Ethiopia’s Personal Data Protection Proclamation Enters in to Force
Bezawit Yirga and Benyam Taffese
Ethiopia has launched its journey towards strengthening data protection with the recent enactment of the long-awaited Proclamation on Personal Data Protection (Proclamation No. 1321 /2024), published in the official Gazette on July 24, 2024. Prior to this development, protection of personal data and privacy was regulated by undetailed rules scattered across various legislations, including the FDRE Constitution. The enactment of the new Proclamation, therefore, marks a significant development towards the protection of personal data in Ethiopia.
At its core, the Proclamation addresses several critical aspects of data protection. One of its features is the clear distinction drawn between personal data and sensitive data, accompanied by stringent rules governing the collection and processing of sensitive personal data. This demarcation enhances safeguards concerning information of a sensitive nature.
Furthermore, the Proclamation enshrines fundamental principles that serve as a guideline for personal data processing. These principles include the principles of lawfulness, proportionality, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, data sovereignty, and data transfer. Data controllers and processors, among others, are obligated to comply with implementation of these principles during data processing activities.
The absence of a dedicated regulatory authority that oversees personal data protection has been a major factor in the absence of a robust personal data protection system in Ethiopia. With a view to addressing this gap, the Proclamation entrusts the Ethiopian Communications Authority with the responsibility of overseeing data protection in Ethiopia.
The Proclamation endows data subjects with a set of rights, granting them greater control over their personal information. These rights encompass the entitlement to be informed about the details of data processing activities, access to personal data, the right to erasure, rectification, objection, restriction of processing, protection against automated decisions, and the right to receive personal data concerning them. Such provisions empower individuals to assert their privacy rights and hold accountable those entrusted with their data.
A data controller or processor may transfer personal data to a third-party jurisdiction under certain conditions. These include providing proof to the relevant Authority that the third-party jurisdiction ensures an appropriate level of protection, which the Authority must verify according to specific legal provisions. Additionally, if the data subject gives explicit consent after being informed of potential risks, or if the transfer is necessary or made from a public register, the transfer may proceed. The Authority retains the right to request evidence of effective security measures and the presence of legitimate interests for such transfers. Furthermore, to safeguard the rights and freedoms of data subjects, the Authority can prohibit, suspend, or impose conditions on the transfer.
With the aim of safeguarding privacy rights and ensuring compliance, the Proclamation imposes penalties for breaches and violations of provisions of the Proclamation. Acts such as failure to notify personal data breaches, inadequate implementation of technical and organizational measures during breaches, or processing personal data contrary to the Proclamation are punished with measures ranging from imprisonment to substantial fines. Moreover, any infringement on the rights of data subjects results in penalties, including serious imprisonment or substantial fines.
In conclusion, Ethiopia’s enactment of the Proclamation on Personal Data Protection opens a new era of data governance and privacy protection. By instituting a comprehensive legal framework for the protection of personal data and defining clear rights and responsibilities of different actors, Ethiopia has announced a strong commitment to safeguarding the privacy and security of personal data.
Legal Disclaimer: The information provided in this update is for general informational purposes only and does not constitute legal advice. This update reflects the current legal landscape as of the date of publication, but laws and regulations are subject to change. Readers should not act or refrain from acting based on the content without seeking professional legal advice specific to their circumstances. No attorney-client relationship is established by reading or responding to this post. For personalized legal guidance, please contact our team of experienced lawyers.