data available to another controller or processor outside Egypt.
  • The terms and conditions for issuing and renewing them, and the forms of licenses and permits used.
  • Determining the fees for granting licenses, permits and approvals to the entities that collect and process data.

A quick read of the aforementioned, indicates that it is impossible to actually implement the rules stipulated in the Data Protection Law before the completion of

approval of its executive regulations, as it also shows the delay in the work of the Ministry of Communications and Information Technology, being the authority entrusted with decision regarding the issuance of the regulation, especially since the philosophy followed by the legislator in the process of issuing the Personal Data Protection Law has resulted that most of the essential rules focus on the regulation, which has led to the disruption of the entire rules of the law as a result of the lack of approval of the regulation.

Procedural controls that must be included in the executive regulations:

Masaar – Technology and Law Community confirms that there are some procedural controls that must be included in the executive regulations of the Data Protection Law, in addition to the places whose organization the law has referred to the executive regulations, for example;

  • Suitability of making personal data available:

The regulation must include some controls related to appropriately providing the personal data requested by the user, where the user has the right to select or choose from numerous methods and formats that are consistent with the user’s need.

  • A clear and consistent mechanism for reporting a breach, such as personal data leakage:

The list should include and explicit provision of a mechanism for informing the user of any violation of his personal data, together with the time period within which the user must be informed of the extent of the informational damage caused to the User’s personal data.

  • Organizing procedures for correcting, modifying or erasing data:

It is not sufficient to stipulate in the law the right of the user to erase or modify the data, since it is a matter where binding procedural rules must be set by the executive regulations, including the method of submitting the request, the dates for responding to it, and the limits of the responsibility of the processor or controller in the event that these procedures are not taken.

Consequences of the delay in issuing the executive regulations:

Delaying the issuance of executive regulations for laws is a widespread practice in the Egyptian legislative systems, as most of such legislations that were issued during the previous years, took a long time for issuing their implementing regulations.

The period between the approval of the law and the issuance of its executive regulations may exceed two years in some cases, during which the law remains partially or completely suspended, depending on the nature of the law and the rules included.

This is what happened, for example, with the issuance of the executive regulations of The Law Regulating the Press, Media, and the Supreme Council for Media Regulation (SCMR), Law No. 180 of 2018, as well as and the executive regulations for the Anti-Cyber and Information Technology Crimes Law, Law No. 175 of 2018.

This delay has many consequences for the application of laws in general, as we deal with the Personal Data Protection Law, there are two direct effects:

  1. Complete deactivation of the Personal Data Protection Act

The Personal Data Protection Law has fourteen separate chapters, of which the legislator has devoted twelve chapters to set the rules for basic tariffs, determining the responsibilities of the different parties for the process of collecting, processing and storing personal electronically processed data, and the role of the various authorities in implementing the law.

As for the last two chapters, they have been dedicated to the role of the control and investigation authorities, the penalties in case of violating the law, which means that the Personal Data Protection Law is more regulatory, hence, it needs regulations and organizational decisions to implement it.

The delay in issuing such regulations has completely suspended the law, including punitive texts, as their application is linked to the clarity of regulatory rules and their enforceability, for example, accountability of service providers for violations related to the implementing the law is initially related to determining the technical requirements and precautions that the service provider must abide by.

Moreover, the law is one of the newly developed laws that had not been previously regulated, meaning there are no repealed laws or regulations that may temporarily be in effect until the completion of the issuance of the executive regulations, plus, the weakness of protection forms in the legislative structure and its decline in regards to providing adequate safeguards for the rights of users to protect their personal data or to protect their right to privacy in general.

  1. Failure to initiate the formation of law enforcement agencies

The majority of laws related to personal data protection, have entrusted the procedures and controls to an independent body, by monitoring the implementation of the regulations included in the law. These bodies have various powers, beginning from the adoption of general policies related to the process of storing, processing and collecting data, moving to the issuance of the necessary licenses to entities that carry out data–related activities, ending with monitoring these bodies, train their employees, and receive complaints related to any violation that may occur in this framework.

The Egyptian Personal Data Protection Law has created a new relevant body, called the “Data Protection Authority” similar to the European Union’s General Data Protection Regulation (GDPR) on which the Egyptian legislator relied in setting the law, which has set the rules for forming this body and its terms of reference.

The law has established the rules for forming the device and its competencies, while none of the rules regulating this device was referred to the Executive Regulations of the Data Protection Law, which – theoretically – means the possibility of starting the formation of the device, however, the practical reality empties this formation of its content, as although the process of the formation does not require the approval of the regulation, the exercise of the authority’ s powers in full remains pending until the issuance of the regulation

The formation of the device – together with exercising its competence and powers – is an important indicator of the actual start of implementing the rules of law, as well as the shortcomings that may call for the need for legislative intervention to address them, therefore, the delay in forming such device and its executive regulations shows the possible lack of political will for the existence of a serious and effective law that contributes to strengthening personal data protection practices.

