Ethiopia’s Personal Data Protection Proclamation of 2024 and its Budding Digital Identity Regime

Introduction

Various legal regimes that address privacy and data protection to some extent have marked the journey towards enacting the current data protection law in Ethiopia. The Horn of Africa State has long lacked a comprehensive legal instrument regulating privacy and data protection with scattered rules across different laws and regulations, including the Constitution, the Civil Code, and sector-specific laws like the Mass Media Proclamation and the Telecommunications Consumer Rights Directive.¹

The Ethiopian Ministry of Innovation and Technology identified the necessity for a comprehensive data protection framework, leading to the Draft Data Protection Proclamation in April 2020. This initiative culminated in the enactment of the Ethiopia Data Protection Law (Personal Data Protection Proclamation No. 1321/2024(PDPP 2024)), which establishes significant safeguards for data privacy and security flowing from the right to privacy. The law delineates the rights of data subjects, imposes obligations on data processors and controllers, and sets requirements for the protection of these rights during cross-border data transfers.² Additionally, these regulatory measures support the implementation of the Ethiopian Digital Identification Proclamation No. 1284/2023, aimed at developing a national Digital Identification System.

This blog thematically analyses the key takeaways from Ethiopia’s PDPP 2024 in relation to the Digital Identification Regime noting the proclamation’s contents and concludes with a summary of the discussion.

Key elements of the PDPP 2024

Scope and purpose

The PDPP 2024 establishes a robust personal data protection framework to provide for data subject rights and principles of data processing and establishes the Ethiopian Communications Authority (ECA) as an independent supervisory authority.³

Article 3 extends its application over all types of personal data processing within filing systems, including data handled by processors situated in Ethiopia or data processed using equipment located in the country.⁴ Furthermore, Article 2 delineates personal data as information pertaining to a natural person, including identifiers such as name, identification number, and location data.⁵ It designates individuals to whom this information pertains as data subjects.⁶ Notably, the PDPP 2024 under Article 2(9), specifies that a data subject is an individual who is the subject of personal data, thereby excluding corporate entities, such as companies. Additionally, Article 2 (2)⁷ clarifies that personal data refers to any information concerning an identified or identifiable natural person.

Data Subject Rights

The Ethiopian PDPP 2024 grants data subjects the right to be informed of the collection and processing of their personal data, the right to access their data, request its erasure and correction, and object to its processing for appropriate purposes, and the right to receive their data in a transferable format from other processors or controllers.⁸ This provision mirrors Chapter 3 of the European Union’s General Data Protection Regulation (GDPR), which outlines the rights a data subject can invoke against a data controller or data processor.⁹ Unique to the PDPP is that a data subject’s rights shall survive for up to ten years after their death.¹⁰

Obligations of Data Processors & Controllers

Ethiopia’s data protection law, as outlined in the PDPP, delineates the roles of data controllers and processors. A data controller is defined as an individual or entity that determines the purpose and means of personal data processing,¹¹ while a data processor acts on behalf of the controller.¹² The PDPP 2024 requires both parties to register with the Ethiopian Communications Authority (ECA) before engaging in data processing activities and mandates the necessity of obtaining informed and explicit consent from data subjects.¹³ Additionally, it emphasises the importance of lawful, fair, and transparent data handling, mirroring principles found in the GDPR.¹⁴ Data controllers must minimise data collection, limit processing purposes, ensure accuracy, and maintain confidentiality. In the event of a data breach, they are obliged to notify both the ECA and affected data subjects within 72 hours, providing relevant details of the breach unless adequate protective measures are in place that render the data unintelligible.¹⁵ The PDPP 2024 also stipulates that data processors and controllers must monitor data processing activities and conduct regular assessments.

Cross Border Data Transfers & Data Sovereignty

The PDPP 2024 in Ethiopia emphasises the importance of data sovereignty by mandating that personal data collected within the country must be stored domestically.¹⁶ However, it permits cross-border data transfers under certain conditions, particularly when the receiving jurisdiction demonstrates adequate data protection measures or when explicit consent is obtained from the data subject.¹⁷ This provision distinguishes the PDPP 2024 from previous legal frameworks, as it enhances the protection of citizens’ privacy rights in relation to their personal data, even when such data is processed outside Ethiopia’s borders.

