Methodology

This report focuses on how major operators in Egypt (Vodafone, Etisalat, Orange, We) deal with personal information and data collected from users. The report relied on data published to the public on the corporate web sites in addition to the terms of contracts used by each company.

A set of standards related to data protection and privacy policies have been developed, and standards have been applied to the four companies:

• Access to the Privacy Policy:The Privacy Policy is publicly, comprehensively, and easily accessible.
• Change of privacy policies: Commitment of companies to inform users about changes in privacy policies.
• Data collection: the quality of data and information gathered by companies about users, and how this is done..
•  Data sharing: the quality of data that companies share with third parties and purpose thereof.
• Data Retention: The length of time companies retain data collected from users, and their storage and protection mechanisms.
• Disclosure procedures: What procedures are used in case government entities request user data.
• Disclosure of requests for information:Transparency of companies in publicly disclosing government requests to obtain user data and informing users thereof..
• Communication security measures: policies and procedures followed by companies to secure communications and data storage.

Legal Regulation

• Constitutional Protection

Article 57 of the Egyptian Constitution provides for the protection of privacy and the confidentiality of communications and correspondence in Egypt: ” The right to privacy may not be violated, shall be protected and may not be infringed upon. Postal, telegraphic and electronic correspondences, telephone calls, and other means of communication are inviolable, and their confidentiality is guaranteed. They may not be confiscated, revealed or monitored except by virtue of a reasoned judicial order, for a definite period, and only in the cases defined by Law. The State shall protect citizens’ right to use all forms of public means of communications. Interrupting or disconnecting them, or depriving the citizens from using them, arbitrarily, is impermissible. This shall be regulated by Law”.

However, there are no laws that review the protection of privacy and the confidentiality of personal data and information. The practices of telecommunications companies, some of their privacy policies and their terms of engagement, and some legal articles, such as Article 2 of the IT Crimes Act, contradict this constitutional provision.

• Law of the Regulation of Communication

The Telecommunications Regulatory Act, issued in 2003, is the law governing the telecommunications sector in Egypt, but its provisions do not provide legal protection for the personal data of users of Egyptian telecommunications services, although the law mentions in some of its articles general provisions on data protection.

Article 4 and 5 of the Law address the objectives of the NTRA – the governmental body responsible for the management of the telecommunications sector. Article 5 states that the Regulatory Authority shall “establish rules that guarantee the protection of users to ensure the confidentiality of telecommunications and provide the latest services at the most appropriate prices, as well as develop a system to receive and investigate user complaints and follow up with service providers.” In a related context, Article 13 states that the NTRA Board of Directors may make decisions to achieve the objectives of the NTRA, including “establishing the rules and conditions for the licensing of the infrastructure of telecommunication networks … to ensure the rights of users, especially their right to full confidentiality in accordance with the law, in a manner that does not affect the national security and the higher state interests and the standards of urban planning and health and environmental standards decreed by the ministers concerned and the heads of the concerned authorities”. Article 25 specifies the obligations to grant licenses to telecommunications service providers, including “ensuring the confidentiality of communications and calls of the licensee’s customers and establishing the necessary rules to ensure that.” Despite the existence of the above provisions, the actual reality of the practices of state agencies as well as the various service providers and NTRA do not apply this in their various regulations and practices.

• Law against the crimes of information technology (IT crimes)

Article 2 of the Anti-IT Crimes Act regulates the comprehensive monitoring of communications in Egypt, where telecommunications companies are required to keep and store customer usage data for a period of 180 days. These include user-identifiable data, data on the substance and content of the information system, and those relating to the movement of use and devices used. This means that telecom providers will have data that describes all user practices, such as phone calls and text messages, all data related to them, sites visited, and applications used on smartphones and computers. In addition, the law requires telecommunications companies to comply with any “other data to be determined by a decision” from the NTRA board of directors. This means that telecommunication providers can subsequently be obliged to collect and retain data not provided for in the law once an NTRA administrative decision has been issued. The article gives the right to national security authorities to access such data, and obliges telecommunications service providers to provide technical help to obtain them. The law defines national security bodies as including: “the Presidency, the Armed Forces, the Ministry of the Interior, the General Intelligence and the Administrative Oversight Authority.”

Recommendations

AFTE recommends that companies working in the telecommunications sector in Egypt adopt the “Principles for the Protection and Promotion of Freedom of Expression and Privacy in Information and Communication Technologies“, “Guidelines for Implementation of the Principles of Freedom of Expression and Privacy” and “Manila Declaration on the Responsibility of Brokers“.

• AFTE recommends that telecommunications companies operating in Egypt develop privacy policies in a way that facilitates easy, clear and accurate customer access to definitions and formulations, and is relevant to data protection and privacy standards and should apply to all services provided to customers.
• AFTE recommends that telecommunications companies in Egypt not interfere with the content produced or accessed by users, and not set conditions related to the quality of content, whether for ethical, religious or political reasons.
• AFTE recommends that the Egyptian government issue a law to protect personal data that conforms to international human rights standards and sets the protection of privacy as a priority, without the use of broad terms or interference by the security services.
• AFTE recommends that the Egyptian government repeal the Law on Combating Information Technology Crimes and amend the Telecommunications Regulatory Act to ensure the protection of users’ right to privacy and freedom of expression.