The impact of the absence of community participation in developing the executive regulations of the Personal Data Protection Law:

Generally, there is minimal societal participation in the process of passing the law and the implementing regulations, nor here is complete transparency in the approval processes, therefore, there is not enough information why issuing the regulation is being delayed, with the exception of brief statements that bear some contradictions;

  • In early April 2021, the Minister of Communications issued a statement: “The Personal Data Protection Act was passed last year, and work is underway to issue its executive regulations, which includes the establishment of an apparatus to regulate and legalize data circulation in Egypt”5. This is relatively consistent with the statements issued by the Head of the Communications Committee in the Parliament in March 2021, that it has been expected that the executive regulations of the law would be issued within 30 days6.
  • Statements later changed, as the Minister of Communications and Information Technology confirmed – at the end of May 2021 – that the “The executive regulations of the Personal Data Protection Law will take more time than specified to be issued for societal dialogue with companies and civil society organizations, till it comes out in a way that protects the data of citizens and companies.7”.
  • Against the background of this delay, a member of Parliament submitted a request for a briefing, due to the delay in issuing the executive regulations of the Personal Data Protection Law8. Masaar – Technology and Law Community was unable to find any official responses to the request for quotation.
  • The reasons cited by the Egyptian Minister of Communications as a reason for the delay- on top of which came the societal dialogue – have opened the door to questions regarding how to manage this dialogue, the different parties that would participate in it, and what the points around which the discussion revolves, would be.
  • In general, it is not possible to draw clear features of the societal dialogue referred to by the Minister of Communications, where the statements by the Ministry of Communications in this regard have addressed conducting a dialogue with representatives from the ICT sector in Egypt, including “Facebook”, “Twitter”, “Amazon”, “Microsoft” and “IBM”, together with the four mobile network operators in Egypt (Vodafone Egypt, Orange Egypt, Etisalat Egypt, Telecom Egypt), in order to discuss the draft executive regulations of the law, without specifying the topics of this dialogue. Also, no other parties that participated in this dialogue were mentioned, such as: the concerned civil society organizations, specialized chambers of industries, academic and legal experts and others related to this law.
  • The absence of representation of the different groups from the societal dialogue has been reflected in the discussion axes, as the outcomes of this discussion focused on the concerns of the authorities responsible for the data collection and processing process only, rather than the rights of users and respecting and empowering the right to privacy. The information available in the Egyptian media has indicated that there were reassurances for the companies participating in the dialogue, thanks to the presentation of proposed formulations for some articles of the executive regulations of the law, especially after some companies had submitted a proposal for the executive regulations that express the priorities and concerns regarding the impact of Data Protection Law on their work9.

Recommendations

The problems discussed in this paper, from the delay in the process of issuing the executive regulations of the Personal Data Protection Law, to the circumstances related to the approval process, have depended on two main points:

First: The necessity of having a specific and announced time frame, to finish the process of approving the executive regulations of the Personal Data Protection Law, and the necessity of implementing the rules and standards of transparency about the stages of approving the regulation, and the various obstacles that may accompany that, and publicly announcing any changes in the schedule.

Second: The necessity of conforming the societal dialogue with serious rules and the involvement of all the different groups in the process of drafting the regulations, in order to correct the errors that occurred during the process of developing the Personal Data Protection Law, where some parties were selectively and exclusively invited to discuss the regulations. Moreover, this participation lacked the prior announcement of its holding, as well as announcing the outcomes of the meetings and the different opinions that were put forward during them.

footnotes

1 Article 4 of the Personal Data Protection Law No. 151 of 2020, published in the Official Gazette No. 28 bis H on July 15th, 2020: “The Minister of Telecommunications and Information Technology shall issue the executive regulations of the annexed law (the “Executive Regulations”) within six 6 months from the effective date of this law.”
2 Article 7 of the Personal Data Protection Law No. 151 of 2020, published in the Official Gazette No. 28 bis H on July 15th, 2020: “Each of the Controller and the Processor, as the case may be, shall notify the Center with any Personal Data Infringement, within 72 hours of such infringement. In the event that such infringement relates to national security protection concerns, the notification shall be immediate. In all events, the Center shall immediatelynotify the National Security Authorities with the infringement and provide them, within 72 hours from being aware of the Infringement, with the following: 1. description of the nature of the infringement, the form and the reasons thereof as well as the approximate number of Personal Data and their records; 2. the information of the Data Protection Officer; 3. the potential consequences of the infringement; 4. description of the procedures which have been followed and the proposed procedures to be adopted in order to minimize the negative impacts of the infringement; 5. evidence of documenting any Personal Data Infringement and the corrective actions which have been taken to solve the same; and 6. any documents, information or data requested by the Center. In all events, Controller and Processor, as the case may be, shall notify the Data Subject within 3 days from the date of notifying the Center, with the infringement and the adopted procedures related thereto. The Executive Regulations of this Law shall determine the procedures relating to the obligation to notify and inform.”
3 “Personal Data Protection Law… Enhancing the right to privacy or delusion of improving the legislative environment? Masaar – Technology and Law Community. Legal Comment Released December 5th, 2020
4 Ibid.
5 News: “Amr Talaat: A regulation for the protection of personal data in Egypt is being issued” published on the electronic portal of Al-Ahram newspaper on April 4th, 2021, the date of the visit is June 15th, 2021.
6 News: “Parliament’s Communications: Issuance of the “Personal Data Protection” regulation within 30 days” published on the electronic portal of Elwatannews newspaper on March 3rd, 2021, the date of the last visit on June 15th, 2021.
7 News: “Minister of Communications: The executive regulations for “data protection” will take time for societal dialogue with companies” published on the electronic portal of Al-Shorouk newspaper on May 22nd, 2021, the date of the last visit on June 18th, 2021.
8 News: “A request for briefing due to the delay in the issuance of the executive regulations of the Personal Data Protection Law” published on the electronic portal of Akhbar Al-Youm newspaper on June 14th, 2021, the date of the last visit on June 1th8, 20921.
9 Proposals submitted by more than 15 companies, including Google, Microsoft, Amazon, Vodafone, Facebook, Twitter, MasterCard, IBM, Uber, Careem, to request smart transportation services, OLX and SAP. The proposals were prepared in cooperation with Moharram & Partners | Public Affairs & Strategic Communications and ADSERO-Ragy Soliman & Partners. Excerpts of this proposal were published in the electronic portal of Al Mal newspaper on March 1st, 2021, the last visit date is May 12th, 2021.