Jan 13 , 2024

In a landmark development of crafting Ethiopia's first personal data protection proclamation, fierce debates over legal mandates and regulatory oversight sparked at Parliament last week. The legislation, three years in the making, was put before the Standing Committee on Human Resource Development, Employment & Technology Affairs, triggering discussions on critical issues such as the regulation authority, data owner empowerment, and the definition of sensitive information.

One of the key points of contention revolves around the choice of the regulatory body.

The proposal suggests entrusting the responsibility of regulating and registering data controllers and processors to the Ethiopian Communication Authority. However, lawmakers and stakeholders are pushing for an independent commission that directly reports to the Parliament, arguing that such a commission would ensure a more transparent and accountable approach to data protection.

Commissioner Abdi Jebril echoed stakeholders' statements, indicating that the establishment of an independent commission to oversee data protection was proposed during the early drafts of the proclamation.

"That is how other countries do it," he said.

Ayalneh Lemma, the legal head of the Ministry of Innovation & Technology justified the choice of assigning data protection regulation to the Ethiopian Communication Authority by comparing its institutional alignment with the Ethiopian Statistical Services and the Ombudsman Office.

"We aim to foster trust in data owners," he said.

The Authority's experience in overseeing telecom operators makes it qualified for the task, according to Balcha Reba, the director of the Authority, who defended its capability stating, "Its entire arrangement gives it an independent perspective." He underscored the importance of obtaining consent from data owners for any third-party transfers.

Reporting directly to the Prime Minister's Office, the Authority is allocated 25pc of its budget from the government treasury. It has made industry insiders question if the intention was financially motivated.

Ermias Mamo, an independent lawyer and researcher closely following Ethiopia's digital landscape, expressed concerns about leaving the definition of sensitive information open-ended. He pointed out potential risks in digital marketing practices based on personal data collection and opposed the Ethiopian Communication Authority's oversight, suggesting it may stem from budgetary considerations rather than genuine necessity.

The bill seeks to establish a legal framework for interactions between data owners, collectors, and processors, drawing inspiration from the European Union's Convention for the Protection of Individuals about the Processing of Personal Data.

A central aspect of the proposed legislation is the empowerment of data owners. According to Ayalneh, the bill grants individuals the authority to edit, transfer, or remove their data collected by institutions such as banks, utility service providers, health institutions, and schools. This move is seen as a step towards putting individuals in control of their personal information in the digital age.

Ayalneh underscored that several directives and regulations would emerge later on to define what purposeful data collection entails and what sensitive data is precluded from transfer between institutions.

"The bill sets the foundation for data privacy principles," Ayalneh told Fortune.

The draft proclamation categorises certain data as sensitive including ethnicity, associations and memberships, and criminal history. The transfer of data between countries is outlined to involve the Ministry of Foreign Affairs to ensure compliance with international standards.

Concerns were raised about lowering the age limit for data consent with Commissioner Rigbe Gebrehawaria from the Ethiopian Human Rights Commission questioning the rationale behind lowering the age limit for data consent to 16 years when the country is a signatory to international treaties where 18 is the standard.

The choice was defended by Abyot Bayou (PhD), a senior advisor at the Ministry, citing early-age exposure to the digital world and referencing the EU's data protection law. He is optimistic about the potential to transform the digital arena, emphasising the ability to move information between different institutions.

Not everyone is embracing the proposed legislation with open arms. Endale Asrat, the chief information officer of Ethio telecom, expressed reservations about allowing data owners to move information between institutions for free. He highlighted the significant investments required for data compilation and proposed a small fee to be paid to the original data collector to cover operational costs and address potential impacts on competition.

"It significantly impacts competition," he told Fortune.

While concerns about clearer terminologies and the independence of the Authority were ubiquitous in the stakeholder session some keenly pointed to glaring oversight of emerging technologies in artificial intelligence and surveillance.

Getachew Girma from the Bio & Emerging Technology Institute raised questions about the purposefulness and proportionality of collectable data, particularly from surveillance cameras.

"Who checks the purposefulness and proportionality of the collectable data?" he inquired.

The proclamation is poised to shape Ethiopia's approach to data privacy and security with stakeholders advocating for transparency, accountability, and a robust regulatory framework. As discussions continue on the proposed legislation, the dynamics of responsible regulatory bodies remain to be seen.

PUBLISHED ON Jan 13,2024 [ VOL 24 , NO 1237]

How useful was this post?

Click on a star to rate it!

Average rating 4 / 5. Vote count: 1

No votes so far! Be the first to rate this post.

Put your comments here

N.B: A submit button will appear once you fill out all the required fields.

Editors' Pick