A new personal data protection bill places legal limitations on the extent to which both government and non-government entities can collect and utilise personal information imprinted on the internet by users who are often unsuspecting.

The bill, which was drafted by using European Union's General Data Protection Regulation (GDPR) bill as a benchmark, set outs the fundamental rights of data subjects including the right to be informed, the right to access and the right to be forgotten (right to erasure), among others.

Upon being legislated by the parliament, it is also expected to serve as a legal framework to regulate the processing of personal data, such as the principles of fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, security, and data transfer.

"As human rights in the physical world are inalienable, it should be extended to the online sphere as well," said Abiyot Bayou (PhD), director of the National Digital Transformation Programme at the Ministry of Innovation & Technology.

Prepared by the Ministry, the final draft has been submitted to the Office of the Federal Attorney-General. It restricts government entities from soliciting personal data, which is defined as any information relating to a person who can be identified, directly or indirectly, from other data collectors, without the knowledge and consent of the data owner.

The bill makes an exception where data can be confiscated as a response in the case of a period of crisis. Although government institutions would be allowed to process data in this scenario, the process must comply with several restrictions such as ensuring that it is in the public interest, is necessary and that its effects on the rights of the data owner are reasonable. And most importantly, it details that how the data is processed should be clearly defined.

According to Yohannes Eneyew, PhD candidate at the Monash University Faculty of Law in Australia, such exceptions have to be properly managed and regulated as they might expose personal data to misuse.

"The draft looks like a modern law decorated with stunning provisions yet it may face some challenges in practical implementation since currently there isn't an adequate body to oversee it," said Yohannes

To address such concerns, the bill aims to establish a regulatory body called the Data Protection Commission, which will be in charge of ensuring the implementation of the data protection law and auditing data controllers and processors, among the two dozen responsibilities it is to be tasked with.

The details on the establishment of the Commission, whether it is to be established as a separate entity or to be integrated into a certain ministry's services, will be decided on by parliament upon the issuance of the proclamation. However, the drafters of the proclamation are insisting it should be instated as an independent entity that answers to parliament. This is meant to foster impartiality as the Commission will also be in charge of monitoring government organisations, according to Abiyot.