Law No. 175 of 2018 dated 14/08/2018 on Combating Information Technology Crimes

Article 1

In application of the provisions of this Law, the following words and expressions shall have the meanings indicated opposite each of them:

The Authority: The National Telecom Regulatory Authority.

The Competent Minister: The Minister concerned with telecommunications and information technology affairs.

Electronic Data and Information: Anything that can be created, stored, processed, synthesized, transmitted, shared, or copied by information technology, including numbers, codes, passwords, letters, symbols, signals, images, sounds, and anything similar.

Government Data: Data related to the State, one of its authorities, its agencies or units, public bodies, independent bodies, or supervisory authorities, or other public legal persons and anything similar, available on the information network, any information system, computer, or anything similar.

Electronic Processing: Any electronic or technical process carried out wholly or partially to write, compile, record, preserve, store, merge, display, send, receive, circulate, publish, erase, change, modify, retrieve, or deduce electronic data and information, using any medium, computer, or other electronic, magnetic, optical devices, or any newly developed technologies or media.

Information Technology: Any means or group of interconnected or non-interconnected means used to store, retrieve, sort, organize, process, develop, and exchange information or data, including everything related to the means used, whether wired or wireless.

Service Provider: Any natural or legal person who provides users with information technology and telecommunications services, including those who process or store information themselves or on their behalf in any of those services or information technology.

User: Any natural or legal person who uses or benefits from information technology services in any manner.

Software Program: A set of commands and instructions expressed in any language, code, or signal, taking any form, which can be used directly or indirectly in a computer to perform a function or achieve a result, whether in its original form or in any other form displayed through a computer or information system.

Information System: A set of programs and tools prepared to manage and process data and information, or to provide an information service.

Information Network: A group of devices or information systems connected together, capable of exchanging information and communications with each other, including private, public, and international information networks, and the applications used on them.

Website: A domain or virtual place with a specific address on an information network, aimed at making data and information available to the public or private entities.

Website Administrator: Any person responsible for organizing, managing, monitoring, or maintaining one or more websites on the information network, including managing user access rights, designing it, generating and organizing its pages or content, or being responsible for it.

Private Account: A set of information pertaining to a natural or legal person, granting them exclusively the right to access or use available services through a website or information system.

Electronic Mail: A means of exchanging electronic messages at a specific address between more than one natural or legal person, via an information network or other electronic connection means through computers or anything similar.

Interception: Viewing, obtaining, or accessing data or information for the purpose of eavesdropping, disabling, storing, copying, recording, changing the content, misusing, modifying the route, or rerouting, for unlawful reasons and without legal right.

Hacking: Unauthorized entry or violation of license terms, or entering by any unlawful means into an information system, computer, or information network, or anything similar.

Content: Any data that, alone or combined with other data or information, forms information, determines a trend, direction, perception, meaning, or refers to other data.

Digital Evidence: Any electronic information possessing probative force or value, stored, transmitted, extracted, or taken from computers, information networks, or anything similar, which can be compiled and analyzed using specialized technological devices, programs, or applications.

Expertise: Any work related to providing consultations, inspection, audit, evaluation, or analysis in the fields of information technology.

Traffic Data (Call Data Records): Data generated by an information system showing the source and destination of the connection, the sender and receiver, the route taken, time, date, size, duration, and service type.

Computer: Any device or technical equipment capable of storage and performing logical or arithmetic operations, used to record, store, convert, synthesize, retrieve, sort, process, develop, exchange, analyze, or communicate data or information.

Electronic Medium: Any physical medium for storing and circulating electronic data and information, including compact discs, optical discs, electronic memory, and anything similar.

National Security: Everything related to the independence, stability, and security of the homeland, the unity and integrity of its territory, and matters concerning the Presidency of the Republic, the National Defense Council, the National Security Council, the Ministry of Defense, Military Production, the Ministry of Interior, General Intelligence, the Administrative Control Authority, and agencies subordinate to those entities.

National Security Authorities: The Presidency of the Republic, the Ministry of Defense, the Ministry of Interior, General Intelligence, and the Administrative Control Authority.

Article 2

First - Without prejudice to the provisions of this Law and the Telecommunications Regulation Law issued by Law No. 10 of 2003, service providers shall be obligated to:

1. Preserve and store the information system log or any information technology means for a period of one hundred and eighty days, including the following data: a) Data enabling identification of the service user. b) Data related to the content and substance of the information system in use, whenever under the service provider's control. c) Data related to traffic data. d) Data related to terminal communication devices. e) Any other data to be specified by a decision of the Authority's Board of Directors.

