The Obligations of the Data Protection Officer under the Personal Data Protection Law

Introduction

The Personal Data Protection Law, issued in mid-2020, sets out a general vision for establishing regulatory frameworks to ensure the protection of electronically processed personal data. To this end, the law created an independent body to enforce the law and ensure its implementation, called the Personal Data Protection Center (PDPC). The law also bound service providers to a number of obligations and entrusted their implementation to a person or department at each service provider, named the Personal Data Protection Officer.

The Data Protection Officer plays a pivotal role in the preservation and processing of personal data, being the person responsible for dealing with all parties. The Data Protection Officer represents the service provider before the PDPC as well as before the service recipient, and is also responsible for setting and enforcing the internal rules governing the procedures for storing, processing, and editing personal data.

This paper deals with the definition of the position of the Data Protection Officer and the obligations imposed on them by the Personal Data Protection Law. The paper also presents the conditions for appointing a Data Protection Officer and the impact of lack of commitment to these conditions, in addition to the impact of the Data Protection Officer breaching their legal obligations.

Moreover, the paper addresses the impact of not criminalizing the breach of the Data Protection Officer’s obligations towards sensitive personal data, and the consequences, for the Data Protection Officer’s obligations, of the delay in issuing the executive regulations of the law and in establishing the PDPC. Lastly, the paper explores the extent to which reconciliation is permissible in the Data Protection Officer’s crimes.

Definition of the Personal Data Protection Officer

The Personal Data Protection Law has introduced a set of new definitions and job titles into the Egyptian legislative environment. Among these are the definitions of personal data, sensitive personal data, and the Personal Data Protection Center, as well as the characteristics and job titles of some of the parties who handle personal data, such as the holder, the controller, the processor, and the Personal Data Protection Officer.

The Personal Data Protection Law devotes its first chapter to defining some of the words and phrases it contains, but these definitions do not include any definition of the Data Protection Officer. However, a definition can be derived from the fourth chapter of the law, titled the “Personal Data Protection Officer.” A Personal Data Protection Officer can be defined as a job title that applies to one of the employees working for a legal entity, whether a controller or a processor of personal data, whose name is registered for this purpose with the PDPC. In the event that the controller or the processor is a natural person, the title of Data Protection Officer applies to them in addition to the title of controller, processor of personal data, or both.

Appointing a Personal Data Protection Officer

The Personal Data Protection Law has established some general rules for appointing a Personal Data Protection Officer, including:

  1. Creating a register in the PDPC in which all the Personal Data Protection Officers working for every legal entity controller or processor of personal data are registered.
  2. Obliging the legal representative of every legal entity controller or processor of personal data to appoint a competent employee responsible for data protection.
  3. Obliging the legal representative of every legal entity controller or processor of personal data to register their personal data protection officer in the register prepared for this purpose at the PDPC.
  4. Obliging the legal representative of every legal entity controller or processor of personal data to announce the designated employee responsible for protecting their personal data.
  5. Exempting the natural person who controls or processes personal data from appointing a Data Protection Officer affiliated with them, while obliging them to perform the same duties and obligations as the Data Protection Officer.

As for the rules related to the conditions for registration in the Data Protection Officers Register at the PDPC and its procedures, the law has referred its organization to its executive regulations that were supposed to be issued in the second quarter of 2021 at the latest, which has not happened so far.

The Effect of the Failure to Appoint a Personal Data Protection Officer

After the Personal Data Protection Law obligated the legal representative of every legal entity controller or processor of personal data (service provider) to appoint a specialized employee responsible for data protection and imposed on them a set of previously clarified obligations, the law has stipulated a set of penalties for violating these obligations. These penalties are divided into administrative penalties imposed by the PDPC on violators of these obligations and other criminal penalties imposed by criminal courts.

First: The administrative penalties resulting from the failure to appoint a Data Protection Officer

  1. Penalties imposed by the CEO of the Personal Data Protection Center

The law granted the CEO of the PDPC the authority to warn the service provider who violates the provisions of this law to stop the violation and remove its causes and effects within a specified timeframe mentioned in the warning.

