Last modified 23 March 2026

Data Protection in Ethiopia

Data protection laws in Ethiopia

Download PDF

Download current country

Change countries

Change country

Law

Data protection laws in Ethiopia

Ethiopia has several laws that relate to privacy and data security, including:

Personal Data Protection Proclamation No.1321/2024
The 1995 Constitution of the Federal Democratic Republic of Ethiopia;
The 2005 Criminal Code of the Federal Democratic Republic of Ethiopia:
The 1960 Civil Code, the Computer Crime Proclamation No. 958/2016;
Freedom of the Mass Media and Access to Information Proclamation No. 590/2008 (as amended by the Media Proclamation No. 1238/2021);
Federal Advocacy Service Licensing and Administration Proclamation No.1249/2021;
Telecom Fraud Offence Proclamation No. 761/2012;
Registration of Vital Events and National Identification Cards Proclamation No. 760/2012 (as amended);
Federal Tax Administration Proclamation No.983/2016;
Authentication and Registration of Documents' Proclamation No.922/2015;
Electronic Signature Proclamation No.1072/2018;
Communications Service Proclamation No.1148/2019;
Electronic Signature Proclamation No.1072/2018;
Electronic Transaction Proclamation No.1205/2020;
National Bank of Ethiopia (NBE) Licensing and Authorization of Payment Instrument Issuers Directive No. ONPS/01/2020;
NBE Financial Consumer Protection Directive No. FCP/01/202.

Related resources

Definitions

Definitions in Ethiopia

Definition of data

Under Article 2 (1) of the Personal Data Protection Proclamation No.1321/2024, “Data” means information that:

is being processed by means of equipment operating automatically in response to instructions given for that purpose;
is collected with the intention that it should be processed by means of such equipment mentioned in (a);
is recorded as part of a filing system or with the intention that it should form part of a filing system; or
does not fall within (a), (b) or (c) but forms part of any other accessible public record.

Definition of personal data

Under Art. 2 (2) of the Personal Data Protection Proclamation No.1321/2024, "Personal Data” is defined as any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The Freedom of the Mass Media and Access to Information Proclamation No. 590/2008, applicable to government entities, is understood to generally define personal data as information about an identifiable individual that relates, but is not limited, to:

medical, education, academic, employment, financial transaction, professional or criminal history;
ethnic, national or social origin, age, pregnancy, marital status, color, sexual orientation, physical or mental health, well-being, disability, religion, belief, conscience, culture, language or birth;
an identification number, symbol or other identifier assigned to the individual, address, fingerprints or blood type;
personal opinions, views or preferences, except as relate to another individual;
views or opinions on grant proposals, awards, or prizes granted to another individual, provided such views or opinions are not associated with the other individual’s name;
views or opinions of others about the individual; or
an individual’s name, in combination with other personal data, or alone, if could reasonably be linked to personal data (exception applies for persons deceased for more than 20 years).

The Ethiopian Communications Authority’s Consumers Rights and Protection Directive 2020 defines personal information as private information and record relating to consumers leading to identify such consumer such as his identity, address or telephone number and/or traffic and billing data and/or other personal information.

Definition of sensitive personal data

Article 2 (5) of the Personal Data Protection Proclamation No.1321/2024 defines “Sensitive Personal Data” as a natural person's data on:

racial or ethnic origins;
genetic or biometric data; or
physical or mental health or condition.

Related resources

Authority

National data protection authority in Ethiopia

The Ethiopian Communications Authority (ECA)

Related resources

Registration

Registration in Ethiopia

Data controllers and data processors are required to be registered with, and licensed by, the ECA.

Related resources

Data protection officers

Data protection officers in Ethiopia

A data protection officer is a natural person assigned within an organization with the responsibilities of controlling data handling, administration and usage.

Both a data controller and a data processor shall designate or appoint a data protection officer on such terms and conditions as the data controller or data processor may determine, where:

the processing is carried out by a government body, except for courts acting in their judicial capacity;
the core activities of the data controller or data processor consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
the core activities of the data controller or the data processor consist of processing on a large scale of sensitive personal data.

