Egypt has developed a layered legal framework to address the challenges posed by technological advancement and the rise of online activity. The framework is principally anchored in Law No. 175 of 2018 on Combating Information Technology Crimes (“Cybercrime Law”) and Law No. 151 of 2020 on the Protection of Personal Data (“Data Protection Law”), supported by constitutional provisions and the Penal Code. Together, these laws attempt to balance the need for cybersecurity and data integrity with the protection of individual rights, but their breadth and potential overlap raise important interpretive questions.
This overview is prepared from the perspective of a law firm experienced in regulatory and technology-related legal matters in Egypt.
Table of contents
- The Cybercrime Law (Law 175/2018)
- The Data Protection Law (Law 151/2020)
- Constitutional and Penal Code Dimensions
- Liability of Administrators, Service Providers, and Legal Entities
- Key Interpretive Challenges
- Practical Implications
- Outlook
The Cybercrime Law (Law 175/2018)
The Cybercrime Law (Law 175/2018) is the first statute in Egypt to provide a comprehensive treatment of offences committed via information technology. It criminalizes a wide range of conduct, including:
- unlawful access to information systems,
- exceeding authorized access,
- unlawful interception of data,
- alteration or destruction of information,
- fraud through electronic payment tools, and
- the establishment of false websites or accounts.
Notably, the law extends to content-related offences, punishing the publication of material that violates private life, undermines family values, or offends public morals. Its sanctions are stringent, typically involving imprisonment and significant fines, and escalate where financial or reputational harm occurs.
The Data Protection Law (Law 151/2020)
The Data Protection Law (Law 151/2020), by contrast, is designed to regulate the processing of personal data. It establishes rights for data subjects, defines obligations for data controllers and processors, and restricts the cross-border transfer of data. While its emphasis is regulatory rather than criminal, violations may still attract administrative sanctions and criminal liability.
Overlap: Importantly, the interaction between the two statutes creates overlapping areas. For example, unauthorized disclosure of personal data could fall within both the Cybercrime Law and the Data Protection Law, raising questions of concurrent application and the potential for cumulative penalties.
Constitutional and Penal Code Dimensions
The Egyptian Constitution adds further weight by expressly guaranteeing the privacy of communications, including electronic communications, thereby creating a constitutional basis for challenging unlawful intrusions. Additionally, the Penal Code continues to play a role in addressing digital conduct, particularly in matters of defamation, insult, and invasion of privacy. Amendments in 2021 reinforced the applicability of these traditional offences to online platforms, meaning that individuals may face liability under both the Penal Code and cyber-specific statutes for the same underlying conduct.
Cyberbullying and Electronic Harassment
One area where these provisions converge is cyberbullying and electronic harassment. Although the term “cyberbullying” does not appear explicitly in the legislation, the conduct is captured through provisions on defamation, insult, impersonation, and unauthorized use of personal data. Victims may rely on Law 175/2018 for acts such as impersonation and abusive content, while the Penal Code addresses harm to reputation and dignity. The coexistence of multiple provisions, however, increases the potential for inconsistent application and judicial discretion.
Liability of Administrators, Service Providers, and Legal Entities
Liability under the Cybercrime Law is not confined to natural persons. Website administrators, service providers, and legal entities may also be prosecuted where offences are committed through systems under their control. Administrators may be liable for failing to prevent or report illegal activity, and service providers are obliged to cooperate with authorities and maintain technical safeguards.
Content liability: The scope of content liability is particularly sensitive. While the law appears to allow for broad responsibility over user-generated content, there is room to argue that liability should be limited to content approved, solicited, or controlled by the administrator. Until jurisprudence clarifies these points, the uncertainty creates a high-risk environment for digital platforms.
Key Interpretive Challenges
A further legal challenge lies in the interpretation of key terms such as “private life,” “public morals,” and “societal values.” These concepts are not exhaustively defined in the legislation and are left to judicial discretion, which may result in variable outcomes. Similarly, the extraterritorial reach of the Cybercrime Law raises questions about its compatibility with principles of jurisdiction in international law. While the statute purports to apply to offences committed abroad where they impact Egyptian interests or users, enforcement in cross-border contexts remains uncertain.
Practical Implications
From a legal perspective, Egypt’s cybersecurity and data protection framework represents a decisive step towards regulating the digital environment. Yet it also reveals tensions between criminal law, regulatory compliance, and constitutional rights. The overlap of statutes, the breadth of offences, and the reliance on undefined concepts create interpretive challenges that require careful navigation. In practice, companies and individuals must anticipate potential dual liability under both criminal and regulatory regimes, and service providers in particular must reconcile their technical operations with broad obligations under the Cybercrime Law.
Outlook
Going forward, much will depend on the interpretive role of the judiciary and the issuance of executive regulations. Clarification of terms such as “exceeding authorized access” or “content that undermines family values” will be critical in defining the scope of liability. Until such clarity emerges, the prudent course for businesses is to assume a wide reading of obligations and to implement comprehensive compliance measures that account for the dual demands of cybersecurity and data protection law.
