Unwritten Rules: Impacts of the Delayed Executive Regulations of Data Protection Law on Sensitive Data

 

  • Introduction
  • The concept of sensitive personal data and its different classifications
  • Obligations of service providers to protect sensitive data
  • Consequences of unauthorized disclosure, collection or storage of sensitive data
  • The impact of the expansion of the entities exempted from the data protection law on sensitive data
  • The impact of the delay in issuing the executive regulations of the data protection law on sensitive data

Introduction

With the increasing importance of personal data and its potential impacts on Internet users considering the continuous technological developments, the legislative efforts that seek to protect that data have also proliferated. The degrees of protection vary according to the nature of the personal data that Service Providers collect or process.

The most visible attempts in Egypt to impose some form of protection for personal data began with the European General Data Protection Regulation (GDPR). The regulation established a general protection umbrella for personal data, and a higher degree of protection for what is known as sensitive personal data, with strict conditions and controls to deal with the process of collecting, storing, or processing it. The regulation defines sensitive data as data that reveals a person’s racial or ethnic origin, political opinions, or religious or philosophical beliefs, as well as genetic data and biometric data that are processed only to identify a person, in addition to data related to health, a person’s sexuality, or sexual orientation.

The Egyptian Personal Data Protection Law has been greatly influenced by the European GDPR, despite the difference in philosophy regarding the scope and degree of protection and the size of the exceptions to the law. This paper discusses the different classifications of sensitive data, the obligations of service providers to protect it, and the consequences of disclosing it, in addition to the impact of the delay in issuing the executive regulations of the Personal Data Protection Law on sensitive data.

The concept of sensitive personal data and its different classifications

The Personal Data Protection Law is the first Egyptian law enacted to protect personal data in general. It is also the first regulatory law that establishes controls and conditions for the collection, storage, and processing of electronically processed personal data. The Personal Data Protection Law deals with the definition and classification of sensitive data types.

The law defines sensitive data as “data that discloses psychological, mental, physical, or genetic health, biometric data, financial data, religious beliefs, political opinions, or security status, and in all cases, children’s data is considered sensitive personal data.”

The previous definition contained different classifications of sensitive data, and the law provided multiple scopes to protect it. However, despite this, there are some problems related to the formulation of this definition, namely:

First: Weak formulations used in defining sensitive data

The words and phrases used in writing laws always reflect the goals for which the law was drawn up. Phrases of the law act as indicative signals to its addresses, illustrating the difference between regulatory spaces, procedural controls, and exceptions, for example. However, the formulation of the definition of sensitive data, which is understood from the totality of the texts that regulate it as supposed to be a very careful legal space, did not express the purpose of writing the law.

The definition used the phrase “data that discloses” and then followed it with patterns and models for sensitive data, but the purpose of protecting this data was absent from the wording of the definition. It might have been better to use more indicative terms, such as “data defining” or “which defines”, preceding that with the word “possibility,” so that the phrase becomes “data that possibly define”, and the definition ends with the phrase “for a person or categories that are distinguished from others.” The intent here is to clearly indicate that a person should not be directly linked to data associated with her/him which by its nature can distinguish her/him from others, or that may cause great harm to the person as a result of being accessed or processed.

Second: The definition fails to identify the basic elements that require the imposition of special data protection

Definitions that exclude certain groups from the scope of application of a legal rule or provide them with greater care depend on two criteria. Either to specify the categories that may enjoy superior protection exclusively, or to identify the elements that, when available, require care of a different kind, and in both cases, there must be significant examples or detailed definitions of the elements included in the definition.

The definition of sensitive data in the Data Protection Act attempts to combine these two criteria. The law referred to data specific to certain categories, such as data relating to children, and to other classifications of data types mentioned exclusively, such as mental health data and biometric data. However, the law did not provide clear examples or specific elements regarding the nature of sensitive data, such as defining what is meant by health data, for example.

It is worth noting that the law did not include sub-definitions of the types of sensitive data it mentioned, nor did it allocate to the executive regulations the power to set definitions for this data. This differs from the definition contained in the European GDPR, the rationale for which was issued in the definitions section and referred to the detailed definitions. For example, the Regulation defined “biometric data” as personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images. The regulation also defined “health-related data” as personal data relating to the physical or mental health of a natural person, including the provision of health care services, which discloses information about his health condition.