Related resources

Collection and processing

Collection and processing in Ethiopia

Processing of personal data must adhere to the principles of processing personal data. Hence, personal data must be:

processed lawfully, fairly and in a transparent manner;
obtained only for one or more explicit, specified and lawful purposes, and further processed in a manner that is compatible with those purposes;
adequate, relevant and not excessive in relation to the purposes for which they are processed;
accurate and, where necessary, kept up to date;
kept for no longer than is necessary for the purposes for which the personal data are processed;
processed in a manner that ensures the integrity, confidentiality, and security of the personal data; and
processed in a manner that ensures the sovereignty of the data

Related resources

Transfer of personal data

Transfer of personal data in Ethiopia

Transfer of data to a third party jurisdiction is allowed provided that the third party jurisdiction to which the data is to be transferred ensures appropriate levels of protection.

Transfer to jurisdictions with inadequate protection is permissible with the authorization of the ECA if:

the data subject consents to the transfer of the data to the third-party jurisdiction; and
there is appropriate severance or reduction of those aspects of the data which it deems appropriate.

Related resources

Security

Security in Ethiopia

Data processing must adhere to the principle of security. Appropriate technical and organizational measures must be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Related resources

Breach notification

Breach notification in Ethiopia

If there is a personal data breach, the data controller must notify the personal data breach to the ECA within 72 hours after having become aware of it.

Related resources

Enforcement

Enforcement in Ethiopia

Ethiopian courts are responsible for enforcing data protection and privacy provisions in the law.

Related resources

Electronic marketing

Electronic marketing in Ethiopia

The Electronic Transaction Proclamation No.1205/2020, backed by Electronic Signature Proclamation No.1072/2018, regulate aspects of electronic marketing in addition to general contract law and commercial law provisions.

Related resources

Online privacy

Online privacy in Ethiopia

There are several provisions in Ethiopian law to regulate online privacy.

For example:

the Computer Crime Proclamation No. 958/2016 criminalizes the unauthorized access to, and illegal interception and damage of, computer data;
the Proclamation further prohibits the use of computer systems to disseminate advertisements absent addressee consent; and
the Media Proclamation obliges online media to protect the data of users and obtain explicit consent from users when circumstances requiring users’ data to be made available to third parties.

Related resources

Key contacts

Data protection lawyers in Ethiopia

Biruk Haile

Legal Director

Mehrteab & Getu Advocates LLP

Addis Ababa

Email Full bio

Ethiopia has several laws that relate to privacy and data security, including:

Personal Data Protection Proclamation No.1321/2024
The 1995 Constitution of the Federal Democratic Republic of Ethiopia;
The 2005 Criminal Code of the Federal Democratic Republic of Ethiopia:
The 1960 Civil Code, the Computer Crime Proclamation No. 958/2016;
Freedom of the Mass Media and Access to Information Proclamation No. 590/2008 (as amended by the Media Proclamation No. 1238/2021);
Federal Advocacy Service Licensing and Administration Proclamation No.1249/2021;
Telecom Fraud Offence Proclamation No. 761/2012;
Registration of Vital Events and National Identification Cards Proclamation No. 760/2012 (as amended);
Federal Tax Administration Proclamation No.983/2016;
Authentication and Registration of Documents' Proclamation No.922/2015;
Electronic Signature Proclamation No.1072/2018;
Communications Service Proclamation No.1148/2019;
Electronic Signature Proclamation No.1072/2018;
Electronic Transaction Proclamation No.1205/2020;
National Bank of Ethiopia (NBE) Licensing and Authorization of Payment Instrument Issuers Directive No. ONPS/01/2020;
NBE Financial Consumer Protection Directive No. FCP/01/202.

Quick links

Data Protection in Ethiopia

Data protection laws in Ethiopia

Continue reading