The Data Protection Law (DPL) of Egypt explicitly exempts personal data held by national security authorities and data processing activities determined by them for other considerations from the law's applicability. Article 3(5) of the DPL states that the provisions of the law "shall not apply" to personal data held by national security authorities and whatever determined by them for other considerations.

This exemption is broad and includes not only data held by national security authorities but also data processing activities that are determined by them for other considerations. The provision also grants national security authorities the power to request the Center to notify controllers or processors to modify, delete, hide, make available, or circulate personal data within a specified period, according to national security considerations.

The rationale for including this factor in the law is likely to ensure that national security authorities have the necessary flexibility to process personal data for national security purposes without being constrained by the general data protection rules. This exemption is consistent with the practice in many jurisdictions, where national security and law enforcement activities are often exempted from data protection laws to allow for the effective conduct of these activities.

Implications

The implications of this exemption are significant for companies and organizations that process personal data in Egypt:

1. National Security Authorities: National security authorities have broad powers to process personal data without being subject to the general data protection rules.
2. Data Controllers and Processors: Data controllers and processors must comply with requests from national security authorities to modify, delete, hide, make available, or circulate personal data within a specified period, according to national security considerations.
3. Limited Applicability: The data protection law does not apply to personal data held by national security authorities and data processing activities determined by them for other considerations.
4. Examples: Examples of cases where the law does not apply include data processing activities carried out by national security authorities for national security purposes, such as intelligence gathering and counter-terrorism activities.