How the European Union’s new data protection regulation affects your business here in Egypt
A new regulation that goes into effect in the European Union tomorrow could have an impact on every Egyptian business with a website. We asked our friends at Sharkawy & Sarhan Law Firm for a primer on what it means to all of us and how to be prepared for it:
Here’s how the European General Data Protection Regulation (GDPR) affects companies in Egypt, starting from tomorrow when it goes into effect. It set out the rules for collecting personal information from individuals. The GDPR applies to all companies outside the EU, as long as they collect personal data in the context of offering goods or services to people located in the EU, or if the collected data is about the behavior of individuals located in the EU. We note that the GDPR refers to persons “in” the EU, regardless their nationality or the place where they usually live.
This means that any personal information you may have collected for future marketing purposes may be subject to the GDPR if the marketing happens when that person was located in the EU. Likewise, if your company has a website with cookies (files that allow you to collect personal information relating to the users of your website), then you must watch out as you never know where the user may be based.
In brief, what the GDPR regulates is mainly the collection, storage, transfer and usage of any information relating to natural persons. This includes the name, location data, online identifier or cultural traits of that natural person, as long as such information may lead to identifying the concerned person.
Fines are massive and can find their way to Egypt. In certain cases, fines can reach up to EUR 20 million or 4% of the company’s total worldwide annual turnover of the preceding financial year, whichever is higher. Administrative fines are imposed by the competent European supervisory authority. Claims for compensation may be also lodged before EU courts. The GDPR additionally requires all EU States to enforce their international cooperation mechanism to ensure cross-border enforcement where necessary — these mechanisms are already in place between Egypt and a number of EU countries.
But you’re not in the crosshairs — not yet, at least. The EU might not apply the extra-territorial effect of the GDPR aggressively on small and medium sized non-EU companies, at least at the early stages. Instead, we expect it to start by targeting large global companies, such as Facebook and Google. It might also focus on substantial leakages of personal data that result in actual damages. So if this is the first time you hear about the GDPR, don’t panic — but don’t ignore it, either. You still need to comply.
What you can do now? If your company collects personal information about people outside Egypt, make sure that the concerned persons know who you are, the type of information that you are collecting, and why. For instance:
- If your company sends out newsletters, send an email to your list of addressees to seek their consent, with a link directing them to more details on your privacy policy. Remove from your list those who do not agree to receive the newsletters;
- If your website uses cookies, install a pop-up on your website that notifies the user that these cookies exist;
- If someone requests to correct or delete their data, make sure you comply;
- If you do not have a privacy policy, set up one that is clear and easy to understand;
- If you outsource service providers who collect personal data on your behalf, discuss GDPR compliance with them;
- Also, depending on the nature and amount of personal data that you collect, you may need to designate a representative in the EU.
For your background, Egypt does not have a generic data protection law, although various regulations include privacy and secrecy regulations that apply in specific situations. The Egyptian Constitution of 2014 sanctifies private life. It also provides for the secrecy of emails, phone calls and other means of communication and prohibits their monitoring and confiscation without a prior court order and for a limited period. However, it remains to be seen how and whether Egypt will be taking effective steps towards further protection of data protection, especially in light of the new draft law against crimes using technical means, which is currently being drafted.
Want more? Visit these links (here and here, both pdfs) for more practical insights on the GDPR.