Egypt's Data Protection Law Finally Has Teeth: Executive Regulations Reset the Compliance Agenda for Technology and Telecom

For five years Egypt's Personal Data Protection Law No. 151 of 2020 existed largely on paper. The statute set out principles but lacked the detailed implementing rules needed to apply them, leaving controllers without a clear compliance roadmap and the supervisory authority without an operational footing. That changed in late 2025. By Decree No. 816 of 2025 of the Minister of Communications and Information Technology, issued on 1 November 2025 and circulated more widely in December, Egypt finally promulgated the executive regulations to the law. For technology and telecom companies, which process personal data at scale and as a core part of their business, this is the most significant legal development of the year and the one most likely to require board-level attention.

The regulations matter because they convert abstract obligations into operational requirements. They function as the working manual for the law, detailing how its provisions apply in practice across consent, licensing, record-keeping, breach notification, cross-border data transfers, special categories of data, children's data and direct electronic marketing. Equally important, they activate the Personal Data Protection Centre as the central supervisory and enforcement authority. The Centre is responsible for monitoring compliance, issuing the licences and permits the law requires, investigating violations and enforcing penalties. After years in which the absence of a functioning regulator made the law difficult to apply, there is now an institution charged with implementation.

A one-year grace period accompanies the regulations, with full enforcement expected from around 1 November 2026. This window is the single most important planning fact for technology and telecom businesses. It is generous enough to permit an orderly compliance programme but short enough that delay is risky given the scale of data processing typical in the sector. Organisations should treat the period as a structured runway rather than a reprieve, since building consent infrastructure, transfer mechanisms and breach-response capability across large data estates takes time. The PDPC has also indicated that its electronic portal for licence and permit applications is expected to open in mid-2026, which compresses the practical timetable further.

Several obligations stand out for data-intensive operators. Consent must be tied to declared purposes, and processing that drifts beyond the original purpose requires fresh consent, a discipline that affects telecom operators and platforms that reuse subscriber data for analytics, marketing or product development. Cross-border data transfers require a separate licence from the Centre, supported by data-subject consent, documentation of the destination, purpose, categories of data involved and safeguards applied, and an assessment of the protection available in the destination country. This is a material constraint for cloud-dependent technology companies and multinational telecom groups that routinely move Egyptian personal data to servers and affiliates abroad; informal or undocumented transfers will no longer be defensible. Breach notification is now governed by hard timelines: the Centre must be notified within seventy-two hours of becoming aware of a breach, and affected individuals must be informed within three working days. The regulations also require licences or permits for activities including direct electronic marketing, an area that touches telecom service delivery directly, and they impose parental consent for the personal data of children under fifteen, while those aged fifteen to eighteen may consent for themselves. Depending on the scale and sensitivity of processing, organisations must appoint and register a data protection officer.

These rules do not operate in isolation. They sit alongside Egypt's established sector framework, principally the supervisory role of the National Telecommunications Regulatory Authority, which already obliges licensed operators to preserve the confidentiality of customer information and private communications. The data protection regime layers a horizontal compliance obligation on top of these sector-specific duties. The practical effect is that a telecom operator or technology platform must now satisfy both its existing licence conditions and the broader requirements administered by the Personal Data Protection Centre, and the two regimes must be read together rather than in isolation.

The wider technology legal environment continued to mature in parallel. Egypt's Financial Regulatory Authority advanced the implementation of FinTech Law No. 5 of 2022, having licensed sixteen firms to operate technology-driven non-banking financial services, underscoring that licensing, not just data compliance, is now a live gate for many technology businesses.

The regional comparison is instructive. The UAE has its own federal data protection regime and is widely regarded as further along in operational maturity, but Egypt's November 2025 regulations significantly narrow the gap and give the Egyptian regime concrete enforceability for the first time. For technology and telecom groups operating across both jurisdictions, the practical consequence is that Egypt can no longer be treated as a market where data rules exist only in principle.

The immediate priorities for affected businesses are clear. They should map their personal data flows, identify and license cross-border transfers, implement a seventy-two-hour breach-response process, review consent mechanisms against the declared-purpose standard, and appoint and register a data protection officer, all well before the enforcement date arrives in late 2026.