In November 2025, Egypt issued the Executive Regulations to the Personal Data Protection Law No. 151 of 2020 (the Executive Regulations), bringing the country’s data protection regime fully into operation. The Executive Regulations were issued by Prime Ministerial Decree No. 816 on 1 November 2025 and provide the detailed implementing framework required to operationalise the law. They effectively provide the ‘manual’ for the law, clarifying how its provisions should be implemented in practice. Organisations have been granted a one-year transitional grace period under the Executive Regulations to align their operations with the new requirements, meaning that full enforcement is expected by October 2026.
Scope and territorial reach
The law has extraterritorial reach, meaning that foreign entities that process personal data relating to individuals located in Egypt may also fall within its scope. Article 2 of the Personal Data Protection Law confirms that the law applies to any natural or legal person who processes personal data relating to individuals located in Egypt, whether the processing activity takes place inside or outside the country. This means that multinational organisations, digital platforms and service providers outside the country could still be required to comply with the rules when handling the personal data of Egyptian residents.
Lawful processing of personal data
The six lawful bases
The Data Subject Consent Guidelines released by the Personal Data Protection Center (PDPC), the regulator, confirm that Article 6 provides for six lawful bases for processing: consent, fulfilment of a contractual obligation, fulfilment of a legal obligation, legitimate interest, claim or defence of a legal right, and execution of court judgments or orders from competent investigative authorities.
Where organisations do rely on consent, the Guidelines state that it must be personal, explicit, informed, specific and freely given. The guidance also makes clear that consent requests must be presented in Arabic as the primary language, must be separate from privacy notices and general terms and conditions, and must require a clear affirmative action rather than implied or presumed consent. The law does recognise that requiring consent in every situation would be impractical. Therefore, certain exceptions exist including where there is a clear imbalance between the parties (for example, under an employment contract), or where the processing is necessary for the performance of a contract to which the data subject is a party, for instance when an organisation is processing customer information to deliver purchased goods. Other recognised circumstances include compliance with legal obligations imposed by Egyptian law, the exercise or defence of legal claims, or processing carried out by public authorities within the scope of their statutory powers.
For sensitive personal data, the rules are stricter still. The Guidelines state that consent must be in writing, whether in paper or electronic form. They also set out additional requirements for children’s personal data, including legal guardian consent thresholds linked to age.
Data subject rights
The law also grants individuals a number of rights in relation to their personal data. These include the right to access personal data held about them, request correction or updating of inaccurate data, object to certain forms of processing, and withdraw previously granted consent. Organisations operating in Egypt therefore need mechanisms to receive and respond to such requests within the framework established by the law and its Executive Regulations.
Regulatory oversight
The role of the data protection regulator
The law establishes the PDPC as the main supervisory authority responsible for oversight and enforcement. The PDPC operates under the supervision of the Egyptian Ministry of Communications and Information Technology and acts as the central authority responsible for implementing and enforcing the law. It is tasked with supervising compliance with the law, issuing licences and permits for certain data processing activities, investigating violations, and enforcing the provisions of the law.
Licensing requirements
One distinctive feature of Egypt’s data protection regime is its mandatory licensing system. Organisations may be required to obtain licences or permits from the PDPC for certain processing activities. Unlike many other data protection regimes, the Egyptian framework relies on regulatory permits and licences for specific data processing activities. Licences may be required for activities such as operating as a data controller or processor, processing sensitive personal data, or transferring personal data outside of Egypt.
The Executive Regulations provide additional clarity regarding the licensing framework and introduce a number of permit categories, including permits relating to direct electronic marketing activities, the processing of sensitive personal data, and the transfer of personal data outside Egypt.
Data breach notification
The Executive Regulations introduce mandatory breach notification obligations. If a personal data breach occurs, data controllers and processors must:
- Notify the PDPC within 72 hours (or immediately in cases where the breach is related to national security); and
- Inform affected individuals within three working days of notifying the PDPC.
Under the law, processors must also notify the relevant data controller without undue delay once a breach becomes known so that the controller can fulfil its regulatory reporting obligations.
Unlike the approach adopted under the GDPR, the obligations are not dependent upon the risk posed to the impacted individuals and are therefore broader than in many other jurisdictions. That may make breach response under the Egyptian regime more onerous in practice, particularly for organisations used to applying GDPR-style risk thresholds before notifying.
Cross-border data transfers
The law imposes strict controls on the transfer of personal data outside Egypt. International transfers are permitted where the conditions set out in Article 14 are satisfied, including where approval is obtained from the PDPC or where another lawful transfer mechanism applies, as follows:
- Approval from the PDPC
- Explicit consent from the data subject
- Assurance that the receiving jurisdiction provides an adequate level of data protection
Article 14 of the Personal Data Protection Law provides that personal data may only be transferred outside Egypt where the receiving country ensures a level of data protection not less than that provided under Egyptian law, unless one of the statutory exceptions applies.
The Executive Regulations further clarify that cross-border transfers may also be permitted where the transfer is necessary for the performance of a contract to which the data subject is a party, the fulfilment of a legal obligation, the protection of vital interests, or the establishment or defence of legal claims.
The risks of non-compliance
Egypt’s data protection law is among the most stringent globally because of the criminal sanctions attached to certain violations. Articles 35 to 40 of the law establish criminal penalties for a number of violations, including unlawful disclosure of personal data, processing sensitive personal data without authorisation, and transferring personal data abroad without the required approvals.
Financial penalties may also be imposed, with fines ranging from approximately 200,000 to two million Egyptian pounds, depending on the nature and severity of the violation. Certain offences may attract fines of up to five million Egyptian pounds depending on the nature of the breach and whether sensitive personal data is involved.
Preparing for the 2026 enforcement deadline
With the Executive Regulations now in force, organisations have a limited window to prepare for compliance before enforcement begins in October 2026.
In particular, organisations should assess at an early stage whether their activities require PDPC licences or permits, as early scoping of licensing exposure is likely to be critical. They should review international data transfer practices, update breach response procedures, and ensure that contracts with processors and service providers reflect the obligations introduced by the law and its Executive Regulations. They should also review the lawful basis relied upon for each processing activity, rather than assuming that consent will always be required or always be appropriate.
Businesses operating in Egypt and further afield should begin reviewing their data governance frameworks, consent mechanisms, security measures and cross-border transfer practices to ensure that they align with the requirements of the law. The PDPC’s Data Subject Consent Guidelines are useful guidance as they already contain practical design requirements that may require changes to onboarding flows, privacy notices and consent collection mechanisms.
We anticipate a surge in licence applications which may lead to delays in approvals and forced shutdown of data flows; organisations need to prepare ahead of time. That risk is likely to be most acute for organisations whose business models depend on international transfers, direct electronic marketing, or processing activities that may require prior PDPC approval.
United Arab Emirates