Date: May 23, 2024
The main purpose of the Proclamation is to introduce special and comprehensive personal data protection law that enables the establishment of a strong personal data protection system that aligns with international standards. Personal data is defined as any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Under the Proclamation, in order to process personal data, the data controller or the data processor shall be registered with the Ethiopian Communication Authority. The Authority is authorized to set in a directive requirements for registration. Those who meet the requirements will be issued certificate of registration valid for two years and renewable every two years.
The Proclamation provides for administrative and criminal penalties for non-compliance with the personal data protection rules. For instance, re-identifying personal data which has been de-identified; processing re-identified personal data; selling or offering to sell personal data; or transferring personal data outside Ethiopia in violation of the Proclamation is punishable with serious imprisonment from five years to ten years or fine from one hundred thousand to three hundred thousand Birr or both. If the offence is committed by a legal entity, it is punishable with a fine up to four per cent of its total worldwide turnover of the preceding financial year.
