The Ethiopian Parliament has taken a significant step towards safeguarding individual privacy with the passage of the Personal Data Protection Proclamation (Proclamation No. 1321/2024). This comprehensive legislation establishes a robust legal framework for data protection in Ethiopia.
Salient Features of the Proclamation:
- Individual Rights: The Proclamation empowers Ethiopians with greater control over their personal data. It grants individuals the right to access, rectify, erase, and restrict the processing of their information. Additionally, individuals can object to direct marketing and automated decision-making processes.
- Data Subject Rights: People have the right to be informed, access their data, request correction of inaccurate data, request erasure of their data under certain circumstances, restrict processing of their data, object to processing for specific reasons, and receive their data in a transferable format.
- Data Controller Obligations: The Proclamation outlines clear responsibilities for entities handling personal data. Data controllers must obtain informed consent, implement appropriate security measures, and report data breaches.
- Limitations on Collection and Use: Data collection and processing should be limited to the specific purposes explained to the user. Businesses should only collect the data they need for those purposes.
- Lawful Data Processing: Businesses need a legitimate reason for collecting and using data, and must be transparent with users about how their information is handled.
- Data Security Measures: The legislation emphasizes data security by introducing measures like encryption and data transfer restrictions. It mandates data controllers to implement safeguards against unauthorized access, disclosure, or loss of personal data.
- Cross-Border Transfers: According to the Proclamation, personal data cannot be transferred to countries that lack adequate data protection standards unless certain conditions are met. The conditions to transfer data to a third-party jurisdiction, pursuant to the Proclamation are:
- The company (either a data controller or a data processor) has given proof on the existence of appropriate level of protection in that third party jurisdiction;
- The data subject has given explicit consent to the proposed transfer, after having been informed of the possible risks of the transfer such as the absence of appropriate level of protection;
- The transfer is necessary as per the Proclamation; or
- The transfer is made from a register which, according to law, is intended to provide information to the public.
Disclaimer: The writing is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation.