2. Maintain the confidentiality of stored and preserved data, and not disclose or reveal it without a reasoned order from one of the competent judicial authorities, including personal data of any of its users, or any data or information related to the private websites and accounts accessed by these users, or the persons and entities they communicate with.

3. Secure data and information to preserve their confidentiality, prevent unauthorized access, or damage.

Second - Without prejudice to the provisions of the Consumer Protection Law, the service provider must provide its users and any competent government authority, in an easily accessible, direct, and continuous format, the following data and information: a) The service provider's name and address. b) Contact information related to the service provider, including the electronic contact address. c) Licensing data to identify the service provider and determine the competent supervisory authority. d) Any other information deemed important by the Authority to protect service users, to be specified by a decision of the Competent Minister.

Third - While respecting the privacy guaranteed by the Constitution, service providers and their affiliates shall, upon request by national security authorities, provide all technical capabilities enabling those authorities to exercise their competencies in accordance with the Law and their needs.

Fourth - Providers of information technology services, their agents, and their affiliated distributors responsible for marketing those services are obligated to obtain user data, and it is prohibited for others to do so.

Article 3

Without prejudice to the provisions of the First Chapter of the First Book of the Penal Code, the provisions of this Law shall apply to any non-Egyptian who commits outside the Arab Republic of Egypt any of the crimes stipulated in this Law, provided the act is punishable in the country where it occurred under any legal description, in any of the following cases:

• If the crime was committed on board any means of air, land, or sea transport registered with or flying the flag of the Arab Republic of Egypt.
• If the victim or one of the victims is Egyptian.
• If the crime was prepared, planned, directed, supervised, or financed within the Arab Republic of Egypt.
• If the crime was committed by an organized criminal group conducting criminal activities in more than one country, including the Arab Republic of Egypt.
• If the crime is likely to harm any citizen or resident of the Arab Republic of Egypt, or its security or interests, domestically or abroad.
• If the perpetrator is found in the Arab Republic of Egypt after committing the crime and has not been extradited.

Article 4

Competent Egyptian authorities shall facilitate cooperation with their counterparts in foreign countries within the framework of ratified international, regional, and bilateral agreements based on the principle of reciprocity, by exchanging information to prevent information technology crimes, assist in investigating them, or applying the law, and track perpetrators. The National Computer and Network Emergency Readiness Center at the Authority shall be the designated technical point for this purpose.

Article 5

By decision of the Minister of Justice, in agreement with the Competent Minister, judicial police status may be granted to employees of the Authority or others designated by national security authorities, regarding crimes committed in violation of this Law and related to their official duties.

Article 6

Competent investigation authorities may, upon a reasoned request, issue an order to competent judicial police officers, for a period not exceeding thirty days, renewable once if beneficial for establishing the truth regarding a punishable crime under this Law, to do one or more of the following:

• Seize, withdraw, collect, or preserve data, information, or information systems, or track them in any location, system, program, electronic medium, or computer where they are located.
• Conduct searches, inspections, entry, and access to computer programs, databases, and other devices and information systems to seize evidence.
• Order the service provider to deliver any data or information related to an information system or technical device under their control or stored with them, as well as user data and traffic data on that system or device.

In all cases, the order of the competent investigation authority must be reasoned. Appeals against the aforementioned orders shall be submitted to the competent Criminal Court convened in camera, within the timeframes and according to the procedures stipulated by criminal procedure law.

Article 7

The competent investigation authority may, upon evidence that a website broadcasting from inside or outside the country is publishing any phrases, numbers, images, films, or any promotional materials or similar, constituting a crime under this Law and posing a threat to national security or the country's economy, order the blocking of the broadcasting website(s), whenever technically feasible. The investigation authority shall submit the blocking order to the competent court, convened in camera, within twenty-four hours, accompanied by a memo stating its opinion. The court shall issue a reasoned decision either accepting or rejecting the order within a period not exceeding seventy-two hours from its submission. In cases of urgency due to imminent danger or impending harm, investigative and judicial police authorities may notify the Authority, which shall immediately inform the service provider of a temporary blocking order for the website, content, sites, or links mentioned in the first paragraph of this Article, in accordance with its provisions. The service provider shall be obligated to execute the notification's content immediately upon receipt. The investigative and judicial police authority that issued the notification shall draft a report documenting the procedures carried out under the preceding paragraph and submit it to the investigation authorities within forty-eight hours from the date of notification to the Authority. The same procedures mentioned in the second paragraph of this Article shall apply to this report. The competent court shall issue a decision in this case either upholding the blocking procedures or suspending them. If the aforementioned report is not submitted within the specified timeframe, the blocking carried out shall be deemed null and void. The trial court, during the hearing of the case, or upon request by the investigation authority, the Authority, or interested parties, may order the termination of the blocking decision or modify its scope. In all cases, the blocking decision shall lapse upon the issuance of a non-prosecution order or a final acquittal judgment.

