This article has been reposted by LexisNexism which you can find it here:
With the growing number of user-generated data and expansion in social media and mobile applications, State legislative bodies gave particular attention to the protection of personal data shared on these fora: Different laws, and on top of them the European General Data Protection Regulation, were enacted to regulate the collection, usage, transfer and disclosure of personal data. The Egyptian legislator was also part of this international collective and enacted Law No. 151 of 2020 and its executive regulations addressing personal data.
As the need to protect personal data rose massively in light of political and social, internet related incidents, non-experts associated data protection with cybersecurity. However, it is true that the spectrums of data protection and cybersecurity intertwine, however, they do not necessarily match.
Personal data regards such information that relate to an identified or identifiable individual. Cybersecurity not only addresses personal data, but also sensitive data, protected health information, intellectual property and governmental and industry information and systems. Also, data protection laws regulate the ‘flow’ of data, while cybersecurity focuses on the acts of theft, damage and unauthorized use of all type of electronic data and measures taken to achieve them.
In this article, we will shed light on the key crimes set out under law No. 175 of 2018 on Cybersecurity Crimes (“Cybersecurity Law”), which could all result in imprisonment and/or payment of a fine.
A typical breach of cybersecurity occurs through accessing a privileged website, private account, or information systems. As such access is of itself an act of fault given that the hacker violates someone’s privacy, the Egyptian legislator has prohibited this act of breach, regardless of whether it was intentional or not. Even more, the law does not require coupling this breach with another act like theft of data or the similar, rather, the mere breach of cyber systems is sufficient to impose imprisonment and/or payment of a fine.
In the event such breach indeed is coupled with damaging the website, erasing, changing, copying, or republishing information available on such systems, a heavier fine will be imposed as in addition to a possible longer imprisonment term.
Unlawful access addresses the case of accessing a website or account absent the right to do so. However, if a person enjoys the right to access, but exceeds its scope, then another crime is satisfied for the purpose of Cybersecurity Law. Such overstepping can occur when accessing a website, an account or an electronic system outside the permitted hours or to an extent not authorized to the user.
This crime would be particularly relevant in case of to IT personnel and engineers: While such persons are invaluable team members within any enterprise due to the increasing reliance on complex IT systems, given to such personnel’s expertise and position within the institution, it could be very easy for them to exceed the scope of their permitted role.
This could have serious consequences, as such persons could obtain sensitive data and information that result in losing a competitive advantage of the company. Even worse, if such information is privileged and confidential information belonging to a third party, such as a client, the institution could face legal liability because of this access or leakage.
Interestingly, the crime of unlawful interception does not only relate to intercepting information systems, but also extends to intercepting any information or data available on computer systems and the similar. Given this broad scope of protection, this crime could be a possible haven if a person fails to establish a violation under data protection laws, such as when the intercepted information does not fall under the scope of protected data. In this case, the injured person could benefit from this board wording.
This crime established when viewing or retrieving the data for the purpose of monitoring/eavesdropping or holding, storing, recording, misusing, redirecting or changing information in any manner.
Hackers do not only access information systems to use information and data available on them but are also malicious to an extent that they hack systems to erase or change data, or damage the actual hardware to harm their targets. Some hackers could encrypt certain data in return of a ransom, so that these data would be rendered unusable, if the ransom is not paid. Also, valuable data may be accidentally damaged or not saved, because of interference from hackers.
Under the Cybersecurity Law, any intentional damage, suspension and whole or partial redirection or cancellation of paths relating to data, information available on information systems, regardless of the tool and nature of the damage, is prohibited and would result in imprisonment and payment of a fine.
A hacked email can put a person and his identity at risk of theft. This theft does not only include basic personal information but is likely to extend to include bank account details and credit cards. Also, stealing private communication can be quite embarrassing for the hacked person, if this private communication contained sensitive data that got leaked.
Given these considerations, under the Cybersecurity law, should a person damage, suspend, delay or interrupt an email, website or a private account of an individual, the breaching person could face imprisonment not less than a month and/or payment of a fine not less than fifty thousand and not more than one hundred thousand Egyptian Pounds.
Where this email, website or private account relates to a private establishment, such as businesses, imprisonment will not be less than six months and the fine will not be less than one hundred thousand and not more than two hundred thousand Egyptian Pounds. This is so, given to the strong likelihood that the hacked data would be sensitive, such as documentation of business processes, trade secrets or contact information for employees and customers.
