Meaning and Scope of Data Protection
The advent of the digital era has transformed the way we communicate and organize our work and personal data in a way unthinkable a few years ago. The internet and the ability of individuals to communicate, store data, share data, and perform all their personal and professional issues has transformed significantly. The unprecedented ease of access and ability to store and transfer personal data has provided tremendous opportunity for individuals and business as well as governments to facilitate communication and business transactions. Nevertheless, it has also created vulnerabilities to the integrity, security, and availability of personal data. The risk of illegal access, forgery, interception, interference and in some cases surveillance creates risks for individuals that heavily rely on information technology platforms for the security and integrity of their personal data.
The European General Data Protection Regulations (GDPR) emerged because of the realization of the importance of data protection and the need to ensure both the right to privacy and data integrity of individuals. As GDPR has become a more recent normative development in the regulation of personal data, many states have adopted laws and regulations intended to ensure data protection because of its increased relevance for protecting the privacy of individuals. In this regard, Ethiopia lags behind other counties as there is no specific legislation on data protection. Nevertheless, there are some scattered laws and regulations that have a bearing on data protection and personal data of individuals that are worth exploring. Moreover, a draft Personal Data Protection Proclamation has been prepared under the auspices of the Ministry of Innovation and Technology. The objective of this post is to highlight the key aspects of the existing relevant laws and regulations that have implications for personal data protection and data privacy in the absence of comprehensive national data protection legislation.
Overview of Ethiopia’s Laws on Data Protection
First it should be noted that the Constitution of Ethiopia explicitly provides for the right to privacy and a robust system of other rights. Article 26 provides the right to privacy and the inviolability of correspondence including digital communications. Art 26 reads :
Right to Privacy:
- Everyone has the right to privacy. This right shall include the right not to be subjected
to searches of his home, person or property, or the seizure of any property under / his
personal possession.
- Everyone has the right to the inviolability of his notes and correspondence including
postal letters, and communications made by means of telephone, telecommunications
and electronic devices.
- Public officials shall respect and protect these rights. No restrictions may be placed
on the enjoyment of such rights except in compelling circumstances and in accordance
with specific laws whose purposes shall be the safeguarding of national security or public
peace, the prevention of crimes or the protection of health, public morality or the rights
and freedoms of others
The Constitutional stipulation of the right to privacy, while it was not designed explicitly to govern the online space, provides an important normative basis for personal data protection. First the Ethiopian Constitution provides not just a generic right to privacy but also explicitly provides for the protection of communications and data through telephone, telecommunications and electronic devices” which can serve an important basis for data protection in Ethiopia. Second, the legal grounds for the limitation of personal data within the context of the right to privacy are not arbitrary. The constitution notes that “[n]o restrictions may be placed on the enjoyment of such rights except in compelling circumstances and in accordance with specific laws whose purposes shall be the safeguarding of national security or public peace, the prevention of crimes or the protection of health, public morality or the rights and freedoms of others”. This can be an important legal basis to challenge undue interreferences with personal data, such as the use of surveillance by government as it lacks clear constitutional grounds. Yet, it can also be argued that these broadly defined and vague limitations can also lead to abuse unless construed strictly.
Apart from the Constitution, there are a handful of other laws and regulations that have a bearing for data protection in Ethiopia. As indicated above, Ethiopia has no specific legislation on data protection, but there is a draft personal data protection proclamation prepared under the Ministry of Innovation and Technology in 2021. The most significant existing piece of legislation for data protection in Ethiopia is the Computer Crime Proclamation 958/2016. The Computer Crime Proclamation of Ethiopia provides important safeguards that have significant implications for data protection. It prohibits various forms of infringements on data protection. The following are the key aspects of the protections under the Computer Crime Proclamation of Ethiopia.
- Illegal access[1]: The Compute Crime Proclamation prohibits any form of illegal access of computer data. It prohibits anyone from accessing “the whole or any part of a computer system, computer data or network” and that violations “shall be punishable with simple imprisonment not exceeding three years or fine from Birr 30,000 to 50, 000 or both”. While the proscription for illegal access does not explicitly refer to personal data, it clearly encompasses protections of personal data as computer crimes are normally framed in generic and technology neutral language. This provision has important safeguards for ensuring the right of individuals to protection from unlawful access to their personal data.
- Prohibition of illegal interception[2]: Data protection covers not just personal data that is already stored electronically or through a computer system but also communications in real time. Unlawful interception disrupts the integrity of computer systems and affects the privacy of individuals. Thus, the Computer Proclamation prohibits any form of interception, interference or damage (such as through the use of viruses). Article 4 of the Computer Crime Proclamation prohibits the interception of non-public computer data or data processing service with rigorous imprisonment not exceeding five years and fine from Birr 10,000 to 50,000.