Article 8

Any person against whom a judicial decision under Article 7 of this Law was issued, as well as the Public Prosecution, the competent investigation authority, and any interested party, may appeal the decision or its implementation procedures before the competent Court of Cassation after seven days from the date of the order or its implementation, whichever applies. If the appeal is rejected, they may submit a new appeal every three months from the date of the judgment rejecting the appeal. In all cases, the appeal shall be submitted via a report deposited with the registry of the competent Court of Cassation. The court president shall schedule a hearing to review the appeal, notifying the appellant, the Authority, and any interested party. The court shall rule on the appeal within a period not exceeding seven days from the date of the report.

Article 9

The Public Prosecutor or their delegated First Public Prosecutors at Courts of Appeal, and competent investigation authorities, may, when necessary or when sufficient evidence exists of the seriousness of the accusation regarding the commission or attempt of a crime under this Law, order the prohibition of the suspect's travel abroad or place their name on arrival watchlists, for a specified period, via a reasoned order. Any person against whom a travel ban order was issued may appeal to the competent Court of Cassation within fifteen days from the date they become aware of it. If the appeal is rejected, they may submit a new appeal every three months from the date of the judgment rejecting the appeal. The appeal shall be submitted via a report deposited with the registry of the competent Court of Cassation. The court president shall schedule a hearing to review the appeal, notifying the Public Prosecution and the appellant. The court shall rule on the appeal within a period not exceeding fifteen days from the date of the report, after hearing the appellant's statements and the Public Prosecution or competent investigation authority, as applicable, and may take any procedures or investigations deemed necessary. The Public Prosecution and competent investigation authorities may at any time withdraw or modify the issued order, including removing the name from travel ban or arrival watchlists for a specified period if necessary. In all cases, the travel ban shall terminate upon the passage of one year from the date of the order, or upon the issuance of a non-prosecution order, or a final acquittal judgment, whichever occurs first.

Article 10

Two registers for recording experts shall be established at the Authority. The first shall record technical and engineering professionals working at the Authority, and the second shall record experts from technical and engineering professionals not working there. The rules and provisions governing expert procedures before judicial authorities shall apply to experts in practicing their work, defining their obligations and rights. As an exception to those rules, the rules and provisions regarding administrative and disciplinary accountability stipulated in the law organizing their work, if any, shall apply to experts registered in the second register. The Executive Regulations of this Law shall determine the rules, conditions, and procedures for registration in both registers.

Article 11

Evidence derived or extracted from electronic devices, equipment, media, or supports, or from the information system, computer programs, or any information technology means, shall have the value and probative force of material evidence in criminal proof, provided the technical conditions stipulated in the Executive Regulations of this Law are met.

Article 12

Without prejudice to any harsher penalty stipulated in the Penal Code or any other law, and while observing the provisions of the Child Law issued by Law No. 12 of 1996, the following crimes shall be punished with the penalties indicated opposite each crime.

Article 13

Whoever unlawfully benefits, via the information network or any information technology means, from a telecommunications service or a broadcast audio or visual channel service, shall be punished with imprisonment for a term not less than three months, and a fine not less than ten thousand Egyptian pounds and not exceeding fifty thousand Egyptian pounds, or either of these penalties.

Article 14

Whoever intentionally enters, or enters by unintentional negligence and remains without legal right, into a website, private account, or information system prohibited from entry, shall be punished with imprisonment for a term not less than one year, and a fine not less than fifty thousand Egyptian pounds and not exceeding one hundred thousand Egyptian pounds, or either of these penalties. If the entry results in the destruction, erasure, alteration, copying, or republication of data or information on that website, private account, or information system, the penalty shall be imprisonment for a term not less than two years, and a fine not less than one hundred thousand Egyptian pounds and not exceeding two hundred thousand Egyptian pounds, or either of these penalties.

Article 15

Whoever enters a website, private account, or information system with authorized access, but exceeds the limits of this right regarding time or access level, shall be punished with imprisonment for a term not less than six months, and a fine not less than thirty thousand Egyptian pounds and not exceeding fifty thousand Egyptian pounds, or either of these penalties.

Article 16

Whoever unlawfully intercepts any information or data, or anything circulated via an information network or one of the computers or anything similar, shall be punished with imprisonment for a term not less than one year, and a fine not less than fifty thousand Egyptian pounds and not exceeding two hundred and fifty thousand Egyptian pounds, or either of these penalties.

