Egypt E-Commerce Legislations and Comparative European Union and Turkey Legislations Review

As we mentioned in our latest Article Egypt is an appealing advantage for e- commerce initiatives. In this Article we will examine this country regulation within scope of the consumer rights, data protection, license requirements and other related issues in comparison with EU and TR legislation.

Consumer Rights

The Law No 181 of 2018 which repealed Law No. 67/2006 , has ensured the consumer’s protection under the umbrella of the remote contracting, which was not previously treated in the old Law. The law also guarantees the consumers’ right to have comprehensive and correct information about the services introduced to them and products they consume. The main information provided about the product has to include the source of the product, its price, nature, main characteristics besides other information determined by the law’s executive regulations.

Essential consumer rights are following:

• The right to health and safety for the normal use of the products
• The right to obtain all of the correct information and data about the services or products that the consumer buys, uses or receives
• The right to ensure respect for community customs and traditions
• The right to receive fair compensation for damages towards the consumer or its money as a result of the purchase, use or receipt of the products
• The right to return any faulty product for a full refund or replacement in the span of 30 days after purchase[1] • The right to replace or return for a full refund any product without reason within 14 days[2]

Supplier’s Obligations

Since the Law addresses so many obligations we will only examine the substantial ones below.

Disclosing Obligations

The Supplier has the obligation of clearly disclosing all substantial data and information related to a product especially its source, price (including tax details or any other financial burdens), specifications and features, essential characteristics, where and when it is offered, the data enumerated by the Egyptian Standards Specifications, and any other data to be required by the executive regulation when issued .[3]Moreover, the product’s information has to include the supplier’s identifiable information, mainly including his address, contact information, and trade mark if available, all in Arabic as well.

The suppliers are also obliged by the law to ensure that all messages to the consumer including ads, data, information, documents, bills, and receipts are written in Arabic and in another languages at the Supplier’s discretion. These data shall be clearly disclosed and shall be easily read and understood by the consumer.

Warranty Liabilities

According to the Article 3 of this Law, the Supplier shall abide by the health and safety and quality rules as well as guaranteeing them in accordance with the Egyptian Standards Specifications or the international standards specifications approved in Egypt.


Through strict penalties against companies or merchants who violate regulations, the new law criminalizes the monopoly of any product or market and false and/or misleading advertisements or behaviour in any format under the Article 9 of this Law with a fine of up to EGP two million per violation.The new Law primarily aims to not mislead,fraud or deceive the consumer.

In event of businesses fail to fulfill their obligations to inform ( as we mentioned above) the customer in a clear manner.The businesses will otherwise face a fine between 10,000 EGP and 50,000 EGP.

Physical harm or death caused by faulty products are severe penalties that supplier will be penalized imprisonment.[4]

Data Protection Law in Egypt

Egypt’s Personal Data Protection Law was passed on 13 July 2020 and published on 15 July 2020. It will come into force on 15 October 2020, and the Executive Regulations are expected by 14 April 2021. The Personal Data Protection Law introduces a variety of compliance requirements, as well as some significant criminal penalties.

The Regulation will provide further detail on the role of the new regulator and how it will implement the new Law. Companies will have a 12-month grace period to comply with the Law from the date of publication of the Regulation.[5] The new Data Protection Law in Egypt has a similarity on definitions and scopes of the Regulations in Turkey and EU. As GDPR and Data Protection Law in Turkey data subjects have a various fundamental rights under the Regulations in Egypt. Unlikely the GDPR, Article 1 of the Law solely applies to personal data that has been electronically processed, data held exclusively in a physical format is not regulated.

Processing Data

The Personal Data Protection Law prohibits the processing of personal data except with the consent of the data subject, or where otherwise permitted by law. Processing must be lawful, transparent and that the personal data collected should be retained for no longer than is necessary to fulfill the intended purpose.
In contrast to the GDPR, as part of the transparency obligations, data controllers in Egypt do not have to disclose a privacy notice before processing personal data. However, they must maintain a register in accordance with Article 4 that describes the erasure mechanism, the retention period of such data, and so forth.[6]

Cross-border Transfer

Subject to certain exceptions, a company must obtain a license from the Regulator cross border transfer of a data, and should only transfer personal data to a country which affords the same level of protection to personal data as Egypt under the Law.(Article 14)
Transferring data to a country which not affords the same level of protection to personal data with Egypt shall carried out with the approval of Egyptian Data Protection Centre ( yet to be established) and where the level of protection provided is not less than that provided in Egypt pursuant to the Personal Data Protection Law.

Article 15 sets out a number of exceptions to the Article 14 restriction such as obtaining the express consent of the data subject.

Data Protection Officers

Foreign companies processing personal data in Egypt are obliged to appoint a representative in Egypt. For data controllers outside of Egypt a local representative must be appointed Data Protection Officer (DPO) as a point of contact for Egyptian data subjects and the Regulator.

Notification Requirements

In the event of a security breach, unlike under the GDPR, both controllers and processors are obliged to report the incident to the Regulator within 72 hours. In the case of a breach which impacts national security, companies must report the incident to the Regulator and the National Security authorities immediately, including the Ministry of the Interior and the General Intelligence Directorate.[7]


The Personal Data Protection Law provides for a variety of criminal offences, with a range of penalties – including fines and imprisonment. These includes:

• Collecting, processing, disclosing, providing access or circulating personal data, by any means, other than with the consent of the data subject, or as otherwise permitted by law,
• Processing and transferring personal data other than in accordance with the personal data protection law;
• Preventing a data subject from exercising rights granted pursuant to the Personal Data Protection Law;
• Failure of a data controller or data processor to comply with specific obligations, and notification/reporting requirement,
• Failure to appoint a Data Protection Officer,
• Failure of Data Protection Officer to perform duties as specified in the Personal Data Protection Law;
• Failure to comply with digital marketing requirements pursuant to the Personal Data Protection Law.

These offenses according to the Personal Data Protection Law can be committed by Egyptian companies operating in Egypt or overseas and foreign companies operating in Egypt.