

Munir Shemsu
Addis Ababa, Ethiopia

It has been a year since Ethiopia ratified its first personal data protection proclamation. Although the law technically took effect once it was published in the Federal Negarit Gazette, implementation has been slow. Delays in issuing directives, limited public awareness of data rights, and a long-standing habit among businesses and state enterprises of treating data as an afterthought have all contributed.
The Ethiopian Communication Authority (ECA), responsible for enforcing the landmark law, has made gradual progress. Four directives are expected to be approved in the coming months as the Authority expands its technical capacity and staffing. On Thursday, at a workshop co-hosted with Huawei, officials previewed a forthcoming digital portal that will allow data controllers and processors to register, an early step toward building a nationwide compliance system.
Representatives from banks, public institutions and telecom operators handling the data of tens of millions of Ethiopians filled the room. Their presentations offered a rare peek into internal protocols at some of the country’s largest data processors.
Safaricom Ethiopia stood out, drawing on practices adopted in other markets and shaped by its ownership structure. Yafet Ashebir, the company’s Executive Head of Compliance, emphasized that Safaricom had begun enforcing strict data protocols even before the proclamation was passed. Its compliance risk framework and data protection impact assessments are already embedded in internal operations, and the operator appointed a data protection officer before Ethiopian law required one. Only data necessary to perform core functions is collected, Yafet said, and always with user consent.
“Privacy is a fundamental human right,” he noted. “We follow consent-based operation.”
Still, he said few customers fully understand or exercise their data rights. While Yafet welcomed the arrival of a data protection law, he questioned the severity of the penalties. Ethiopia’s proclamation allows fines of up to 4% of a company’s total worldwide annual turnover for violations involving minors or sensitive data.
“That fine is too much for a country just starting to implement these laws,” he said.
The proclamation sets out a dual enforcement regime: administrative penalties, mostly fines and compliance orders, handled by the Authority, and criminal sanctions for the most serious violations. Failing to notify a data breach or to implement required safeguards can bring one to three years’ imprisonment, a fine of 60,000 to 100,000 Birr, or both. Selling personal data or transferring it abroad without authorization can lead to five to ten years’ imprisonment and fines of 200,000 to 600,000 Birr.
Cross-border transfers are especially sensitive for telecom operators, some of which still rely on non-localized services.
Globally, social media giants have faced multimillion-dollar fines for data privacy lapses, underscoring the stakes for emerging frameworks like Ethiopia's. In October 2024, Ireland's Data Protection Commission slapped LinkedIn with a €310 million GDPR penalty for mishandling user data in targeted ads. TikTok drew a €530 million hit in 2025 for inadequate child data protections, while Meta's cumulative fines topped $1.3 billion by early 2025, largely for EU-U.S. data transfers. These precedents highlight how Ethiopia's up-to-4% turnover penalties could deter violations as enforcement ramps up.
Balcha Reba, Director General of the ECA, said Ethiopia expanded the Authority’s mandate, originally limited to telecom regulation, to include data protection, following the example of a handful of other countries. A new institutional “muscle”, he said, is being built slowly but deliberately.
“Both data processors and collectors now need permission from the Authority,” he told Shega.
Ethiopia's data protection framework, while structurally aligned with GDPR principles, lags in global maturity. It ranks 103rd out of 172 in the 2023 National Cyber Security Index, signaling moderate cybersecurity readiness amid rising digital threats. Similarly, in the UN E-Government Development Index 2024, Ethiopia places 169th out of 193 nations, with a digital services score of just 0.23, below the East African average, highlighting infrastructure and enforcement gaps.
Balcha said the digital registration portal became essential given the sheer number and geographic spread of data operators. Registration, he stressed, is the foundation for every other oversight function, including the scrutiny of foreign data transfers. State-owned utilities and some NGOs that rely on foreign partners have already filed special requests to avoid violating the law.
“We have received around 10 such requests to transfer data,” he said.
Approvals, he added, were granted only after comparing Ethiopia’s rules with those of destination countries, and only as a temporary measure until data can be migrated back home. He underscored the need for anonymization, pseudonymization and encryption to safeguard sensitive information.
