A Six-Year-Old Law Finally Gets a Front Door
Egypt's Personal Data Protection Law, Law No. 151 of 2020, sat mostly dormant for five years while the Ministry of Communications and Information Technology worked out how the Personal Data Protection Center (PDPC) it created would actually operate. That changed with Executive Regulation Decree 816/2025, which took effect November 1, 2025 and started a 12-month grace period. In mid-June 2026, the PDPC's electronic portal — the system through which every controller and processor in Egypt must now request a license — went live. Businesses have until October 31, 2026, with the law fully enforceable from November 1, before non-compliance exposes them to fines reaching EGP 5 million (about $100,000) per violation, according to a Clyde & Co regulatory briefing.
The portal isn't a single gate. Egyptian legal press has catalogued seven distinct license and permit categories the PDPC now issues — general processing, direct electronic marketing, associations handling member data, cross-border transfer, consultancy accreditation, and, notably, two categories aimed squarely at the riskiest data: sensitive personal data (which the law defines to include biometric data) and visual surveillance systems in public places, per Youm7's April 2026 breakdown of the license schedule.
The Case for Prior Authorization
There's a real argument for this design. Biometric identifiers are the one category of personal data a person cannot reset after a breach — you can cancel a credit card, but not a fingerprint. A licensing gate that forces a company to justify, in advance, why it needs to collect faces or fingerprints — and to appoint a Data Protection Officer and commit to the PDPL's 72-hour breach-notification rule before it's allowed to start — is a defensible, if blunt, instrument. The EU's GDPR reaches similar ground through mandatory Data Protection Impact Assessments for high-risk processing rather than upfront licensing, but the underlying judgment — that biometric and mass-surveillance processing deserves friction other data processing doesn't — is one most privacy frameworks share, including ours.
The Gap: A License With No Ceiling
Where Egypt's regime departs from that model is in what the license actually requires once granted. A Baker McKenzie analysis of the Executive Regulations found that explicit data-minimization language — "no more data may be collected than is necessary" — appears only in the section governing children's data. General retention limits for the sensitive-data and visual-surveillance license categories aren't specified in the published regulations. A separate legal briefing notes the PDPL's duties "mirror the GDPR broadly," including a minimization principle in the abstract, but stops short of attaching concrete retention periods to it, per dsn group's compliance guide. In practice, that means a company can obtain a PDPC license to run facial-recognition CCTV in a shopping mall or process fingerprint templates for a fintech app without the license itself specifying how long that footage or those templates can be kept.
A licensing gate without a retention ceiling doesn't function as a privacy regime — it functions as a permission slip. It answers "who may collect this" while leaving "how long may they keep it" entirely to the discretion of the licensee, which is precisely the wrong data category to leave open-ended.
The State's Own Biometric Buildout Sits Alongside It
The timing sharpens the stakes. Egypt is simultaneously scaling Haweya, the Central Bank of Egypt-backed digital identity wallet that combines facial and fingerprint biometrics with digital signatures for remote account-opening (eKYC), now integrated across 37 banks including state-owned Banque Misr, according to Biometric Update. Every source we reviewed on the PDPC's licensing framework describes it in terms of private "controllers and processors" — the commercial entities that must now queue up at the new portal. None of the public guidance we found addresses how, or whether, the same license-and-retention obligations bind government-run biometric identity infrastructure at the scale Haweya represents. That's a legitimate open question, not a settled exemption — but it's one the PDPC has not yet answered publicly, and it matters more, not less, as the country's largest biometric enrollment drive is a state-directed one.
What Proportionate Regulation Would Look Like
A risk-tiered license for biometric processing and public surveillance is the right instinct — better than either an outright ban on facial recognition or a total absence of oversight. But a license is only as good as its conditions. The PDPC should use its remaining months before the November 1 deadline to attach explicit retention ceilings to the sensitive-data and visual-surveillance categories, and to state clearly, on the record, whether Haweya and comparable national ID programs fall inside or outside the licensing perimeter. Otherwise Egypt will have built real bureaucratic friction for private firms while leaving its fastest-growing biometric collector to answer to no license at all.