In April 2024, the House of People’s Representatives ratified a personal data protection proclamation which moved into implementation in mid-July. This proclamation establishes a thorough legal framework aimed at strengthening individual privacy and regulating the management of personal data within the country. It acknowledges data privacy as a fundamental constitutional right, granting data subjects increased control over their personal data. While applicable to all entities that collect and manage data, it carries significant weight for the digital finance sector.
Pre-Proclamation Data Protection Landscape in Ethiopia
According to DLA Piper Global Data Protection Laws of The World, Ethiopia did not have a dedicated law addressing data protection and privacy before the year 2024. In contrast, countries with comparable contexts like Kenya, Uganda, Egypt, Nigeria, Rwanda, and Tanzania have implemented specific legislation on data protection and privacy, within the context of their existing constitution.
Prior to parliamentary greenlight for the data proclamation were other pieces of legislation touched upon data protection and privacy:
- The 1995 Constitution of the FDRE
- The 1960 Civil Code
- National Information Security Policy of the FDRE
- Freedom of the Mass Media and Access to Information Proclamation No. 590/2008 (as amended by the Media Proclamation No. 1238/2021)
- Registration of Vital Events and National Identification Cards Proclamation No. 760/2012 (as amended)
- The Computer Crime Proclamation No. 958/2016
- Federal Tax Administration Proclamation No.983/2016
- Authentication and Registration of Documents’ Proclamation No.922/2015
- Communications Service Proclamation No.1148/2019
- Electronic Transaction Proclamation No.1205/2020
- NBE Licensing and Authorization of Payment Instrument Issuers Directive No. ONPS/01/2020
- NBE Financial Consumer Protection Directive No. FCP/01/2020 (this directive was more closely related to personal data protection in the finance sector) and others
What does the proclamation mean for data protection?
The new proclamation details key definitions, the scope of implementation, and the powers and functions of the Ministry of Innovation and Technology (MiNT) and places the Ethiopian Communications Authority (ECA) as the principal regulator. It also covers principles of processing personal data, including lawfulness, conditions for consent, handling sensitive personal data, processing data of minors, the rights of data subjects, registration requirements, obligations of data controllers and processors, exemptions from the provisions, monitoring mechanisms, administrative decisions, criminal offenses, and more.
It introduces detailed stipulations on conditions for cross-border transfer of personal data, widening a framework previously adhered to by law enforcement.
Before this proclamation, there was no specific geographic restriction on personal data transfers, although there was a requirement for transfers to be based on prior written consent and for lawful purposes. The issue of cross-border transfer of personal data and sensitive data was not addressed in previous legislation related to data protection and privacy. However, the new proclamation comprehensively covers this issue. It outlines the conditions that data controllers or processors must meet to transfer personal data across borders, including providing evidence of adequate protection in the receiving jurisdiction, obtaining informed and explicit consent from data subjects, demonstrating the necessity of the transfer, and other related factors such as the meaning of “necessary transfer.” Additionally, the proclamation specifies safeguards that must be in place before a cross-border transfer occurs.
Regarding data sovereignty, the proclamation mandates that all data collectors and processors ensure that locally collected or obtained personal data is stored on servers or data centers located within Ethiopia. This provision aims to enhance data control and protection within the country’s borders.
It also grants data subjects the right to file a written complaint to the Authority for a remedy to a violation of rights and appeal the Authority’s decisions to the Federal High Court within sixty days thereafter. The Authority may impose on the data controller or processor a fine up to 4% of its total worldwide turnover of the preceding financial year where an offence has been committed; (a) by an institution; (b) in relation to sensitive data; or (c) in relation to personal data of a child. Moreover, a data controller or processor shall be subject to penalties, including criminal sanctions upon violation of the provisions of the Proclamation.
———————————————————————————————————————
While the new proclamation represents a significant step forward in addressing personal data protection issues, it also has certain limitations. One notable drawback relates to its scope definition. The proclamation specifies that “Except as otherwise provided, this proclamation applies to a data controller or data processor in respect of any personal data only if: (a) it is established in Ethiopia and the data are processed in the context of that establishment, or (b) it is not established in Ethiopia, but uses equipment in Ethiopia for processing the data otherwise than for the purposes of transit through Ethiopia and has a representative established in Ethiopia.”.
This scope definition creates a potential loophole for data controllers and processors who do not fall within these parameters. It means that entities operating outside of Ethiopia’s jurisdiction, without a physical presence or equipment in the country, might not be subject to the provisions of the proclamation. This could lead to challenges in enforcing data protection standards for certain entities that handle personal data but do not meet the stated criteria for applicability under the proclamation.
Therefore, while the proclamation is a crucial step in enhancing personal data protection, creating strategy to address this scope limitation and ensuring comprehensive coverage across all relevant entities to extend the protection to all data subjects under Ethiopian jurisdiction, regardless of the physical presence or equipment use of the data controllers and processors in Ethiopia, could further strengthen its effectiveness and enforcement.
What key considerations should data collectors and processors keep in mind?
It’s very important for relevant individuals and institutions to consider the compliance costs associated with the proclamation. One of the requirements is to limit data storage within Ethiopia, which may incur additional expenses. Vigilant attention to subsequent directives and regulations by the Ethiopian Communications Authority will be crucial as conditions for registration certificates, penalties, and fees are set to be codified.
Additionally, there are cost implications related to hiring a data protection officer under specific conditions outlined in the proclamation. These factors highlight the importance of understanding and budgeting for the compliance requirements set forth in the new legislation.