Issue

Vol. 6 No. 1 (2026)

Personal Data Protection

دراسة نقدية للائحة التنفيذية لقانون حماية البيانات الشخصية المصري: مشروعية التنظيم وكفاءته الوظيفية

https://doi.org/10.54873/jolets.v6i1.253
ahmed abou-elhasan
باحث بمركز أبحاث القانون والتكنولوجيا الناشئة

Corresponding Author(s) : ahmed abou-elhasan

ahmed.aboualhassan@bue.edu.eg

Journal of Law and Emerging Technologies, Vol. 6 No. 1 (2026)

Abstract

This study provides a critical and analytical examination of the Executive Regulations of the Egyptian Personal Data Protection Law (Law No. 151 of 2020), promulgated by the Minister of Communications and Information Technology Decree No. 816 of 2025. The analysis spans several axes: initially exploring the implications of the temporal gap between the enactment of the Law and the issuance of its Regulations, along with the Law’s impact on the latter; proceeding to evaluate the consistency and adequacy between the Law and the Regulations, as well as the internal consistency of the Regulations themselves; and concluding with an assessment of their economic and technological impacts.
Methodologically, the study adopts a critical analytical approach to evaluate the legality and coherence of the Regulations, specifically scrutinizing their adherence to the boundaries of legislative delegation. The analysis reveals a methodological defect and a fundamental inconsistency between the Regulations and the Law. This stems from the Regulations’ reliance on a structural framework confined to the direct cross-references explicitly stated in the Law, while disregarding substantive interconnections. Furthermore, the Regulations unlawfully expand the powers of the Center beyond the permissible scope of legislative jurisdiction and delegated authority. In certain sections, the study also employs a comparative methodology to assess legislative harmonization with the legal, technical, and economic frameworks governing the global data economy, ultimately highlighting the distinct divergence of the Egyptian approach from the comparative models.
Furthermore, the research discusses the economic and technological implications of the Regulations, highlighting the challenges imposed by the overarching regime of licenses, fees, and penalties. It critiques the monolithic technical and operational architecture underlying the Regulations, demonstrating its friction with the fundamental dynamics of modern technologies and agile business models.

