Egypt’s Personal Data Protection Law – Before You Process, You Need a Licence

The Arab Republic of Egypt enacted a comprehensive data protection law in 2020. For five years, its practical impact remained limited. There was no supervisory authority, no executive regulations and no enforcement. That changed on 1 November 2025. From 31 October 2026, full compliance will be mandatory.

Background: Egypt’s Path to Data Protection

Egypt is the most populous country in the Arab world and one of Africa’s largest economies, with a population of over 100 million. Its modern state tradition stretches back to the 19th century, but the country’s political landscape has been shaped by successive waves of change: the 1952 revolution that ended the monarchy, the presidency of Gamal Abdel Nasser and his Arab socialist project, Anwar Sadat’s pivot towards the West and the open-door economic policy, and then three decades of Hosni Mubarak’s rule before the 2011 uprising that formed part of the broader Arab Spring.

Since 2014, Egypt has been governed under President Abdel Fattah el-Sisi. The current government has pursued a dual agenda of large-scale infrastructure investment and digital transformation. The Egypt Vision 2030 strategy explicitly prioritises digitalisation, e-government, and the growth of the technology and communications sector. It is in this context, a state actively building digital infrastructure and an expanding digital economy, that data protection regulation became a policy priority.

The Egyptian Personal Data Protection Regime

The Egyptian Personal Data Protection Law No. 151 of 2020 (PDPL)  (find the original text here) entered into force in 2020. On paper, it established a comprehensive framework with definitions of personal data, processing, sensitive data and data subjects. It established rights for individuals, obligations for controllers and processors, and a new supervisory authority, the Personal Data Protection Center (PDPC).

In practice, however, the law’s impact on Egyptian business remained manageable for years. Without the PDPC, there was no licensing body, no enforcement mechanism, and no DPO register. Without the Executive Regulations, the detailed technical and procedural requirements did not exist.

That changed on 1 November 2025, when the Egyptian Ministry for Communication and Information Technology issued Decree No. 816 of 2025 enacting the long-awaited Executive Regulations. Their entry into force triggered the one-year reconciliation period provided under Art. 6 PDPL. From 31 October 2026, full compliance is mandatory. The PDPC is already established under Art. 19 PDPL and chaired by the Minister of Telecommunication and Information Technology. The PDPC’s official electronic portal where licencing and registration will be performed is expected to go live by mid-June 2026.

Core Content of the PDPL in Contrast to the GDPR

The PDPL draws on internationally recognised data protection principles and is broadly aligned with the GDPR in structure and terminology. However, it differs from the GDPR in several significant aspects.

Definitions and Scope

The PDPL applies to the electronic processing of personal data of natural persons by any holder, controller or processor, Art. 1 PDPL. Unlike the GDPR, which recognises only controllers and processors, Art. 4 para. 7 and 8 GDPR, the PDPL introduces a third actor: the holder. This is a person who holds data without decisional authority over its processing.

The PDPL’s extraterritorial reach is narrower than the GDPR’s, as it covers non-Egyptian persons abroad only where the data subject is an Egyptian national or resident, Art. 2 PDPL (enacting law). The GDPR has a broader trigger of targeting or monitoring EU residents regardless of nationality, Art. 3 para. 2 GDPR.

Legal Bases

Processing is lawful in four cases:

1. consent,


2. contractual necessity or exercise of legal rights,


3. legal obligation or court order, and


4. enabling the controller to exercise legitimate rights, provided this does not override the data subject’s fundamental rights, Art. 6 PDPL.

The GDPR provides two additional bases: Vital interests, Art. 6 para. 1 lit. d GDPR and most significantly, legitimate interests as a standalone balancing ground, Art. 6 para. 1 lit. f GDPR.