Ethiopia has made significant strides in recognizing the right to privacy, both domestically and internationally. Article 26 of the Constitution explicitly guarantees this right, while the country’s adherence to international instruments like the ICCPR (Article 17) and UDHR (Article 12) further solidifies its commitment to privacy protection.
The enactment of the Personal Data Protection Proclamation No. 1321/2024 is a positive step in operationalizing these commitments. However, the proclamation suffers from several critical shortcomings that impede its effectiveness.
Limited Scope of Application
A primary concern is the proclamation’s narrow scope of application, as outlined in Article 2. By restricting its coverage to data processors established within Ethiopia or using equipment within the country, the proclamation fails to address the pervasive issue of cross-border data processing.
In the era of globalization and digital interconnectedness, this limitation is particularly problematic. Social media giants like Meta, Telegram, and LinkedIn process vast amounts of personal data of Ethiopian citizens, often without adequate safeguards. The proclamation’s inapplicability to these entities creates a significant gap in privacy protection.
To rectify this, the proclamation should be amended to extend its jurisdiction to any entity processing personal data of Ethiopian citizens, regardless of the entity’s location. This would align Ethiopia with international best practices and ensure comprehensive protection for its citizens’ privacy rights.
Unjustifiable Fees and Compromised Independence
Article 5(2) of the proclamation allows the Ethiopia Personal Data Protection Commission (EPDPC) to levy fees for its services. Imposing financial burdens on individuals to exercise their constitutionally guaranteed right to privacy is fundamentally unjust. The EPDPC should be adequately funded through alternative means, such as government allocations or regulatory fees imposed on data processors.
Moreover, Article 10(3) of the proclamation grants the Prime Minister the authority to nominate EPDPC commissioners, raising concerns about the commission’s independence. To ensure impartiality and effectiveness, the appointment process should be reformed to involve a diverse range of stakeholders, including civil society organizations, professional bodies, and independent experts. A transparent and merit-based selection process would enhance public trust in the commission’s ability to act independently.
Insufficient Data Breach Notification and Lack of Clarity on Security Measures
Article 20 of the proclamation mandates data processors to notify data subjects about data breaches within 72 hours. While this is a step in the right direction, the timeframe is insufficient to allow individuals to take necessary protective measures. Reducing the notification period to 24 hours would provide individuals with more time to mitigate potential harm.
Furthermore, Article 26’s reference to “technical and organizational measures” for data protection lacks specificity. To enhance clarity and compliance, the proclamation should provide detailed guidelines and standards for data security practices. This could include requirements for data encryption, access controls, data minimization, and regular security audits.
Inadequate Penalties and Enforcement Mechanisms
The proclamation’s enforcement mechanisms are also inadequate. The penalties prescribed for non-compliance are insufficient to deter violations. To strengthen deterrence, the proclamation should establish a graduated penalty system with significantly higher fines for serious offenses, such as unauthorized data processing or breaches involving sensitive personal data.
Additionally, the EPDPC should be granted robust investigative and enforcement powers, including the authority to conduct inspections, issue cease-and-desist orders, and impose sanctions.
Despite these shortcomings, the proclamation incorporates several key international data protection principles. Articles 15 and 16 address lawfulness and consent, respectively. Article 21 outlines purpose limitations, while Article 23 emphasizes data accuracy. The principle of confidentiality is enshrined in Article 25.
Conclusion
While the Personal Data Protection Proclamation is a commendable first step, it falls short of providing comprehensive privacy protection for Ethiopian citizens. To address these shortcomings, the proclamation requires substantial amendments and effective implementation.
By expanding its scope, eliminating unjustified fees, ensuring the commission’s independence, strengthening data breach notification requirements, providing clear data security guidelines, and imposing robust penalties, Ethiopia can create a robust legal framework for protecting personal data.
Author: Samuel Lijagegnehu, LLB Graduate, Hawassa University (HU).

Samuel Lijagegnehu is LLB Graduate from Hawassa University, 2024. He is Virtual Intern at Legal Admirers Editorial Program , Indian; as well as Virtual Intern at Legal Vidhiya editorial project , India. He can be reached at: slijagegnehu@gmail.com