Because of the sensitive and vital nature of the Egyptian State’s information systems, the legislator dedicated a special article addressing e-infringements relating to the State. The protection granted under this Article extends not only to the State, but also extends public entities, State owned entities or entities relating to the State.
If a person intentionally or unintentionally by fault accesses or exceeds the permitted scope when accessing a website, an email address, a private account or information systems operated by the State or any of its institutions, this person could incur imprisonment and/or payment of a fine.
The term of imprisonment would be harsher and so the fine, if the breach is to interrupt or unlawfully obtain governmental information or data. Also, where this access or unlawful maintaining of information results in a damage or any changes in the network, regardless of the means, an even heavier fine will be imposed which not less one than million and not more than five million Egyptian Pounds.
People are relying more and more on online payment solutions since they are convenient, easy to use and safe. However, scamming credit cards and payment tools is a risk the internet users are always facing. Even worse, a person can get scammed from outside his country. A fraudster does not need to physically have a card as he can use malware to obtain payment and personal data ranging from a wide range of sources: An individual can be deceived by an innocent-looking SMS reading ‘Your card will not be charged; please confirm your details to validate your X account”. Also, card details can be compromised at any POS or online website.
The Cybersecurity Law prohibits using the internet or any technical means to merely, unlawfully access bank card numbers or data or any similar online payment tools. If such access was with the intention of obtaining other person’s money or benefiting from the services granted by such cards, then the breaching person would face a harsher sanction. This sanction will be even worse, if this person succeeds in taking the money or benefiting from the services.
Online purchasers have developed new habits given when shopping online. For example, instead of making a phone call or visiting the physical store to connect with customer service agents, users have now turned to social media to contact business support teams. As a result, businesses are increasingly using social media platforms to communicate with their customers. In Egypt, there has been a rise in local online stores, where local individuals prefer to only operate an online store on social media given to the operational costs associated with having a physical store.
This is where hackers intervene. Hackers create entirely fake brand profiles, impersonating a brand, while e-victims unknowingly directly engage with them. When they catch their prey, e-criminals usually hide their tracks, which is especially easy when using social media.
Also, a fake account could easily spread over the internet given to the magic of the ‘share’ button:
A malicious post can be shared and re-shared amongst users, making it almost impossible to trace the origin of specific fraudulent content.
Under the Cybersecurity Law, if a person creates a fake account, website or email address and associates it with a natural person or legal entity, this violating person could face imprisonment not less than three months and/or payment of a fine not less than ten thousand Egyptian Pounds and not more than thirty thousand Egyptian Pounds.
Where this fake account is used in any manner prejudicial to the person to whom the account is affiliated, then imprisonment will not be less than one year and the fine will not be less than fifty thousand and not more than two hundred thousand Egyptian pounds.
If the crime pertains to any public legal body, imprisonment will be not less than three years and will be mandatorily coupled with a fine not less than one hundred thousand Egyptian Pounds and not more than three hundred thousand Egyptian Pounds.
As the Egyptian legislator pays particular importance to preserving public morals, if a person uses an electronic program or electronic tools in order to process personal data of another person in violation of public morals or where this use is in such a manner that may prejudice the affected person’s honor or standing, the violator may be imprisoned for a period not more than two years and not exceeding five years and/or payment of a fine not less than one hundred thousand and not more than three hundred thousand Egyptian pounds.
To conclude, what will eventually happen if the same act triggers another crime under a different law?
When reading the Cybersecurity Law, it would seem that prohibited acts mentioned under it could simultaneously trigger other laws. The most evident one mentioned under the title of this article is the data protection law. However, the Cybersecurity Law also touches upon issues under the Banking Law, the Telecommunication Law and, generally speaking, the Penal Code.
Where such situations occur, it is believed that the rule set forth under the Penal Code applies: Reliance will be made on the crime with the heavier penalty and the other possible crimes will be excluded. For example, if an act triggers a crime under the Cybersecurity Law and the Banking Law, where the latter imposes heavier sanctions, the verdict will be rendered with respect to the crime constituted under the Banking Law only.
It seems though that despite the interplay between cybersecurity and other fields, the most common confusion will always remain between cybersecurity and data protection. However, as clarified under this article, cybersecurity deals with its own set of challenges.
