Attention! Ethiopia has just upped its game in the digital privacy arena. The country has officially rolled out the Personal Data Protection Proclamation No. 1321/2024 (let’s call it “the PDPP” for short), and it’s a game-changer for anyone handling personal information. This new law isn’t just more red tape. It places new, significant responsibilities on data controllers and the organisations behind them, making them more accountable. By putting real power in people’s hands when it comes to their data, the law requires organisations to respect individuals’ rights and respond to them transparently. Compliance isn’t optional: the law requires businesses to prioritise privacy, security and transparency like never before.
What you need to know about the Ethiopian data protection law
The PDPP was published in the Federal Negarit Gazette on 24 July 2024, after getting the thumbs up in Parliament on 4 April 2024. This isn’t just another piece of legislation; it sets up a whole new ballgame for data protection in Ethiopia.
The PDPP defines personal data broadly. It’s not just names and ID numbers: it covers any information that could identify someone, directly or indirectly. That includes things like location data and online identifiers.
Who does the Ethiopian data protection law apply to?
If you’re handling personal data in Ethiopia, this law has you in its sights. That includes:
- Government departments
- Private companies (big and small)
- Non-profit organisations
- Foreign companies processing the personal data of people in Ethiopia
The PDPP applies to both automated and non-automated processing of personal data. So even if you’re still working with paper files, you have to toe the line.
Key features of the Ethiopian data protection law
Core principles of data processing
The PDPP lays down seven core principles for processing personal data:
- Lawfulness
- Fairness
- Transparency
- Purpose limitation
- Accuracy
- Storage limitation
- Sovereignty of data
You need to embed these principles into your day-to-day data handling practices, not just write them into a policy.
Data subject rights
The PDPP gives people some serious new rights. These rights are a big deal because they put power back in people’s hands when it comes to their personal information.
Right to be informed
This is all about transparency. You have to tell people why you’re collecting their data, what you’re going to do with it, who you might share it with and how long you’ll keep it. You need to provide this information in clear, plain language. No hiding behind legal jargon!
Right of access
This is a biggie. People can ask you what personal data you hold on them, where you got it from and who you’ve shared it with. You have to provide this information free of charge and promptly.
Right to rectification
If someone spots a mistake in their data, they can ask you to fix it. And it’s not just about correcting wrong information: if the data is incomplete, they can ask you to fill in the blanks.
Right to erasure
In certain situations, people can tell you to delete their data. This might apply if you no longer need the data, if they withdraw their consent or if they object to the processing. This right isn’t absolute. There are times when you can refuse, for example if you need the data to comply with a legal obligation.
Right to object
People can put their foot down and say “no” to you processing their data in certain circumstances. This is particularly relevant for direct marketing: if someone objects to that, you have to stop.
Right to restriction of processing
This is like hitting the pause button. In some cases, people can ask you to stop processing their data while still holding onto it. This might happen if they’re contesting the accuracy of the data, or if they’ve objected to the processing and you’re still considering their objection.
Rights relating to automated decision-making
The PDPP gives people the right not to be subject to decisions based solely on automated processing where those decisions significantly affect them. Think of things like the automatic refusal of an online credit application.
Right to data portability
This is a modern right for the digital age. People can ask for their data in a format that’s easy to read and transfer. They can even ask you to send it directly to another organisation.
After death rights
Here’s an interesting twist: these rights don’t die with the person. The PDPP says privacy rights survive for 10 years after death. So organisations need to be prepared to handle requests made on behalf of a deceased person by their legal heirs.
Data breach notifications
If you’ve had a data breach, you can’t just sweep it under the rug. You have to tell the Ethiopian Communications Authority (the Authority) within 72 hours of becoming aware of it. In some cases, you’ll need to let the affected people know, too. In practice, that 72-hour clock means you need a tested incident response procedure in place before anything goes wrong, so that detection, triage and the decision to notify don’t eat up the whole window.
This is similar to the GDPR in the EU, which also gives you a 72-hour deadline to report breaches to the regulator and requires you to tell affected people where there is a high risk to their rights. Under South Africa’s POPIA, you have to inform the Information Regulator “as soon as reasonably possible” and may need to notify those affected. POPIA doesn’t have the same 72-hour rule, but it still expects quick action to protect people’s information.
Cross-border data transfers
The law has strict rules about this. You can only send personal data to countries that offer a similar level of data protection. If the destination country doesn’t measure up, you’ll need special permission before the transfer goes ahead.
Enforcement and penalties
The Authority has real power to enforce this law. It can impose administrative fines if you don’t play by the rules.
Timeline to comply
The clock is ticking. The law is already in force, having been published on 24 July 2024. There may be a grace period for implementation, but you shouldn’t count on it. Start getting your ducks in a row now.
Remember, this law isn’t just a box-ticking exercise. It’s about respecting people’s privacy and handling their data responsibly. Get it right, and you’ll be building a stronger, more trusted business for the future.
Actions to take
- Understand the data you hold by auditing it: work out what personal data you’re holding, where it came from and why you need it.
- Find out the impact the new law will have on your business by conducting a data protection impact assessment.
- Protect your organisation by updating your privacy policies, making sure they’re clear and cover all the new rights.
- Secure your organisation by setting up an incident response plan and procedure that can meet the 72-hour breach notification deadline.
- Educate your employees by asking us to provide you with data protection training.
- Make sure you’re only sending data to countries with adequate protection by conducting a transfer impact assessment.
- Find out more about the PDPP by reading it.