  2. Penalties imposed by the Board of Directors of the Personal Data Protection Center

The law authorized the Board of Directors of the PDPC to issue a reasoned decision imposing penalties on the service provider in the event of non-compliance with the warning issued by the CEO of the PDPC and the expiration of its period. The penalties are:

  • Warning of partial or complete suspension of the license, permit, or accreditation for a specified period.
  • Partial or complete suspension of the license, permit, or accreditation.
  • Withdrawal or partial or complete cancellation of the license, permit, or accreditation.
  • Publishing a statement of the proven violations in one or more widely circulated media outlets at the expense of the violator.
  • Subjecting the controller or processor to the technical supervision of the PDPC to secure personal data at their own expense.

Second: The criminal penalties resulting from the failure to appoint a Data Protection Officer

The Data Protection Law penalizes the service provider in case of failure to appoint a Data Protection Officer and in case of non-compliance with any of the rules and regulations stipulated in the law for their appointment. The law has decreed a financial fine for the perpetrator of that crime, which shall not be less than two hundred thousand Egyptian pounds and shall not exceed two million Egyptian pounds, without prejudice to any harsher penalty stipulated in another law.

The law also punishes the person responsible for the actual management of the service provider with the same penalty if their knowledge of the offense is proven and their failure to fulfill the duties imposed on them as managers contributed to the commission of this crime. The service provider shall be jointly liable for any compensation awarded if the crime was committed by one of their employees in the name and for the benefit of the service provider. In addition to the fine as a principal penalty, the court imposes a mandatory accessory penalty: publication of the conviction verdict in two widely circulated newspapers and on the Internet at the convict’s expense.

Obligations of the Personal Data Protection Officer

The Personal Data Protection Officer serves as a link between the service provider, the PDPC, and the data subject. The law has defined in Articles (9) and (13) a set of obligations to be carried out by the Data Protection Officer. It referred to its executive regulations – which have not yet been issued – to organize another set of obligations and tasks.

The law did not stipulate any controls for the obligations referred to the executive regulations, leaving them all to the authority of the Minister of Communications and Information Technology, as they are responsible for issuing the executive regulations according to the fourth article of the law.

The obligations of the Data Protection Officer stipulated in the law can be summarized in the following points:

  1. The responsibility for implementing the provisions of the law and its executive regulations, and the PDPC decisions.
  2. The responsibility for monitoring and supervising the applicable procedures within the service provider entity they work for.
  3. Act as a direct point of contact with the PDPC and implement its decisions regarding the application of the provisions of the Personal Data Protection Law.
  4. Receive and respond to requests related to personal data submitted by data subjects or authorized individuals.
  5. Respond to the PDPC in the grievances submitted by data subjects or authorized individuals.
  6. Enable the data subject to exercise their rights as stipulated in the Personal Data Protection Law.
  7. Conduct periodic evaluations and examinations of personal data protection systems, preventing their breaches, documenting evaluation results, and issuing the necessary recommendations.
  8. Commit to following and fulfilling the security policies and procedures necessary to prevent sensitive personal data from being breached or violated.
  9. Notify the PDPC in case of any breach or violation of personal data.
  10. Follow up and update the personal data record at the data controller or the record of processing operations at the data processor, to ensure the accuracy of the recorded data and information.
  11. Remove any violations related to personal data within the service provider’s entity where they work and take corrective measures regarding them.
  12. Organize the necessary training programs for the employees of the service provider entity they work for and qualify them in accordance with the requirements of the Personal Data Protection Law.

The Impact of the Personal Data Protection Officer Breaching their Legal Obligations

The Personal Data Protection Law provides for a set of penalties to be imposed in the event that the Data Protection Officer violates any of their legal obligations. These penalties are divided into administrative penalties and criminal penalties. Administrative penalties are imposed by the PDPC, and they are the same penalties that are imposed in the event of the failure to appoint a Data Protection Officer, or in the event of any other violation of the provisions of this law. As for criminal penalties, they are imposed by criminal courts and can be summarized as follows:

The law penalizes the Data Protection Officer for failure to comply with the requirements of their job and the obligations stipulated in the law with a financial fine of not less than two hundred thousand Egyptian pounds and not exceeding two million Egyptian pounds if the crime was intentional, and with a fine of not less than fifty thousand Egyptian pounds and not exceeding five hundred thousand Egyptian pounds if the crime resulted from the negligence of the Data Protection Officer, without prejudice to any harsher penalty stipulated in another law.

