Ethiopia recently enacted a comprehensive Personal Data Protection Proclamation (the "Proclamation"), a significant development for the country which previously did not have a consolidated legislation on data protection, only scattered laws spread across various legislations.

This law applies to a broad spectrum of businesses and requires them to register with the Ethiopian Communication Authority, the regulatory body responsible for overseeing data protection practices, before collecting or processing any personal data.

The Proclamation applies to data controllers and processors with establishments in Ethiopia. Its application also extends to data controllers and processors who, despite not having establishments in Ethiopia, have a representative established in Ethiopia and utilize equipment within Ethiopia for data processing.

The Proclamation sets out stringent rules that data controllers and processers must adhere to throughout the lifecycle of personal data including at the time of collection, storage, processing, sharing, and destruction of personal information.

Any business involved in activities related to personal data should exercise caution and diligence in handling such information, as the Proclamation's definitions of personal data and data processing are broad and could potentially apply to their operations.

What Activities Count as Data Processing Activities?

The Proclamation defines personal data as "any information relating to an identified or identifiable natural person (‘data subject’) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".

Processing of personal data is defined to include a wide range of operations performed on such data including “collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data." Processing also includes pseudonymisation.

The collection, management, and access of personal information by companies for various purposes like employee recruitment, payroll management, maintaining customer databases, and even video recording through CCTV can all be considered as data processing activities.

Cross-Border Transfer of Personal Data

The Proclamation extends its reach to cross-border data transfers. Data processors must secure a special permit from the ECA and explicit consent from the data subject before transferring personal data outside Ethiopia. Additionally, the ECA has the authority to restrict data transfers to countries deemed to lack adequate data protection standards.

What Should Companies Operating in Ethiopia Do?

Companies involved in controlling or processing personal data are required to:

  • Register with the ECA: Businesses must register with the ECA, declaring the specific purposes for which they process personal data. Upon registration, the ECA will issue a certificate that remains valid for a period of two years.
  • Obtain Separate Registrations for Multiple Purposes: If a business processes personal data for diverse purposes, a separate registration with the ECA is mandatory for each distinct purpose.
  • Adhere to Data Processing Guidelines: The Proclamation outlines a set of rules that data controllers and data processers must adhere to when collecting, processing, storing, and sharing personal data. These include implementing appropriate data security and organizational measures; keeping a record of all processing operations; appointing a data protection officer; and notifying any data breach to the ECA within 72 hours after having become aware of it.
  • Businesses operating in Ethiopia are advised to thoroughly evaluate their data processing activities to determine whether they are subject to the Proclamation and ensure compliance with the regulations. If so, it is essential for them to register with the ECA, comply with the specified data processing rules, establish their own data protection policies, and regularly conduct data security audits. By adopting such proactive measures, businesses not only protect the privacy third parties but also safeguard themselves from any potential adverse reputational and legal consequences, such as administrative penalties and criminal liabilities.

    How HSP Can Assist?

  • Assisting with the updating and structuring of contracts to incorporate clauses related to data protection in order to comply with data protection laws.
  • Drafting privacy and cybersecurity policies and privacy statements for online activities.
  • Advising on cross-border data transfers.
  • Advising on digital marketing strategies that align with data protection laws.
  • Advising on data processing and data transfer agreements.
  • Representing clients in regulatory investigations and disputes related to privacy matters.
  • Providing data protection law trainings for your teams to enhance their understanding and compliance with data protection laws.