
Review of Ethiopia’s Data Protection Act

Written by Dorcas Tsebee and Victoria Adaramola

Introduction

On July 24, 2024, Ethiopia finally published its Personal Data Protection Proclamation (“the Law”) in the Federal Negarit Gazette, officially bringing it into effect. Similar to other data protection laws across Africa, the Law is made in accordance with Ethiopia’s Constitution,[1] specifically its provision on the right to privacy. Before enacting the Law, data protection was regulated by various legislation, including the Civil Code, the Computer Crimes Proclamation, the Financial Consumers Protection Directive, and the Telecommunications Consumer Rights Directive. The Law designates the Ethiopian Communications Authority as the regulatory authority and provides various obligations highlighted in this review.


Key Provisions of the Act

Scope and Application - Article 3

The Law applies to processing personal data through automated and non-automated means by data controllers and processors established in Ethiopia or, if not established in Ethiopia, using equipment in Ethiopia and having representatives in Ethiopia. The Law exempts processing by individuals for personal or household activity, processing that involves exchanging information between government agencies on a need-to-know basis, and processing where data is merely transiting through Ethiopia to a third country.

Data Protection Authority - Article 5

The Law designates the Ethiopian Communications Authority as the regulatory authority. The authority is responsible for implementing and ensuring compliance with the Law, maintaining a register of controllers and processors, issuing enforcement notices, cooperating with other data protection authorities, and imposing administrative fines in case of violations.  

Lawful Bases for Processing - Article 7

The Law provides for consent, the performance of a contract, compliance with a legal obligation, necessity based on a public health crisis or emergency, processing to fulfil the mandate of a public authority, and legitimate interest.

Processing Sensitive Data - Articles 9 and 10

The Law defines sensitive personal data as health data, political opinions, religious beliefs, criminal offences, and communications data such as content and metadata. Processing of sensitive personal data is prohibited in principle, but it is permitted on the basis of consent, the vital interest of the data subject, processing to achieve the lawful and non-commercial interest of a public organisation, medical treatment, protection of the lawful rights and interests of persons in court proceedings, or where the processing is part of the legitimate activities of a non-profit organisation and relates to its members.

Additionally, the data must not be shared externally without the individuals' consent. Furthermore, sensitive data relating to race or ethnicity can only be processed where the processing aims to ensure social justice and equality and where it is carried out with appropriate safeguards. The Act also allows the Authority to develop regulations, classifying new categories of data as sensitive data, and specifying the appropriate safeguards to ensure their security.

Processing the Data of a Minor  - Article 11

The Law defines a minor as someone under the age of 16 and allows the processing of a minor’s data only when the consent of a parent or guardian has been obtained. Data controllers are mandated to implement age verification mechanisms to confirm the age of a data subject. However, the Law prohibits the processing of a minor's data for marketing, profiling, or merging profiles.

Principles of Data Processing - Articles 12-17

Like other data protection laws across Africa, the Law provides for the principles of processing that data controllers and processors should adhere to when processing data. These principles include lawfulness, fairness, transparency, purpose limitation, accuracy, storage limitation, integrity, and confidentiality.

Cross-border Transfer of Data - Articles 18-21

The Law permits international data transfer where the Authority has issued an adequacy decision, where the data subject has given explicit consent, where the transfer is necessary, or where the transfer is made from a register intended to provide information to the public. A transfer is considered necessary where the processing is for the performance of a contract, is in the public interest, is for the establishment of a legal claim or defence, or is for the protection of the data subject’s vital interest. However, the cross-border transfer of sensitive data may only be carried out with the prior authorisation of the Authority.

Data Localisation - Article 22

The Law requires data controllers and processors to store data collected locally on a server or data centre in Ethiopia. The Authority is mandated to prescribe the categories of personal data that should only be processed in a server or data centre in Ethiopia.

