Million Alemu Legal Services

Introduction

It can be said that Ethiopia has long acknowledged the importance of privacy and data protection as enshrined in its Civil Code and Constitution, yet it lacked a comprehensive, modern and unified framework for data protection. Previously, laws related to personal data protection were scattered across various legal instruments, including the Constitution, the Civil Code, the Criminal Code, and numerous other proclamations. This fragmented approach often led to inconsistencies and huge gaps in safeguarding personal information.

The enactment of the Personal Data Protection Proclamation No. 1321/2024 (the “Proclamation”) represents a significant advancement in Ethiopia’s data protection landscape. By consolidating these dispersed provisions into a unified legal framework, the Proclamation addresses previous gaps and provides clear guidelines for managing personal information.

This Legal Update offers a general overview of the Proclamation and will introduce the core aspects of this new legislation. We will cover the general purposes of the Proclamation, key concepts and definitions, fundamental principles, the rights of data subjects, the obligations of data controllers and processors, data transfer restrictions, enforcement mechanisms, and the implications for businesses and individuals. This introductory legal note aims to provide a foundational understanding of how the Proclamation will impact data protection practices in Ethiopia.

1.     General Purposes of the Proclamation

As it can be concluded from the preamble of the Personal Data Protection Proclamation No. 1321/2024 and the overall reading of the law, the Proclamation serves several critical purposes:

1.1.Rectifying the Fragmented Data Protection Landscape: The Proclamation aims to address the absence of comprehensive laws and a dedicated regulatory authority concerning personal data protection in Ethiopia. By establishing a unified legal framework, it seeks to create a robust system for safeguarding personal data and preventing violations during its collection and processing.

1.2.Supporting the Growth of Digital Services: In response to the expanding scope of digital technology and services, the Proclamation is designed to ensure that personal data collected for these services is handled responsibly. This supports the efficient delivery of digital services tailored to user needs while promoting social and economic development.

1.3.Mitigating Risks and Addressing Data Breaches: The Proclamation emphasizes the need for effective solutions to manage personal data breaches and reduce risks associated with data processing. It seeks to foster a culture of responsible data management and provide mechanisms to address breaches and minimize associated risks.

1.4.Encouraging Innovation and Building Trust: By establishing clear guidelines for data protection, the Proclamation aims to encourage innovation within the digital economy. It seeks to build trust among users and businesses by ensuring that personal data is processed securely and responsibly.

1.5.Aligning with International Standards: The Proclamation strives to align Ethiopia’s data protection framework with international standards. This alignment facilitates cross-border data transfers and capitalizes on the opportunities presented by global data exchange, ensuring that personal data is adequately protected while engaging in international transactions.

 2.     Core Concepts and Definitions

The Proclamation establishes several key definitions to clarify the scope and application of the law. Some of the basic and core concepts and definitions are as follows:

2.1.Data: Refers to information that:

(a)   Is processed by automated means in response to specific instructions.

(b)   Is collected with the intention of being processed by automated means.

(c)   Is recorded as part of a filing system or with the intention of forming part of such a system.

(d)   Is included in any other accessible public record, regardless of its method of collection or processing.

2.2.Personal Data: Refers to any information that relates to an identified or identifiable natural person. This includes information that can identify an individual directly or indirectly through:

(a)   Names

(b)   Identification numbers

(c)   Location data

(d)   Online identifiers

(e)   Any factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural, or social identity.

2.3.Data Subject means an individual who is the subject of personal data.

2.4.Data Controller is defined by the proclamation as any person which, alone or jointly with others, process personal data and determine the purpose and means of processing of personal data.

2.5. As per the Proclamation, Data Processor means any person other than an employee of the data controller who processes the data on behalf of the data controller.

The Proclamation also recognizes and defines other essential terms, including Genetic Data, Traffic Data, Sensitive Personal Data, Biometric Data, Personal Data Breach and other fundamental terms which are crucial for a comprehensive understanding and application of the law.

The proclamation doesn’t provide what Data Protection is but generally it is the process of protecting sensitive data from damage, loss or exploitation. This information can come from a variety of areas, but primarily refers to personal information. Simply, data protection is a combination of data privacy and data security.