The PDPP 2024’s Significance for Ethiopia’s Digital Identity Regime

Ethiopia’s Fayda ID programme was established under Proclamation No. 1284 /2023, also known as the Ethiopian Digital Identification Proclamation. The programme establishes a digital identity regime and issues registrants with a unique 12-digit ‘Fayda Number’. Moreover, the programme aims to issue the Fayda ID to 90 million residents (both nationals and non-nationals) by 2026.¹⁸ As of October 2024, the Ethiopia National ID Program (NIDP), in collaboration with the Addis Ababa Civil Registration and Residence Services Agency, has rolled out more than 160 registration centres in its Capital, Addis Ababa, to reach more people and communities. This move aims to register 32 million of the 90 million targeted population over the next five years.

Digital identity regimes raise various data governance concerns, such as the privacy of registrants’ data, government officials’ unnecessary data collection, data sharing with third parties, and the exclusion of marginalised groups based on their biographical data.¹⁹ Thus, the new data protection law provides unique rights for citizens that aim to protect them from threats posed by personal data processing.

In relation to digital ID, Ethiopia’s PDPP 2024 establishes a uniform framework for protecting personal data, even as government bodies continue to process citizen data. This law defines biometric data as fingerprints, facial photographs, iris scans, and other similar personal data obtained through approved technical methods.²⁰ Section four of the Ethiopia Digital ID Proclamation protects personal data related to the identity system. It gives guidelines on processing this data, securing it, and available remedies for aggrieved persons.²¹

First, the Digital ID Proclamation states that persons will only be registered with their consent by filling out a standard consent form. It promises to maintain the confidentiality of the collected information throughout the identity regime’s processing.²² Proving a citizen’s consent raises complexities, given that with the uptake of e-government services, one is often compelled to register for the Digital ID to access vital government services.²³ Furthermore, it is important to note that the Digital ID is issued to all persons aged 5 years and beyond, raising concerns about their ability to give adequate consent to enjoy government services. Article 11 of the PDPP 2024 outlines that processing of minor’s data should be in their best interests upon acquiring consent from their parent or guardian and places a burden of proving the satisfaction of this requirement on the data controller.²⁴ Moreover, Article 8 stresses the need for such consent to be free, informed, specific, clear and require an active action from the data subject.²⁵

Furthermore, Article 19 of the Digital ID Proclamation stresses the need for personal data quality, conferring the duty to update, reverify, renew, temporarily lock, and revoke information pertaining to a Digital ID.²⁶ It also recognises the principles of data minimisation, privacy and purpose limitation, particularly as the digital ID data would ideally be shared among various government agencies through a database.²⁷ These principles mirror those outlined in Chapter 2 of the PDPP 2024.²⁸ Moreover, the Fayda identity portal clarifies that adhering to the principle of data minimisation, the only crucial information needed for identification is data subjects’ names, dates of birth, gender, nationality, and address, as well as biometrics such as facial photographs, iris, and fingerprints.²⁹ The data subject is not required to share their email address or phone number, although these can be provided optionally for delivery purposes.³⁰ Moreover, the novelties of the PDPP 2024 on cross-border data flows provide further guidance on the right to privacy where such data is shared with a third-party jurisdiction.³¹

Fair data processing, including transparency, is crucial to prevent discrimination against marginalised groups, particularly in the context of digital IDs, given that the registration process often excludes vulnerable populations. In Ethiopia, the implementation of Fayda ID has raised alarms about ethnic profiling of the Tigrayan minority, who fear misuse of their sensitive data for surveillance and arrests. Scholars, including former UN Special Rapporteur Professor Alston, argue that mandatory digital ID systems can deepen the marginalisation of minority communities by restricting access to welfare programs and socioeconomic rights. Alston’s critique of Uganda’s digital ID highlights potential coverage gaps. Overall, while the Personal Data Protection Proclamation (PDPP) presents opportunities for data processing that promotes justice and equality, it underscores the need for stringent safeguards when handling sensitive personal data related to race or ethnicity to protect individuals’ rights and freedoms.³²

Conclusion

Ethiopia’s PDPP 2024 presents new regulatory avenues for the nation in a data-driven world. The regime anticipates the challenges and opportunities, such as cross-border, presented by the data processing principles. This mirrors the concerns expressed towards the Digital ID Regime, which, although it aims to promote efficient government service delivery, may further existing inequalities against minority groups. Given the voluminous amounts of personal data collected by Ethiopian agencies to drive the shift towards digital ID systems, the PDPP 2024 provides a nuanced approach to accord comprehensive legal protection to the Fayda ID holders. Ethiopia’s new law is an important step towards personal data protection with increased uptake of digital identity regimes in the Horn of Africa region and across sub-Saharan Africa.