Last modified 12 January 2023

Data Protection in Ethiopia

Breach notification in Ethiopia

Download PDF

Download current country

Change countries

Change country

Law

Data protection laws in Ethiopia

Ethiopia has several laws that relate to privacy and data security, including:

The 1995 Constitution of the Federal Democratic Republic of Ethiopia;
Tthe 2005 Criminal Code of the Federal Democratic Republic of Ethiopia:
The 1960 Civil Code, the Computer Crime Proclamation No. 958/2016;
Freedom of the Mass Media and Access to Information Proclamation No. 590/2008 (as amended by the Media Proclamation No. 1238/2021);
Federal Advocacy Service Licensing and Administration Proclamation No.1249/2021;
Telecom Fraud Offence Proclamation No. 761/2012;
Registration of Vital Events and National Identification Cards Proclamation No. 760/2012 (as amended);
Federal Tax Administration Proclamation No.983/2016;
Authentication and Registration of Documents' Proclamation No.922/2015;
Electronic Signature Proclamation No.1072/2018;
Communications Service Proclamation No.1148/2019;
Electronic Signature Proclamation No.1072/2018;
Electronic Transaction Proclamation No.1205/2020;
National Bank of Ethiopia (NBE) Licensing and Authorization of Payment Instrument Issuers Directive No. ONPS/01/2020;
NBE Financial Consumer Protection Directive No. FCP/01/202

Related resources

Definitions

Definitions in Ethiopia

Definition of Personal Data

No specific definition is generally applicable.

The Freedom of the Mass Media and Access to Information Proclamation No. 590/2008, applicable to government entities, is understood to generally define personal data as information about an identifiable individual that relates, but is not limited, to:

medical, education, academic, employment, financial transaction, professional or criminal history
ethnic, national or social origin, age, pregnancy, marital status, color, sexual orientation, physical or mental health, well-being, disability, religion, belief, conscience, culture, language or birth
an identification number, symbol or other identifier assigned to the individual, address, fingerprints or blood type
personal opinions, views or preferences, except as relate to another individual
views or opinions on grant proposals, awards, or prizes granted to another individual, provided such views or opinions are not associated with the other individual’s name
views or opinions of others about the individual, or
an individual’s name, in combination with other personal data, or alone, if could reasonably be linked to personal data (exception applies for persons deceased for more than 20 years).

Ethiopian Communications Authority’s Consumers Rights and Protection Directive 2020 defines personal information as private information and record relating to consumers leading to identify such consumer such as his identity, address or telephone number and / or traffic and billing data and / or other personal information.

Definition of Sensitive Personal Data

Sensitive personal data is not defined.

Authority

National data protection authority in Ethiopia

There is no data protection authority.

Registration

Registration in Ethiopia

There is no requirement to register databases or personal data processing activities.

Data protection officers

Data protection officers in Ethiopia

There is no requirement to appoint a data protection officer.

Collection and processing

Collection and processing in Ethiopia

Though Ethiopia has not enacted a specific law to address personal data collection and processing issues, the country’s scattered legislative framework is understood to require that personal data be collected and processed with due care and only for an intended lawful purpose. Obtaining express consent for collecting and processing of personal data is also a requirement under those scattered provisions.

Related resources

Transfer

Transfer in Ethiopia

No specific geographic transfer restrictions apply in Ethiopia.

However, existing law provides that personal data transfers must be based on the prior written consent of the person whose data is to be transferred and only for an intended lawful purpose.

Related resources

Security

Security in Ethiopia

There are no specific data security requirements.

The Computer Crime Proclamation No. 958/2016 requires service providers to implement reasonable and necessary security measures to protect confidential computer traffic data disseminated through their computer systems or communications services from unlawful and unnecessary access.

Ethiopian Communications Authority’s Sim Card Registration Directive requires Telecommunication Operators to take all reasonable steps to ensure the security and confidentiality of its subscribers’ registration details.

Related resources

Breach notification

Breach notification in Ethiopia

There is no general breach notification requirement in Ethiopia.

However, the Computer Crime Proclamation No. 958/2016 requires service providers with knowledge that a crime stipulated by the Proclamation (including breach of privacy via unauthorized access) has been committed by a third party through the computer system it administers to immediately notify the Information Network Security Agency, report the crime to police, and take appropriate measures.

Ethiopian Communications Authority’s Sim Card Registration Directive under Article 24 obliges a telecommunication operator to notify the Ethiopian Communications Authority of any data breach that compromises subscribers’ information within seven (7) business days from discovery of the breach. The operator shall also notify the affected subscriber of such breach.

Related resources

Enforcement

Enforcement in Ethiopia

Ethiopian courts are responsible for enforcing data protection and privacy provisions in the law.

Electronic marketing

Electronic marketing in Ethiopia

Electronic Transaction Proclamation No.1205/2020 backed by Electronic Signature Proclamation No.1072/2018 regulate aspects of electronic marketing in addition to general contract law and commercial law provisions.

Online privacy

Online privacy in Ethiopia

There are several provisions in Ethiopian law to regulate online privacy. For example, the Computer Crime Proclamation No. 958/2016 criminalizes the unauthorized access to, and illegal interception and damage of, computer data.

The Proclamation further prohibits the use of computer systems to disseminate advertisements absent addressee consent.

The new Media Proclamation obliges online Media to protect the data of users and obtain explicit consent from users when circumstances requiring users’ data to be made available to third parties.

Related resources

Key contacts

Data protection lawyers in Ethiopia

Benyam Tafesse

Head, Employment, IP & Aviation Practices

Mehrteab Leul & Associates

There is no general breach notification requirement in Ethiopia.

Quick links

Data Protection in Ethiopia

Breach notification in Ethiopia

Continue reading