The Proclamation mandates core rights like data access, erasure, and 72-hour breach notifications, alongside data protection impact assessments for high-risk activities and localization for sensitive data. Yet, as of March 2025, no ECA enforcement actions or guidelines have been publicized, echoing broader challenges like the Information Network Security Agency's handling of 8,854 breaches in 2024 amid resource shortages. This slow rollout positions Ethiopia among Africa's newer entrants, trailing mature enforcers like South Africa.
Ethio telecom, with more than 85 million subscribers and a portfolio spanning mobile money, internet, voice services and hundreds of digital offerings, is one of the country’s largest data custodians. Its role places it at the center of Ethiopia’s emerging data-rights landscape.
Tsegaye Emmanuel, the company’s Chief Information Security Officer, said data sovereignty sits at the core of its strategy, embodied in its Telecloud storage service. He raised concerns about local companies storing information abroad, often without clarity on its final destination.
“Ethiopian data should reside in Ethiopia,” he said.
Ethio telecom operates under a data governance structure led by a steering committee, though it has not yet appointed a dedicated data protection officer. “The role has been given to the Chief Information Security Officer,” Tsegaye said.
He outlined a three-stage defense system beginning at the point of sale and spanning multiple internal divisions. Data collection follows principles of lawful collection, purpose limitation and transparent processing. Nearly all customers, he said, have been informed of their data rights and have given consent; those who did not were removed from subscription. The company is now preparing to conduct annual data protection impact assessments.
“We have also started self-service options for personal data updates,” he added.
Ethio telecom has also established protocols for data retention and erasure. Like others in the sector, Tsegaye expressed concern about fines reaching 4 percent of annual revenue.
With 85.4 million mobile connections (63.8% penetration), Ethiopia's telecom sector generates vast data volumes, including 2.46 GB per user monthly at Ethio Telecom alone, which serves around 85 million subscribers. Mobile money amplifies this via platforms like Telebirr (55 million subscribers). These scales, per recent reports, heighten risks for the "tens of millions" of Ethiopians whose profiles span location, financial, and behavioral logs.
Ethiopia’s new law aims to tighten accountability around personal data management. When a data controller rejects a request to access or erase personal data, it must now demonstrate that a lawful exemption applies, placing the burden of proof on the institution rather than the individual. Enforcement rests with the Authority, which will monitor compliance and refer criminal violations to prosecutors. The framework mirrors international standards, including the EU’s GDPR, emphasizing preventive measures such as registration, breach notification and data protection officers.
For Dawit Birhanu, CEO of Websprix IT Solutions PLC, Ethiopia’s first private internet service provider (ISP), minimizing the volume of data collected is the first step toward compliance. His company, which provides fiber-to-home services to nearly half a million households, limits collection to what is necessary for billing, regulatory requirements and service improvement.
“We don’t collect data that is not necessary,” Dawit said.
He stressed that strong data protection is central not just for consumer trust but for the resilience of the network itself. Limiting internal access, maintaining firewalls, encrypting sensitive information and training employees, he said, are all part of the company’s approach.
“Data protection is a balancing act,” Dawit stressed. “The ideal data collection would be none.”
For now, Ethiopia’s data protection regime appears more aspirational than a fully realized system. Regulators are still assembling the machinery needed to enforce the law, while the country’s largest data custodians navigate new obligations in real time. The proclamation’s effectiveness could depend on the Authority’s ability to implement regulations, process registrations, and monitor compliance across the country’s diverse digital ecosystem. Otherwise, Ethiopia’s digital expansion risks outpacing its regulatory muscle, leaving the Authority racing to close a gap that grows wider with every new service brought online.

Munir Shemsu
Munir S. Mohhammed is a journalist, writer, and researcher based in Ethiopia. He has a background in Economics and his interests span technology, education, finance, and capital markets. Munir is currently the Deputy Editor-in-Chief at Shega Media and a contributor to the Shega Insights team.