abou-elhasan, ahmed. (2026). دراسة نقدية للائحة التنفيذية لقانون حماية البيانات الشخصية المصري: مشروعية التنظيم وكفاءته الوظيفية. Journal of Law and Emerging Technologies, 6(1). https://doi.org/10.54873/jolets.v6i1.253 (Original work published April 14, 2026)
Download Citation
Endnote/Zotero/Mendeley (RIS)
BibTeX
References
  1. أولاً: المراجع باللغة العربية (Arabic References)
  2. الكتب (Books)
  3. الصغير م، القانون الإداري بين التشريع المصري والسعودي (المركز القومي للإصدارات القانونية 2015).
  4. المكاوي ع، العلوم الإدارية (مؤسسة طيبة للنشر والتوزيع 2012).
  5. القوانين واللوائح (Laws & Regulations)
  6. قانون رقم (63) لسنة 2004 المتعلق بحماية المعطيات الشخصية (تونس)
  7. قانون رقم (30) لسنة 2018 بإصدار قانون حماية البيانات الشخصية (مملكة البحرين)
  8. قانون رقم (175) لسنة 2018 بشأن مكافحة جرائم تقنية المعلومات (مصر)
  9. قانون رقم (151) لسنة 2020 بإصدار قانون حماية البيانات الشخصية (مصر)
  10. نظام حماية البيانات الشخصية بالمملكة العربية السعودية (المرسوم الملكي رقم م/19 وتاريخ 9/2/1443هـ وتعديلاته)
  11. قرار رئيس مجلس الوزراء رقم (1699) لسنة 2020 باللائحة التنفيذية للقانون رقم (175) لسنة 2018 بشأن مكافحة جرائم تقنية المعلومات (مصر).
  12. قرار وزير الاتصالات وتكنولوجيا المعلومات رقم (816) لسنة 2025 بإصدار اللائحة التنفيذية لقانون حماية البيانات الشخصية (مصر).
  13. قرار وزير العدل والشئون الإسلامية والأوقاف رقم (43) لسنة 2021 بشأن شروط وإجراءات تعيين مراقب حماية البيانات الشخصية (مملكة البحرين).
  14. اللائحة التنفيذية لنظام حماية البيانات الشخصية بالمملكة العربية السعودية (قرار رئيس مجلس إدارة سدايا رقم 798 وتاريخ 23/02/1445هـ).
  15. ثانياً: المراجع باللغة الأجنبية (English References)
  16. Books & Journal Articles
  17. Crootof R, ‘International Cybertorts: Expanding State Accountability in Cyberspace’ (2018) 103 Cornell L Rev 565 https://scholarship.law.cornell.edu/clr/vol103/iss3/2 accessed 20 February 2026.
  18. Hacker P, Engel A and Mauer M, ‘Regulating ChatGPT and Other Large Generative AI Models’ (2023) Proceedings of the 2023 ACM Conference on Fairness, Accountability, and Transparency.
  19. Schwartz PM, ‘Global Data Privacy: The EU Way’ (2019) 94 NYU L Rev 771 https://www.nyulawreview.org/issues/volume-94-number-4/global-data-privacy-the-eu-way/ accessed 17 February 2026.
  20. Trautmann K, ‘Cloud Computing Evolution and Regulation in the Financial Services Industry’ (2023) 2 ISACA Journal https://www.isaca.org/resources/isaca-journal/issues/2023/volume-2/cloud-computing-evolution-and-regulation-in-the-financial-services-industry accessed 18 February 2026.
  21. Ustaran E and others, ‘Data Protection and Privacy in the Age of Federated Learning’ (2022) 14 Law, Innovation and Technology .
  22. Veale M and Borgesius FZ, ‘Demystifying the Draft EU Artificial Intelligence Act — Analysing the Good, the Bad, and the Unclear Elements of the Proposed Approach’ (2021) 22 Computer Law & Security Review https://www.semanticscholar.org/reader/8b165eba2d0b9308682fdc4d775c00d1d3907a59 accessed 18 February 2026.
  23. Wachter S and Mittelstadt B, ‘A Right to Reasonable Inferences: Re-Thinking Data Protection Law in the Age of Big Data and AI’ (2019) 2019 Columbia Business Law Review 494 https://doi.org/10.7916/cblr.v2019i2.3424 accessed 18 February 2026.
  24. Reports, Working Papers & Institutional Guidance
  25. Article 29 Data Protection Working Party, ‘Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679’ (WP251rev.01, 2018).
  26. Article 29 Data Protection Working Party, ‘Guidelines on Data Protection Officers (DPOs)’ (WP 243 rev.01, 2017).
  27. Article 29 Data Protection Working Party, ‘Statement on the role of a risk-based approach in data protection legal frameworks’ (WP 218, 2014).
  28. Carugati C, ‘The interplay between the Digital Markets Act and the General Data Protection Regulation’ (2023) Bruegel Working Paper 06/2023 https://www.bruegel.org/working-paper/interplay-between-digital-markets-act-and-general-data-protection-regulation accessed 18 February 2026.
  29. Centre for Information Policy Leadership (CIPL), ‘A Risk-based Approach to Privacy: Improving Effectiveness in Practice’ (Hunton & Williams LLP 2014).
  30. Cloud Security Alliance (CSA), ‘Security Guidance for Critical Areas of Focus in Cloud Computing v4.0’ (2017).
  31. CNIL, ‘Solutions for a responsible use of the blockchain in the context of the GDPR’ (2018).
