Egypt Data Privacy Laws: Law No. 151 of 2020 Guide (2026)

Overview of Egypt's Data Protection Framework
Egypt's data protection framework centers on Law No. 151 of 2020 on the Protection of Personal Data, the country's first comprehensive legislation dedicated to personal data protection. Enacted by the House of Representatives, the law was published in the Official Gazette on 15 October 2020 and entered into force on 14 January 2021.

Despite the law's passage, full implementation was significantly delayed due to the absence of executive regulations needed to operationalize key provisions. This situation changed on 10 November 2025, when Executive Decree 816 was issued, establishing the operational framework for the legislation. The decree addresses licensing requirements, cross-border transfer procedures, and the functioning of the Personal Data Protection Center.
The law applies to all natural and legal persons, both in Egypt and abroad, who process the personal data of Egyptian residents through any means, including electronic and traditional methods. This broad territorial scope brings international organizations that handle Egyptian personal data within the law's reach.
Law No. 151 of 2020: Core Provisions
Scope and Definitions
The law applies to the processing of personal data by automated and non-automated means. Personal data is defined broadly as any data relating to an identified or identifiable natural person. The law also recognizes sensitive personal data, which includes data revealing mental, psychological, physical, or genetic health conditions, financial data, religious beliefs, political opinions, and criminal records.
The law covers data controllers (those who determine the purposes and means of processing) and data processors (those who process data on behalf of controllers), imposing specific obligations on each.
Legal Bases for Processing
The law establishes several legal bases for the lawful processing of personal data. These include the consent of the data subject, the performance of a contract to which the data subject is a party, compliance with a legal obligation, the protection of vital interests, the performance of a task carried out in the public interest, and the legitimate interests of the controller.
Consent must be explicit, informed, and documented. The data subject must be informed of the purpose of processing, the type of data being collected, the identity of the controller, and the rights available to the data subject. Consent may be withdrawn at any time, and the controller must cease processing upon withdrawal.
Sensitive Data Processing
The processing of sensitive personal data is subject to stricter requirements. It may only be processed with the explicit consent of the data subject or where specific exemptions apply, such as compliance with employment law obligations, the protection of vital interests where the data subject is incapable of giving consent, or processing for public health purposes.
Data Subject Rights
Law 151 grants data subjects a comprehensive set of rights. These include the right to be informed about the collection and processing of their data, the right to access their personal data, the right to correct inaccurate data, the right to delete or restrict processing of data, the right to withdraw consent, the right to object to processing, and the right to data portability.
Data controllers must respond to data subject requests within specified timeframes and must provide mechanisms for individuals to exercise their rights.
The Personal Data Protection Center (PDPC)
Establishment and Role
The law establishes the Personal Data Protection Center as an independent authority affiliated with the Ministry of Communications and Information Technology. The PDPC is responsible for overseeing compliance with the law, issuing licenses and permits for data processing activities, investigating complaints, conducting inspections, and taking enforcement action against violations.
The center serves as the primary regulatory body for data protection in Egypt, similar to the role played by data protection authorities in European jurisdictions.
Licensing Requirements
One of the most distinctive features of Egypt's data protection framework is the mandatory licensing regime introduced by Executive Decree 816. Most data controllers and processors are required to obtain a formal license or permit from the PDPC before conducting data processing activities.
The regulations distinguish between two types of authorization. An ongoing license is required for regular, continuous data processing activities. A shorter-term permit is available for specific, time-bound processing purposes.
This licensing requirement represents a significant compliance burden for organizations, as it requires advance regulatory approval rather than the self-assessment approach used in most other data protection frameworks. Organizations must prepare and submit license applications with detailed information about their processing activities, security measures, and data protection practices.
Implementation Delays
The PDPC was slow to become fully operational after the law's passage in 2020. For approximately five years, the absence of executive regulations and the incomplete operationalization of the PDPC meant that enforcement was effectively on hold. During this period, there were no formal administrative enforcement actions or penalties issued under the law.
