Ethiopia - Data Protection Overview
October 2023
1. Governing Texts
Ethiopia does not have a single and comprehensive legal instrument regulating privacy and data protection, including the obligations of data controllers and processors, as well as the rights of data subjects in general. There are, however, rules contained in the Constitution of the Federal Democratic Republic of Ethiopia (1995) ('the Constitution'), and other laws that deal directly or indirectly with data privacy and/or data protection. The Ministry of Innovation and Technology ('MINT') (formerly known as the Ministry of Communication and Information Technology ('MCIT')) has recently issued a Draft Data Protection Proclamation which is yet to be approved.
While there is also no national data protection authority, some sector-specific Government authorities (including the authorities listed under the section on guidelines below) have the power to regulate privacy and/or data protection issues within their regulatory scope.
1.1. Key acts, regulations, directives, bills
The key laws that provide for privacy and data protection rules include:
- the Constitution;
- Freedom of the Mass Media and Access to Information Proclamation No. 590/2008 ('the Mass Media Proclamation');
- Civil Code of the Empire of Ethiopia Proclamation No. 165/1960 ('the Civil Code');
- Ethiopian Digital Identification Proclamation No. 1284/2023 ('the Digital Identification Proclamation');
- Criminal Code of the Federal Democratic Republic of Ethiopia Proclamation No. 414/2004 ('the Criminal Code');
- Criminal Procedure Code of the Empire of Ethiopia, 1961 ('the Criminal Procedure Code');
- the Food, Medicine, and Healthcare Administration and Control Council of Ministers Regulation ('the Regulation');
- the Communications Service Proclamation No.1148/2019 ('the Communications Service Proclamation');
- Telecom Fraud Offence Proclamation No. 761/2012 ('the Telecom Fraud Proclamation');
- Telecommunications Consumer Rights and Protection Directive No. 832/2021 ('the Telecommunications Consumer Rights Directive');
- Computer Crime Proclamation No. 958/2016 ('the Computer Crime Proclamation');
- Registration of Vital Events and National Identification Cards Proclamation No. 760/2012 ('the Registration of Vital Events and National Identity Card Proclamation');
- Federal Tax Administration Proclamation No. 983/2016 ('the Federal Tax Administration Proclamation');
- Authentication and Registration of Documents' Proclamation No. 922/2015 ('the Documents Authentication and Registration Proclamation');
- Electronic Signature Proclamation No.1072/2018 ('the Electronic Signature Proclamation');
- Electronic Transaction Proclamation No.1205/2020 ('the Electronic Transaction Proclamation');
- Licensing and Authorization of Payment Instrument Issuers Directive No. ONPS/01/2020 ('the Licensing and Authorization of Payment Instrument Issuers Directive');
- Financial Consumer Protection Directive No. FCP/01/2020 ('the Financial Consumer Protection Directive');
- National Bank Circular No. FIS/01/2014 ('the National Bank Circular');
- FDRE Capital Market Proclamation No. 1248/2021 ('Capital Market Proclamation');
- Draft Capital Market Service Providers Licensing and Supervision Directive ('Draft Capital Market Service Providers Directive');
- Draft Recognition of Self-Regulatory Organizations Directive ('Draft SRO Directive'); and
- Draft Directive on Licensing and Operating Securities Exchanges and Trading Platforms ('Draft Licensing and Operating Securities Exchanges and Trading Platform Directive').
The Constitution
The Constitution contains provisions pertaining to the protection of privacy that mirror the protections enshrined in major international human rights instruments.
Accordingly, Article 26 of the Constitution provides that everyone has the right to privacy [including] the right not to be subjected to the search of their home, person, or property, or the seizure of any property under their personal possession. Moreover, Article 26(2) stipulates that 'everyone has the right to inviolability of [their] notes and correspondence including postal letters, and communication made by telephone, telecommunications, and electronic devices.'
Article 26(3) of the Constitution envisages exceptions where these rights could be limited. As such, the right to privacy can be restricted in 'compelling circumstances and in accordance with specific laws whose purposes [are] safeguarding of national security or public purpose, the prevention of crimes or the protection of health, public morality or the rights and freedom of others.'
Ethiopia is also a party to a number of international and regional human rights instruments that provide for the right to privacy and protection of personal information including the Universal Declaration on Human Rights 1948, the International Covenant on Civil and Political Rights 1966, the Convention of the Rights of the Child 1989, and the African Charter on Rights and Welfare of the Child 1990. According to Article 9 of the Constitution, these and other human rights instruments ratified by Ethiopia form an 'integral part' of the laws of the country.
The Mass Media Proclamation
The Mass Media Proclamation, which is applicable to all media operating in Ethiopia, contains provisions for protecting privacy and personal data in the form of limitations on the right to seek and access any information held by public bodies. Public agencies are required to reject requests to access records if the concerned records relate to the 'personal information' of third parties, including individuals who passed away within less than 20 years from the time of the application.
A request for access to public records can be rejected in accordance with Article 18(1) of the Mass Media Proclamation, if:
- it relates to information supplied by the third party in confidence and if it would potentially prejudice the supply of similar information in the future when public interest so demands; and
- the disclosure of the record would constitute an action for breach of duty of the confidence owed to the third party in terms of an agreement and would likely result in legal action against it.
A third party whose information is requested for disclosure has the right to be notified and can protest the disclosure (Article 19 of the Mass Media Proclamation).
The Civil Code
The privacy-related rights recognized under the Civil Code include the Constitutional right not to be subjected to search except in cases provided by the law (Articles 11 and 13). Article 11 provides that 'no person may have [their] freedom restricted, or be subject to a search, except in cases provided by the law.' Articles 20 and 24 of the Civil Code provide for the right to refuse to be compelled to submit oneself into a medical examination without consent and the right not to be compelled to reveal facts obtained while exercising one's professional duty (see the section on personal scope below). Moreover, Article 31 of the Civil Code stipulates that the addressee of a confidential letter may not divulge its content without the consent of the author, except in judicial proceedings where they have a legitimate interest.
