This Publication Data in Egypt is governed by chaos without laws or regulations to the point that personal information is available to be accessed by multiple groups not limited to law enforcement agencies and government agencies, but also to non-governmental entities. Egypt does not have a law to protect personal data and information in, which has contributed to the expansion of access to personal information of citizens in their conduct of their daily lives.
This publication comes within the framework of AFTE’s work on digital rights. It focuses mainly on how the telecom companies in Egypt deal with the personal data and information of their customers.
Telecommunications companies hold huge amounts of personal information and data. These data are collected not only when the service is contracted and the companies are provided with a copy of the national ID, but is constantly collected during normal use of telecommunications services, and there is no guarantee of the confidentiality of such data, especially with the control by security authorities over the telecommunications sector and the lack of respect by telecommunications companies of the privacy of its clients, which caused the spread of disclosure of personal data and information from the companies themselves and their agents. Confidentiality of personal data and information and the privacy of telecommunications users are of paramount importance as they relate to the daily practices of individuals, their association with transactions and the conduct of everyday business.
Summary of Results
Vodafone, Orange, Etisalat and Telecom Egypt receive a huge amount of personal information, without mechanisms and obligations from companies to protect them and not disclose them.
- Vodafone, Orange, Etisalat and Telecom Egypt share user data with third parties, whether for law enforcement, marketing, or debt collection purposes.
- All companies keep user data and information indefinitely, and there are no procedures that enable users to know how these are be being used.
- None of the companies provides an explanation to users about disclosure procedures.
- None of the companies provides an explanation of the procedures related to securing user data and information to their users.
- Egypt Telecom and Orange, condition that users comply with certain rules that restrict freedom of expression and access to information.
- The telecom operators differ regarding what they publish about their privacy policies.
This report focuses on how major operators in Egypt (Vodafone, Etisalat, Orange, We) deal with personal information and data collected from users. The report relied on data published to the public on the corporate web sites in addition to the terms of contracts used by each company.
A set of standards related to data protection and privacy policies have been developed, and standards have been applied to the four companies:
- Change of privacy policies: Commitment of companies to inform users about changes in privacy policies.
- Data collection: the quality of data and information gathered by companies about users, and how this is done..
- Data sharing: the quality of data that companies share with third parties and purpose thereof.
- Data Retention: The length of time companies retain data collected from users, and their storage and protection mechanisms.
- Disclosure procedures: What procedures are used in case government entities request user data.
- Disclosure of requests for information:Transparency of companies in publicly disclosing government requests to obtain user data and informing users thereof..
- Communication security measures: policies and procedures followed by companies to secure communications and data storage.
- Constitutional Protection
Article 57 of the Egyptian Constitution provides for the protection of privacy and the confidentiality of communications and correspondence in Egypt: ” The right to privacy may not be violated, shall be protected and may not be infringed upon. Postal, telegraphic and electronic correspondences, telephone calls, and other means of communication are inviolable, and their confidentiality is guaranteed. They may not be confiscated, revealed or monitored except by virtue of a reasoned judicial order, for a definite period, and only in the cases defined by Law. The State shall protect citizens’ right to use all forms of public means of communications. Interrupting or disconnecting them, or depriving the citizens from using them, arbitrarily, is impermissible. This shall be regulated by Law”.
However, there are no laws that review the protection of privacy and the confidentiality of personal data and information. The practices of telecommunications companies, some of their privacy policies and their terms of engagement, and some legal articles, such as Article 2 of the IT Crimes Act, contradict this constitutional provision.
- Law of the Regulation of Communication
The Telecommunications Regulatory Act, issued in 2003, is the law governing the telecommunications sector in Egypt, but its provisions do not provide legal protection for the personal data of users of Egyptian telecommunications services, although the law mentions in some of its articles general provisions on data protection.
Article 4 and 5 of the Law address the objectives of the NTRA – the governmental body responsible for the management of the telecommunications sector. Article 5 states that the Regulatory Authority shall “establish rules that guarantee the protection of users to ensure the confidentiality of telecommunications and provide the latest services at the most appropriate prices, as well as develop a system to receive and investigate user complaints and follow up with service providers.” In a related context, Article 13 states that the NTRA Board of Directors may make decisions to achieve the objectives of the NTRA, including “establishing the rules and conditions for the licensing of the infrastructure of telecommunication networks … to ensure the rights of users, especially their right to full confidentiality in accordance with the law, in a manner that does not affect the national security and the higher state interests and the standards of urban planning and health and environmental standards decreed by the ministers concerned and the heads of the concerned authorities”. Article 25 specifies the obligations to grant licenses to telecommunications service providers, including “ensuring the confidentiality of communications and calls of the licensee’s customers and establishing the necessary rules to ensure that.” Despite the existence of the above provisions, the actual reality of the practices of state agencies as well as the various service providers and NTRA do not apply this in their various regulations and practices.
- Law against the crimes of information technology (IT crimes)
Article 2 of the Anti-IT Crimes Act regulates the comprehensive monitoring of communications in Egypt, where telecommunications companies are required to keep and store customer usage data for a period of 180 days. These include user-identifiable data, data on the substance and content of the information system, and those relating to the movement of use and devices used. This means that telecom providers will have data that describes all user practices, such as phone calls and text messages, all data related to them, sites visited, and applications used on smartphones and computers. In addition, the law requires telecommunications companies to comply with any “other data to be determined by a decision” from the NTRA board of directors. This means that telecommunication providers can subsequently be obliged to collect and retain data not provided for in the law once an NTRA administrative decision has been issued. The article gives the right to national security authorities to access such data, and obliges telecommunications service providers to provide technical help to obtain them. The law defines national security bodies as including: “the Presidency, the Armed Forces, the Ministry of the Interior, the General Intelligence and the Administrative Oversight Authority.”
AFTE recommends that companies working in the telecommunications sector in Egypt adopt the “Principles for the Protection and Promotion of Freedom of Expression and Privacy in Information and Communication Technologies“, “Guidelines for Implementation of the Principles of Freedom of Expression and Privacy” and “Manila Declaration on the Responsibility of Brokers“.
- AFTE recommends that telecommunications companies operating in Egypt develop privacy policies in a way that facilitates easy, clear and accurate customer access to definitions and formulations, and is relevant to data protection and privacy standards and should apply to all services provided to customers.
- AFTE recommends that telecommunications companies in Egypt not interfere with the content produced or accessed by users, and not set conditions related to the quality of content, whether for ethical, religious or political reasons.
- AFTE recommends that the Egyptian government issue a law to protect personal data that conforms to international human rights standards and sets the protection of privacy as a priority, without the use of broad terms or interference by the security services.
- AFTE recommends that the Egyptian government repeal the Law on Combating Information Technology Crimes and amend the Telecommunications Regulatory Act to ensure the protection of users’ right to privacy and freedom of expression.
Click on the company logo to review its details