Third: the absence of a link between the definitions and the ambiguity of some terms used to define sensitive data

Statement and elaboration of the general rule is essential for clarity of exceptions. This does not mean that the exceptions come only in the form of an exemption from the application of the law, but rather that extends to cases in which the law imposes more careful controls than the controls contained in the original rule. This necessarily entails that there is a link between general definitions and sub-definitions.

The Personal Data Protection Law set a general definition for personal data, which is “any data related to a specific natural person, or who can be identified directly or indirectly by linking this data to any other data such as name, voice, image, identification number, or identifier.” online identity, or any other psychological, health, economic, cultural, or social identification data.

It is worth noting that the previous definition dealt with some forms of sensitive data such as psychological and health identity. However, the definition of sensitive data is not directly linked to the general definition of personal data. Linking the two definitions is necessary for integration between them and to confirm that the main element in the definition is the ability to link some types of data with individual persons, and then comes the types or images of data that require a great deal of care.

In addition to the above, there are some issues with the texts used to define sensitive data. The definition mentioned the types of sensitive data, for example, which necessitates the development of sub-definitions for each type of data with examples. The lack of detailed definitions of the terms and phrases used in defining sensitive data has caused the existence of terms and phrases that are alien to the Egyptian legislative environment. For example, among the classifications of sensitive data is what is known as “security data”, which is a term that cannot be understood or understood for its purpose, or the scope of protection related to it, or the reason for collecting, storing and processing data of a high security nature. This gives the impression that the phrase is interpolated into the text of the article without an understandable legislative purpose or justification.

Clarity and unambiguity of terminology are important for two reasons. The first relates to the right of the data subject to be aware of the type and volume of sensitive data associated with him and then his right to rectify or erase it. The second reason is that the collection, storage or processing of this data places great legal burdens and responsibilities on the service provider. If this data is unclear or defined in a way that cannot be interpreted, service providers may be subject to significant legal consequences.

Obligations of service providers to protect sensitive data

The Personal Data Protection Act establishes a general prohibition on the collection, transmission, storage, preservation, processing or making available of sensitive data. After mentioning that general rule that stipulates prohibition, the provisions of the law move to a regulation of general controls and conditions related to cases in which sensitive data can be collected or processed, namely:

  • Express written consent from the person concerned with the collection, processing or storage of data.
  • If the process of collecting, saving, storing or processing sensitive data relates to children’s data, the consent of the guardian is required, and the data required for the child’s participation in a game, competition or any other activity is not more than what is necessary to participate in it.
  • Following and fulfilling the security policies and procedures necessary to prevent sensitive personal data from being breached or violated. These policies are the responsibility of the Personal Data Protection Center to publish once it is formed.
  • Obtaining licenses and authorizations to control and process sensitive personal data. The executive regulations of the Personal Data Protection Law – which have not yet been issued – specify the types of these licenses, permits, and approvals, their categories and levels, and the procedures and conditions for their issuance and renewal and the forms used, in return for fees not exceeding two million pounds for the license, and an amount not exceeding five hundred thousand pounds for the permit or Accreditation.

Consequences of disclosing, collecting, or storing sensitive data without permission

Service providers who collect, store, or process sensitive data share with other service providers the same controls related to the collection, storage and processing of data and the penalties for failing to fulfill these responsibilities. However, in addition to these responsibilities are added various penalties that the service provider may face if it makes available, circulates, processes, discloses, stores, transfers or saves sensitive personal data without the consent of the data subject. The service provider may also face a penalty if the process of collecting, storing or processing sensitive data was carried out without complying with licenses or permits or by not following the policies issued by the Data Protection Center for dealing with sensitive data.

In the event of a breach of these responsibilities, the service provider may face imprisonment for a period of no less than three months and up to three years, and a fine of no less than five hundred thousand pounds and no more than five million pounds, or one of these two penalties.

The impact of the expansion of entities exempted from the data protection law on sensitive data

The Personal Data Protection Law included several exceptions that exclude some activities or entities from the scope of its application. The law relied on two different criteria to not be subject to data protection controls. The first criterion is the nature of the data, such as statistical data collected by the Central Authority for Public Mobilization and Statistics (CAPMAS), or data that is processed for personal use.