The Digital Identification Proclamation
The Digital Identification Proclamation has been recently enacted with the view to adopt a comprehensive legal framework for the regulation of the national digital identification system. The Digital Identification Proclamation provides the rules for collecting, processing, transferring, disclosing, modifying, and overall management of personal data of customers (registrants). It also incorporates the provisions that accord protection to the personal data of registrants.
'Personal data' is defined in the Digital Identification Proclamation as the biometric and demographic data collected with the 'digital identification system' (Article 2(17) of the Digital Identification Proclamation). According to Article 17(1) of the Digital Identification Proclamation, the registrants own their personal data, and once they give the data to the registering institution (registrar), the processing, transferring, disclosing, and modifying of such data must be done with the consent of the registrants.
Article 17(2) of the Digital Identification Proclamation requires the registrar to ensure that the confidentiality of personal data is maintained while collecting, registering, authenticating, storing, and processing the personal data. Reflective of the principle of data minimization, the Digital Identification Proclamation requires that only data needed for the functioning of the identification system, i.e., data necessary to identify an individual digitally, should be collected (Article 17(3)).
Article 16(4) of the Digital Identification Proclamation stipulates that while authenticating personal data, the 'authentication service providers' shall provide only the minimal necessary level of personal data based on the needs of the 'relying party' as authorized by the registrar. The authentication service providers as well as the relying parties shall also ensure the safety and security of the personal data they receive from the digital identification system (Article 16(5) of the Digital Identification Proclamation).
The Digital Identification Proclamation obligates the registrar to employ strong administrative, legal, procedural, and technical safeguards to ensure the protection of personal data from natural or man-made disasters, electronic attacks, theft, destruction, and other similar losses (Article 17(12) of the Digital Identification Proclamation). In particular, the registering institution must establish a complaint-handling department and notify its customers of that establishment (Article 20(1) of the Digital Identification Proclamation). The Digital Identification Proclamation provides that any party who is dissatisfied with the decision of the 'institution' (as defined in Article 2(9) of the Digital Identification Proclamation) can file a complaint in the pertinent court (Article 20(4) of the Digital Identification Proclamation).
The Criminal Code
Articles 604 to 606 of the Criminal Code criminalize the violation of privacy safeguards guaranteed under the Constitution. Pursuant to Articles 604 and 605 of the Criminal Code, whoever commits any of the enumerated acts constituting a violation of the privacy of a domicile or restricted area is punishable with up to five years of imprisonment in aggravated cases.
According to Article 606 of the Criminal Code, violation of the privacy of correspondence or consignments including intrusion of one's letter, telegram, telecom, and other electronic correspondence, among others, is punishable, upon complaint, with up to six months imprisonment or a fine. Moreover, Article 399 of the Criminal Code criminalizes breaches of professional secrecy. Accordingly, professionals including advocates, legal advisors, attorneys, arbitrators, experts, jurors, employees of private companies, doctors, dentists, nurses, and auxiliary medical personnel, who disclose a secret obtained in the course of professional duties, are punishable by law.
The Criminal Procedure Code
Article 32 of the Criminal Procedure Code provides that no person or premises will be searched without a court warrant except for certain exceptions provided for by the law. These exceptions include:
- where the offender is followed in hot pursuit and enters the premises or disposes of articles that are the subject matter of an offense in the premises; and
- where there is a reasonable cause for suspecting that articles which may be material evidence are concealed and there are good grounds for believing that delay would likely result in removal of such articles.
As an exception to the protection provided under Article 20 of the Civil Code, Article 34 of the Criminal Procedure Code provides that a physical examination may be made, upon the order of an investigating officer, on the person accused of a crime. An examination for such purposes may include the taking of a blood test.
The Regulation
Article 77(2) of the Regulation stipulates that 'a health professional may not disclose, verbally or in writing, information regarding a patient unless the appropriate organ believed that there is a prominent health risk to the public demanding to do so, it is ordered by a court, they get written consent from the patient, or the patient's guardian, or it is permitted by law. The health professional may, however, release or transfer such information of patients for the purpose of conducting scientific research in a manner the information does not identify directly or indirectly any individual patient.'
The Communications Service Proclamation
The Communications Service Proclamation requires the 'telecommunications operators' to take all reasonable steps to ensure the confidentiality of their customers' communications. The Digital Identification Proclamation mandates the Ethiopian Communication Authority ('ECA') with the power to promote information security, data privacy, and protection and issue Directives in order to ensure that the interests of consumers of communication services are protected (Article 50(1) of the Communications Service Proclamation).
Telecommunications Consumer Rights Directive
The ECA enacted the Telecommunications Consumer Rights Directive in line with the requirements set forth in the Communications Service Proclamation. The rights and interests protected under the Telecommunications Consumer Rights Directive include the right to information, privacy, safety, choice, and redress. More specifically, Article 16 of the Telecommunications Consumer Rights Directive lays down minimal standards of protection that 'licensees' must provide for their customers' privacy, namely:
- the collection, processing, and maintenance of personal data on consumers must comply with the laws of Ethiopia;
- the personal data of consumers must not be processed and maintained for purposes other than those originally identified and communicated to the consumers;
- licensees must provide consumers choices regarding the collection, use, and disclosure of personal data collected about them;
- personal data collected on consumers must not be kept longer than one year after the licensee has ended its service to the consumer;
- information on consumers must not be transferred to any party unless by court order, or when the consumer has specifically agreed, by their written consent or other verifiable means, to transfer their personal data; and
- consumers' personal data must only be processed in a server or data center located in Ethiopia.
