The approval of the Personal Data Protection Proclamation by Ethiopia's Council of Ministers marks a significant step in safeguarding privacy rights in the country's digital landscape. This legal review provides an overview and analysis of the proclamation's key provisions and implications, highlighting its importance in protecting personal data and promoting responsible data management.
Introduction
The Personal Data Protection Proclamation establishes a comprehensive legal framework to support the culture and practice of personal data protection in Ethiopia. It recognizes privacy as a constitutional right and emphasizes the need to develop a successful digital economy while protecting human rights and fundamental freedoms. The proclamation defines key terms, providing clarity and ensuring a common understanding among stakeholders.
Rights and Responsibilities of Data Subjects and Entities
The proclamation grants data subjects greater control over their personal data. It outlines specific rights, such as the right to access, rectify, and erase personal data, and the right to object to its processing. Data subjects are empowered to provide specific and informed consent for the processing of their data.
Entities that control and process personal data are assigned clear responsibilities. Data controllers must ensure lawful and fair processing, establish appropriate security measures, and notify the Ethiopian Personal Data Protection Commission of any personal data breaches. Data processors must adhere to strict guidelines and ensure the security and confidentiality of personal data.
Data Processing and Security Measures
The proclamation addresses various aspects of data processing, including collection, storage, organization, retrieval, use, disclosure, and destruction of personal data. It emphasizes the importance of obtaining consent from data subjects and defines the conditions for lawful processing, ensuring that personal data is processed for specific and legitimate purposes.
To enhance data security, the proclamation introduces measures such as encryption, pseudonymization, and restrictions on data transfers. It requires entities to implement appropriate technical and organizational measures to prevent unauthorized access, disclosure, or loss of personal data. Recognizing the global nature of data flows, the proclamation acknowledges the jurisdiction of foreign countries and international organizations in cross-border data transfers. It encourages international cooperation and alignment with global data protection standards.
The Right to be Informed
Article 35 of the Proclamation highlights the essential right to be informed. Data subjects have the right to receive comprehensive information from data controllers regarding the processing of their personal data. This includes details such as the purpose of the processing, the lawful basis, retention periods, and the existence of automated decision-making. Furthermore, data subjects must be informed about their rights, including the right to withdraw consent and the right to lodge complaints with supervisory authorities, and about the consequences of failing to provide requested information. This transparent approach ensures that individuals have a clear understanding of how their data is being handled.
The Right of Access and Exceptions
Article 36 guarantees data subjects the right to access their personal data, allowing them to obtain confirmation of processing, access to the data itself, and information on its origin and storage period. However, exceptions to this right exist under Article 37. Data controllers may refuse access to personal data in certain circumstances, such as when disclosure would invade another individual's privacy, when the data is privileged or obtained during legal proceedings, or when the data pertains to health records that could harm someone's well-being. Additionally, the Proclamation allows data controllers to disregard requests that are repetitious, systematic, frivolous, or vexatious, provided they do not unreasonably interfere with the operations of the data controller.
Enforcement
The proclamation establishes the Ethiopian Personal Data Protection Commission as the regulatory authority responsible for monitoring and enforcing data protection provisions. The commission is empowered to conduct investigations, issue guidelines, and impose penalties for non-compliance.
Under the Personal Data Protection Proclamation, the Ethiopian Personal Data Protection Commission consists of a Commissioner, three Deputy Commissioners, and the necessary staff.
The Commission's headquarters is situated in Addis Ababa, with the possibility of establishing branch offices as directed by the Parliament. The budget of the Commission is allocated by the Parliament, and the Commission is required to maintain accurate and complete books of account, subject to annual inspection by the Auditor General or an assigned auditor.
Appointment Process
The appointment of the Commissioner and Deputy Commissioners is conducted by the Parliament. The Commissioner serves a term of six years, while the Deputy Commissioners serve a term of four years, without eligibility for reappointment. The appointment criteria encompass loyalty to the Constitution, adherence to human rights principles, expertise in law, data science, or information technology, commendable reputation, absence of criminal convictions, Ethiopian nationality, good health, and a minimum age of thirty-five.
The Commissioner, accountable to the Parliament, exercises complete independence and impartiality, without seeking or accepting instructions. The Commissioner's responsibilities include exercising the specified powers of the Commission, preparing the annual work plan and budget, representing the Commission in dealings with third parties, and hiring and managing employees based on Federal Civil Service Laws. Appointed by the Parliament, the Deputy Commissioners assist the Commissioner in various capacities, such as planning, organizing, directing, and facilitating the Commission's activities. They may also act on behalf of the Commissioner in their absence and perform tasks assigned by the Commissioner.
Removal Procedures
An appointee may be removed from office or discharged from their responsibilities under several circumstances, including resignation, incapacity due to illness, conviction of a serious crime, manifest incompetence, or expiration of the term of office. In case of removal, a replacement must be appointed within six months. The grounds for removal are investigated by a Special Inquiry Committee formed by the Parliament. Removal from office requires a two-thirds majority vote by the Parliament, based on a recommendation supported by a majority vote of the Special Inquiry Committee.