Rights of Data Subjects - Articles 23-32

The Law provides for the right to be informed, access, rectification, erasure, object to processing, restrict processing, not to be subject to automated decision-making, and data portability. The Law provides for post-mortem privacy rights, which ensure that the privacy rights of deceased data subjects remain enforceable for ten years after death. The deceased data subject's lawful heir may exercise their rights at any time within ten years. However, the consent of the lawful heir will not be required to process data such as name, sex, date of birth, fact of death, and the time and place of the burial of a deceased.  

Registration of Controllers and Processors - Articles 33-39

The Law mandates all data controllers and processors to register with the Authority, and the Authority must maintain a publicly available register of all registered organisations. Where an organisation intends to function as both a data controller and a processor, it will be required to make separate applications. The Authority has the prerogative to reject the application of an entity, in which case it must notify the entity of its decision in writing within 14 days of the application. Upon acceptance of the registration, the Authority will issue a certificate, which is renewable every two years. Where there is a change in any details supplied at the point of registration, the organisation must notify the Authority.

Furthermore, the Authority may also revoke a registration where the information supplied is misleading or where there is non-compliance with the Law or with the conditions under which the registration certificate was issued. Where the Authority intends to revoke an organisation’s certificate, it shall issue a notice requesting the organisation to show, within 21 days, why the registration certificate should not be revoked. The Authority is also mandated to ensure that the Register of Controllers and Processors is accessible to the public where necessary.

Appointment of a Data Protection Officer - Articles 40-41

Government bodies and other controllers and processors whose core activities involve large-scale systematic monitoring of data subjects or the processing of significant amounts of sensitive personal data are required to appoint or designate a qualified Data Protection Officer (DPO). Group entities are allowed to appoint a single DPO, who must be accessible to each entity. The controllers and processors shall publish the DPO's contact details and communicate the same to the Authority. A DPO is expected to possess relevant academic or professional qualifications, which may include knowledge and technical skills in matters relating to data protection.

Data Breach Notification - Articles 43 and 44

Data controllers are expected to notify the Authority and the affected data subjects of a breach within 72 hours of becoming aware of it. Processors, on the other hand, should notify the controller without undue delay after becoming aware. The obligation to notify data subjects does not apply where the breach will not negatively impact the data subjects or where notification would involve a disproportionate effort. Data controllers are also mandated to document all data breaches, indicating the impact of the breach and the measures taken to address it.

Record of Processing Operations - Article 46

Data controllers and processors must maintain a record of processing operations (activities), which should specify the categories of data processed, the purpose of processing, a description of the data subjects, categories of recipients, the countries to which data will be transferred, and the retention period.

Data Protection Impact Assessment (DPIA) - Article 47

Prior to engaging in high-risk processing, controllers and processors must conduct a DPIA, especially where the processing involves sensitive data, monitoring of publicly accessible areas, or automated processing such as profiling. The DPIA should assess the purpose of the processing, its proportionality and necessity, the risks associated with the processing, and the safeguards to prevent those risks. The Law also includes the option to seek the views of data subjects on the proposed processing activity where appropriate. Like other data protection laws in Africa, Ethiopia’s Law includes the requirement to consult the Supervisory Authority where a DPIA indicates that a processing activity could pose high risks to data subjects or where the Authority considers such consultation necessary. The Authority is empowered to publish a list of processing operations that require such authorisation.

Prior Authorisation to Process Data - Article 48

The Law includes the requirement for every data controller or processor to obtain authorisation from the Authority before processing personal data. This is to ensure that the processing complies with the law. The Authority can prohibit any intended processing that does not comply with the law and recommend measures to remedy the non-compliance.

Enforcement - Articles 55-60

In case of non-compliance, the Authority may issue an enforcement notice to the organisation specifying the measures to remedy such violations. Where an enforcement notice is issued, the organisation will have 21 days to implement the recommended actions. In case of further violations, the Authority may impose administrative fines and sanctions on the organisation.

