Title: Egypt activates data protection law with implementing regulations after five-year delay
Egypt has issued long-awaited executive regulations bringing its 2020 personal data protection law into force. The new framework sets out concrete obligations for organisations, including registration, cross-border transfer controls, and breach notification requirements.
Five years after adopting Law No. 151 of 2020, Egypt has published Executive Decree No. 816 of 2025, establishing the operational rules for personal data protection. The regulations, issued by the Ministry of Communications and Information Technology, entered into force upon publication in the Official Gazette on 10 November 2025.
The decree introduces a comprehensive compliance framework for data controllers and processors operating in Egypt or processing data relating to individuals in the country. Key elements of the regulations include:
- Mandatory registration and licensing: Data controllers and processors must register with the competent authority, with tiered fees based on database size and organisational scale.
- Cross-border data transfers: International transfers generally require prior authorisation, unless adequacy, explicit consent, contractual necessity, or limited public interest exceptions apply.
- Sensitive data protections: Processing of biometric, health, genetic, political, and similar data requires explicit consent or narrowly defined legal grounds, with additional permit requirements.
- Data protection officials: Certain organisations must appoint and register qualified data protection officials responsible for compliance.
- Breach notification: Personal data breaches must be reported to authorities within 72 hours, with notification to affected individuals where risks are high.
- Individual rights: Data subjects are granted rights of access, rectification, erasure, and protection of children’s data, including parental consent requirements for those under 15.
- Enforcement and penalties: Authorities are empowered to investigate, impose corrective measures, and apply administrative penalties for non-compliance.
With the regulations now in force, organisations that previously relied on general principles must move quickly to align operations with detailed statutory requirements, marking a significant shift in Egypt’s data protection landscape.
