Egypt's long-dormant data-protection regime now has a clock on it. With the Executive Regulations to Personal Data Protection Law No. 151 of 2020 issued by Decree No. 816 of 2025, regulated entities have a one-year transition and must be fully compliant by November 1, 2026. The Personal Data Protection Center (PDPC) — promised since 2020 — becomes a live regulator with the power to license, inspect, and fine. The timing is what makes this more than a routine compliance story: the deadline lands as Egypt scales Haweya, the Central Bank–backed digital identity platform that combines face and fingerprint biometrics to onboard citizens into banking and telecoms.
The strongest case for the new regime
It should be said plainly: Egypt building a real data-protection framework is overdue and largely welcome. For years the country processed enormous volumes of personal data — SIM registration, banking KYC, e-government — with no statutory floor and no supervisory authority. The PDPL, modelled in part on the EU's GDPR, finally gives individuals consent rights, a 72-hour breach-notification duty, purpose limitation, and rules for children's and sensitive data. Crucially, it reaches the things people actually worry about. Under the Executive Regulations, operating a visual surveillance system in a public place requires a specific PDPC license (Article 31), and CCTV footage is bound by purpose limitation — it cannot be repurposed beyond the security reason it was collected for. A country wiring up cameras and biometric kiosks needs exactly this kind of legal constraint on who watches whom. We support it.
But the architecture is permission-first, not accountability-first
The concern is the regulatory model, not the goal. Egypt has chosen ex-ante licensing as its default lever. A controller needs a license to process at scale; a separate license at 50% of the controller fee to move data across the border; another dedicated license for direct electronic marketing; another for public surveillance. Cross-border transfer applications can take up to ninety working days to review. This is a heavier touch than the GDPR, which it otherwise resembles. Europe largely abandoned prior authorization for accountability: register your processing, document it, and answer to a regulator after the fact. Egypt has instead built a system where a growing share of ordinary digital commerce requires a government permit before it can begin.
For a state that explicitly wants Haweya to make it a regional fintech hub, that is a tension worth naming. A fintech that wants to verify a customer, market a new product, and reconcile data with an offshore cloud provider now needs the regulator's blessing on each leg. None of those steps is inherently dangerous; bundling them all into license queues risks turning a privacy law into a throttle on the digital economy it is supposed to protect. The proportionate alternative is well understood: reserve ex-ante licensing for genuinely high-risk processing, and let the rest run on registration plus enforcement.
The asymmetry at the center
The deeper problem is who the law binds hardest. The compliance countdown disciplines private business — banks, marketers, platforms, the SMEs that will spend the next five months papering their processing. Meanwhile the single largest new collector of sensitive biometric data in the country is the state's own ID program. Haweya stores residents' face and fingerprint templates and is the gateway to bank accounts at 37 institutions, SIM purchases, and government services. Egypt's financial-inclusion rate of roughly 76% means tens of millions of people will route their identity through this one platform.
That is a defensible public goal — biometric eKYC genuinely lowers the cost of banking the unbanked. But it concentrates the country's most irreversible personal data (you cannot reissue a face) in a state-linked system, precisely as a data law takes effect that carves out wide latitude for public authorities acting on national-security and public-order grounds. A regime that imposes license fees and three-to-six-month criminal exposure on a private marketer, while the government's own biometric mega-database operates under softer constraints, has its incentives inverted. The risk to citizens from a breached or repurposed national biometric store dwarfs the risk from an unlicensed mailing list.
What proportionate would look like
None of this argues against the PDPL. It argues for finishing it honestly. Three things would make the November deadline a net win for Egyptians and for the digital sector:
- Bind the state to its own rules. Haweya and public surveillance deployments should be subject to the same purpose-limitation, retention, and breach duties as any private controller — with published audits, not self-certification.
- An independent, adequately resourced PDPC. A licensing regulator that becomes a bottleneck breeds informal workarounds and selective enforcement. Independence and capacity determine whether this is rule-of-law or rubber-stamp.
- Trim the permit perimeter. Move routine, low-risk processing — most cross-border cloud transfers to adequate jurisdictions, first-party marketing with consent — to a register-and-be-accountable track, freeing the PDPC to scrutinize the high-risk biometric systems that actually warrant prior review.
Egypt has done the hard part: it wrote a credible law and set a real deadline. The next five months decide whether it produces a privacy framework that protects people from the most powerful data collector in the country — or one that mostly inconveniences the small businesses least able to threaten anyone's privacy.