ETHIOPIA
DATA PROTECTION FACTSHEET
-
Population: 114,963,583
Capital: Addis Ababa
President: Sahle-Work Zewde; Prime Minister: Abiy Ahmed
2021 Freedom House Score: 22/100
Data protection law? No with no data protection authority yet appointed
-
Privacy enshrined in Constitution: Yes, the right to privacy is enshrined in Article 26 of the Ethiopian constitution,
DPA legislation: Ethiopia circulated a draft comprehensive data protection law in 2009, and in 2020 published the Draft Data Protection Proclamation. However, the Proclamation is only available in Amharic, and as such it has not been possible to provide a reliable analysis of the draft.
-
ICCPR: Acceded
Council of Europe Convention 108: No
Council of Europe Convention 185: No
Malabo Convention: No
ECOWAS Supplementary Act on Personal Data Protection: No
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No
-
Applies to natural persons: Unknown
Applies to juristic persons: Unknown
Applies to public entities: Unknown
Domestic/personal purposes exclusion: Unknown
National security exclusion: Unknown
Law enforcement exclusion: Unknown
Cabinet or Executive Council exclusion: Unknown
Judicial functions exclusion: Unknown
Journalistic, literary or artistic purposes exclusion: Unknown
Temporary copies exclusion: Unknown
Other exclusion(s): Unknown
Broad or vague exclusions: Unknown
Applies to foreign entities: Unknown
Excludes foreign entities that only transit personal data through the country: Unknown
-
The Freedom of the Mass Media and Access to Information Proclamation No. 590/2008, which applies to public bodies, identifies the following categories of information about an identifiable individual as personal data:
- medical, education, academic, employment, financial transaction, professional or criminal history;
- ethnic, national or social origin, age, pregnancy, marital status, colour, sexual orientation, physical or mental health, wellbeing, disability, religion, belief, conscience, culture, language, or birth;
- an identification number, symbol, or other identifier assigned to the individual, address, fingerprints, or blood type;
- personal opinions, views, or preferences, except as they relate to another individual;
- views or opinions on grant proposals, awards, or prizes granted to another individual, provided such views or opinions are not associated with the other individual’s name;
- views or opinions of others about the individual; or
- an individual’s name, in combination with other personal data, or alone, if it could reasonably be linked to personal data. (An exception applies for persons deceased for more than 20 years.)
-
According to the Mass Media law, personal data must be collected and processed with due care and only for an intended lawful purpose. No further restrictions on collection and processing have yet become clear.
-
Notification that data is being processed: Unknown
Notification to DPA in event of data breach: Unknown
Notification to data subject in event of data breach: Unknown
Timeframe for notification is specified: Unknown
Exceptions exist to breach notifications: Unknown
Requires a data processing register: Unknown
Register is publicly available: Unknown
Provides for terms of service icons: Unknown
DPA must submit at least annual report: Unknown
DPA report is made public: Unknown
-
Explicit provision for civil liability: Unknown
Established/designates a Data Protection Authority: Unknown
DPA is empowered to investigate: Unknown
DPA is empowered to subpoena or request evidence: Unknown
Law provides for criminal penalties: Unknown
Law provides for administrative penalties: Unknown
DPA is independently structured (does not exist within or receive instructions from another public body): Unknown
DPA receives funding directly from the state budget/legislative body: Unknown
DPA may receive some forms of external funding/own revenue: Unknown
Adequate protections against undue removal: Unknown
Number of members in DPA: Unknown
Maximum term length for members of the DPA (years): Unknown
-
Right of data subject to access a copy of their personal data: Unknown
Right of data subject to request a correction of data: Unknown
Right of data subject to request deletion of data: Unknown
Justification required for a request for deletion: Unknown
Defines the requirements for consent: Unknown
DPA is mandated to participate in policy formulation: Unknown
-
The Mass Media law provides that personal data transfers must occur for an intended lawful purpose with the prior written consent of the data subject.
-
Provides a right not to be subject to automated decision-making: Unknown
Page last updated: 24 May 2022