Data Privacy Tool
You may also be interested in our Data Privacy Scorebox to assess your organization's level of data protection maturity.
Ethiopia has several laws that relate to privacy and data security, including:
- The 1995 Constitution of the Federal Democratic Republic of Ethiopia;
- Tthe 2005 Criminal Code of the Federal Democratic Republic of Ethiopia:
- The 1960 Civil Code, the Computer Crime Proclamation No. 958/2016;
- Freedom of the Mass Media and Access to Information Proclamation No. 590/2008 (as amended by the Media Proclamation No. 1238/2021);
- Federal Advocacy Service Licensing and Administration Proclamation No.1249/2021;
- Telecom Fraud Offence Proclamation No. 761/2012;
- Registration of Vital Events and National Identification Cards Proclamation No. 760/2012 (as amended);
- Federal Tax Administration Proclamation No.983/2016;
- Authentication and Registration of Documents' Proclamation No.922/2015;
- Electronic Signature Proclamation No.1072/2018;
- Communications Service Proclamation No.1148/2019;
- Electronic Signature Proclamation No.1072/2018;
- Electronic Transaction Proclamation No.1205/2020;
- National Bank of Ethiopia (NBE) Licensing and Authorization of Payment Instrument Issuers Directive No. ONPS/01/2020;
- NBE Financial Consumer Protection Directive No. FCP/01/202
Definition of Personal Data
No specific definition is generally applicable.
The Freedom of the Mass Media and Access to Information Proclamation No. 590/2008, applicable to government entities, is understood to generally define personal data as information about an identifiable individual that relates, but is not limited, to:
- medical, education, academic, employment, financial transaction, professional or criminal history
- ethnic, national or social origin, age, pregnancy, marital status, color, sexual orientation, physical or mental health, well-being, disability, religion, belief, conscience, culture, language or birth
- an identification number, symbol or other identifier assigned to the individual, address, fingerprints or blood type
- personal opinions, views or preferences, except as relate to another individual
- views or opinions on grant proposals, awards, or prizes granted to another individual, provided such views or opinions are not associated with the other individual’s name
- views or opinions of others about the individual, or
- an individual’s name, in combination with other personal data, or alone, if could reasonably be linked to personal data (exception applies for persons deceased for more than 20 years).
Ethiopian Communications Authority’s Consumers Rights and Protection Directive 2020 defines personal information as private information and record relating to consumers leading to identify such consumer such as his identity, address or telephone number and / or traffic and billing data and / or other personal information.
Definition of Sensitive Personal Data
Sensitive personal data is not defined.
There is no data protection authority.
There is no requirement to register databases or personal data processing activities.
There is no requirement to appoint a data protection officer.
Though Ethiopia has not enacted a specific law to address personal data collection and processing issues, the country’s scattered legislative framework is understood to require that personal data be collected and processed with due care and only for an intended lawful purpose. Obtaining express consent for collecting and processing of personal data is also a requirement under those scattered provisions.
No specific geographic transfer restrictions apply in Ethiopia.
However, existing law provides that personal data transfers must be based on the prior written consent of the person whose data is to be transferred and only for an intended lawful purpose.
There are no specific data security requirements.
The Computer Crime Proclamation No. 958/2016 requires service providers to implement reasonable and necessary security measures to protect confidential computer traffic data disseminated through their computer systems or communications services from unlawful and unnecessary access.
Ethiopian Communications Authority’s Sim Card Registration Directive requires Telecommunication Operators to take all reasonable steps to ensure the security and confidentiality of its subscribers’ registration details.
There is no general breach notification requirement in Ethiopia.
However, the Computer Crime Proclamation No. 958/2016 requires service providers with knowledge that a crime stipulated by the Proclamation (including breach of privacy via unauthorized access) has been committed by a third party through the computer system it administers to immediately notify the Information Network Security Agency, report the crime to police, and take appropriate measures.
Ethiopian Communications Authority’s Sim Card Registration Directive under Article 24 obliges a telecommunication operator to notify the Ethiopian Communications Authority of any data breach that compromises subscribers’ information within seven (7) business days from discovery of the breach. The operator shall also notify the affected subscriber of such breach.
Ethiopian courts are responsible for enforcing data protection and privacy provisions in the law.
Electronic Transaction Proclamation No.1205/2020 backed by Electronic Signature Proclamation No.1072/2018 regulate aspects of electronic marketing in addition to general contract law and commercial law provisions.
There are several provisions in Ethiopian law to regulate online privacy. For example, the Computer Crime Proclamation No. 958/2016 criminalizes the unauthorized access to, and illegal interception and damage of, computer data.
The Proclamation further prohibits the use of computer systems to disseminate advertisements absent addressee consent.
The new Media Proclamation obliges online Media to protect the data of users and obtain explicit consent from users when circumstances requiring users’ data to be made available to third parties.