Egypt Egypt digital ID Takamol surveillance

Egypt's New Data-Licensing Regime Has No Retention Limit on the Biometric Data It Licenses

The PDPC's portal will license firms to process biometric and CCTV data ahead of a Nov. 1 deadline, but sets no retention ceiling as Egypt's own biometric ID rollout scales.

Egypt's Data Protection Licensing Regime, By the Num… People of Internet Research · Egypt Nov 1, 2026 Compliance deadline Grace period under the Executive R… 7 License categories created Includes separate licenses for sen… EGP 5M Max fine per violation Ceiling under the PDPL's penalty r… 37 Banks linked to Haweya ID Biometric digital-identity wallet … peopleofinternet.com
Egypt's Data Protection Licensing Regi… People of Internet Research · Egypt Nov 1, 2026 Compliance deadline 7 License categories creat… EGP 5M Max fine per violation 37 Banks linked to Haweya ID peopleofinternet.com

Key Takeaways

A Six-Year-Old Law Finally Gets a Front Door

Egypt's Personal Data Protection Law, Law No. 151 of 2020, sat mostly dormant for five years while the Ministry of Communications and Information Technology worked out how the Personal Data Protection Center (PDPC) it created would actually operate. That changed with Executive Regulation Decree 816/2025, which took effect November 1, 2025 and started a 12-month grace period. In mid-June 2026, the PDPC's electronic portal — the system through which every controller and processor in Egypt must now request a license — went live. Businesses have until October 31, 2026, with the law fully enforceable from November 1, before non-compliance exposes them to fines reaching EGP 5 million (about $100,000) per violation, according to a Clyde & Co regulatory briefing.

The portal isn't a single gate. Egyptian legal press has catalogued seven distinct license and permit categories the PDPC now issues — general processing, direct electronic marketing, associations handling member data, cross-border transfer, consultancy accreditation, and, notably, two categories aimed squarely at the riskiest data: sensitive personal data (which the law defines to include biometric data) and visual surveillance systems in public places, per Youm7's April 2026 breakdown of the license schedule.

The Case for Prior Authorization

There's a real argument for this design. Biometric identifiers are the one category of personal data a person cannot reset after a breach — you can cancel a credit card, but not a fingerprint. A licensing gate that forces a company to justify, in advance, why it needs to collect faces or fingerprints — and to appoint a Data Protection Officer and commit to the PDPL's 72-hour breach-notification rule before it's allowed to start — is a defensible, if blunt, instrument. The EU's GDPR reaches similar ground through mandatory Data Protection Impact Assessments for high-risk processing rather than upfront licensing, but the underlying judgment — that biometric and mass-surveillance processing deserves friction other data processing doesn't — is one most privacy frameworks share, including ours.

The Gap: A License With No Ceiling

Where Egypt's regime departs from that model is in what the license actually requires once granted. A Baker McKenzie analysis of the Executive Regulations found that explicit data-minimization language — "no more data may be collected than is necessary" — appears only in the section governing children's data. General retention limits for the sensitive-data and visual-surveillance license categories aren't specified in the published regulations. A separate legal briefing notes the PDPL's duties "mirror the GDPR broadly," including a minimization principle in the abstract, but stops short of attaching concrete retention periods to it, per dsn group's compliance guide. In practice, that means a company can obtain a PDPC license to run facial-recognition CCTV in a shopping mall or process fingerprint templates for a fintech app without the license itself specifying how long that footage or those templates can be kept.

A licensing gate without a retention ceiling doesn't function as a privacy regime — it functions as a permission slip. It answers "who may collect this" while leaving "how long may they keep it" entirely to the discretion of the licensee, which is precisely the wrong data category to leave open-ended.

The State's Own Biometric Buildout Sits Alongside It

The timing sharpens the stakes. Egypt is simultaneously scaling Haweya, the Central Bank of Egypt-backed digital identity wallet that combines facial and fingerprint biometrics with digital signatures for remote account-opening (eKYC), now integrated across 37 banks including state-owned Banque Misr, according to Biometric Update. Every source we reviewed on the PDPC's licensing framework describes it in terms of private "controllers and processors" — the commercial entities that must now queue up at the new portal. None of the public guidance we found addresses how, or whether, the same license-and-retention obligations bind government-run biometric identity infrastructure at the scale Haweya represents. That's a legitimate open question, not a settled exemption — but it's one the PDPC has not yet answered publicly, and it matters more, not less, as the country's largest biometric enrollment drive is a state-directed one.

What Proportionate Regulation Would Look Like

A risk-tiered license for biometric processing and public surveillance is the right instinct — better than either an outright ban on facial recognition or a total absence of oversight. But a license is only as good as its conditions. The PDPC should use its remaining months before the November 1 deadline to attach explicit retention ceilings to the sensitive-data and visual-surveillance categories, and to state clearly, on the record, whether Haweya and comparable national ID programs fall inside or outside the licensing perimeter. Otherwise Egypt will have built real bureaucratic friction for private firms while leaving its fastest-growing biometric collector to answer to no license at all.

Sources & Citations

  1. Egypt Law No. 151/2020 (MCIT, statute text)
  2. MCIT press release on PDPC establishment
  3. Youm7: PDPC license categories breakdown
  4. dsn group: PDPL licensing compliance guide
  5. Baker McKenzie: Egypt data protection update
  6. Clyde & Co: Egypt regulatory update on data privacy
  7. Biometric Update: Haweya digital ID rollout