To ensure the implementation of these minimal standards, the Telecommunications Consumer Rights Directive requires licensees to prepare and submit to the ECA, within 90 working days of the grant of a license, a code of conduct that provides, among other things, the terms and conditions under which the consumers' personal data is to be held and processed. Licensees are further required to include in their code of conduct specific information on the measures they would undertake to prevent unauthorized access to consumer communications and personal data. Moreover, licensees must also develop a policy for the protection of consumer privacy that clearly states what personal data will be collected, the use of that data, possible third-party exchange or disclosure of that data, and the choices available to consumers regarding the collection, use, and disclosure of the collected data.
The Telecom Fraud Proclamation
The Telecom Fraud Proclamation protects the data of telecom service subscribers from unauthorized interception and access. To this effect, the Telecom Fraud Proclamation, under Article 5, states that whosoever, without the authorization of the service provider or lawful user, or any other competent authority intercepts, alters, destroys, or otherwise damages the contents of telephone calls, data, identification code, or any other personal information of the subscribers will be criminally responsible.
The Computer Crime Proclamation
The Computer Crime Proclamation criminalizes the intentional commission of a 'computer crime', which is defined as a crime committed against (Article 2(1) of the Computer Crime Proclamation):
- a computer, computer system, computer data, or computer network;
- a conventional crime committed by means of a computer, computer data, or computer network; or
- dissemination of illegal computer content data through a computer, computer system, or computer network.
The Registration of Vital Events and National Identity Card Proclamation
The Registration of Vital Events and National Identity Card Proclamation guarantees the protection of personal data collected in relation to the registration of vital events and national identity cards. Information specific to an individual may not be disclosed to any other person without the consent of the concerned individual or a court order. However, the Registration of Vital Events and National Identity Card Proclamation allows the disclosure of such information for the purposes laid down under Article 64(1), which include considerations of national security, crime prevention and investigation, tax collection, administrative and social services, and the implementation of risk management systems for financial institutions. Moreover, such information must be properly kept in a central database by the appropriate organ so that the information collected for one purpose is used for other purposes by organs established by law with respect to the registration of vital events or the issuance of national identity cards. Apart from this, the information cannot be used for other purposes or shared with other organs. A Government agency that collects such information has the obligation to protect the data from electronically designed attacks, thefts, and other similar criminal abuse.
The Federal Tax Administration Proclamation
Pursuant to Article 8 of the Federal Tax Administration Proclamation, every tax officer is obliged to maintain the secrecy of documents and information received in [their] official capacity. In addition, Article 8 of the Federal Tax Administration Proclamation enumerates the conditions under which tax information or documents can be disclosed. These include disclosure to:
- another tax officer for carrying out official duties;
- law enforcement agencies;
- the tax commission or a court for the purposes of establishing tax liability;
- a foreign country with which Ethiopia has a bilateral agreement for the exchange of information;
- the Office of Federal Auditor-General of Ethiopia and Attorney General for the performance of official duties;
- regional tax authorities; and
- a person in the service of the Government statistical department or conducting research where disclosure is necessary for official duties provided that the disclosure does not identify the specific person.
Disclosure to any other person can only be made with the written consent of the person to whom the information relates, and other organs authorized by law.
Furthermore, a person to whom the information is disclosed has the obligation to maintain the secrecy of the information and only use such information to the minimum extent necessary to achieve the object for which the disclosure is permitted and is required to return any documents obtained for the purpose to the Ministry of Revenue.
The Documents Authentication and Registration Proclamation
Article 21 of the Documents Authentication and Registration Proclamation obliges the notary to keep the confidentiality of information obtained in the performance of its official duty. No information is allowed to be shared with third parties except in accordance with a court order or upon request by other bodies empowered by law. However, the notary has the obligation to report to the appropriate organ if it accesses information related to the commission of a crime.
Electronic Signature Proclamation
A 'certificate provider' is defined as a legal person duly authorized or recognized to issue a certificate (electronic data that links public keys to the person named in the certificate and confirms the real identity of that person) and related service. Article 29 of the Electronic Signature Proclamation stipulates that the certificate provider is required to keep the custody of information related to certificate issuance, suspension, revocation, or related services for two years. It must keep personal information confidential unless clearly provided otherwise by law.
Electronic Transaction Proclamation
Article 43 of the Electronic Transaction Proclamation provides that, with the exception of legally authorized persons, a person who can access electronic messages, any other written documents, or other electronic devices has the obligation to keep it confidential.
Licensing and Authorization of Payment Instrument Issuers Directive
Article 12(2)(f) of the Licensing and Authorization of Payment Instrument Issuers Directive provides that a payment instrument issuer, upon opening an account, is required to enter into an agreement with a user and the agreement should state the confidentiality of all users' information.
Financial Consumer Protection Directive
Article 4.4 of the Financial Consumer Protection Directive requires financial service providers to keep the financial consumers' data they collect confidential and secure. They can only use and disclose such data for legitimate purposes agreed to by the financial consumer, security provider, or otherwise as permitted by law. Moreover, Article 5.4 of the Financial Consumer Protection Directive requires the financial service providers to put in place and apply policies as well as procedures to ensure the confidentiality and security of the financial consumers' data. It also requires them to inform and make available to financial consumers and security providers regarding their policies.
The National Bank Circular
The National Bank Circular is aimed at implementing the Directives on the Regulation of Mobile and Banking Services No. FIS/01/2012 and clarifies the manner of the relationship of financial institutions with third parties including Technology Service Providers ('TSPs'). The National Bank Circular obliges financial service providers engaged in agent and mobile banking to retain data centers and related infrastructure in the premises of financial institutions that they have acquired, leased, or have special agreements with for the same purposes. It prohibits TSPs from accessing any customer data unless they are authorized by the financial institution for specific periods and purposes related to support and maintenance.
