In a notable data breach liability ruling in Egypt, an Egyptian court ordered a licensed telecom operator to pay EGP 10 million in compensation after an unauthorized SIM replacement resulted in unlawful access to subscriber accounts. The decision reinforces statutory data protection obligations under Egyptian law.

Background of the Dispute

In a recent court case, a telecom customer filed a claim against one of the licensed mobile operators in Egypt for negligence and failure to take the necessary actions to protect her personal data and mobile line. The case was brought by the customer, who resides abroad, after discovering that her mobile SIM card had been replaced without her knowledge or approval. The new SIM card was then unlawfully used to access her accounts on social networking platforms, primarily WhatsApp and Facebook. The customer also faced difficulty with the mobile provider, which refused to provide her with a copy of the agreement signed between the parties for that line.

Legal Grounds Relied Upon by the Court

The case was brought before the court, and the judgment was issued on the following main legal grounds:

Article 2 of the Cybercrime Law No. 175 of 2018, which requires any natural or legal person who provides users with information and communications technology services — including those who process or store information themselves or on behalf of others in any such services or information technology — to, inter alia, retain and store information system records or any means of information technology for a period of one hundred and eighty consecutive days.

Articles 1, 2, 4, and 9 of the Data Protection Law No. 151 of 2020, which prohibit data controllers from, inter alia, performing or refraining from performing any action that would make personal data or the results of its processing available, except in cases permitted by law.

Article 178 of the Egyptian Civil Code, which stipulates that "anyone who undertakes to guard items requiring special care or to guard mechanical machinery shall be liable for any damage caused by such items, unless it is proven that the damage was caused by a third party without fault on his part, without prejudice to any special provisions in this regard."

Decree No. 7125 issued by the National Telecommunications Regulatory Authority (NTRA) on 21 October 2018, obliging telecom providers to retain details of all communication movements, operating systems, applications, and all records related to the company's customers for a period of no less than 180 consecutive days.

Article 12 of the Universal Declaration of Human Rights, which states: "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

Expert Findings and Court Determination of Liability

Following the appointment of an expert who confirmed the fault and responsibility of the defendant mobile provider, and after a full review of the case, the court ordered the defendant to pay EGP 10,000,000 (approximately USD 208,634.11) in material and moral damages to its customer.

Scope of Telecom Providers' Statutory Obligations

The court further affirmed, inter alia, that telecom service providers are under a clear and enforceable legal obligation to protect subscriber data, implement adequate technical and administrative safeguards, and maintain secure systems capable of preventing unauthorized access or misuse. The court emphasized that this obligation is not merely contractual in nature but derives directly from statutory duties under the Cybercrime Law, the Personal Data Protection Law, and the regulatory framework governing telecommunications services.

In this context, the provider's responsibility extends beyond simply delivering connectivity services; it includes ensuring the integrity, confidentiality, and security of subscriber information and communication tools. The court treated these duties as active obligations requiring continuous monitoring, proper verification procedures (including SIM replacement controls), secure data retention practices, and effective internal controls designed to prevent breaches.

Failure to implement such measures, particularly where it results in unauthorized access to a subscriber's accounts or exposure of personal data, may constitute actionable fault giving rise to civil liability.
