
Ethiopia: General overview of Ethiopia's first personal data protection proclamation in light of the EU GDPR

The digital landscape continuously evolves, demanding strong and robust frameworks to safeguard personal data. Many countries have put in place laws to protect the privacy and security of individuals and organizations. On April 4, 2024, Ethiopia, which hitherto did not have any comprehensive data protection rules except for those scattered in financial and media laws, took a significant step forward by enacting the Personal Data Protection Proclamation (Proclamation No. 1321/2024) (the Proclamation).

One of the most prominent pieces of legislation in the realm of personal data protection is the European Union's General Data Protection Regulation (GDPR), which significantly strengthens privacy rights for individuals in the European Economic Area. Due to its comprehensive nature and its extensive geographical application, the GDPR can serve as a valuable reference standard. In this Insight article, Fitsum Sitotaw, from DABLO Law Firm LLP, gives a general overview of the Ethiopian Proclamation in light of the GDPR.


Background and context

Several factors necessitated the Ethiopian Private Data Protection Proclamation. Acknowledging the absence of a comprehensive law governing personal data in Ethiopia, the preamble of the Proclamation justifies the need for a dedicated law from human rights, economic, and globalization perspectives. It aims to maximize the benefits of cross-border transfers of data, respect international standards, protect fundamental rights and freedoms with regard to personal data, and build an effective digital economy.

In this regard, the Proclamation shares the rationale of the GDPR to uphold the right to the protection of personal data as a fundamental right. Notably, the GDPR's preamble extends the necessity of the Regulation for ensuring security and justice, the free flow of personal data, freedom of thought, conscience, and religion, freedom of expression and information, freedom to conduct business, and many more.

Scope and applicability

The Proclamation and the GDPR share a similar material scope, both applying to 'the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system,' as outlined in Article 3(1) of the Proclamation and Article 2(1) of the GDPR.

According to Article 3(2), the Proclamation applies to data controllers and data processors with respect to any personal data only if they are established in Ethiopia and the data is processed in the context of that establishment, or if they are not established in Ethiopia but use equipment in Ethiopia for processing the data otherwise than for the purposes of transit through Ethiopia and have a representative established in Ethiopia. The Proclamation applies to both private and public institutions falling under these classifications. Similar to Article 2(2)(c) of the GDPR, exceptions to the Proclamation's application include the processing of personal data by an individual for purely personal or household activities, the exchange of information between government agencies where such exchange is required on a need-to-know basis, and the activities listed under the Proclamation's chapter on exemptions. Territorially, the Proclamation does not apply to activities that originate outside of Ethiopia and merely transit through the country, while the GDPR sets its respective scope within the European Union.

Core principles

Consent and lawful processing of personal data

Processing of personal data fundamentally requires the consent of the data subject, as stipulated in Article 7(2)(a) of the Proclamation. Such consent shall be given before the commencement of the processing and must be free, informed, specific, and clear, and must require an affirmative action from the data subject. The request for consent shall be distinguishable and separate from other terms and conditions. The burden of proof to establish that consent was obtained lies with the data controller. The Proclamation also states that consent can be withdrawn by the data subject at any time. However, withdrawal does not operate retroactively, meaning data processing performed prior to withdrawal remains lawful.

Consent is not the only requirement for lawful processing of personal data. The processing must be:

  • necessary;
  • related to the fulfillment of a contract with the data subject;
  • necessary for compliance with the data controller's legal obligations;
  • necessary to protect vitally important interests of the data subject; or
  • necessary to respond to a public health crisis or national emergency, to fulfill functions of public authority within the limits of the law, or for other legitimate interests of the data controller without overriding the fundamental rights and freedoms of the data subject.

Data processing must be necessary, proportionate, and bound by the categories of data, purpose, storage period, and possible disclosure determined as per Article 7 of the Proclamation.

While these are the conditions for lawful data processing, the Proclamation prohibits the processing of sensitive personal data, which includes racial or ethnic origins, genetic or biometric data, physical or mental health conditions, political opinions, membership of a trade union, religious beliefs, the commission or alleged commission of an offense, communication data including content and metadata, and other data to be determined by the Ethiopian Communications Authority (the Authority). Exceptionally, sensitive data may be processed in accordance with Article 9(2) of the Proclamation. The exceptions include explicit consent by the data subject, protection of the life and health of a person, and for medical treatment, among others. The Proclamation also provides conditions for processing the personal data of a child, which imposes additional obligations on the data controller, who is required to obtain consent from the parent, guardian, or tutor of the child, and that the personal data of a child cannot be processed for marketing or profiling purposes or for the merging of profiles. It is also important to note that the Proclamation adopts the GDPR's definition of a child as a person under the age of 16.