Draft Data Protection Law
The MCIT has prepared a Draft Data Protection Proclamation. The most recent version of the Draft Data Protection Proclamation contains detailed provisions on data collection, use, protection, and processing, and provides for the establishment of a regulatory entity called the 'Data Protection Commission'. The Draft Data Protection Proclamation provides for the definition of 'personal data' and sets out the principles governing the processing of personal data including the principle of fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, security, and data transfer.
It also contains the fundamental rights of data subjects including the right to be informed, right of access, right to rectification, right to erasure, right to object, right not to be subject to automated decision making, right to restriction, and right to data portability.
The Draft Data Protection Proclamation defines 'personal data' as any information relating to an identified or identifiable natural person who can be identified:
- from such data; or
- from such data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of intentions of the data controller or any other person in respect of the individual.
The Draft Data Protection Proclamation lists certain personal information as 'sensitive personal data.' This category of personal data includes information on racial or ethnic origin, political opinion, religious belief, membership to a trade union, physical, and mental health condition, sexual life, genetic information, commission, or alleged commission of a crime, and legal proceedings against the subject. The Draft Data Protection Proclamation contains, among others, the principles on the collection and protection of personal data, the rights of data subjects, and conditions for the processing of sensitive private data.
It is unclear at the time of this writing when the Draft Data Protection Proclamation will be tabled before the House of Peoples' Representatives and enacted.
Capital Market Proclamation
The Government of Ethiopia ('the Government') enacted the Capital Market Proclamation which provides for the establishment of capital markets and provides a legal framework for the regulation and supervision of the same. The Capital Market Proclamation envisages the establishment of an autonomous regulatory organ, the Ethiopian Capital Market Authority ('ECMA'), which is directly accountable to the Prime Minister of Ethiopia. The ECMA is responsible for:
- ensuring the existence of a capital market environment in which securities can be issued and traded in an orderly, fair, efficient, and transparent manner;
- reducing systemic risk by ensuring the integrity of the capital market and transactions; and
- promoting the development of the capital market by creating an enabling environment for long-term investments.
The ECMA was established in June 2022 and, currently, it has been preparing legal frameworks for the launch of the capital market. So far, it has issued and presented, for public consultation, the Draft Capital Market Service Providers Directive, the Draft SRO Directive, and the Draft Licensing and Operating Securities Exchanges and Trading Platform Directive.
Although it does not clearly indicate what constitutes 'personal data', the Capital Market Proclamation, in Article 24, protects the personal data of data subjects by requiring SROs to make rules relating to the matters for which they have regulatory or supervisory functions, including mechanisms for protecting the personal data of data subjects in compliance with the principles of data protection as set out by the ECMA, as discussed below.
Draft Directives and regulations considered by the ECMA
Draft Licensing and Operating Securities Exchanges and Trading Platform Directive
According to Article 37 of the Draft Licensing and Operating Securities Exchanges and Trading Platform Directive, licensed securities exchanges and trading platforms must ensure that they have in place mechanisms to protect the data and information under their custody with respect to their members and their customers' data. It also requires such mechanisms to be in line with principles of data protection applicable to the licensed securities exchanges as set out in the Capital Market Proclamation, as promulgated by the ECMA from time to time, and as required by other relevant Government agencies. However, the Capital Market Proclamation doesn't specifically provide for any personal data protection principle for securities exchanges and trading platforms to adhere to, and to date the ECMA has not promulgated such principles.
Draft SRO Directive
An SRO is an entity that is recognized by the ECMA pursuant to the Capital Market Proclamation to regulate its own members through the adoption and enforcement of rules of conduct for fair, ethical, and efficient practices in the capital market, and includes an exchange and a securities depository and clearing company (Articles 2(70) and 22 of the Capital Market Proclamation). The ECMA delegates its regulatory powers to the SRO, and the latter in turn must make rules relating to the matters for which it has regulatory or supervisory functions, including mechanisms for protecting the personal data of data subjects in compliance with the principles of data protection as set out by the ECMA (Articles 16(1b), 23, 24(1), and 2(g) of the Capital Market Proclamation). The ECMA, in Article 24 of the Draft SRO Directive, requires SROs to have proper and adequate internal control procedures and satisfactory risk management and compliance systems aimed at preventing, detecting, and correcting violations of securities laws and regulations. The Draft SRO Directive further requires an SRO that uses a technological tool, system, or application for carrying out its operations and activities to ensure that:
- data privacy regulations and requirements are considered and complied with in the development and/or implementation of such technological tool, system, or application;
- its digital channels have interfaces that are user-centric with the user experience prioritized; and
- vulnerability assessment and penetration tests are conducted on a semi-annual basis.
An identical provision is found in Article 25 of the Draft Capital Market Service Providers Directive. Besides, the Draft Capital Market Service Providers Directive, in Article 3(3)(mm), defines 'identity theft' as wrongfully obtaining and using or transferring another person's personal data, such as their name, identification number, or credit card number, without their permission, with the intent to deceive, commit fraud, or to aid or abet any unlawful activity or other crimes.
1.2. Guidelines
There are no comprehensive guidelines for data protection in Ethiopia.
1.3. Case law
Ethiopia follows a predominantly civil law system and does not have a strong case law tradition. However, since 2005, the ruling of the Cassation Division of the Federal Supreme Court ('Cassation Bench') on the interpretation of the law is proclaimed to be binding on all other courts. As of the date of writing, however, the Cassation Bench has only issued one such ruling pertaining to the protection of privacy. In Riyan Miftah v. Elsiwdi Kebls Plc, the Cassation Bench delivered a landmark ruling stating that no image or photograph of a person may be publicly exhibited, sold, or disseminated without the consent of the person concerned and that the latter would be entitled to damages for any violation of their privacy rights. The decision of the Cassation Bench is a clear articulation of the provisions of Articles 27 and 29 of the Civil Code.