As for the second criterion, it excludes some administrative bodies from being fully subject to the provisions of the law. The law gives these entities unlimited powers to acquire and process data with a complete absence of judicial oversight over these procedures, which is absolutely inconceivable without the presence of legislative determinants related to the nature of data controlled by entities such as national security agencies.

There is no doubt that it might be difficult to extract some of the data that is processed from these entities so that they are subject to the provisions of the law, but this must be within a specific scope. Although there are some justifications that the national security authorities can provide for excluding some aspects of their work from being subject to the law, this does not mean that they are not completely subject to it without specifying the aspects of the exceptions, and stating the reasons that justify this exception.

The law did not only exclude national security agencies, but this exception extended to other bodies such as the Central Bank and the bodies under its supervision. This greatly devoid the law of its content. The complete exclusion of the Egyptian banking sector from being subject to the provisions of the law not only contradicts the basic rights stipulated in Article 57 of the Egyptian Constitution, which protects the right of individuals to privacy, but rather this exclusion contradicts the goals adopted by the legislator about the law’s objective to attract investment.

On the other hand, there is a big gap related to the philosophy adopted by the legislator in drafting the law. The definition of sensitive data refers to the private nature of some data, which necessitates taking more stringent procedures and controls to protect it, such as financial data, for example. Financial data is closely related to the banking sector, which is completely exempt from applying the Personal Data Protection Law. This contradiction indicates the need for a legislative review of the exceptions contained in the Personal Data Protection Law to establish a specific objective standard that justifies removing certain activities or entities from the scope of application of the law.

The impact of the delay in issuing the executive regulations of the data protection law on sensitive data

The issuance articles of the Personal Data Protection Law stipulate that the executive regulations must be issued within six months from the date the law comes into force. The law shall enter into force three months after the day following the date of its publication. This means that the executive regulations of the Personal Data Protection Law were supposed to be issued in the second quarter of 2021, which has not happened as of the date of writing. This delay affected the validity of the Personal Data Protection Law and its entry into force.

When drafting the law, the legislator relied on the philosophy of partitioning legal obligations related to data protection. The legislator referred some of these obligations to the executive regulations with the justification that the rules that were referred are nothing but procedural rules that the regulations are concerned with regulating. These rules are more than eighteen rules, which can be considered one of the most problematic issues affecting the law. The exclusiveness of the executive authority – represented by the Ministry of Communications – in organizing some rules makes it the sole controller in the way the law is applied and the interpretation of many of its rules. This causes the rules of the law to loss their self-regulatory feature and their ability to be applied without linking to or commenting on decisions and regulatory rules issued by the executive authority.

These rules are summarized in the following main axes:

  • Classifying licenses, permits and credits, defining their types, and setting conditions for granting each type.
  • Rules, conditions, procedures and technical standards related to licenses and permits to approve the activity of collecting personal data.
  • Standard policies, procedures and standards for collecting, processing, preserving and securing data inside and outside Egypt.
  • Conditions for registering personal data protection officials in the dedicated registry at the Data Protection Center.
  • Obligations and duties of the personal data protection officers appointed by the entities responsible for collecting and processing personal data.
  • Authenticity of the digital evidence derived from personal data, and the standards and technical conditions that must be available in the evidence.
  • Policies, standards and controls related to the cross-border transfer, sharing, processing or availability of personal data.
  • The necessary procedures, precautions, standards and rules for making personal data available to a controller or another processor outside the Arab Republic of Egypt.
  • Procedures and conditions for the issuance and renewal of used licensing and permit models.
  • Determining the fees for granting licenses, permits, and approvals to entities that collect and process data.

The delay in issuing the executive regulations has a direct impact on the protection of sensitive personal data. This delay causes the Personal Data Protection Center to not yet be formed. The Personal Data Protection Center is the entity concerned with issuing the necessary licenses and permits to carry out the activities of collecting, storing or processing sensitive data, as well as monitoring and supervising service providers, as it is the competent entity for receiving complaints and issuing technical reports. The delay in issuing the regulation means the absence of technical controls that the service provider must adhere to during the process of collecting, storing or processing sensitive data, as well as the absence of controls for granting a license to collect or process sensitive data