3.     Scope of the Proclamation’s Application

The Proclamation applies to the processing of personal data in the following contexts:

3.1.Processing Covered

 The proclamation applies to both automated processing of personal data and manual processing where data forms part of a filing system or is intended to form part of one.

3.2.Geographical and Entity Scope

3.2.1.      The Proclamation applies to data controllers and data processors established in Ethiopia when processing data in the context of their establishment.

3.2.2.      It also applies to entities not established in Ethiopia but using equipment within Ethiopia for data processing, provided they have a representative established in Ethiopia.

3.3.Institutional Applicability

3.3.1.      The Proclamation covers private and public institutions, including federal and regional government bodies and city administrations (Addis Ababa and Dire Dawa) that process personal data.

3.4.Exemptions

3.4.1.      Processing by individuals in the course of purely personal or household activities.

3.4.2.      Exchanges of information between government agencies on a need-to-know basis.

3.4.3.      Data processing restricted by other provisions of the Proclamation.

3.4.4.      Data originating from outside Ethiopia and merely transiting through Ethiopia to a third country.

The Scope of Application provided in the Proclamation establishes clear boundaries for the applicability of the law, ensuring that it effectively covers relevant data processing activities within Ethiopia while accommodating the presence of international entities.

4.     The Fundamental Principles of the Data Protection

The Proclamation lays down seven essential principles that ensure the responsible and ethical processing of personal data. These principles set the standards for lawfulness, fairness, and transparency, safeguarding individuals’ privacy and enhancing data protection practices. The principles of personal data protection are as follows:

4.1.Lawfulness

Personal data must be processed in accordance with legal requirements. This means that processing activities must be based on a legitimate legal basis as defined by the Proclamation.

4.2.Fairness

Data processing should be conducted fairly, avoiding any practices that may be unjust or detrimental to data subjects. Fairness involves treating individuals’ data with respect and consideration.

4.3.Transparency

Data processing must be transparent to data subjects. They should be informed about how their data is collected, used, and processed, including the purposes and any third parties involved.

4.4.Purpose Limitation

Personal data should be collected for specific, explicit, and lawful purposes. It must not be further processed in a manner that is incompatible with those original purposes.

4.5.Accuracy

Data must be accurate and, where necessary, kept up to date. Inaccurate or outdated data should be corrected or erased to maintain its reliability.

 4.6.Storage Limitation/Data Minimization

Personal data should be retained only for as long as necessary to achieve the purposes for which it was collected. Data should not be kept longer than required for its intended use.

4.7.Sovereignty of Data

Data processing must respect the sovereignty of data, ensuring that personal data is processed in a manner consistent with the legal and ethical standards of Ethiopia, and that the rights of data subjects are upheld

5.     Rights of Data Subjects

The Proclamation empowers individuals with significant rights concerning their personal data. These rights are designed to give data subjects control over how their personal information is collected, used, and managed, ensuring that their privacy is protected. The key rights granted to data subjects under this law include:

5.1.Right to Be Informed

Individuals have the right to be fully informed about the collection and use of their personal data. This includes knowing who is collecting the data, the purpose of processing, and with whom their data may be shared.

5.2.Right of Access

Data subjects have the right to access their personal data held by any organization. This allows them to understand what data is being processed and to verify its lawfulness.

Right to Rectification:

Individuals can request the correction of inaccurate or incomplete personal data. This right ensures that the information held is accurate and up-to-date.

5.3.Right to Erasure ("Right to Be Forgotten")

Data subjects can request the deletion of their personal data under certain circumstances, such as when the data is no longer needed for the purposes for which it was collected, or when they withdraw their consent.

5.4.Right to Object

Individuals have the right to object to the processing of their personal data, particularly in cases where the data is being processed for direct marketing purposes or based on the legitimate interests of the data controller.

5.5.Right to Restriction of Processing

Data subjects can request that the processing of their personal data be restricted in certain situations, such as when they contest the accuracy of the data or when they need the data to be preserved for legal claims.

5.6.Right Against Automated Decision-Making

Individuals have the right to not be subject to decisions made solely on automated processing, including profiling, which significantly affects them. This ensures that important decisions are not made without human intervention.

5.7.Right to Data Portability

Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance. These rights collectively reinforce the power of individuals to control their personal data, ensuring greater transparency, accountability, and respect for privacy.