Moreover, the law also punishes the person responsible for the actual management of the service provider with the same penalty if it is proven that they were aware of the crime and that their breach of the duties imposed on them as managers contributed to its occurrence. Furthermore, the service provider shall be jointly liable for any compensation awarded if the crime was committed by one of their employees on behalf of and for the benefit of the service provider. In addition to the fine as a principal penalty, the court imposes a mandatory accessory penalty: publication of the conviction verdict in two widely circulated newspapers and on the Internet at the convict’s expense.

The Effect of Not Criminalizing the Data Protection Officer’s Breach of their Obligations Toward Sensitive Data

The legislator in the Personal Data Protection Law limited itself to criminalizing the Data Protection Officer’s breach of the obligations stipulated in Article (9) only, without stipulating any criminal penalties for violating the obligations stipulated in Article (13), while the latter represents the most important obligations compared to others.

Article (13) of the law deals with the obligations to follow the security policies and procedures necessary to protect sensitive personal data and prevent their breach or violation. Sensitive data refers to data of a different nature compared to other personal data, as defined by the legislator in law. The legislator has provided a specific definition for sensitive data that distinguishes it from other data, defining it as “data that discloses psychological, mental, physical, or genetic health, biometric data, financial data, religious beliefs, political opinions, or security status, and in all cases, children’s data is considered sensitive data.”

The failure to criminalize breach of obligations regarding sensitive personal data is a defect in the legislator’s policy of criminalization and punishment regarding the criminal protection of sensitive data. This results in a significant loss of criminal protection for sensitive data and creates ambiguity regarding the criminal responsibility of the Data Protection Officer in cases where they deliberately fail to implement the necessary security measures to protect sensitive data from breaches or violations, or in cases of negligence in following security procedures.

Furthermore, the absence of criminalizing the Data Protection Officer’s breach of the obligations related to sensitive data contradicts the legislator’s philosophy in this law, which intended to intensify the criminal penalties prescribed when the committed offense involves sensitive personal data, compared to the penalties imposed for the same criminal acts involving non-sensitive personal data.

The legislator has considered collecting, processing, transmitting, disclosing, or making personal data available under unauthorized circumstances or without the consent of the data subject as a criminal offense. The law punishes committing any of these acts with a fine of not less than one hundred thousand Egyptian pounds and not more than one million Egyptian pounds. In the event that the personal data involved is sensitive data, the penalty stipulated for committing any of these acts shall be imprisonment for a period of no less than three months and a fine of no less than five hundred thousand Egyptian pounds and no more than five million Egyptian pounds, or one of these two penalties.

The Consequences of the Delay in Issuing the Executive Regulations of the Law on the Obligations of the Data Protection Officer

When developing the law, the legislator relied on the philosophy of fragmentation of legal obligations related to data protection. Some of these obligations were referred to the executive regulations with the justification that the rules that have been referred are only procedural rules for which the executive regulations are responsible. This is one of the most problematic issues affecting the law. The exclusiveness of the executive authority, represented by the Ministry of Communications, in organizing some rules, makes it the sole controller over the way the law is implemented and the interpretation of many of its rules. This results in the loss of the law’s self-regulatory feature and the ability to apply those rules independently, detached from regulatory decisions and rules issued by the executive authority.

The issuance articles of the Personal Data Protection Law stipulate that the executive regulations must be issued within six months from the date the law comes into force, which is three months from the day following its publication. This means that the executive regulations of the Personal Data Protection Law were supposed to be issued in the second quarter of 2021, which has not happened so far.

The law also provided for the establishment of the “Personal Data Protection Center” as a public economic body under the authority of the Minister of Communications and Information Technology. The Center has various responsibilities, including protecting personal data, regulating its processing and availability, issuing the licenses and permits required for activities of collecting, preserving, or processing personal data, accrediting entities and individuals, overseeing and supervising service providers, receiving complaints, issuing technical reports, and inspecting those subject to the provisions of this law.

