Subject: Overview On The Cybercrime Law

View this email online if it doesn't display correctly

                                         l  S H A R K A W Y   &   S A R H A N   L A W   F I R M

                                                                                                                                                                             Sharkawy & Sarhan Newsletter
Issue 107,16 October 2018
With no unified data protection or cybercrime laws, the current legislative environment in Egypt leaves internet and information technology service providers as well as information technology users vulnerable to cybercrimes and violations of privacy.

With a Data Protection draft law being currently reviewed and discussed before the Egyptian parliament, a New Media law that has been issued not a few days ago and the Cybercrime law (175/2018) issued on14 August (the “Law”), 2018 is expected to be the golden year for data and privacy legislative reforms in Egypt.
Although not explicitly stated under the Law, we understand from the text of the Law that the competent entity supervising the correct application of the Law, which will also be issuing further regulations in connection with the Law, is the National Telecommunications Regulatory Authority (“NTRA”).
The Cybercrime Law imposes several restrictions on both the users and service providers that serves to protect all stakeholders interests and national security. With wide investigatory powers granted to governmental authorities, balance between privacy concerns and national security might be at stake.

Are You A Person Of Concern To This Law?

The Law affects two main categories, (i) Service providers, (ii) Users.

The Law defines service providers as any person (whether juristic or natural) providing users with telecommunication and information technology services, including processing and storing of information whether by itself or by its delegate in respect of any of such services or information technology (the “Service Provider”). Users protected under the Law are defined as any person (whether juristic or natural) using or benefiting from information technology services through any means (the “User”).


One of the main purposes of the Law is to regulate the relationship between the Service Providers and Users, imposing obligation on Service Providers constituting the following.

First: Data Collection and Storage Obligations

Every Service Provider must maintain system of records (i.e. logs) and must keep any such logs and other information technology data for 180 consecutive days. These data should include:
- User information sufficient to identify the user;
- Information related to the content of the operating system dealt with if this is under the Service Provider’s control;
- Data related to communication movement (i.e. traffic data);
- Data on peripheral communication devices.
- All other data as shall be prescribed by NTRA.

Second: Data Protection

Service Providers shall be obliged to save and store the Information System record or any Information Technology method for a consecutive duration of 180 days. This information should include Users’ identification Information, logs and traffic data.

Service Providers are further required to protect and refrain from disclosing any stored data except by virtue of a reasoned decision issued by the competent judicial bodies; these include investigation authorities, (e.g. general prosecution and the state security prosecution in specific cases) and competent courts (e.g. criminal courts).

Service Providers are also required to secure and protect the stored data against hacking or destruction.

It’s worth noting that only Service Providers and their affiliated marketing agents and distributors may obtain the Users data.

As an exception to the previous obligation of non-disclosure of data, the law provides for the competent investigation authorities to issue a justified order to the competent law enforcement officers , for a duration not more than thirty days, renewable only once for another equivalent duration, while investigating a cybercrime specified under the Law, allowing access to data available to the Service Provider .

Third: Visibility

The Service Provider shall be obliged to clearly disclose and make available his identification information to his Users and competent authorities. This information should include:
1- Name and address of the Service Provider;
2- Contact information;
3- Licensing Information;
4- Other information as shall be required by NTRA.


1. Access to Service Provider Technology

Notwithstanding the rights protected under the Egyptian Constitution 2014 (i.e. right to privacy), Service Providers and their affiliates shall be obliged to enable competent authorities (i.e. national security agencies stated below) upon request, to use their available technology that enables them to perform their functions as per the law. It is worth noting that the law does not limit this right to a specific duration, nor does it allow for compensation for such usage. Furthermore, this right is provided directly to national security agencies namely, the President, Armed Forces, Ministry of Interior, General Intelligence Agency and the Administrative Control Authority, without the need to recourse to court or issue a judicial decision.