6.     Notification Requirements in Case of a Personal Data Breach

Data controllers are mandated to promptly notify the relevant authority of any personal data breach within 72 hours of its occurrence. This notification must include comprehensive details about the breach, its potential impact, and the corrective actions taken to address the situation. Data processors also have an obligation to inform the data controller of any breaches they become aware of, ensuring a swift and coordinated response.

7.     Complaints and Appeals Process

Individuals have the right to file complaints with the relevant authority regarding any violations of their personal data rights. The authority is required to investigate these complaints and provide the complainant with a resolution within 21 days. Should the individual be dissatisfied with the authority's decision, they may appeal to the Federal High Court within 60 days.

8.     Ensuring Compliance with the Personal Data Protection Proclamation

To adhere to the Personal Data Protection Proclamation, businesses must undertake a thorough data audit to identify and evaluate their data processing activities. Following this audit, companies should update their contracts and policies, enhance data security measures, appoint a Data Protection Officer (if necessary), develop a robust data breach response plan, conduct data protection impact assessments for high-risk activities, and regularly review and monitor compliance to mitigate risks.

9.     Administrative Fines for Violations

When determining the appropriate fine for data protection violations, the authority will consider factors such as the nature and duration of the violation, the harm caused to data subjects, the intent of the violator, the steps taken to mitigate any damage, and any previous violations. The onus is on the data controller to demonstrate that their processing of personal data is lawful. Non-compliance with data protection regulations, including failing to report breaches or mishandling personal data, can lead to severe consequences, such as imprisonment, substantial fines, or both. The severity of the punishment depends on the nature of the offense, particularly if it involves sensitive data, minors, or specific institutions.

10. Implications of the Proclamation on Individuals and Business

10.1.        Major Implications of the Proclamation on Business

10.1.1.  Compliance Requirements: Businesses must align their data processing practices with the Proclamation's principles, including ensuring lawful, fair, and transparent data handling, maintaining data accuracy, and implementing robust security measures.

10.1.2.  Operational Changes: Companies may need to update their data handling procedures, revise privacy policies, invest in new technologies, and possibly appoint a Data Protection Officer (DPO) to manage compliance effectively.

10.1.3.  Increased Liability and Risk: Non-compliance with the Proclamation can result in significant legal and financial penalties, including administrative fines or imprisonment, particularly for those handling sensitive data or operating in high-risk sectors.

10.2.        Implications on Individuals

10.2.1.  Enhanced Rights: Individuals now have greater control over their personal data, with rights such as access, rectification, erasure (right to be forgotten), and data portability, empowering them to manage their information more effectively.

10.2.2.  Increased Awareness and Empowerment: The Proclamation raises awareness about personal data rights, encouraging individuals to make more informed decisions about data sharing and scrutinize how businesses handle their information.

10.2.3.  Legal Recourse: Based on the provisions of the Proclamation, individuals can file complaints with the relevant authority if their data protection rights are violated and seek judicial remedies if necessary, providing a clear pathway to address grievances and hold organizations accountable.

Conclusion

In conclusion, the enactment of the Personal Data Protection Proclamation No. 1321/2024 marks a significant leap forward in Ethiopia’s data protection landscape by unifying previously fragmented regulations and introducing a comprehensive set of rules and framework.

This Proclamation addresses critical gaps in personal data protection, supporting the growth of digital services, and mitigating risks associated with data breaches. By establishing clear principles and empowering individuals with robust rights, such as access, rectification, and data portability, it enhances transparency and control over personal information.

The Proclamation also emphasizes compliance requirements for businesses, including data audits and security measures, while introducing severe penalties for violations to ensure accountability. Overall, this landmark legislation aligns Ethiopia’s data protection standards with international norms, fostering trust and encouraging responsible data management in the digital age.

Disclaimer: This legal update is for informational purposes only and does not constitute legal advice. Million Alemu Legal Service assumes no responsibility for any actions taken based on the information contained herein.

Should you need any legal advice in this regard, please contact Million Alemu Legal Service. We are your trusted legal partners and can guide you through the legal process. Feel free to reach out to us at Cette adresse e-mail est protégée contre les robots spammeurs. Vous devez activer le JavaScript pour la visualiser..

Quality Legal Services, Timely Results!!