2. Scope of Application
2.1. Personal scope
The sector-specific data protection rules discussed under the section on key acts, regulations, directives, bills above apply to the persons or entities covered by the respective legislation. For example, the rules provided under the Financial Consumer Protection Directive apply to financial service providers, financial products and services, financial consumers, and security providers. Financial service provider means banks, insurers, microfinance institutions, capital goods finance companies, postal savings, money transfer institutions, or such other similar institutions as specified by the National Bank of Ethiopia ('NBE'). Security provider means a financial consumer that provides or proposes to provide security.
Article 16 of the Mass Media Proclamation provides that any public relations officer should reject a request for access to a record of the public body if its disclosure would involve unreasonable disclosure of personal information about a third party, including a deceased individual who passed away less than 20 years ago.
2.2. Territorial scope
There is no clear guideline regarding the territorial and extraterritorial scope of the existing sector-specific data protection rules. However, it can be inferred that the data protection rules discussed under the section on key acts, regulations, directives, bills above apply to the processing of personal data/information in the context of the activities of a data controller or processor in Ethiopia.
2.3. Material scope
Although it is not clear under the existing data protection rules, it is our understanding that the privacy and data protection rules apply to the processing of personal data and information of entities by both automated and non-automated means.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
Although there is no central data protection authority, there are various sector-specific Government bodies/authorities which regulate privacy and data protection. These include:
- the ECA, the regulator of the telecommunication sector, which is empowered, among other things, to promote information security, data privacy, and protection;
- the Information Network Security Agency ('INSA'), which is mandated to ensure that information and computer-based key infrastructure are secured;
- the Ethiopian Ministry of Revenue ('MoR'), which is the ministerial body responsible for the implementation and enforcement of tax laws including rules on the protection of tax information;
- MINT, a federal ministry organ, is empowered mainly to ensure and set a general policy framework for the provision of quality, reliable, and secure information technology services and oversee the implementation thereof;
- the NBE, the banking sector regulator, which is conferred with certain powers related to privacy and data protection in relation to the financial sector. Its mandate includes collecting data from any person in order to prepare various periodic economic studies and related activities. Any information obtained by the NBE from an operator, participant, issuer of payment instruments, or the central counterparty must not be directly or indirectly disclosed to a third party unless the disclosure is:
- for the purpose of fulfilling the legal requirements under the National Payment System Proclamation No. 718/2011 ('the National Payment System Proclamation');
- necessary to ensure financial integrity, effectiveness, and security of the system;
- to a recipient who is legally authorized to get such information or to a body for which the national bank is accountable;
- to a recipient who is legally authorized to get such information;
- ordered by a court of law; and
- for the purpose of meeting obligations under international agreements.
- the Ethiopian Food and Drug Administration ('FMHACA'), which regulates the safety and quality of medicines, has certain powers relating to the protection of information of patients by health professionals. These include taking measures with respect to incompetent and unethical health professionals who breach their professional duties including professional secrecy;
- the Ethiopian Document Authentication and Registration Agency ('EDARA'), which is an organ responsible for coordinating and supporting the authentication and registration activities. It performs the activities of document authentication and registration and serves as a central database for documents authenticated and registered; and
- the Financial Intelligence Centre ('FIC'), which is an organ responsible for coordinating the various institutions involved in the fight against money laundering and the financing of terrorism, organizing and analyzing the information it receives, and performing other related tasks.
3.2. Main powers, duties and responsibilities
Please refer to the section on the main regulator for data protection above for the general powers of each authority.
4. Key Definitions
Data controller: Ethiopian law does not provide a definition for data controller.
Data processor: Ethiopian law does not provide a definition for data processor.
Personal data: The Digital Identification Proclamation defines 'personal data' in terms of biometric and demographic data collected with the 'digital identification system.' Biometric data refers to the physical attributes that can be computed off of a natural person such as fingerprints, iris, and facial photos used for the unique calculation of a person's identity (Article 2(5) of the Digital Identification Proclamation). On the other hand, 'demographic data' is defined as the non-biometric personal attributes of a resident entered into the 'digital identification system', such as name, nationality, date of birth, gender, address, and phone number (Articles 2(6) and 9 of the Digital Identification Proclamation).
Article 2(8) of the Mass Media Proclamation defines 'personal information' as information about an identifiable person including but not limited to:
- information related to the medical, educational, academic, employment, professional, or criminal history of the individual or information relating to financial transactions;
- ethnic, national, or social origin, age, pregnancy, marital status, color, sexual orientation, physical or mental health, well-being, disability, religion, belief, conscience, culture, language, or birth;
- an identification number, symbol, or other identifier assigned to an individual, address, fingerprints, or blood type;
- personal opinions, views, or preferences, except as related to another individual;
- views or opinions on grant proposals, awards, or prizes granted to another individual, provided such views or opinions are not associated with the individual's name; and
- views or opinions of others about the individual; and the individual's name where, in combination with other personal data or alone, it could reasonably be linked to personal data (except for deceased persons who died more than 20 years ago).
Article 2(12) of the Telecommunications Consumer Rights Directive defines 'personal data' as 'any information relating to an identified or identifiable natural person leading to identify such person, directly or indirectly in particular by reference to an identifier such as a name, an identification number, location data, telephone number, traffic, and billing data, and other personal information in the context of telecommunications services.'