The non-compliance of IT Service Providers with the above-mentioned obligation will be punishable by a minimum of 3 months imprisonment and/or a fine not less than 200,000EGP and not exceeding 1million EGP .

2. Blocking Websites

In accordance to article 7 of the Law, the Service Provider shall, upon a court decision or an NTRA notification, block any website or content constituting a cybercrime threatening national security.

In case of non-compliance, the Service Provider shall be punishable by a minimum of one-year imprisonment and/or a fine not less than 500,000 EGP and up to 1 million EGP. The law also provides for an aggravated penalty in case such non-compliance resulted in the death of one or more persons. 


i- Cybercrimes

A total of 23 cybercrimes are punishable under the Law. These are classified in the law into six main categories including:
1- Cybercrimes;
2- Cyber-enabled crimes;
3- Breach of personal privacy;
4- Crimes committed by a website manager;
5- Service Providers non-compliance (stated below);
6- Selling, obtaining, importing or manufacturing of programs or IT for committing any cybercrimes.

Criminal fines ranging from a minimum fine of ten thousand Egyptian pounds and could reach a ten million Egyptian pounds and imprisonment ranging from a minimum of three months up to a maximum of five years are stipulated upon under the Law.

ii- E-evidence

Under the previous regime, and due to their nature, several cyber-enabled crimes are penalized under various legislations, mainly the Penal Code. However, providing admissible evidence before criminal courts has always been an issue. In addition to explicitly adding several cyber-related crimes, this Law gives e-evidence the same legal effect as that of physical evidence. However, for this to take place, such e-evidence must meet specific requirements, which will be set under future executive regulations.


As an exception to the principle of territoriality adopted by the Egyptian Penal Code, the Law stipulates that in specific cases prescribed within, the provisions of such law shall apply to any non-Egyptian person committing, outside the Arab Republic of Egypt, a crime penalized under the Law, provided that the action is punishable in the country where the action took place.

Perhaps the most relevant cases are where the crime was prepared, planned, directed, supervised or funded in Egypt, or if the defendants or one of them is Egyptian, or if the criminal was found in the Arab Republic of Egypt, following the commitment of the crime, and was not extradited. Other cases are mentioned in the Law.

Furthermore, it is worth noting that, while applying jurisdiction over other provisions of the Law, in particular the obligation to block national threat websites/contents as stated above, the obligation to block is not limited to sites hosted in Egypt, it is further extended to sites hosted outside Egypt.

Finally, the Service Providers and the addressees of the Law shall abide by the provisions of the law and its obligations and shall take the necessary measures for regularization within one year as of the effective date of the Law (i.e. 15 August 2019).

In 2006, Jim Wright, Ahmed El Sharkawy and Karim Sarhan established Sharkawy & Sarhan. Their extensie experience and different backgrounds combined to create a firm set up to provide high quality business law services. The Firm extended rapidly to become one of the leading firms in Egypt... read more about who we are ››
Sharkawy & Sarhan provides  integrated legal services to international clients.  It maintains ties with global law firms and has acted on some of the largest and most complex transactions in the Egyptian market... read more about our experience ››

We recruit and retain highly talented calibers who genuinely believe in our vision and values, and who will put the necessary efforts to achieve our vision.  We provide real growth opportunities and a clear career path to our people... meet the team 

We have a lot to tell you about law in Egypt...
But we don't want to overwhelm you!

We will be sending bi-monthly updates with the most important legal news taking place in the interval. We will try to keep it simple, but we want to add value with in-depth content and experienced analysis. We will usually highlight the most important changes introduced by law and decree as well as provide you with some context to explain its relevancy. We value your feedback. Feel free to send us your comments on how we can serve you better.

Email our team; Nouran Gamal, Associate on, or Sara Abdelghafar, Knowledge Managment Associate on

2 Mohamed Metwaly El Shaarawy St., Sheraton Heliopolis, Postal Code 11361, Cairo, Egypt.
Tel : +202 2269 0881
Fax : +202 2269 0882

Follow us on LinkedIn