Article 17

Whoever intentionally and unlawfully destroys, disables, alters the route, or completely or partially cancels programs, data, or information stored, processed, generated, or synthesized on any information system or anything similar, regardless of the means used in the crime, shall be punished with imprisonment for a term not less than two years, and a fine not less than one hundred thousand Egyptian pounds and not exceeding five hundred thousand Egyptian pounds, or either of these penalties.

Article 18

Whoever destroys, disables, slows down, or hacks an electronic mail, website, or private account, shall be punished with imprisonment for a term not less than one month, and a fine not less than fifty thousand Egyptian pounds and not exceeding one hundred thousand Egyptian pounds, or either of these penalties. If the crime is committed against an electronic mail, website, or private account belonging to one of the private legal persons, the penalty shall be imprisonment for a term not less than six months, and a fine not less than one hundred thousand Egyptian pounds and not exceeding two hundred thousand Egyptian pounds, or either of these penalties.

Article 19

Whoever destroys, disables, slows down, defaces, conceals, or alters the designs of a website belonging to a company, institution, establishment, or natural person without legal right, shall be punished with imprisonment for a term not less than three months, and a fine not less than twenty thousand Egyptian pounds and not exceeding one hundred thousand Egyptian pounds, or either of these penalties.

Article 20

Whoever intentionally enters, or enters by unintentional negligence and remains without legal right, or exceeds the limits of the authorized right regarding time or access level, or hacks a website, electronic mail, private account, or information system belonging to or managed by the State or one of the public legal persons, or on their behalf, or pertaining to them, shall be punished with imprisonment, and a fine not less than fifty thousand Egyptian pounds and not exceeding two hundred thousand Egyptian pounds, or either of these penalties. If the entry is intended to unlawfully intercept or obtain government data or information, the penalty shall be imprisonment, and a fine not less than one hundred thousand Egyptian pounds and not exceeding five hundred thousand Egyptian pounds. In all cases, if any of the aforementioned acts result in the destruction, damage, defacement, alteration of designs, copying, recording, route modification, republication, or complete or partial cancellation of those data, information, website, private account, information system, or electronic mail, by any means, the penalty shall be imprisonment, and a fine not less than one million Egyptian pounds and not exceeding five million Egyptian pounds.

Article 21

Whoever intentionally causes an information network to stop working, disable it, reduce its operational efficiency, jam it, obstruct it, interfere with its operation, or unlawfully performs electronic processing of its private data, shall be punished with imprisonment for a term not less than six months, and a fine not less than one hundred thousand Egyptian pounds and not exceeding five hundred thousand Egyptian pounds, or either of these penalties. Whoever causes this by negligence shall be punished with imprisonment for a term not less than three months, and a fine not less than fifty thousand Egyptian pounds and not exceeding two hundred thousand Egyptian pounds, or either of these penalties. If the crime is committed against an information network belonging to, owned by, or managed by the State or one of the public legal persons, the penalty shall be aggravated imprisonment, and a fine not less than five hundred thousand Egyptian pounds and not exceeding one million Egyptian pounds.

Article 22

Whoever possesses, acquires, imports, sells, makes available, manufactures, produces, exports, or trades in any manner in traffic codes, passwords, symbols, or any similar data, without a license from the Authority or legal justification, and it is proven that such conduct was intended to use any of them to commit or facilitate the commission of any crime stipulated in this Law, or to conceal its traces or evidence, or such use, facilitation, or concealment is proven, shall be punished with imprisonment for a term not less than two years, and a fine not less than three hundred thousand Egyptian pounds and not exceeding five hundred thousand Egyptian pounds, or either of these penalties.

Article 23

Whoever uses the information network or any information technology means to unlawfully access bank card numbers, service data, or other electronic payment tools, shall be punished with imprisonment for a term not less than three months, and a fine not less than thirty thousand Egyptian pounds and not exceeding fifty thousand Egyptian pounds, or either of these penalties. If the intent is to use them to obtain others' money or available services, the penalty shall be imprisonment for a term not less than six months, and a fine not less than fifty thousand Egyptian pounds and not exceeding one hundred thousand Egyptian pounds, or either of these penalties. The penalty shall be imprisonment for a term not less than one year, and a fine not less than one hundred thousand Egyptian pounds and not exceeding two hundred thousand Egyptian pounds, or either of these penalties, if the perpetrator succeeds in obtaining for themselves or others those services or others' money.