In addition, the law stipulates that the PDPC shall have a board of directors that shall be the dominant authority over the affairs of the Center and carry out its responsibilities. The PDPC shall also have a chief executive who represents the Center in its interactions with third parties and before the judiciary. The CEO shall be responsible before the Board of Directors for the Center’s administrative, technical, and financial operations. The Board of Directors shall be formed and the CEO of the Center shall be appointed by the decision of the Prime Minister.

As of this writing, the existence of the PDPC is limited to the provisions of the law only. The Center has not been established, and no decision has been issued by the Prime Minister to form its board of directors or to appoint a CEO due to the delay in issuing the executive regulations of the law.

This delay has affected the validity of the Personal Data Protection Law and its entry into force. It has also affected some of the regulations related to the appointment of a Data Protection Officer. These rules include registering the Data Protection Officer in the Personal Data Protection Officers’ Register and the registration mechanisms at the Center, which the law has delegated the organization of to the executive regulations.

Consequently, a temporary implicit exemption has arisen from the obligation of each service provider to appoint a Data Protection Officer, given the impossibility of making such appointments in the absence of the executive regulations. Accordingly, service providers are also exempt from the administrative penalties for not appointing a Data Protection Officer, since the authority to impose these penalties rests with the yet-to-be-established PDPC, and from criminal liability for failure to appoint a Data Protection Officer until the issuance of these regulations and the establishment of the PDPC.

The Extent of Reconciliation Permissibility in the Crimes of a Data Protection Officer

The Personal Data Protection Law granted the accused the right to establish reconciliation with the victim, in certain crimes. The victim is the person concerned with the data, which the law defines as every natural person to whom electronically processed personal data is attributed that indicates them legally or in practice and enables their distinction from others.

Among the crimes in which reconciliation can be established are crimes related to the failure to appoint a Data Protection Officer or the non-compliance with the legal controls for their appointment. Reconciliation may also be established in crimes resulting from a Data Protection Officer’s violation of their job’s duties and obligations stipulated by the law, whether intentionally or due to negligence, subject to a set of criteria, which can be summarized as follows:

  1. Reconciliation is established before the judgment in the criminal case becomes final.
  2. Reconciliation with the victim is established in person, with their authorized representative, or with their legal successor.
  3. Reconciliation is established with the approval of the PDPC before the Public Prosecution or the competent court, as the circumstances dictate.

The Impact of Reconciliation on the Crimes Related to the Data Protection Officer

The legislator did not explain in the Personal Data Protection Law the impact of reconciliation, in contrast to what was explicitly disclosed regarding the impact of conciliation. However, by returning to the general rules of the Code of Criminal Procedure, the criminal case terminates, as a general rule, with the issuance of a final and conclusive judgment. The term “termination” here signifies the conclusion of the criminal case.

A criminal case may be terminated for reasons other than the final judgment, including reconciliation with the victim. The procedural nature and impact of the reconciliation process varies according to the stage in which it occurs of the various stages of litigation, as follows:

  •  Investigation stage: In the event of reconciliation before the competent investigation authority in the preliminary investigation stage, the investigating authority must preserve the records regarding the crime for which reconciliation has been reached. The criminal case shall not be pursued, and no order shall be issued to initiate the criminal case if any investigative measures have been taken.
  •  Trial stage: Reconciliation in the trial stage entails that the court decides, on its own initiative, even if none of the litigants has raised it, to terminate the criminal case, since the grounds for termination are a matter of public order.

Conclusion

The paper discussed the definition of the job title of the Data Protection Officer and the associated responsibilities. However, it should be noted that a large part of these obligations remains subject to the completion of the legislative framework related to the process of protecting personal data. Since the issuance of the Personal Data Protection Law in mid-2020, this law has not been fully enforceable due to the absence of its executive regulations, to which the law has referred a large number of procedural rules, the most important of which is the establishment of the Personal Data Protection Center.