Sensitive data: The Digital Identification Proclamation, in Article 2(18), identifies sensitive personal data as including data related to racial or ethnic origins, genetic data, physical or mental health or condition, political opinion, religious beliefs or other beliefs of a similar nature, the commission or alleged commission of an offense, and any proceedings for an offense committed or alleged to have been committed and the disposal of such proceedings or the sentence of any court in the proceedings.
Health data: Ethiopian law does not provide a definition for health data.
Biometric data: Article 2(5) of the Digital Identification Proclamation defines 'biometric data' to mean the physical attributes that can be computed off of a natural person such as fingerprints, iris, and facial photos used for unique calculation of a person's identity.
Pseudonymization: Ethiopian law does not provide a definition for pseudonymization.
5. Legal Bases
Consent of the data subject, lawful and legitimate purpose, and public interest are the common legal bases found under most of the existing sector-specific data protection laws.
5.1. Consent
The consent of the data subject is required in order to process certain personal data unless it is legally permitted to do otherwise. For example, under Article 5.4.7 of the Financial Consumer Protection Directive, a financial service provider should only use and disclose financial consumer's and security provider's data consistently with the original purpose of collection or with the explicit and informed consent of the financial consumer or otherwise required or permitted by the Financial Consumer Protection Directive or other laws.
Under the Digital Identification Proclamation, a registrant is the owner of the data collected for the 'digital identification system' and any authentication process must be done with their consent. The Digital Identification Proclamation prohibits collecting, distributing, printing, using, modifying, or providing data collected with the digital identification system, transferring a copy of it to a third party, or disclosing it without the registrant's consent (Article 17(4) and (5) of the Digital Identification Proclamation). The personal data of a registrant can only be transferred to a third party if:
- such a third party is a legal entity authorized by law or court order to obtain the data; and/or
- the third party is legally authorized in accordance with the procedures of the institution (such as relying parties) and the data to be disclosed is a summarized demographic report and statistical data which will not disclose the personal data of the registrant.
Similarly, Article 15(2) of the Telecommunications Consumer Rights Directive stipulates that telecom consumers' personal data must not be transferred to any party unless:
- there is a court order; or
- the consumer specifically agrees, by written consent or other verifiable means, to transfer their personal data.
As discussed under the section on key acts, regulations, directives, bills above, a health professional is not allowed to disclose the medical information of their patient unless they get written consent from the patient or the patient's guardian.
5.2. Contract with the data subject
Not applicable.
5.3. Legal obligations
Not applicable.
5.4. Interests of the data subject
Not applicable.
5.5. Public interest
The Constitution obligates public officials to respect and protect the right to privacy of an individual and to place no restrictions (including on the confidentiality of personal information) except in compelling circumstances and in accordance with specific laws whose purpose shall be safeguarding the interest of the public (i.e., national security, public peace, the prevention of crimes, the protection of health, public morality, or the rights and freedom of others). Article 15(1) of the Prevention and Suppression of Money Laundering and Financing of Terrorism Proclamation No. 780/2013 ('the Prevention and Suppression of ML/FT Proclamation') allows the FIC to obtain from any person information it deems useful for the accomplishment of its functions.
Likewise, Article 51(2) of the Communications Service Proclamation requires telecommunication operators to comply with all lawful orders of any Ethiopian court of competent jurisdiction to provide such information relating to a customer's telecommunications. Article 51(3) of the Communications Service Proclamation further requires telecommunication operators to provide access to their telecommunications networks to duly authorized agents of the Government to carry out lawful surveillance of telecommunications in the conduct of a criminal investigation or national security investigation in accordance with the terms stipulated by a court of competent jurisdiction. Moreover, the ECA is authorized to require the telecommunication operators to register all SIM cards and establish a 'National Subscriber Registry' for the purpose of consolidating and harmonizing the database of subscribers of the telecommunication operators in order to promote national security.
5.6. Legitimate interests of the data controller
Article 4.4 of the Financial Consumer Protection Directive provides that a financial service provider should use and disclose the financial consumer's or security provider's data only for 'legitimate purposes' agreed to by the financial consumer or security provider or otherwise permitted by law. Moreover, Article 5.4.6 of the Financial Consumer Protection Directive stipulates that a financial service provider shall collect a financial consumer's or security provider's data only using lawful or fair means and for legitimate purposes necessary for the activities of the financial service provider.
A tax officer may disclose information related to a taxpayer on conditions (lawful purposes) as mentioned under the section on key acts, regulations, directives, bills above.
5.7. Legal bases in other instances
Not applicable.
6. Principles
The principles of data protection law such as transparency, purpose limitation, data minimization, accuracy, storage limitation, confidentiality, and accountability are envisaged in the Digital Identification Proclamation, Articles 6, 16(4), and 17. However, they are not clearly provided under the rest of the sector-specific data protection rules. These principles, in particular the principles of confidentiality, accountability, and purpose limitation, are often indirectly reflected under the privacy and/or data protection rules. The Financial Consumer Protection Directive, for example, requires the financial service provider to collect the financial consumer's or security provider's data only using lawful and fair means and for legitimate purposes necessary (principle of purpose limitation).
The Electronic Transaction Proclamation obliges persons who can access electronic messages or any other written documents to keep them confidential, and a violation of this entails criminal liability (principles of confidentiality and accountability).
Article 8(3) of the Federal Tax Administration Proclamation also requires any tax officer to maintain the secrecy of the tax information received in their official capacity and any person other than the tax officer who receives tax information in their official capacity is required to maintain the secrecy of the information except to the minimum extent necessary to achieve the object for which the disclosure is permitted (principle of purpose limitation).
7. Controller and Processor Obligations
The Financial Consumer Protection Directive requires financial service providers to implement appropriate organizational, physical, and technical measures to ensure that data is protected against misuse, unauthorized disclosure, accidental loss, destruction, or damage.
