Date: May 29, 2024
1. Introduction
Ethiopia followed a sector-specific approach in protecting personal data until the promulgation of Proclamation No. 1324/2024 (hereinafter “the Proclamation”). The earlier approach was not exhaustive, with specific laws limited to a few sectors such as banking, telecom, and computer networks. Broader rules existed under the FDRE Constitution and the Civil Code, but they were inadequate and lacked comprehensive coverage. With the new Proclamation, Ethiopia has shifted to an EU‑style comprehensive data protection law. This legal update highlights key features of the Proclamation.
2. Justification for the Proclamation
The Proclamation’s justification, as stated in its preamble, is grounded in both rights‑based and utilitarian considerations. The rights‑based rationale builds on Article 26 of the FDRE Constitution, which guarantees the right to privacy and obligates public officials to respect and protect it. In the digital age, risks of privacy violations—whether by government surveillance or non‑government entities—have increased. International instruments such as Article 12 of the UDHR and Article 17 of the ICCPR reinforce privacy protections.
The Proclamation responds to these vulnerabilities and provides specific conditions under which the right to privacy may be limited. It also recognizes the role of personal data protection in supporting digital economy initiatives, including participation in online services, financial technology, ID systems, telecommunications liberalization, and investment reforms.
The Proclamation additionally aims to address gaps affecting prospective domestic and foreign investors seeking to establish data centers in Ethiopia.
3. Scope of Application
The Proclamation applies to data processing by public and private institutions at federal and regional levels, including Addis Ababa and Dire Dawa. Although the Constitution does not explicitly assign the federal government authority over data protection, the Proclamation introduces a uniform national framework, recognizing the cross‑regional nature of digital data flows.
The Proclamation covers automated and non‑automated processing of personal data where such data is part of a filing system. It does not apply to:
- purely personal or household activities;
- necessary information exchange between government agencies on a need-to-know basis;
- processing exempted under the Proclamation;
- personal data originating outside Ethiopia that merely transits through the country.
4. Understanding Personal Data
Personal data refers to any information relating to an identified or identifiable natural person. It includes direct identifiers (e.g., name, ID number) and indirect identifiers (e.g., name combined with birth date). The Proclamation protects only natural persons—not legal persons.
Sensitive personal data includes information relating to racial or ethnic origin, biometric data, health status, political opinions, religious beliefs, criminal records, communications data, and any category designated by the Authority.
5. Some Key Concepts
- Data: Information processed automatically or recorded for processing.
- Data Controller: Person or entity determining purposes and means of processing.
- Data Processor: Person or entity processing data on behalf of a controller.
- Data Subject: Natural person to whom the data relates.
- Personal Data Breach: Unauthorized access, loss, alteration, or destruction.
- Processing: Any operation performed on personal data.
- Consent: Freely given, specific, informed, unambiguous agreement.
6. Purpose and Scope of the Proclamation
The Proclamation establishes a comprehensive personal data protection system aligned with international standards. It regulates data processing activities, cross‑border data transfers, obligations of controllers and processors, and rights of data subjects.
7. Regulatory Organ
The Ethiopian Communications Authority (ECA) is designated as the regulator. Its responsibilities are:
- enforcing the Proclamation;
- monitoring processing of personal and sensitive data;
- maintaining a register of controllers and processors;
- conducting investigations and taking administrative measures;
- obtaining injunctions to preserve vulnerable data.
8. Rights of Data Subjects
- Right to be informed
- Right to post‑mortem protection (10 years)
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to object to processing
- Right not to be subject to automated decision-making
- Right to data portability
9. Principles of Data Processing
The Proclamation provides principles that must guide all processing activities:
- Lawfulness
- Proportionality
- Prior authorization/consultation where high risks exist
- Record‑keeping
- Fairness and transparency
- Purpose limitation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Security of personal data
- Cross‑border data transfer restrictions
- Data sovereignty
- Data protection impact assessments
10. Dispute Settlement
Data subjects may file complaints with the Authority within 21 days. The Authority must issue a written decision within 21 days.
11. Registration of Controllers and Processors
Data controllers and processors must register with the Authority. Certificates are valid for two years and renewable. Grounds for cancellation are provided by law.
12. Notification of Data Breach
Controllers must notify the Authority within 72 hours of a breach and inform affected data subjects unless exempted. Data processors must notify controllers without undue delay.
13. Non‑Compliance
- Failure to notify breaches or implement safeguards: 1–3 years imprisonment or ETB 30,000–50,000 fine.
- Failure to erase data, respect objections, or restrict processing: 3–5 years imprisonment or ETB 50,000–100,000 fine.
- Re‑identifying or selling personal data, or unlawful transfers: 5–10 years imprisonment or ETB 100,000–300,000 fine.
If the offender is a legal entity, fines may reach up to 4% of worldwide turnover.