  32. de Streel A and others, ‘The European Proposal for a Digital Markets Act: A First Assessment’ (CERRE 2021) https://cerre.eu/publications/the-european-proposal-for-a-digital-markets-act-a-first-assessment/ accessed 17 February 2026.
  33. EDPB & EDPS, ‘Digital Omnibus: EDPB and EDPS support simplification and competitiveness while raising key concerns’ (European Data Protection Board, 11 February 2026) https://www.edpb.europa.eu/news/news/2026/digital-omnibus-edpb-and-edps-support-simplification-and-competitiveness-while_en accessed 20 February 2026.
  34. European Commission, ‘Digital Omnibus Regulation Proposal’ (Shaping Europe’s Digital Future, 19 November 2025) https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal accessed 18 February 2026.
  35. European Commission, ‘SME Relief Package’ (COM(2023) 535 final, 2023).
  36. European Data Protection Board (EDPB), ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’ (Version 2.0, 2021).
  37. European Data Protection Board (EDPB), ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’ (Version 3.0, 2019).
  38. European Data Protection Supervisor (EDPS), ‘Internet of behaviours’ (TechSonar) https://www.edps.europa.eu/data-protection/technology-monitoring/techsonar/internet-behaviours_en accessed 18 February 2026.
  39. European Data Protection Supervisor (EDPS), ‘Machine Unlearning’ (TechSonar) https://www.edps.europa.eu/data-protection/technology-monitoring/techsonar/machine-unlearning_en accessed 20 February 2026.
  40. ENISA, ‘Guidelines for SMEs on the security of personal data processing’ (2021).
  41. ENISA, ‘Guidelines on assessing the security of personal data processing’ (2021) https://www.enisa.europa.eu/sites/default/files/publications/Online%20Platform%20for%20Security%20of%20Personal%20Data%20Processing.pdf accessed 20 February 2026.
  42. ENISA, ‘Privacy and Data Protection by Design – from policy to engineering’ (2014) https://www.enisa.europa.eu/sites/default/files/publications/Privacy%20and%20Data%20Protection%20by%20Design.pdf accessed 20 February 2026.
  43. Finck M, ‘Blockchain and the General Data Protection Regulation’ (European Parliamentary Research Service 2019).
  44. Information Commissioner’s Office (ICO), ‘Direct Marketing Guidance’ (2018) https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/direct-marketing-guidance/respect-peoples-preferences/#whatdowe1 accessed 20 February 2026.
  45. Information Commissioner’s Office (ICO), ‘Security - Guide to the UK GDPR’ https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/a-guide-to-data-security/ accessed 20 February 2026.
  46. Mell P and Grance T, ‘The NIST Definition of Cloud Computing’ (National Institute of Standards and Technology 2011) Special Publication 800-145.
  47. NIST, ‘The NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management’ (Version 1.0, 2020).
  48. NIST, ‘NIST Big Data Interoperability Framework: Volume 1, Definitions’ (Special Publication 1500-1, 2015).
  49. OECD, ‘Trade and Cross-Border Data Flows’ (OECD Trade Policy Papers No 220, 2019).
  50. OECD, ‘Trade and Cross-Border Data Flows’ (OECD Trade Policy Papers No 237, 2020).
  51. UNCTAD, ‘Digital Economy Report 2021: Cross-border data flows and development’ (United Nations Publications 2021).
  52. World Economic Forum (WEF), ‘A Roadmap for Cross-Border Data Flows: Future-Proofing Readiness and Cooperation in the New Digital Economy’ (White Paper 2020).
  53. Cases
  54. Joined Cases C-293/12 and C-594/12 Digital Rights Ireland Ltd v Minister for Communications [2014] ECLI:EU:C:2014:238.
  55. Legislation
  56. Regulation (EU) 2016/679 (General Data Protection Regulation) [2016] OJ L 119/1.
  57. Regulation (EU) 2022/1925 (Digital Markets Act) [2022] OJ L 265/1.
  58. Regulation (EU) 2022/2065 (Digital Services Act) [2022] OJ L 277/1.
  59. Regulation (EU) 2023/2854 (Data Act) [2023] OJ L 2023/2854.
  60. Regulation (EU) 2024/1689 (Artificial Intelligence Act) [2024] OJ L 1689/1.
  61. Regulation (EU) [2024] (European Health Data Space (EHDS) Regulation).
Read More
Author biographies is not available.
Crossref
Scopus
Google Scholar
Europe PMC
Share |
Download this PDF file
PDF (العربية)
Statistic
Read Counter : 36 Download : 16

Downloads

Download data is not yet available.