Implementing the Data Protection Act

The following strategies and best practices will help organisations effectively operationalise the provisions of the Act:

  • Registering with the Authority: All organisations processing personal data are required to register with the Authority. To comply with this requirement, organisations should establish a compliance team or assign a dedicated compliance officer responsible for managing the registration process. Prepare the necessary documents early and implement a reminder system to track the certificate's two-year renewal timeline.
  • Appointment of a Data Protection Officer (DPO): Organisations are required to promptly appoint a qualified Data Protection Officer (DPO) to ensure compliance with the Act. Choose a DPO with adequate experience in privacy, data protection, and IT security. Group companies and government bodies may appoint a single DPO to oversee multiple entities. Regular DPO training should be conducted to keep them up to date on evolving data protection laws and technological changes.
  • Implementing Data Protection Principles: Organisations should assess their data processing activities to ensure they align with the data protection principles outlined in the Act. Perform data mapping to understand how data is processed across the organisation. Adopt a “privacy by design” and “privacy by default” approach, ensuring data protection is built into every project from the outset. Develop a data protection policy that enforces compliance with the data processing principles.
  • Implementing Age Verification Mechanisms: The Act prohibits processing a minor’s data without parental consent. To comply, organisations must implement age verification mechanisms in their systems to verify users' ages and obtain consent from parents or guardians when necessary. Implement online age verification tools such as identity verification systems or simple age-gating features where consent from parents or guardians is required for minors. This may include using digital consent forms to obtain consent and digitally secure methods to store proof of consent.
  • Implementing Relevant Security Measures: In line with the Act, organisations must adopt appropriate technical and organisational measures to ensure data security. This includes developing information security policies, using encryption and pseudonymisation techniques, implementing access management controls, adopting recognised security standards to enhance security practices, and conducting regular security awareness training for all staff.
  • Conducting Data Protection Impact Assessments (DPIAs): Organisations engaging in high-risk data processing must conduct DPIAs to evaluate potential risks and identify mitigation strategies. Where possible, use automated risk assessment tools like Cealed, which allow faster assessments of new projects. Implement a DPIA template that highlights specific risk areas and maintain a record of all DPIAs conducted for regulatory reference. Consultation with the Authority should also be undertaken before the processing, as required by the Act.
  • Breach Notification: In the event of a data breach, organisations must notify the Authority and the affected data subjects within 72 hours. To achieve this, organisations must develop a clear incident response plan that outlines the steps to take, including communication with the Authority and affected data subjects. In addition, regular breach simulation exercises should be conducted to test and refine the incident response plan.
  • Operationalising Data Subjects' Rights: The Act grants specific rights to data subjects. Organisations should clearly inform data subjects of these rights and explain how to exercise them. To implement this, organisations should create an (automated) system for tracking data subject requests, ensuring timely responses. Document requests and how they were handled. Ensure all employees who handle personal data are trained on the rights of data subjects and how to handle such requests.
  • Maintaining a Record of Processing Operations: Organisations should perform a comprehensive data mapping exercise to identify all data flows, from collection to disposal, and maintain an accurate record of these. Conduct periodic reviews to ensure that records reflect current data processing activities.
  • Implementing Safeguards for International Data Transfers: Organisations transferring personal data outside of Ethiopia must ensure that appropriate safeguards are in place. Maintain a detailed register of international data transfers, documenting the type of data transferred, the countries involved, and the legal basis for the transfer. Regularly review and update transfer mechanisms to align with changing regulations or case law.
  • Complying with Data Localisation: To comply with the Act's data localisation requirements, evaluate your data storage infrastructure and establish local data centres or use cloud services with servers based in Ethiopia. Ensure that localised processing is aligned with other security and compliance standards.

Conclusion

The enactment of the Act provides a comprehensive regulatory framework for data protection in Ethiopia. Recognising that the Act sanctions non-compliance, organisations should thoroughly assess their current data processing activities to identify compliance gaps and implement the measures necessary to meet the novel obligations introduced by the Act.


[1] Article 55(1) of the Constitution of the Federal Democratic Republic of Ethiopia.