First structured personal data protection proclamation in the making


Ethiopia’s first structured personal data protection proclamation is to be enacted as one of the first proclamations which are expected to be approved by the council of ministers earlier this Ethiopian year. The Ministry of Innovation and Technology after issuing the first comprehensive data protection proclamation draft has submitted the document to the council of ministers.
“Ethiopia does not have a single and comprehensive legal instrument regulating privacy and data protection, including the obligations of data controllers and processors, as well as the rights of data subjects in general,” said Mandefro Eshete Phd, Legal advisor to the Ministry of Innovation and Technology/ MINT/ adding that however there are rules contained in the constitution and other laws that deal directly or indirectly with data privacy and data protection.
Even if there are no comprehensive guidelines for data protection and no national data protection authority in the country, some sector-specific government authorities have the power to regulate privacy and data protection issues within their regulatory scope.
As Mandefro said, as the country is highly working on digitalization and there could be high transformation of data from one to one and from individuals to companies; the law will be important to guide the use and protection of this data in a compressive way. As he said after certain discussion with different stakeholders and continued review, the draft is now on the last stage of approval by the council.
Ethiopia is also a party to a number of international and regional human rights instruments that provide for the right to privacy and protection of personal information including the Universal Declaration on Human Rights 1948, International Covenant on Civic and Political Rights 1966, the Convention of the Rights of the Child 1989, and the African Charter on Rights and Welfare of the Child 1990. According to Article 9 of the Constitution, these and other human rights instruments ratified by Ethiopia form an ‘integral part’ of the laws of the country.
In the country, the main laws which provide for privacy and data protection rules include: the Constitution; Registration of Vital Events and National Identification Cards Proclamation No. 760/2012, Federal Tax Administration Proclamation No.983/2016, Authentication and Registration of Documents’ Proclamation No.922/2015, Electronic Signature Proclamation No.1072/2018, Electronic Transaction Proclamation No.1205/2020, Licensing and Authorization of Payment Instrument Issuers Directive No. ONPS/01/2020, Financial Consumer Protection Directive No. FCP/01/2020.
Also on Articles 604 to 606 of the Criminal Code criminalize the violation of privacy safeguards guaranteed under the constitution. Pursuant to Articles 604 and 605 of the Criminal Code, whoever commits any of the enumerated acts constituting a violation of the privacy of a domicile or restricted area is punishable with up to five years of imprisonment in aggravated cases.
The most recent version of the Draft Data Protection Proclamation contains detailed provisions on data collection, use, protection and processing, and provides for the establishment of a regulatory entity called the Data Protection Commission.
The draft provides for the definition of ‘personal data’ and sets out the principles (the principle of fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, security, and data transfer) governing the processing of personal data. It also contains the fundamental rights of data subjects including the right to be informed, right of access, right to rectification, right to erasure, right to object, right not to be subject to an automated decision making, right to restriction and right to data portability. The Draft Data Protection Proclamation defines ‘personal data’ as any information relating to an identified or identifiable natural person who can be identified. Moreover, the Draft Data Protection Proclamation lists certain personal information as ‘sensitive personal data.’ This category of personal data includes information on racial or ethnic origin, political opinion, religious belief, membership to a trade union, physical, and mental health condition, sexual life, genetic information, commission, or alleged commission of a crime and legal proceeding against the subject.