Ethiopia began implementing its first legal instrument targeting the use, dissemination, modification, and processing of personal data last week.
Organized under seven chapters, the proclamation assigns the Ethiopian Communications Authority (ECA) as the regulatory body tasked with overseeing the processing of personal data for local companies and international firms utilizing equipment located in Ethiopia. Public institutions found at federal and regional levels also fall under this purview, while the exchange of information between government agencies on a need-to-know basis is exempted.
The bill, which received parliamentary greenlight four months ago, nearly three years after it was initially tabled, lays the preliminary scaffolding in data privacy for an increasingly data-driven economy.
It defines personal data as information that is collected for purposes of processing while being ascribable to either a natural person or containing a unique identifier that would enable identification. Racial, religious, professional association membership, political opinion, genetic, and health status are further classified under sensitive personal data.
Questionable Past
Ethiopia’s relationship with the protection of personal rights amid the expansion of telecommunications technology has a peculiar history, as highlighted in a 137-page report by the Human Rights Watch organization a decade ago.
Unlawful surveillance, privacy violations, and extrajudicial data collection, all supported by the previously monopolized telecommunications network were some of the concerns cited by the Report. One of the recommendations from the report was the enactment of strong legislation defining and setting a legal framework around personal data.
Under the inaugural personal data proclamation, the ECA is empowered to add further categories it considers sensitive while enforcing a set of defined principles for processing personal data.
Transparency, specificity, purposiveness, in-excessiveness, confidentiality, and security of personal data are some of the main principles outlined in the proclamation.
However, Ethiopia’s short stint in the digital economy has been marked by a series of haphazard forays regarding regulatory oversight, with notable progress largely limited to the finance sector. The National Bank of Ethiopia’s series of directives pertaining to the licensing of payment instrument issuers, operators, and financial consumer protection represent the most significant development pertaining to dematerialized data so far.
Under the data protection proclamation, consent is given significant weight, with rigorous conditions laid out to define what it means and how it should be given.
Balcha Reba (Eng), Director General of ECA, emphasizes the importance of nursing a culture of valuing one’s personal data as Ethiopia adopts greater digitization. He indicates the need to embed principles in data collection for both collectors and owners.
“Only data required for a stated purpose should be collected,” the DG told Shega.
He foresees snippets of information being attached to data collection forms like those carried by bank tellers when they are fishing for new accounts.
The Director heralded the proclamation as a crucial development in Ethiopia’s digital ecosystem, ushering foundational pillars in data processing and collection.
He says the first phase of implementation by the Authority will entail creating an administrative structure capable of handling its new responsibilities.
“It’s intimately tied to both human rights and even intellectual property,” Balcha noted.
With 138 of the 193 United Nations member countries having ratified data protection laws, there is a budding global awareness of the primacy of data in the ‘fourth industrial revolution’.
The rapid rise of artificial intelligence, especially in the past three years, has introduced unprecedented data collection and processing.
ECA’s director general is keenly aware of this revolution. Balcha expects the principles laid out in the proclamation to be adhered in both manual data management and automated procedures.
He referred to how data is collected, which ends up being fed into machine learning algorithms without the approval of the data owner. The DG pointed out how sensitive issues arise when information pertains to individual markers of identity.
“Big data collection is a global issue,” Balcha says. ”We are keenly aware of it.”
Heavy Penalties
The proclamation permits cross-border data transfer only when it meets third-party jurisdiction standards and has the owners’ informed consent. This means that the data being transferred must comply with the laws and regulations of a third-party country or jurisdiction that is involved in or has authority over the matter.
Subsequent regulations by the Council of Ministers as well as guidelines and directives from the Authority will lay out fees, penalties, and other details of enforcement in the near future.
Data processors are required to notify data controllers of any data breaches, who are then required to communicate them to owners within 72 hours of becoming aware of it.
Failure to notify a personal data breach or implement technical and organizational measures when a breach occurs could result in imprisonment of up to three years and fines of 50,000 birr.
While some legal historians point to the ratification of the General Data Protection Regulation (GDPR) by the European Parliament in 2016 as the most significant legislative development, others trace the foundations to “right to be left alone” principles laid out in US privacy laws from late 19th century.
Under Ethiopia’s proclamation, selling or transferring personal data outside of Ethiopia without proper conditionalities could bring about imprisonment of up to ten years and fines of 300,000 birr.
With phone ownership hovering over 70 million, a significant portion of which are smartphones, and nearly every public and private service expanding into the digital realm, the need for this proclamation has reached a fever pitch.
Veterans in Ethiopia’s digital ecosystem, like Nurhassen Mensur, point out that the latest proclamation falls into a wider legal framework concerning consumer protection. As one of the early participants when the bill was being discussed by stakeholders, he recognizes its implementation as foundational for subsequent directives and regulations.
“Ownership of data has been a central issue of concern,” Nurhassen told Shega. ”It is a matter of trust.”
He expects the efficacy of the data proclamation to rest on execution, as the basic legal scaffolding has been laid out. The consultant, with expansive experience in several fintech firms, foresees an adaptive response by the nascent digital ecosystem in Ethiopia, which has largely been operating with limited oversight on its data management. Nurhassen hopes that all data collection procedures, even in public administration, will adhere to the principles laid out in the proclamation.
“Government offices down to the Woreda level have lessons to learn,” he says.
Nurhassen also recommends enhancing regulatory capacity to keep up with the pace of the global evolution of technology. He highlighted how the acceleration of artificial intelligence tools introduces an international dimension to data protection, which could weaken regulatory capacity if not properly managed.
“Institutional awareness needs to be cultivated,” the consultant noted.
As Ethiopia ventures deeper into a digital economy nudged by government initiatives like Digital Ethiopia 2025, the primacy of data to either fuel or hamper economic growth becomes increasingly self-evident. With nearly 40 million internet users and a massive youth population aggressively adopting technology, strong legal bulwarks in data management are increasingly vital to Ethiopia’s digital prospects.
For a country that has recorded at least 26 incidents of internet shutdowns since 2016 in response to conflict, communal violence, and political turmoil, the importance of constantly evolving legislation to govern individuals’ rights in the digital realm is self-evident to many.
Follow us