The issuance of Executive Decree 816 in November 2025 marked a turning point, providing the regulatory detail needed for the PDPC to begin active enforcement. Organizations operating in Egypt should treat the decree's issuance as the effective starting point for compliance obligations.
Cross-Border Data Transfers
Prior Authorization Required
The law imposes restrictions on the transfer of personal data outside Egypt. Cross-border transfers require prior authorization from the PDPC. Organizations must demonstrate that the receiving country provides an adequate level of data protection or that appropriate safeguards are in place to protect the data being transferred.
The executive regulations establish procedures for applying for transfer authorization, including the information that must be provided to the PDPC and the criteria that will be applied in assessing transfer requests.
Conditions for Transfer
In addition to PDPC authorization, cross-border transfers must meet several conditions. The transfer must be necessary for the purposes for which the data was collected, the data subject must be informed of the transfer and its purposes, and the controller must take appropriate measures to ensure the security of the data during transfer.
Transfers of sensitive personal data are subject to additional restrictions and may require explicit consent from the data subject in addition to PDPC authorization.
Penalties and Sanctions
Administrative Fines
The PDPC has the authority to impose administrative fines for violations of the law and its implementing regulations. Fines can reach up to EGP 5 million (approximately USD 100,000 at current exchange rates), with the specific amount depending on the nature and severity of the violation.
Executive Decree 816 establishes a penalty framework with fines of up to EGP 666,666 for certain categories of violations, providing more granular detail on the administrative penalty structure.
Criminal Penalties
The law includes criminal sanctions for serious violations. These include imprisonment of more than six months for offenses such as processing sensitive personal data without a legal basis, transferring personal data outside Egypt without authorization, and failing to comply with orders issued by the PDPC.
Criminal penalties also apply to individuals who unlawfully access, disclose, or destroy personal data, with sentences increasing based on the severity of the offense and whether it was committed for profit or with intent to harm.
Civil Liability
Data subjects who suffer harm as a result of violations of the law may pursue civil claims for compensation. The law provides for both material and moral damages, allowing individuals to recover compensation for financial losses as well as non-financial harm such as distress or reputational damage.
Data Security Requirements
Technical and Organizational Measures
The law requires data controllers and processors to implement appropriate technical and organizational measures to protect personal data against unauthorized access, destruction, loss, alteration, or disclosure. These measures must be proportionate to the nature of the data being processed and the risks associated with the processing.
Data Protection Officer
Organizations that process sensitive personal data or process data on a large scale are required to designate a data protection officer. The DPO is responsible for monitoring compliance with the law, advising the organization on data protection matters, and serving as a point of contact with the PDPC.
Data Breach Notification
The law requires data controllers to notify the PDPC of any personal data breach that is likely to result in harm to data subjects. The notification must be made within a timeframe specified by the executive regulations and must include details about the nature of the breach, the data affected, and the measures taken to address it.
Where a breach poses a high risk to data subjects, the controller must also notify the affected individuals.
Practical Compliance Considerations
Organizations operating in Egypt or processing the personal data of Egyptian residents should take immediate steps to comply with Law 151 and its executive regulations now that the operational framework is in place.
The mandatory licensing requirement means that organizations cannot simply self-certify compliance. They must actively engage with the PDPC to obtain the necessary licenses and permits before conducting processing activities. This may require significant lead time, and organizations should initiate the process promptly.
The cross-border transfer authorization requirement creates particular challenges for multinational organizations that routinely transfer data across borders. Organizations should map their international data flows, assess which transfers involve Egyptian personal data, and prepare applications for PDPC authorization.
Given the recent operationalization of the enforcement framework, organizations should expect the PDPC to ramp up its supervisory and enforcement activities in the coming months. Organizations that have not yet taken steps to comply with the law should prioritize compliance efforts to avoid being caught unprepared when enforcement begins in earnest.
This article is for informational purposes only and does not constitute legal advice. Data protection laws are subject to change, and organizations should consult with a qualified attorney for advice specific to their situation.