Article 24

Whoever fabricates an electronic mail, website, or private account and falsely attributes it to a natural or legal person, shall be punished with imprisonment for a term not less than three months, and a fine not less than ten thousand Egyptian pounds and not exceeding thirty thousand Egyptian pounds, or either of these penalties. If the perpetrator uses the fabricated mail, website, or private account in an act defaming the attributed person, the penalty shall be imprisonment for a term not less than one year, and a fine not less than fifty thousand Egyptian pounds and not exceeding two hundred thousand Egyptian pounds, or either of these penalties. If the crime is committed against one of the public legal persons, the penalty shall be imprisonment, and a fine not less than one hundred thousand Egyptian pounds and not exceeding three hundred thousand Egyptian pounds.

Article 25

Whoever assaults any of the principles or family values in Egyptian society, violates the sanctity of private life, sends a large volume of electronic messages to a specific person without their consent, provides personal data to an electronic system or website to promote goods or services without their consent, or publishes via the information network or any information technology means information, news, images, or anything similar that violates any person's privacy without their consent, whether the published information is true or false, shall be punished with imprisonment for a term not less than six months, and a fine not less than fifty thousand Egyptian pounds and not exceeding one hundred thousand Egyptian pounds, or either of these penalties.

Article 26

Whoever intentionally uses a software program or information technology to process personal data of others to link it with content contrary to public morals, or to display it in a manner likely to harm their dignity or honor, shall be punished with imprisonment for a term not less than two years and not exceeding five years, and a fine not less than one hundred thousand Egyptian pounds and not exceeding three hundred thousand Egyptian pounds, or either of these penalties.

Article 27

In cases not stipulated in this Law, whoever creates, manages, or uses a website or private account on an information network aimed at committing or facilitating a legally punishable crime, shall be punished with imprisonment for a term not less than two years, and a fine not less than one hundred thousand Egyptian pounds and not exceeding three hundred thousand Egyptian pounds, or either of these penalties.

Article 28

Whoever is responsible for managing a website, private account, electronic mail, or information system and conceals or tampers with digital evidence of any crimes stipulated in this Law committed on that website, account, or electronic mail, with the intent to obstruct the work of competent official authorities, shall be punished with imprisonment for a term not less than six months, and a fine not less than twenty thousand Egyptian pounds and not exceeding two hundred thousand Egyptian pounds, or either of these penalties.

Article 29

Whoever is responsible for managing a website, private account, electronic mail, or information system and exposes any of them to any of the crimes stipulated in this Law, shall be punished with imprisonment for a term not less than one year, and a fine not less than twenty thousand Egyptian pounds and not exceeding two hundred thousand Egyptian pounds, or either of these penalties. Whoever is responsible for managing a website, private account, electronic mail, or information system and causes, through negligence, any of them to be exposed to any of the crimes stipulated in this Law, due to failure to adopt the security measures and precautions stipulated in the Executive Regulations of this Law, shall be punished with imprisonment for a term not less than six months, and a fine not less than ten thousand Egyptian pounds and not exceeding one hundred thousand Egyptian pounds, or either of these penalties.

Article 30

Whoever is a service provider and refuses to execute the decision issued by the competent Criminal Court to block a website, link, or content mentioned in the first paragraph of Article 7 of this Law, shall be punished with imprisonment for a term not less than one year, and a fine not less than five hundred thousand Egyptian pounds and not exceeding one million Egyptian pounds, or either of these penalties. If refusal to execute the court's decision results in the death of one or more persons, or harm to national security, the penalty shall be aggravated imprisonment, and a fine not less than three million Egyptian pounds and not exceeding twenty million Egyptian pounds. The court shall additionally order the cancellation of the activity license.

Article 31

Whoever is a service provider and violates the provisions of clause (2) of the first paragraph of Article 2 of this Law, shall be punished with imprisonment for a term not less than one year, and a fine not less than five thousand and not exceeding twenty thousand Egyptian pounds, or either of these penalties. The fine shall be multiplied for each victim among the service users.

Article 32

Whoever is a service provider and refuses to execute the decision issued by the competent investigation authority to deliver their data or information mentioned in Article 6 of this Law, shall be punished with imprisonment for a term not less than six months, and a fine not less than twenty thousand Egyptian pounds and not exceeding one hundred thousand Egyptian pounds, or either of these penalties.

Article 33

Whoever is a service provider and violates any of the obligations stipulated in clause (1) of the first paragraph of Article 2 of this Law, shall be punished with a fine not less than five million Egyptian pounds and not exceeding ten million Egyptian pounds. The fine shall be doubled in case of recidivism, and the court may order the cancellation of the license. Whoever is a service provider and violates the provisions of the second paragraph of clause (4) of Article 2 of this Law, shall be punished with a fine not less than twenty thousand Egyptian pounds and not exceeding two hundred thousand Egyptian pounds. Whoever is a service provider and violates the provisions of