Federal institutions, schools, civil society organisations, and other entities that collect personal data are required to register with the Ethiopian Communications Authority (ECA). Parliament recently passed a law protecting personal data, mandating the federal government to safeguard citizens' privacy rights in an increasingly digital world.

Ratified four months ago, the law imposes a broad range of obligations on data controllers who determine the purpose and means of processing personal data. These controllers are mandated to collect personal information only for "specified, explicit, and legitimate purposes." They are required to ensure that the data is accurate, up-to-date, and processed securely to prevent unauthorised access or breaches.

The Communications Authority, directly accountable to the Prime Minister's Office, oversees the law's enforcement, regulating data processing, upholding individuals' rights, monitoring compliance, and enforcing the law through administrative fines, penalties, and sanctions against violators.

"This is why the protection law is important," said Million H. Tolessa, deputy director general of the Authority, stating the need to distinguish personal data from other types. "Personal data may contain sensitive information that could be misused to harm an individual if not properly protected."

According to Million, the dual-edged nature of the data economy offers considerable benefits and also poses risks if not managed properly. He cited the example of residential electricity consumption data, which, if analysed, could lead to improved efficiency. However, he cautioned that the same data, if mishandled, could be used by cyber criminals to organise theft.

"The law is a comprehensive response to these issues, establishing a legal framework ensuring that individuals' data is handled lawfully and transparently," Million told Fortune.

An IBM report for 2024 unveiled that data threats and unexpected business disruptions due to data breaches recorded a 10pc spike worldwide. Conducted by the independent Ponemon Institute and analysed by IBM, the report draws from a year-long survey of 604 organisations that experienced data breaches between March 2023 and February 2024. The findings revealed that an organisation's average data breach cost has skyrocketed to 4.88 million dollars.

Over half of the organisations surveyed suffer from a severe shortage of cybersecurity professionals.


According to Million, the law's provisions are intended to prevent such losses and build trust between citizens and the entities that collect and process data, trust is crucial for the growth of the digital economy.

"Some people withhold from using digital platforms for lack of trust," he told Fortune.

The law also grants individuals rights over their personal data. Citizens have the right to be informed about how their data is being used, access their data, request corrections to inaccurate information, and even demand data removal in certain circumstances. They have the right to transfer data and to object to its processing, mainly when it is being used for purposes beyond what was initially consented to.

Experts see the law as a legal instrument shifting the power dynamics between citizens and entities that rely heavily on personal data, such as event organisers, where collecting names, phone numbers, and email addresses at entry points is a common practice.

Nebeyu Lemma, managing director of Prana Events, noted that while attendees have always had the right to refuse personal information, the new law formalises these rights and places greater responsibility on organisers.

"It's a choice," Nebeyu said, stating that individuals can choose not to provide their information, but organisers also have the right to deny entry if they deem it necessary.


According to Nebeyu, terms and conditions on data use are stated, and individuals have the option to unsubscribe at any time. However, he acknowledged that the new law would likely increase costs and workload for data collectors.

"The price of getting data will increase," he stressed.


The proclamation imposes strict obligations on data controllers and processors accountable for compiling with data protection principles. Data processors, who handle data on behalf of controllers, are required to act strictly according to the latters' instructions to ensure that data is processed securely. This is expected to compel organisations to invest in new infrastructure and spend on training.

With over 78 million subscribers, Ethio Telecom is one of the largest data processors in the country. It was actively involved in the preparation of the law and has taken three major steps on policy updates, technological controls and training to align with the proclamation.

According to Tsegaye Emmanuel, chief information security officer, existing processes and procedures were updated while comprehensive data protection and personally identifiable information (PII) policies were developed. To safeguard data from unauthorised access, Tsegaye said robust technological controls were placed, providing clear guidelines for employees and contractors on how to handle sensitive data.

Tsegaye stressed that Ethio Telecom mainly get customers' consent during subscription for the specific service and during interactions with websites or mobile applications as they request to read and give informed consent on the handling and usage of their data in the system.

"We took customer data protection seriously regardless of the proclamation," he told Fortune. "The law makes our job easier."

Those in the middle are set for a ride as the new law will likely require additional measures to ensure compliance, particularly to secure data processing and prevent unauthorised access.

Eshetu Abebe, shareholder and general manager of AfroReach Technology Plc, a two-year SMS-based campaigning platform and API provider, anticipates the challenges faced by companies like his. AfroReach has grown to serve about 200 companies that use its platform to send bulk messages. According to Eshetu, these companies come with their own data sets used exclusively for their campaigns.

"We don't use one company's data for another," he told Fortune.


However, the law is not free from controversies. Its authors desire to see cross-border data flow regulation ensure personal data is transferred only to countries with adequate protection standards, a measure "to prevent the exploitation of citizens' data by entities in jurisdictions with weaker privacy protections." This provision mirrors similar regulations found in the European Union’s General Data Protection Regulation (GDPR), but has raised concerns among businesses operating on a global scale. Critics argue that these restrictions could impose costs and reduce efficiency on international companies.

Despite these concerns, the law's proponents argue it is necessary in Ethiopia's digital evolution.

According to Million Kibret, a partner at BDO Consult, personal data protection plays a vital role in the country's rapidly changing digital ecosystem. He advocated for a more institutionalised approach, including establishing systems and procedures that comply with the proclamation.

"Companies should invest in training their employees on the requirements," Million told Fortune, warning that failure could result in substantial financial and legal consequences. "They should ensure their systems are designed for compliance."

Appointing data protection compliance officers may become essential for businesses heavily reliant on personal data. The law mandates these officers to oversee data protection activities and ensure compliance with the law, potentially saving companies from costly legal battles. Companies may need to invest in infrastructure, such as local data storage facilities.

However, the Deputy Director General anticipates the law will boost customer confidence in using digital platforms rather than diminish the data economy. With mandatory digital infrastructures such as the National Digital ID in place, he believes citizens need to feel safe using supportive platforms.

"They've the right to be protected," he told Fortune.



PUBLISHED ON Aug 25,2024 [ VOL 25 , NO 1269]


How useful was this post?

Click on a star to rate it!

Average rating 5 / 5. Vote count: 2

No votes so far! Be the first to rate this post.





Editors' Pick



Editorial




Back
WhatsApp
Telegram
Email