By Eyerus Fiseha & Sintayehu Abebe | Sat Jan 08 2022
Ethiopia lacks a unified and comprehensive legal framework that governs privacy and data protection. However, there are protections scattered throughout different pieces of legislation, including the Constitution, the Criminal Code, the Civil Code, the Computer Crime Proclamation, and the Freedom of the Mass Media and Access to Information Proclamation. Even though the country has neither a comprehensive data protection regulation nor a national data protection body, the regulatory bodies under these sector-specific laws have the power to regulate data protection issues within their regulatory scope.
However, the protections provided throughout these scattered laws are not comprehensive. In today's digital world in particular, a country typically has a comprehensive data protection system.
In this context, the government of Ethiopia, through the Ministry of Innovation and Technology, recently took the initiative to draft a personal data protection proclamation. This draft personal data protection proclamation, which is the first of its kind in Ethiopia, is expected to be approved by the Council of Ministers this year (1). The proclamation, once enacted, will be vital in regulating the use and protection of personal data. In this blog, we summarize what this draft proclamation will cover.
The Ethiopian Data Protection Commission (the “Commission”) is envisioned under the draft proclamation as a national data protection institution. The Commission is proposed as a self-governing body accountable to the House of People's Representatives (HPR). The HPR also appoints the Commission's commissioner and deputy commissioners. The draft proclamation emphasizes the Commission's institutional independence, requiring commissioners to act with total independence and impartiality, neither seeking nor accepting orders.
The Commission is charged with a wide variety of regulatory responsibilities. These include overseeing the implementation of the data protection law, keeping a register of data controllers and processors and undertaking audits of practices and policies of data controllers and processors, investigating complaints, and conducting search and seizure, among others. Furthermore, the draft proclamation also envisions the possibility that the Commission may be entrusted with additional roles in sector-specific data protection schemes.
Rights of Data Subjects
The draft proclamation contains fundamental data subject rights, including the right to be informed, the right of access, the right to rectification, the right to erasure, the right to object to processing, the right not to be subject to automated decision making, the right to restriction and the right to data portability.
Data Processing Requirements
The draft proclamation envisages two levels of criteria for the authorized handling of personal data. First, it specifies the broad parameters for legitimate processing. Any processing will be lawful if it is based on the data subject's consent, which must be free, informed, explicit, unambiguous, capable of withdrawal, and granted before the start of the processing. It also provides other grounds for authorized processing, such as the fulfillment of contractual commitments, vital interests of the data subject, and public interest. Secondly, it defines the circumstances under which sensitive personal data, as well as data belonging to children, may be processed, along with requirements for the setting of organizational and technical security measures, data protection impact assessments, prior authorization and data protection by design. Though these requirements may apply in various circumstances, failure to meet them would make the processing unlawful. There will also be general requirements for personal data processing to be lawful, including prior registration of data controllers and processors and the appointment of data protection officers.
Exemptions for Certain Categories of Data Processing
An exemption for certain categories of data processing is provided in the draft proclamation. All of the exemptions concern the processing of personal data undertaken in the public interest. These are:
When the processing is done for national security, defense, or public security purposes, including when the Prime Minister grants or certifies an exemption thereof;
When the processing is to prevent, investigate, and prosecute crimes, as well as the execution of penalties;
Processing to safeguard the general public interest, including the state's economic interests;
Processing to uphold judicial independence and judicial proceedings;
Processing for purposes of protecting data subjects or the rights and freedoms of others; and
Processing for purposes of historical, statistical or scientific research.
Data Breach Notification Requirements
When a data breach occurs, the draft proclamation specifies two levels of notification: notification to the Commission where the breach is likely to constitute a "risk" to an "individual’s" rights and freedoms, and notification to the data subject (the individual whose personal data is breached) when it’s likely to pose a high risk to the rights and freedoms of the individual. In principle, notification of the data breach should be provided to the Commission and data subjects within 72 hours unless the data controller has a reason for the delay.
