Your Microsoft 365 Is Already a Cross-Border Data Transfer Under Egyptian Law (Art. 14)

Most international companies operating in Egypt believe they have never transferred personal data abroad. They are wrong. And the mistake carries criminal liability.

If your company stores employee or customer data on Microsoft 365, Google Workspace, AWS, Azure, or an HR platform like Workday or SAP SuccessFactors — and those servers sit outside Egypt — you are conducting a cross-border data transfer under Law No. 151 of 2020. You did not sign a transfer agreement. You did not move a file. Your software did it for you, the moment the data was created.

Egypt’s Personal Data Protection Law gives you until 2 November 2026 to hold a license for that transfer. This article explains what the law requires, why it lands on foreign companies harder than on local ones, and what you have to do before the deadline.

Storage is transfer

Under the PDPL this is not a grey area. Article 1 of Law 151/2020 defines a “cross-border transfer” as a list of acts performed on personal data from inside Egypt to outside — and that list expressly includes to store. Article 14 says it again: transferring personal data to a foreign country, or its storage there, is a cross-border transfer. The law did not leave this to interpretation. Data sitting on a server outside Egypt is, by the text of the statute, a cross-border transfer — whether or not anyone ever pressed “send.”

Article 14 permits that storage on two conditions: the destination country must offer data protection at least equal to Egypt’s, and you must hold a license or permit from the Personal Data Protection Centre — with narrow exceptions under Article 15, such as the data subject’s explicit consent. The license is separate from your general controller license (the framework sits in Article 16 of the Executive Regulations, Decree 816/2025). It names the destination countries, and the Centre assesses whether each one protects data adequately. For data sitting on US servers, that is not a given.

What actually counts as a transfer

This is where most compliance reviews fail. Each of the following is a cross-border transfer under Egyptian law, even though no employee ever consciously sent anything abroad:

• Microsoft 365 or SharePoint hosted on European or US servers
• Google Workspace data stored on non-Egyptian servers
• AWS, Azure, or Google Cloud storage in any region outside Egypt
• HR platforms such as Workday or SAP SuccessFactors hosted abroad
• Any email server outside Egypt that holds personal data

If your IT stack looks anything like a normal multinational’s, you are already transferring data across the border today. The question is not whether you transfer. The question is whether you are licensed to.

Why this lands on international companies hardest

A domestic Egyptian company often runs on local infrastructure, or has a simple single-country data footprint. The cross-border question may never arise.

An upper-mid international company is the opposite. Its entire architecture is built to push data upward — to group HQ, to a regional shared service center, to a centralized HR or finance system that was chosen long before Egypt was on the map. The company’s strength abroad — integrated systems, centralized control, group-wide platforms — is exactly what creates the exposure in Egypt.

This is why cross-border transfer is the single most commonly missed obligation for international companies. It is not an edge case. It is the default state of the business.

The penalty

Continuing a cross-border transfer without a licence after the deadline is not an administrative fine you absorb and move on from. It is a criminal offence.

The PDPL attaches imprisonment of not less than three months and/or a fine of EGP 500,000 to EGP 5,000,000 to cross-border transfer in breach of Articles 14 to 16. Repeat offences are doubled. A fine reaches the company; imprisonment, by its nature, reaches the individuals responsible for the breach.

For a company whose only error was choosing a global cloud provider years ago, that is a serious result. It is also entirely avoidable.

What the license costs, and what it covers

The cross-border transfer license is priced as a percentage of your standard controller license. The fee is 50% of the controller/processor license fee for the same record-count tier. What you pay depends on how much personal data you hold — which is why the first step is always a count, not a guess.

The license specifies the destination countries. If your data sits on servers in both the EU and the US, both are named. If you later add a platform hosted somewhere else, the license has to follow.

Where this actually stands

Two things are true at once, and a serious compliance function needs to hold both.

The law is in force. The Executive Regulations took effect on 2 November 2025, the obligation is real, and the grace period closes around the end of October 2026. That date is not moving in your favor.

But the enforcement machinery is only now coming online. The Personal Data Protection Centre exists and has published the Regulations and its implementation guidelines — yet its electronic licensing portal, the channel through which a cross-border transfer license is actually filed, was slated to open only around mid-2026; the application forms and the country-by-country adequacy list are still being rolled out; and the Centre has publicly signaled a gradual, compliance-first approach, helping organizations get licensed before it moves to audits and inspections. No public enforcement action has been taken to date.

The wrong conclusion to draw from that is “wait.” The right one is the opposite. The preparatory work — mapping your flows, identifying every transfer, scoping your license tier — takes weeks, not days, and every company subject to the law is on the same clock. When the portal is fully live and the deadline is close, there will be a filing bottleneck. The companies that pass through it cleanly are the ones that did the groundwork while the channel was still opening. This is a window to get ahead, not a reason to stand still.

What to do now

The work is sequential, and none of it can be skipped.

First, map every data flow. For each category of personal data — employee, customer, supplier — trace where it is collected, where it is stored, and every system that touches it. Mark every point where data leaves Egypt, including cloud storage. This is the step that surfaces the transfers nobody knew about.

Second, identify the destination country and receiving entity for each transfer. A license cannot be issued without them.

Third, count your records. The count sets your license tier, and the tier sets the fee.

Fourth, prepare your applications and file as the PDPC’s portal comes online — and where the same exercise reveals sensitive data (biometric attendance, financial, health) or a missing controller license, handle those inside the same programme rather than one at a time.

The point

The cross-border transfer trap is not a question of intent. It is a question of architecture. The companies most exposed are the well-run ones — integrated global systems, a capable compliance function, and no one who was ever told that storage on a foreign server is, in Egyptian law, a licensed transfer.

The deadline is fixed. The penalty is criminal. The fix is procedural, and it is faster the earlier it starts.

At Consortio, we treat this as a transfer of risk, not a box-ticking exercise. We map the flows, identify the destinations, set the license tier, and carry the licensing process — so that on 2 November 2026, the question of where your data sits is already answered.

Consortio Law Firm advises upper-mid international companies entering and operating in Egypt. For a review of your cross-border data exposure under Law 151/2020, contact info@consortiolawfirm.com.