
Ethiopia's Personal Data Protection Proclamation
On July 24, 2024, Ethiopia introduced the Personal Data Protection Proclamation (Proclamation No. 1321/2024), establishing a comprehensive framework for data protection in the country. Previously, Ethiopia lacked a unified data protection system, with related provisions dispersed across various laws. The new legislation addresses this gap by setting principles for data processing, defining the rights of data subjects, and specifying the responsibilities of data controllers and processors. The Ethiopian Communications Authority (ECA) serves as the national data protection authority, tasked with regulating privacy and data protection matters within its jurisdiction.
Ethiopia's Personal Data Protection Proclamation: A Comprehensive Overview
Scope and Applicability
Territorial scope
The Proclamation primarily applies to data processing activities conducted within Ethiopia, regardless of whether the data controller is based in the country. Additionally, it extends its scope to certain processing activities performed outside Ethiopia if they involve equipment located within Ethiopian territory.
Material scope
The Proclamation governs both automated and manual processing of personal data, provided the data is part of a filing system or intended to be included in one. However, it does not apply to the following:
Personal or household activities.
Information exchange between government agencies on a need-to-know basis.
Processing activities where the application of the Proclamation is explicitly restricted.
Data that merely passes through Ethiopia in transit.
Legal bases
Consent
Contract with the Data Subject
Legal Obligation
Public Interest
Interest of the Data Subject
Legitimate Interests of the Data Controller
Principles
The Proclamation establishes core principles of data protection law, including the following:
Lawful, Fair, and Transparent Processing: Data must be processed lawfully, fairly, and transparently. It should be collected for specific purposes and retained only as necessary. For sensitive data categories, explicit consent from individuals or a demonstration of compelling public interest is required. Individuals must be informed about how their data is processed, ensuring compliance with applicable laws.
Purpose Limitation: Data should only be collected for specified, legitimate purposes and must not be used beyond those purposes.
Data Minimization: Only the data necessary for the intended purpose should be collected, and it must be kept accurate and up-to-date.
Storage Limitation: Personal data should not be retained longer than necessary for the purposes for which it was collected.
Integrity and Confidentiality: Adequate security measures must be implemented to safeguard data against unauthorized access, disclosure, alteration, or destruction.
Data Sovereignty: Personal data collected or obtained within Ethiopia must be stored locally. The Proclamation also ensures the protection of personal data during cross-border transfers, requiring appropriate safeguards to prevent unauthorized access or misuse.
Controller and Processor Obligations
Data processing notification
The Proclamation mandates that data controllers and processors must register with the ECA to process personal data. Each purpose must be separately registered if data is processed for multiple purposes. The ECA may also set registration requirements through a Directive.
Data transfers
The Proclamation establishes strict regulations for the transfer of personal data to third-party jurisdictions. Such transfers must comply with the provisions of the proclamation and ensure that the receiving jurisdiction provides an appropriate level of protection.
Data processing records
Ethiopian data controllers and processors must keep detailed records of all processing activities to ensure transparency, accountability, and compliance with data protection laws.
Data protection impact assessment
The Proclamation in Ethiopia mandates that data controllers and processors perform a Data Protection Impact Assessment (DPIA) before specific processing activities. This proactive step aims to identify and address potential risks to individuals' privacy rights.
Data Protection Officer appointment
The Proclamation in Ethiopia requires certain data controllers and processors to appoint a Data Protection Officer (DPO) to ensure compliance with data protection laws and safeguard individuals' privacy.
Data Breach Notification
The Ethiopian Proclamation mandates a notification process for personal data breaches. This ensures that both the relevant authority and affected data subjects are informed of any security incidents that may compromise personal data.
Data Retention
Data controllers and processors in Ethiopia must store and retain personal data only for a reasonable period necessary to fulfill the original purpose of processing or as prescribed by law.
Children's data
The Proclamation in Ethiopia includes specific provisions for processing minors' personal data, prioritizing their rights and best interests while ensuring responsible data handling.
Special categories of personal data
Under Article 53 of the Proclamation, data controllers are generally prohibited from disclosing information related to the following:
National security, defence, or public security.
Historical, statistical, or scientific research.
Objectives of general public interest, including the state's economic or financial interests.
Protection of judicial independence and proceedings.
Protection of a data subject or the rights and freedoms of others.
Data Subject Rights
The right to be informed includes the right to access, rectification, and deletion, as well as the right to object/opt out and data portability. It also includes the right not to be subject to automated decision-making.
Penalties
The Proclamation imposes penalties for data protection violations. Individuals who fail to report data breaches, implement security measures, or process data improperly may face 1-3 years in prison and fines of 60,000-100,000 Birr (approx. $498-$830). More severe penalties, including 3-5 years in prison and fines of 100,000-200,000 Birr (approx. $830-$1,659), apply for violations that infringe on data subjects' rights. Those who re-identify de-identified data, sell personal data, or illegally transfer it outside Ethiopia face even harsher penalties, with imprisonment of 5-10 years and fines of 200,000-600,000 Birr (approx. $1,659-$4,976). Institutions can be fined up to 4% of their total global turnover from the previous year for these offenses.