Report: Egypt’s Personal Data Protection Law: Implementation Challenges and Additional Compliance Requirements

Egypt’s Personal Data Protection Law No. 151/2020 (PDPL), which entered into force in October 2020, has become fully operational with the issuance of its Executive Regulations on 1 November 2025 and the establishment of the Personal Data Protection Centre (PDPC). The Executive Regulations close a long-standing enforcement gap by introducing detailed technical, procedural and licensing requirements, effectively transforming the PDPL from a principles-based framework into a functioning supervisory regime. A one-year implementation grace period runs until 31 October 2026, during which controllers and processors must secure mandatory licences (including specific licences for cross-border transfers, electronic marketing and video surveillance), supported by extensive documentation and subject to progressive, volume-based fees. The PDPL diverges from the European Union’s General Data Protection Regulation (GDPR) in several material respects: a broader and differently framed concept of sensitive personal data (including children’s, financial and security-status data), a requirement for consent for all cross-border transfers, a universal data breach notification duty with strict timelines, and an unclear extraterritorial provision. Enforcement risk is heightened by a dual penalty system combining administrative measures with criminal sanctions, including possible imprisonment and personal liability for data protection officers. Organizations processing personal data in Egypt must therefore adapt GDPR-based controls to the PDPL’s stricter and locally specific requirements and prioritize early, structured compliance.