Federal institutions, schools, civil society organisations, and other entities that collect personal data are required to register with the Ethiopian Communications Authority (ECA). Parliament recently passed a law protecting personal data, mandating the federal government to safeguard citizens' privacy rights in an increasingly digital world.
Ratified four months ago, the law imposes a broad range of obligations on data controllers who determine the purpose and means of processing personal data. These controllers are mandated to collect personal information only for "specified, explicit, and legitimate purposes." They are required to ensure that the data is accurate, up-to-date, and processed securely to prevent unauthorised access or breaches.
The Communications Authority, directly accountable to the Prime Minister's Office, oversees the law's enforcement, regulating data processing, upholding individuals' rights, monitoring compliance, and enforcing the law through administrative fines, penalties, and sanctions against violators.
"This is why the protection law is important," said Million H. Tolessa, deputy director general of the Authority, stating the need to distinguish personal data from other types. "Personal data may contain sensitive information that could be misused to harm an individual if not properly protected."
According to Million, the dual-edged nature of the data economy offers considerable benefits and also poses risks if not managed properly. He cited the example of residential electricity consumption data, which, if analysed, could lead to improved efficiency. However, he cautioned that the same data, if mishandled, could be used by cyber criminals to organise theft.
"The law is a comprehensive response to these issues, establishing a legal framework ensuring that individuals' data is handled lawfully and transparently," Million told Fortune.
An IBM report for 2024 unveiled that data threats and unexpected business disruptions due to data breaches recorded a 10pc spike worldwide. Conducted by the independent Ponemon Institute and analysed by IBM, the report draws from a year-long survey of 604 organisations that experienced data breaches between March 2023 and February 2024. The findings revealed that an organisation's average data breach cost has skyrocketed to 4.88 million dollars.
Over half of the organisations surveyed suffer from a severe shortage of cybersecurity professionals.
According to Million, the law's provisions are intended to prevent such losses and build trust between citizens and the entities that collect and process data, trust is crucial for the growth of the digital economy.
"Some people withhold from using digital platforms for lack of trust," he told Fortune.
The law also grants individuals rights over their personal data. Citizens have the right to be informed about how their data is being used, access their data, request corrections to inaccurate information, and even demand data removal in certain circumstances. They have the right to transfer data and to object to its processing, mainly when it is being used for purposes beyond what was initially consented to.
Experts see the law as a legal instrument shifting the power dynamics between citizens and entities that rely heavily on personal data, such as event organisers, where collecting names, phone numbers, and email addresses at entry points is a common practice.
Nebeyu Lemma, managing director of Prana Events, noted that while attendees have always had the right to refuse personal information, the new law formalises these rights and places greater responsibility on organisers.
"It's a choice," Nebeyu said, stating that individuals can choose not to provide their information, but organisers also have the right to deny entry if they deem it necessary.
According to Nebeyu, terms and conditions on data use are stated, and individuals have the option to unsubscribe at any time. However, he acknowledged that the new law would likely increase costs and workload for data collectors.
"The price of getting data will increase," he stressed.
The proclamation imposes strict obligations on data controllers and processors accountable for compiling with data protection principles. Data processors, who handle data on behalf of controllers, are required to act strictly according to the latters' instructions to ensure that data is processed securely. This is expected to compel organisations to invest in new infrastructure and spend on training.
With over 78 million subscribers, Ethio Telecom is one of the largest data processors in the country. It was actively involved in the preparation of the law and has taken three major steps on policy updates, technological controls and training to align with the proclamation.
According to Tsegaye Emmanuel, chief information security officer, existing processes and procedures were updated while comprehensive data protection and personally identifiable information (PII) policies were developed. To safeguard data from unauthorised access, Tsegaye said robust technological controls were placed, providing clear guidelines for employees and contractors on how to handle sensitive data.
Tsegaye stressed that Ethio Telecom mainly get customers' consent during subscription for the specific service and during interactions with websites or mobile applications as they request to read and give informed consent on the handling and usage of their data in the system.
"We took customer data protection seriously regardless of the proclamation," he told Fortune. "The law makes our job easier."
Those in the middle are set for a ride as the new law will likely require additional measures to ensure compliance, particularly to secure data processing and prevent unauthorised access.
Eshetu Abebe, shareholder and general manager of AfroReach Technology Plc, a two-year SMS-based campaigning platform and API provider, anticipates the challenges faced by companies like his. AfroReach has grown to serve about 200 companies that use its platform to send bulk messages. According to Eshetu, these companies come with their own data sets used exclusively for their campaigns.
"We don't use one company's data for another," he told Fortune.
However, the law is not free from controversies. Its authors desire to see cross-border data flow regulation ensure personal data is transferred only to countries with adequate protection standards, a measure "to prevent the exploitation of citizens' data by entities in jurisdictions with weaker privacy protections." This provision mirrors similar regulations found in the European Union’s General Data Protection Regulation (GDPR), but has raised concerns among businesses operating on a global scale. Critics argue that these restrictions could impose costs and reduce efficiency on international companies.
Despite these concerns, the law's proponents argue it is necessary in Ethiopia's digital evolution.
According to Million Kibret, a partner at BDO Consult, personal data protection plays a vital role in the country's rapidly changing digital ecosystem. He advocated for a more institutionalised approach, including establishing systems and procedures that comply with the proclamation.
"Companies should invest in training their employees on the requirements," Million told Fortune, warning that failure could result in substantial financial and legal consequences. "They should ensure their systems are designed for compliance."
Appointing data protection compliance officers may become essential for businesses heavily reliant on personal data. The law mandates these officers to oversee data protection activities and ensure compliance with the law, potentially saving companies from costly legal battles. Companies may need to invest in infrastructure, such as local data storage facilities.
However, the Deputy Director General anticipates the law will boost customer confidence in using digital platforms rather than diminish the data economy. With mandatory digital infrastructures such as the National Digital ID in place, he believes citizens need to feel safe using supportive platforms.
"They've the right to be protected," he told Fortune.
PUBLISHED ON
Aug 25,2024 [ VOL
25 , NO
1269]
Radar | Oct 12,2019
Radar | Dec 10,2022
Fortune News | Oct 02,2021
Radar | Feb 26,2022
Featured | Jan 25,2020
Radar | Sep 28,2019
Radar | May 15,2021
Fortune News | Jun 14,2020
Fortune News | Apr 04,2020
Fortune News | Jan 19,2019
Aug 18 , 2024 . By AKSAH ITALO
Although predictable Yonas Zerihun's job in the ride-hailing service is not immune to...
Jul 13 , 2024 . By AKSAH ITALO
Investors who rely on tractors, trucks, and field vehicles for commuting, transportin...
Jul 13 , 2024 . By MUNIR SHEMSU
The cracks in Ethiopia's higher education system were laid bare during a synthesis re...
Jul 13 , 2024 . By AKSAH ITALO
Construction authorities have unveiled a price adjustment implementation manual for s...
Sep 28 , 2024
In the early 2010s, Ethiopian authorities found themselves at odds with the Internati...
Sep 21 , 2024
A nurse in Addis Abeba shares a cramped one-room apartment with three colleagues. Her...
Sep 14 , 2024
Successive regimes share a common legacy: a deep-seated commitment to education as a...
Sep 8 , 2024
Prime Minister Abiy Ahmed's (PhD) visit to China last week could mark a watershed mom...