In a landmark development of crafting Ethiopia's first personal data protection proclamation, fierce debates over legal mandates and regulatory oversight sparked at Parliament last week. The legislation, three years in the making, was put before the Standing Committee on Human Resource Development, Employment & Technology Affairs, triggering discussions on critical issues such as the regulation authority, data owner empowerment, and the definition of sensitive information.

One of the key points of contention revolves around the choice of the regulatory body.

The proposal suggests entrusting the responsibility of regulating and registering data controllers and processors to the Ethiopian Communication Authority. However, lawmakers and stakeholders are pushing for an independent commission that directly reports to the Parliament, arguing that such a commission would ensure a more transparent and accountable approach to data protection.

Commissioner Abdi Jebril echoed stakeholders' statements, indicating that the establishment of an independent commission to oversee data protection was proposed during the early drafts of the proclamation.

"That is how other countries do it," he said.

Ayalneh Lemma, the legal head of the Ministry of Innovation & Technology justified the choice of assigning data protection regulation to the Ethiopian Communication Authority by comparing its institutional alignment with the Ethiopian Statistical Services and the Ombudsman Office.

"We aim to foster trust in data owners," he said.

The Authority's experience in overseeing telecom operators makes it qualified for the task, according to Balcha Reba, the director of the Authority, who defended its capability stating, "Its entire arrangement gives it an independent perspective." He underscored the importance of obtaining consent from data owners for any third-party transfers.

Reporting directly to the Prime Minister's Office, the Authority is allocated 25pc of its budget from the government treasury. It has made industry insiders question if the intention was financially motivated.

Ermias Mamo, an independent lawyer and researcher closely following Ethiopia's digital landscape, expressed concerns about leaving the definition of sensitive information open-ended. He pointed out potential risks in digital marketing practices based on personal data collection and opposed the Ethiopian Communication Authority's oversight, suggesting it may stem from budgetary considerations rather than genuine necessity.

The bill seeks to establish a legal framework for interactions between data owners, collectors, and processors, drawing inspiration from the European Union's Convention for the Protection of Individuals about the Processing of Personal Data.

A central aspect of the proposed legislation is the empowerment of data owners. According to Ayalneh, the bill grants individuals the authority to edit, transfer, or remove their data collected by institutions such as banks, utility service providers, health institutions, and schools. This move is seen as a step towards putting individuals in control of their personal information in the digital age.