Transborder Data Transfer
The provisions of the draft proclamation are a direct reflection of the General Data Protection Regulation (GDPR). The GDPR is the comprehensive data protection regulation of the European Union (EU) but applies to data controllers and processors in jurisdictions outside the EU provided they handle the personal data of EU citizens. When considering adopting personal data protection laws, many countries are considering laws in line with the GDPR for a variety of reasons. One of the reasons is to enable transborder personal data flow while avoiding statutory inconsistencies.
The draft proclamation stipulates possible grounds by which the transborder transmission of personal data is allowed. Accordingly, the transmission of personal data from Ethiopia is permitted only if the third-party jurisdiction (any country other than Ethiopia, international organizations, and its subordinate bodies) provides an adequate level of data protection. The Commission will decide whether a third-party jurisdiction has an adequate degree of protection by taking into account two layers of considerations: general and specific.
The general consideration encompasses all factors relating to a specific data transfer procedure or group of procedures. The type of the data, the purpose and length of the intended transfer, and the state of the rule of law in the third-party jurisdiction are all vital specific considerations. It is worth noting that the Commission may restrict, suspend, or impose limits on transfers to third-party jurisdictions judged to have adequate levels of protection to preserve the data subject's rights and freedoms.
There are, however, exceptions where personal data can be transferred to a third-party jurisdiction without meeting the adequate standard assessment by the Commission. These are: (i) when the data subject gives explicit consent to the proposed transfer after being informed of the lack of appropriate protection in the third-party jurisdiction; (ii) when the transfer is required to achieve certain legitimate aims of the data subject, data controller, or both, as well as for matters of public interest; and (iii) when the transfer is from a public register.
The draft proclamation further provides for the possibility of a limited transfer of personal data to a third-party jurisdiction when the data subject gives his or her agreement to the transfer and elements of the data are omitted or reduced. However, authorization by the Commission may be required.
What Happens if the Data Protection Laws are Breached?
Under the draft proclamation, data subjects can file a complaint with the Commission if they believe their rights have been violated. In addition to the data subjects, if the Commission has any doubt about the contravention of the proclamation or any subsidiary laws, it can launch an investigation or cause an investigation to be initiated. Unless the Commission has reason to suspect or doubt the complaint (i.e. the existence of bad faith), it is required to investigate the case. Furthermore, the Commission is obligated to come up with a solution within a reasonable time frame, giving the data subject the option of going to court if the data subject is dissatisfied with the decisions of the Commission.
The data subjects have the right to file an appeal to the Commission when they are unsatisfied with the decision rendered by a data controller. However, the time to appeal is limited and the Commission may dismiss the case for various reasons. Moreover, if the parties are not satisfied by the decision rendered by the Commission they can appeal to the Federal High Court.
There are scenarios under which a third party (mediator) engaged on behalf of the Commission may investigate the appeal of the data subject. If the Commission does not authorize a mediator to investigate and settle the parties’ disagreement, it will conduct its own investigation and render a decision. Even though filing a complaint is personal, the draft proclamation allows for a proxy. Hence, an agent can convey a client's case on her/his behalf in written form unless the Commission requires other forms of presentation. The draft proclamation imposes a duty on the Commission to provide adequate assistance to complainants in putting their grievances in writing.
What is Next?
The draft proclamation has been completed by the Ministry of Innovation and Technology and is expected to be presented to the Council of Ministers this year. Once approved by the Council, it will pass to the House of People’s Representatives for final ratification. It will then be published in the Federal Negarit Gazette, marking its coming into force. A number of steps are expected to be taken before and after the enactment in order to operationalize the regulatory body. Creating awareness and building a legal infrastructure suitable for data protection are expected to be the biggest assignments for the government, post enactment.
Renew Capital is an Africa-focused impact investment firm that backs innovative companies with high-growth potential. Renew Capital manages investments made on behalf of the Renew Capital Angels, a global network of angel investors, foundations and family offices who seek financial returns and sustainable social impact.