No Dedicated Law, No Clear Doctrine
Egypt has no statute that names deepfakes. What it has is an overlapping mesh of cybercrime legislation, a freshly activated data protection law, and a pending draft AI act — all layered over a Penal Code whose misinformation provisions the Cabinet is now moving to sharpen. That combination provides some coverage but not the precision the challenge requires, and the direction Cairo is moving raises its own concerns.
The urgency is real. Egypt's population of over 100 million is heavily connected via social media. Synthetic audio and video of politicians, celebrities, and judges circulates freely on platforms with minimal moderation oversight inside the country. Deepfake fraud targeting ordinary citizens — fake bank communications, fabricated family emergencies, impersonated officials — is no longer hypothetical. The regulatory vacuum is not a technicality; it has direct consequences.
The Cybercrime Law's Double-Edged Reach
The primary instrument available for deepfake-related harms is Law No. 175 of 2018 on Anti-Cyber and Information Technology Crimes, Egypt's principal cybercrime statute. Its provisions cover the establishment of false online identities, the misuse of personal data through information systems, and the publication of content that harms an individual's reputation or dignity — categories broad enough to reach some deepfake conduct in principle.
Article 26 of Law 175/2018 is particularly relevant: it imposes enhanced penalties where IT misuse causes reputational or personal harm. Legal analysts note that the law does not require the underlying content to be genuine in order to prosecute — an important implicit acknowledgment that fabricated media can constitute a real legal injury. Non-consensual deepfake pornography targeting a private individual, or a fabricated video designed to defraud, could plausibly be prosecuted under these provisions.
But the law's practical record tells a different story. In November 2025, Egyptian courts handed down a series of convictions against TikTok content creators under Article 25 of the same law — the provision criminalising content that "violates Egyptian family values." Sentences ranged from six-month suspended terms to two years' imprisonment; each creator also faced a fine of EGP 100,000. The Law and Democracy Support Foundation documented the cases and criticised Article 25 as lacking any clear legal definition, creating space for prosecutorial discretion that has been exercised against ordinary digital expression rather than genuine harm.
This is not an edge case; it is the systemic risk. When deepfake regulation is embedded in vague "family values" or "public morals" provisions, authorities acquire a tool calibrated for selective enforcement rather than proportionate harm-reduction.
The Cabinet Reaches for Misinformation Fines
In December 2025, Egypt's Cabinet met at the New Administrative Capital and instructed the Ministry of Justice to draft amendments to Article 380 of the Penal Code, which governs the spread of rumors and false information. The stated rationale was that current financial penalties no longer deter misinformation, particularly content that the Cabinet described as threatening "societal security and the national economy." The Cabinet simultaneously ordered all ministries to establish internal early warning units for detecting rumors and coordinating rapid official responses.
The legitimate case for updating these provisions deserves acknowledgment. Egypt faces genuine information-environment challenges: disinformation campaigns during sensitive political periods, health misinformation, and increasingly sophisticated AI-generated fabrications targeting state institutions. Regulatory responses that can move quickly and impose meaningful penalties are not inherently wrong.
What is wrong — or at least concerning — is the framing. Article 380 amendments aimed at "rumors" lack the surgical definition that deepfake-specific regulation demands. In practice, broad anti-misinformation laws tend to land on journalists, activists, and opposition voices before they land on AI-generated propaganda. Egypt's own Cybercrime Law history confirms that vague content provisions migrate toward political use.
The Data Protection Layer
Egypt's Personal Data Protection Law No. 151 of 2020 (PDPL), whose Executive Regulations entered force in November 2025 and whose full compliance deadline is November 1, 2026, adds a meaningful but incomplete layer. Deepfakes inherently process an identifiable person's biometric likeness — face, voice, physical mannerisms — which falls squarely within the PDPL's definition of personal data. Creating or distributing a deepfake without a valid legal basis would, in principle, violate the PDPL's consent and purpose-limitation requirements, exposing violators to penalties reaching EGP 5 million.
In September 2025, Egypt's Economic Court awarded EGP 10 million in damages for a data breach, establishing that liability can attach without proof of intent — a precedent that could extend to deepfake creators in future litigation. But the Personal Data Protection Center, operational since late 2025, has focused its initial guidance on foundational consent and breach-notification requirements, not AI-specific scenarios. Data protection law is a partial fix, not a substitute for direct deepfake rules.
The Draft AI Law's Narrow Window
Egypt's most consequential near-term development is the Draft Artificial Intelligence Law (2024), which is moving through stakeholder consultation ahead of expected parliamentary consideration. The draft would establish the Egyptian Center for Responsible AI (ECRAI) with audit authority and compliance-certification powers, converting the principles of the Egyptian Charter for Responsible AI (2023) — transparency, accountability, human oversight — into binding requirements.
This is the right vehicle for deepfake-specific rules, if the drafters seize the opportunity. The draft's proposed risk-based framework, which imposes stricter requirements on AI systems affecting fundamental rights, is exactly the architecture that supports specific provisions on synthetic media: mandatory watermarking or provenance labelling for AI-generated video and audio, consent requirements before any person's biometric likeness is used in generative training data, and strict penalties for non-consensual intimate deepfakes. These are targeted, harm-specific rules that are consistent with Egypt's stated goal — in its National AI Strategy 2025–2030 — of building a trustworthy AI ecosystem that can deliver sustainable economic value.
The Proportionality Test
Egypt's regulators face real pressure to act on deepfakes. The risk is that the instinct to reach for existing instruments — the cybercrime law's "family values" provisions, a strengthened Penal Code Article 380 — produces rules that are too broad to be proportionate and too blunt to be effective. A vague anti-misinformation statute applied to AI-generated content will not stop determined bad actors; it will chill ordinary users and journalists.
The PDPL's November 2026 enforcement deadline, the draft AI law's parliamentary trajectory, and the Cabinet's signalled appetite for new rules converge in a narrow window. Egypt has the institutional architecture — the NCAI, the ECRAI, the PDPL regulator — to build something better than what it is currently reaching for. Whether it does so will determine whether the country becomes a model for deepfake governance in the Arab world or a cautionary example of how blunt digital-safety laws multiply without actually making the information environment safer.