Other principles

The Proclamation recognizes the principles of fairness, transparency, accuracy, integrity, confidentiality, data transfer, and data sovereignty. All data controllers and data processors are required to store personal data locally. However, they may transfer personal data to a third-party jurisdiction if that third-party jurisdiction provides the appropriate level of protection, the data subjects give explicit consent, the transfer is necessary, or the transfer is made from a register intended to provide information to the public. For sensitive personal data, a cross-border transfer is subject to the approval of the Authority.

In this regard, the Proclamation and the GDPR are broadly similar, although the latter provides more detailed conditions for the transfer of personal data. The EU Commission takes into account additional conditions, such as the rule of law, respect for human rights, and fundamental freedoms, to assess the adequacy of the level of protection before allowing data transfers.

Data subject rights and obligations

The GDPR recognizes a data subject's right to:

  • be informed;
  • access;
  • rectification;
  • erasure (right to be forgotten);
  • restriction of processing;
  • data portability;
  • object;
  • not be subject to solely automated decision-making; and
  • lodge a complaint with a supervisory authority.

Correspondingly, the Proclamation also recognizes, with exceptions, the right to:

  • be informed;
  • access;
  • rectification;
  • erasure;
  • object to the processing of personal data;
  • not be subject to solely automated decision-making; and
  • data portability.

A distinctive feature of the Proclamation is that it limits the duration of the privacy rights of a data subject. According to Article 23 of the Proclamation, privacy rights remain valid for 10 years after the death of the data subject. During that period, the lawful heirs may invoke the rights of the data subject; however, the heirs' consent is not required if the processed personal data contains only the data subject's name, sex, dates of birth and death, the fact of death, and the time and place of burial.

Data controllers and data processors

Who are data controllers and data processors?

Under Ethiopian Law, a data controller is any person who, alone or jointly with others, has decision-making power concerning data processing, while a data processor is any person other than an employee of the data controller who processes the data on behalf of the data controller by virtue of Articles 2(7) and (8) of the Proclamation. These definitions are essentially similar to Articles 4(7) and (8) of the GDPR.

Registration of data controllers and data processors

Data controllers and data processors are required to be registered in Ethiopia pursuant to Article 33 of the Proclamation. Detailed requirements for registration will be determined by a forthcoming directive. Any interested member of the public has the right to access the register and obtain a duly certified written copy of the particulars contained therein.

Appointment of a data protection officer

Similar to Article 37 of the GDPR, Article 40 of the Proclamation requires data controllers and data processors to appoint a designated data protection officer (DPO) where the processing is carried out by a public body except for courts acting in their judicial capacity, where the processing consists of regular and systematic monitoring of data subjects on a large scale, or where the processing is done on sensitive personal data on a large scale. The DPO is tasked with advising on data processing requirements, ensuring that the processing complies with the law, facilitating capacity building, providing advice on Data Protection Assessments, and cooperating with different authorities concerning data protection matters.

Obligations of data controllers and data processors

The Proclamation imposes several obligations on data controllers and data processors corresponding to Article 24 and the subsequent provisions of the GDPR. In addition to designating a DPO, data controllers and data processors are obligated to implement appropriate data security and organizational measures, keep a record of all processing operations, perform a Data Protection Impact Assessment (DPIA), and comply with the requirements for prior authorization or consultation from and with the Authority.

Regarding personal data breaches and their management, Article 43 of the Proclamation provides that data controllers are required to notify a personal data breach to the Authority within 72 hours after having become aware of it. The contents of the notification are similar to those under Article 33(3) of the GDPR. Both legislations also require the data controller to notify the data subject about the personal data breach without undue delay, or within 72 hours in Ethiopia's case. However, the data controller may not be required to make such notification if it meets three conditions:

  • the data was properly encrypted or otherwise protected;
  • the data controller took steps to ensure the risk of harm from the breach is no longer likely; and
  • informing everyone would be impractical; in that case, a public announcement can be made instead.

One obligation unique to the Ethiopian Proclamation is the duty of data controllers and data processors to keep logs of personal data processing and reading activities. The logs shall record why data was accessed, shared, or transmitted, the date and time of the activity, who performed the activity, and who received the data. The logs are used to verify whether data handling complied with the law, to monitor internal activity, to ensure data security, and to assist with legal investigations. The Authority will determine how long these logs must be kept.