7.1. Data processing notification
There are no provisions regarding data processing notifications.
7.2. Data transfers
According to the Licensing and Authorization of Payment System Operators Directive No. ONPS/02/2020, 'point of sale' ('POS') machine operators are not allowed to send domestic payment information outside Ethiopia for the purpose of authorization, clearing, and settlement. They can only send payment data made through the international card scheme to the financial institution or national switch. Similarly, Automated Teller Machine ('ATM') operators shall not send any transaction outside Ethiopia for the purpose of processing, authorization, and switching.
7.3. Data processing records
There is no clear obligation to maintain data processing records.
7.4. Data protection impact assessment
There are no clear requirements/recommendations to carry out a Data Protection Impact Assessment ('DPIA').
7.5. Data protection officer appointment
There are no clear requirements/recommendations to appoint a data protection officer ('DPO').
7.6. Data breach notification
The Licensing and Authorization of Payment Instrument Issuers Directive requires payment instrument issuers to report to the NBE any cybersecurity breach or data loss.
Additionally, financial institutions, designated non-financial businesses and professions that suspect or have reasonable grounds to suspect that funds or property are the proceeds of a crime, or are related to or are to be used for the financing of terrorism, are required to report promptly to the FIC (Article 17 of the Prevention and Suppression of ML/FT Proclamation).
The Government organs that have knowledge of the commission of crimes stipulated under the Computer Crime Proclamation (including breach of privacy/data by illegal and unauthorized access) or the dissemination of any illegal content data by third parties through the computer system it administers are required to immediately notify the INSA, report the crime to the police, and take appropriate measures (Article 27 of the Computer Crime Proclamation).
7.7. Data retention
Article 24 of the Computer Crime Proclamation stipulates that any service provider is required to retain computer traffic data disseminated through its computer systems or traffic data relating to data processing or communication service for one year. The data is required to be kept in secret unless its disclosure is ordered by a court. Service provider means a person who provides technical data processing, communication service, or alternative infrastructure to users by means of a computer system.
As indicated under the section on key acts, regulations, directives, bills above, electronic certificate providers are required to keep custody of information related to certificate issuance, suspension, revocation, or related services for two years.
Financial service providers are required to retain copies of concluded contract documents, key facts statements, and other records relating to the provision of financial products or services for 10 years from the time when that version ceased to be used or after the business relationship has ended, or as may be required by relevant laws (Article 7 of the Financial Consumer Protection Directive).
7.8. Children's data
There are no specific provisions regulating the processing of children's data. However, producing, transmitting, and distributing pictures and videos of a minor or a person appearing to be a minor engaged in sexually explicit conduct is punishable under the Computer Crime Proclamation.
7.9. Special categories of personal data
In principle, information that relates to the following is not allowed to be disclosed by the public relations officer as provided under Articles 21-25 of the Mass Media Proclamation:
- the protection of proceedings of law enforcement and legal investigation;
- the protection of records privileged from production in legal proceedings;
- defense, security, and international relations;
- cabinet documents; and
- economic interests and financial welfare of the country and commercial activities of public bodies.
7.10. Controller and processor contracts
There is no requirement to have a vendor management contract in place.
8. Data Subject Rights
Data subject rights such as the right to be informed, right to access, right to rectification, right to erasure, right to object, right to portability, and right not to be subject to automated decision-making are not clearly provided under the existing sector-specific data protection rules. However, some of these rights are reflected in some of the sector-specific privacy and/or data provisions.
8.1. Right to be informed
Article 5.4.2 of the Financial Consumer Protection Directive obliges financial service providers to inform and make available to financial consumers and security providers information regarding their policies for the collection, use, and disclosure of data, the kind of data that it collects, and on the third parties to whom it may disclose such data. It also requires them to provide copies of the privacy policy to the financial consumers and security providers upon request and to make available the privacy policy on their official website.
According to Article 5.4.7 of the Financial Consumer Protection Directive, financial service providers should obtain the explicit and informed consent of the financial consumer in order to use and disclose their data unless otherwise permitted by the Financial Consumer Protection Directive or other laws.
Article 15 of the Mass Media Proclamation provides that a public relations officer, when requested to disclose information concerning a third party, should give a notice to such third party within 15 days from the receipt of the request for any protest against the proposed disclosure. The third party is required to lodge their objection within 15 days from the issuance of the notice. Failure to lodge such an objection will result in the disclosure of the information to the person who has made the request.
8.2. Right to access
Article 5.4.9 of the Financial Consumer Protection Directive further provides that financial service providers should give financial consumers and security providers the right to access to their data within a reasonable time and free of charge.
8.3. Right to rectification
Moreover, according to Article 5.4.10 of the Financial Consumer Protection Directive, if the financial consumer or security provider claims that any data about them held by the financial service provider is inaccurate or incomplete, the financial service provider should correct it within a reasonable time and take reasonable steps to advise any third party that has access to inaccurate or incomplete data about the correction.
Similarly, the Telecommunications Consumer Rights Directive requires telecommunication service providers to report any compromise on personal data to the consumer and the ECA within 72 hours of becoming aware of it and to rectify the problem before it brings an adverse impact on the consumer (Article 15(4) of the Telecommunications Consumer Rights Directive).
8.4. Right to erasure
Not applicable.
8.5. Right to object/opt-out
The Telecommunications Consumer Rights Directive, in Article 14, provides the telecommunication service provider with the right to make an online directory service publicly available to consumers. However, the service provider must obtain written consent from its subscribers to either opt in or opt out prior to referencing their information in the directory.
8.6. Right to data portability
Not applicable.
8.7. Right not to be subject to automated decision-making
Not applicable.
