At a presentation before the start of the session, Fatma Ibrahim, Senior Legal Advisor at the PDPC’s CEO Technical Office, examined Egypt’s evolving personal data protection landscape, with a focus on the country’s Data Privacy Law, its executive regulations, and practical implications for businesses. The presentation underscores a fundamental shift from earlier generations—where devices such as televisions and telephones did not actively monitor individuals—to today’s pervasive digital environment, in which technology continuously tracks individuals from the moment they wake up. This constant surveillance enables systems to infer movements, behaviors, preferences, and even personal circumstances, raising significant concerns about privacy and exposure. Consequently, the establishment of a robust legal framework for personal data protection becomes essential, forming the central rationale for this presentation.

The Personal Data Protection Law introduces a comprehensive framework aimed at safeguarding data subjects—positioned as the core beneficiaries or “citizens” of the system—by defining their fundamental rights and imposing obligations on data users, namely controllers and processors. It mandates licensing requirements, emphasizes the role of the Personal Data Protection Center (PDPC) in regulation, enforcement, coordination, and awareness, and introduces key concepts such as personal and sensitive data, with enhanced protections for the latter. The law further outlines the rights of data subjects, including access, rectification, erasure, objection, and data portability, while imposing strict obligations on data users regarding lawful processing, transparency, data minimization, accuracy, security, and accountability. It also establishes new professional roles, particularly the Data Protection Officer (DPO), who ensures organizational compliance. Additional provisions address sensitive data handling, licensing systems, breach notification protocols, children’s data protection, cross-border data transfers, and direct marketing requirements, collectively ensuring that individuals maintain sovereignty over their personal data in an increasingly data-driven world.

Dr. Ziad Bahaa El Din, Managing Partner at Thebes Consultancy and Bahaa El Din Law Office, said that the enactment of Egypt’s Personal Data Protection Law in 2020 marked a significant milestone, with its executive regulations issued several years later, providing organizations with a full year to prepare for compliance before the law becomes fully enforceable this coming November. While already in effect, the transition to mandatory compliance underscores the urgency for businesses and institutions to align with their requirements. Importantly, Egypt is not operating in isolation but is part of a broader global movement toward stronger data protection standards, influenced by frameworks such as the European Union’s GDPR, which has increasingly shaped international business practices and everyday interactions. Beyond its legal function, this law represents a profound cultural shift, extending beyond mere regulatory compliance to fundamentally changing how individuals and organizations perceive, handle, and respect personal data and privacy.

Mohamed Elnawawy, a computer scientist and the previous CEO of Telecom Egypt (WE), noted that Data today is not only a matter of privacy but a monetizable asset, as illustrated by a handful of global companies—primarily based in the United States and China—whose combined market value has reached trillions of dollars by leveraging user data, largely through targeted advertising. This reality highlights a critical choice: societies can either remain passive consumers, exporting raw data and importing high-value digital services, or actively harness data to generate their own economic growth.

He added that The Personal Data Protection Law is thus framed as both a wake-up call and a strategic tool, enabling society to safeguard privacy while unlocking the economic potential of data. Reflecting on earlier professional experience in telecommunications, he contrasts past norms—where privacy was deeply embedded in legal and ethical systems and unauthorized data use was strictly prohibited—with today’s irregulated digital expansion that enabled massive data-driven enterprises. The emergence of artificial intelligence further reinforces this shift, as AI systems, fueled by vast amounts of user-generated data, represent a new and rapidly evolving product beyond advertising. However, unlike traditional professional interactions, engagements with AI lack equivalent privacy protections, raising new concerns. Ultimately, he argues that data is a perpetual source of future wealth, and this law represents a crucial step toward fostering a new mindset—one that not only protects individuals but also empowers society to capitalize on its data resources rather than relinquishing them for external value creation.

Dr. Nasser Loza, a Consultant Psychiatrist and Director of the Behman Hospital, addresses the audience by sharing a perspective shaped by experience in healthcare and mental health, explaining how the system has evolved from a simple doctor–patient model into a complex structure involving management, legal systems, insurance, and data security. While these changes improved organization, they also increased costs and added layers to healthcare delivery. He contrasts past privacy practices, rooted in handwritten records and ethics, with today’s digital systems requiring advanced protection measures. He expresses concern that the growing focus on data monetization and regulation may shift attention away from patient care and contribute to rising costs. He also argues that laws alone cannot change culture without societal belief and highlights contradictions in confidentiality approaches. Based on personal experience, he suggests individuals could choose to waive some data protection in exchange for lower costs, supporting a more flexible, consent-based model. He concludes by warning that healthcare is becoming increasingly expensive, with clinical care forming a smaller share of costs, and urges policymakers to balance data protection with affordability, accessibility, and innovation.

 Tarek Shabaka, the Chairman and CEO of MCS offered an IT industry perspective, emphasizing that the Personal Data Protection Law—initiated by the Ministry of Communications and Information Technology—represents a significant economic and technological transformation. He highlights that the long-awaited executive guidelines are now ready for implementation, marking a critical step in enabling new services such as data centers and data-driven solutions within the country. He stresses that this law will affect everyone, as it applies to daily personal and professional activities, requiring all organizations handling personal data, including employee records, to comply. From a technical standpoint, he underscores the importance of establishing strong cybersecurity standards and compliance frameworks to prevent data breaches and ensure secure environments. Additionally, he points to the growing risk of fraud resulting from uncontrolled data access and a culture of oversharing information, noting that the law provides necessary guidelines to mitigate such risks. Overall, he presents the law as a key enabler of economic growth, improved data security, and fraud reduction, with shared responsibility across all stakeholders.

Suzanne El Akabaoui, the Acting CEO of the PDPC and Advisor to the ICT Minister for Data Governance, emphasizes that while data holds significant economic value as a structured national resource, there is a fundamental obligation to protect citizens who differ in awareness and maturity regarding the risks of oversharing or misuse of their personal data. She explains that the PDPC seeks to strike a careful balance between safeguarding human rights and enabling the economic use of data, with the law designed as both a regulatory and supportive framework that guides stakeholders through compliance via licensing while ensuring proper data handling methodologies without disrupting economic activity.

She acknowledges concerns about rising healthcare costs, noting that delays in issuing executive regulations were partly intended to ease the compliance burden, but stresses that regulation has become unavoidable due to global trends such as cross-border data flows and the increasing use of data in AI and emerging technologies. She further highlights the importance of raising public awareness, especially as rapid technological advancement outpaces societal readiness, and points out that traditional interpersonal trust mechanisms are diminishing in digital environments, making regulatory safeguards essential. From an IT perspective, she views personal data protection as an extension of cybersecurity practices, now requiring more focused attention, and concludes by stressing that strong data protection frameworks are critical for enabling digital trade, attracting foreign investment, and ensuring collaborative efforts among all stakeholders.

El Akabaoui explained that starting November 2026, the PDPC would be fully operational, with authorities adopting a gradual enforcement approach that prioritised compliance over immediate inspections. While the initial phase would not involve large-scale auditing and inspections, the focus would instead be on enabling entities to begin applying for licenses and working toward compliance with the law. She noted that the regulatory authority’s primary approach would ensure compliance through guidance and cooperation before transitioning to more active enforcement activities. However, she emphasized that the PDPC would retain the legal mandate to act in cases of personal data breaches or when handling data subject complaints that demonstrated sufficient merit, which could trigger targeted audits and inspections when necessary. Once sufficient awareness had been raised, compliance requirements had been clearly communicated, and a significant number of entities had applied for licenses, the authority was expected to gradually proceed with fully exercising its auditing and inspection powers as part of its broader enforcement framework.