The other obligation explicitly envisaged under Article 50 of the Proclamation but not under the GDPR is the duty to destroy personal data. While the GDPR recognizes the data subject's right to erasure (the right to be forgotten) and obligates the data controller to erase personal data when certain conditions are met, it does not expressly pass that obligation on to the data processor. The Proclamation, on the other hand, obligates the data controller to notify the data processor, whereupon the data processor becomes obligated to destroy the data specified by the data controller.

Exceptions or derogations

Articles 53 and 54 of the Proclamation provide exceptions or derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, similar to that of Article 89 of the GDPR.

Enforcement mechanisms and compliance

The Authority is mandated to monitor personal data-related activities in Ethiopia. It can issue enforcement orders requiring non-compliant data controllers or processors to comply within a given period of time, and follow up on those orders.

In addition to the Authority's monitoring activities, complaints may also come from data subjects to remedy violations of their rights pursuant to Article 58 of the Proclamation. The Authority would then investigate the complaint and notify the data subject of its decision within 21 days. The data subject, if not satisfied with the decision, may institute an appeal to the Federal High Court within 60 days.

A complaint may also be made against a decision rendered by a data controller or a data processor according to Article 61 of the Proclamation. Similarly, the Authority would render its decision on the administrative complaint in writing within 21 days. The Authority is required to notify the concerned data controller or processor and any other affected person before making its decision. After looking into the complaint, it may authorize a mediator to handle the appeal. The administrative procedures to handle complaints will be further determined by a directive to be issued by the Authority.

Regarding the burden of proof, Article 63 of the Proclamation provides that the burden of proof lies with the data controller when it refuses to grant the request of the data subject by claiming an exemption.

Criminal and administrative penalties and sanctions for non-compliance

The Proclamation empowers the Authority to impose 'effective, proportional, and dissuasive' administrative fines on anyone violating the Proclamation. Before issuing a fine, the Authority will consider several factors, including the severity of the violation, the harm caused, whether it was intentional or accidental, and if steps were taken to fix the problem. The Authority will also consider the past history of the offender and any relevant benefits they gained from the violation.

By virtue of Article 60 of the Proclamation, the administrative fines for violations could be up to 4% of the wrongdoer's total worldwide turnover of the preceding financial year where the offense was committed by an institution in relation to sensitive data or the personal data of a child. Similarly, Article 83(5) of the GDPR imposes the same administrative fines for a slightly broader nature of violations.

Furthermore, the Proclamation also provides that failing to notify a data breach, not implementing technical and organizational measures when a breach is committed, or processing personal data in violation of the Proclamation is punishable with simple imprisonment from one to three years, a fine of between ETB 30,000 (approx. $520) and ETB 50,000 (approx. $870), or both. Those who fail to erase personal data upon request, disregard the right to object to data processing, unlawfully restrict processing, or do not respect the right against automated decisions face serious imprisonment from three to five years, fines ranging from ETB 50,000 (approx. $870) to ETB 100,000 (approx. $1,740), or both.

Thirdly, acts such as re-identifying anonymized data, processing such re-identified data, selling personal data, or transferring data outside of Ethiopia in violation of the law are punishable with serious imprisonment ranging from five to 10 years, fines of between ETB 100,000 (approx. $1,740) and ETB 300,000 (approx. $5,225), or both.

The amount of monetary administrative fines imposed by the Proclamation is much lower than the fines under Article 83 of the GDPR. In fact, the highest administrative fine that can be imposed in Ethiopia amounts to approximately 0.05% of the lowest administrative fine that could be imposed by Article 83(4) of the GDPR unless the Authority opts to penalize 4% of the wrongdoer's total worldwide turnover.

It should also be noted that the Proclamation imposes a duty to cooperate with the Authority so that it can meet its objective and purpose. Failing to cooperate with such an entrusted governmental authority may on its own entail criminal liability by virtue of the Ethiopian Criminal Code.

Conclusion

Considering that the Proclamation was enacted very recently, in April 2024, the practical implications on existing and newly entering data processors and data controllers are yet to be realized.

The Proclamation upholds important principles and notions embedded in the GDPR, which is indicative of the future prospects for data protection in Ethiopia. Aligning data protection laws with international standards is crucial in this modern age. In this regard, the Proclamation could potentially elevate the country's legal regime for protecting personal data to a level in line with international standards. The Proclamation will benefit from further legislation, such as a regulation by the Council of Ministers and directives by the Authority, that is expected to be enacted to build a thorough and comprehensive legal basis for its smooth application. The ongoing development of this legal framework will be crucial in fostering the digital economy and protecting the fundamental rights of individuals.

Fitsum Sitotaw, Head of Consultancy and Compliance
DABLO Law Firm LLP, Addis Ababa