8.8. Other rights
Article 40 of the Mass Media Proclamation provides that where any factual matters injurious to the honor or reputation of any person are reported in a mass media outlet, the person shall have the right to have their reply inserted, free of charge, in the publication in which the report has appeared.
9. Penalties
The penalties for breach of data protection rules are provided across various sector-specific privacy and/or data protection laws. These laws provide different penalties for non-compliance with the privacy and data protection rules and are outlined below.
The Digital Identification System
The Digital Identification Proclamation prohibits the collection of more personal data than is needed to obtain digital identification. According to Article 22(2) of the Digital Identification Proclamation, a registrar who contravenes this provision will be punished with a fine from ETB 10,000 (approx. $180) to ETB 100,000 (approx. $1,803). If the person responsible for the crime is a juridical one, it will be punishable with a fine from ETB 300,000 (approx. $5,408) to ETB 800,000 (approx. $14,423).
Article 17(9) of the Digital Identification Proclamation also prohibits the unauthorized transfer of personal data collected under the digital identification system to a third party. The Digital Identification Proclamation prescribes that a person who violates this provision will face punishment of one year to five years or in accordance with the circumstance of the case up to eight years of rigorous imprisonment. If the said crime is committed by a juridical person, it will be punished with a fine from ETB 100,000 (approx. $1,803) to ETB 500,000 (approx. $9,014).
Financial sector
The National Payment System Proclamation provides that a director, a manager, or an employee of an operator (the NBE, financial institutions, or any other entity authorized by the NBE as an operator), a participant, or an issuer of a payment instrument who discloses confidential information relating to any person, except when legally required or ordered by a court of law, the NBE, or a legally authorized person, will be punished with rigorous imprisonment from 10 to 15 years and with a fine from ETB 50,000 (approx. $901) to ETB 100,000 (approx. $1,803) (Article 35(2)(e) of the National Payment System Proclamation).
Article 58(7) of the Banking Business Proclamation generally provides a penalty of imprisonment of up to three years and a fine up to ETB 10,000 (approx. $180) on any persons who contravene or obstruct the provisions of the Banking Business Proclamation, Regulations, and Directives including the provisions on non-disclosure of confidential information.
The Financial Consumer Protection Proclamation provides that financial institutions that contravene the provisions of the Financial Consumer Protection Directive (including the privacy and data protection provisions) will be subject to a penalty of ETB 10,000 (approx. $180) for each violation. In addition, the NBE may take any other measures it considers necessary.
Health sector
The Criminal Code provides a penalty of simple imprisonment or fine for a breach of professional duties including by health professionals.
The FMHACA may take various forms of measures against health professionals who breach their professional obligations, based on a proposal from the Health Professionals' Committee. Moreover, a breach of professional duties may also entail tortious liability pursuant to Article 2031 of the Civil Code. Hence, a person practicing a profession, including health professionals, is liable in the event of imprudence or of negligence constituting 'definite ignorance of their duties.'
ICT sector
Part II of the Computer Crime Proclamation criminalizes illegal/unauthorized access, illegal interception, interference with a computer system, causing damage to computer data, and other criminal acts related to the usage of computer devices and data. Article 3 of the Computer Crime Proclamation provides, 'Whosoever, without authorization or in excess of authorization, intentionally secures access to the whole or part of a computer system, computer data, or network will be punishable with simple imprisonment not exceeding three years or fine from ETB 30,000 (approx. $539) to ETB 50,000 (approx. $901) or both.' If the crime is committed against a computer system, computer data or network that is exclusively destined for use by a legal person or on critical infrastructure, it is punishable with up to 10 years imprisonment and/or ETB 100,000 (approx. $1,803) fine.
'Critical infrastructure' means computer systems, networks, or data where an attack would cause considerable damage to public safety and the national interest. Similarly, persons who intercept non-public data or data processing services may be punished with rigorous imprisonment not exceeding five years and/or an ETB 50,000 (approx. $901) fine (Article 4(1) of the Computer Crime Proclamation). If the crime of interception is committed on computer data or a system exclusively destined for the use of a specific legal person or on critical infrastructure, the punishment will be rigorous imprisonment of up to ten years and/or a fine of ETB 200,000 (approx. $3,591) (Article 4(2) of the Computer Crime Proclamation). Illegal interference with a computer system is likewise punishable with rigorous imprisonment ranging from three to 20 years and/or a fine of up to ETB 500,000 (approx. $9,014), depending on whether the crime is committed on a computer system that is exclusively used by a specific legal person or on critical infrastructure (Article 5 of the Computer Crime Proclamation). Damage to computer data is punishable with up to ten years of rigorous imprisonment and/or an ETB 100,000 (approx. $1,803) fine (Article 6 of the Computer Crime Proclamation). Criminal acts related to the use of computer devices and data are punishable with between one and five years of imprisonment and a fine of ETB 5,000 (approx. $90) to ETB 50,000 (approx. $901) (Article 7 of the Computer Crime Proclamation).
According to Article 12 of the Computer Crime Proclamation, 'whosoever intentionally produces, transmits, sales, distributes, makes available, or possesses without authorization any picture, poster, video, or image through a computer system that depicts a minor engaged in sexually explicit conduct or a person appearing to be a minor engaged in sexually explicit conduct shall be punishable with rigorous imprisonment from three years to 10 years.'
According to Article 17 of the Payment Instrument Issuers Directive, if a director, a manager, or an employee of a payment instrument issuer discloses any confidential information relating to any person except as required or ordered by a court, law, legally authorized person, or the NBE, they may be punished with rigorous imprisonment from 10 to 15 years and with a fine from ETB 50,000 (approx. $901) to ETB 100,000 (approx. $1,803). The NBE may also take its own administrative measures in accordance with the National Payment System Proclamation.
9.1. Enforcement decisions
Not applicable.