Given the fact that states are complicit themselves in conducting interception and surveillance through their law enforcement agencies, any procedure for gathering data should be guided by international human rights standards and domestic laws including the constitution. Search and seizure or interception of communications must only be done in relation to a reasonable suspicion of a commission of a crime and when the particular data under scrutiny has relevance for criminal investigation. Moreover, there must be a judicial oversight such as the issuance of a search warrant to conduct the interception or interreference. In this regard, one of the drawbacks of the Computer Crime Proclamation is the fact that in some instances it allows for conducting search and seizure of data without a court warrant when it believes that damage against critical infrastructure is going to be committed. What makes Article 25 of the Computer crime even more interesting is that it refers explicitly to the fact that the Attorney General may allow for law enforcement agencies to conduct surveillance. Article 25:
“…the Attorney General may give permission to the investigatory organ to conduct interception or surveillance without court warrant where there are reasonable grounds and urgent cases to believe that a computer crime that can damage critical infrastructure is or to be committed”.
This provision creates a legal loophole for government to conduct surveillance measures that can affect the privacy and data protection of individuals.
- Prohibition of illegal Interference: The Computer Crime Proclamation of Ethiopia also proscribes illegal interference in computer systems. It prohibits hindering, impairing, interrupting or disrupting the proper functioning of the whole or any part of computer system by inputting, transmitting, deleting or altering computer data. The law stipulates that anyone who commits these crimes shall be punishable with imprisonment from three years to five years and fine not exceeding Birr 50,000.
Moreover, the computer crime proclamation provides for other articles that have some implication for data protection. It ensures that personal and traffic data is protected without compromising the integrity of the data. These protections include protections against forgery,[3] fraud,[4] identity theft[5], and unsolicited messages such as advertisements and spam.[6]
The computer crime proclamation provides different sanctions for breaches of the above crimes including imprisonment ranging from 1 to 5 years and fines. In some instances, such as illegal interreference, or any criminal activity that risks the integrity of “critical infrastructure”, the penalty can extend to ten years.
While the criminal law regime can be helpful to ensure the data privacy and protection of individuals, it also lacks some protections afforded to individuals from breaches of their privacy and data by social media platforms as well as other tech companies that have been involved in data breaches by many regulatory commissions. Because of this, it is important to include both criminal and civil remedies for breaches of data protection. Civil remedies such as compensation should also be considered as they are important means of redressing victims whose privacy rights have been breached.
Another relevant legislation that has some implication on data protection and data privacy issues is the Communication Service Proclamation 1148/2019. The Communication Service proclamation key provisions include:
*Art 6(14) which gives mandate to the Telecommunications Authority the power to safeguard the interest of consumers of communications services”.
* Art 6 (15) provides power to the authority to investigate complaints and resolve disputes between Communications Service operators, and between consumers and Communications Service operators;
* The most significant sub article is Art 6(25) which gives the authority the mandate to “promote information security, data privacy and protection”; and
* Art 6(26) also provides the authority with the power to ensure the integrity and security of electronic communications.
Moreover, the Civil Code of 1960 Article 11 provides that “[n]o person shall be subjected to search except in cases provided by the law. Article 24 provides that “[n]o person shall be forced to reveal facts obtained during professional duty. Similarly, the Revised Criminal Code of Ethiopia provides certain protections that could have a beating on data protection.
-Article 399 makes the violation of professional secrecy is punishable by law
-Article 606 makes the violation of the privacy of correspondence or consignments including intrusion of one’s letter, telegram, telecom, and other electronic correspondence, among others, is punishable, upon complaint, with up to six months of imprisonment or a fine.
The Federal Tax Administration Proclamation No.983/2016 Article 66/1 also allows the Ethiopian Revenues Authority to have at all times and without notice full and free access to any premises, place, goods, or property; any document and any data storage device. If a hard copy of information from a data storage device is not provided, the authority is permitted seize and retain the device for as long as is necessary to copy the information required.
These laws should be guided by international and comparative experiences on GDPR that could provide normative guidance in relation to the regulation of data protection in Ethiopia. As it is still an emerging and growing area of legal development, comparative legal experiences can be helpful to draw good practices in the area of data protection from other countries.
Prospects for a New Data Protection Law in Ethiopia
As indicated in the introduction, Ethiopia has not yet adopted a data protection law. Most of the existing regulation on data protection is fragmented with no comprehensive legislation that regulates the protection of personal data. In 2021, the Ethiopian government prepared a preliminary draft of the Ethiopian Personal Data Protection Proclamation under the auspices of the Ministry of Technology and Innovation. While the draft is still in its early stages and may need further work and refinement, it is a major step in addressing the unregulated area of data protection in Ethiopia. The draft proclamation provides various protections for data subjects and prescribes a number of obligations for data processors and data controllers. It also provides for the establishment of a Data Protection Commission which would have the mandate to implement and enforce the data protection proclamation. While it is not clear when this draft Data Protection Proclamation will be adopted, the fact that there is a preliminary draft in itself provides the opportunity to develop it further and advocate for a better regulatory regime in line with developments in international and comparative law. Nevertheless, the pace of the adoption of the draft proclamation on data protection may take some time because of the current security and political problems in the country. Moreover, there are already many draft legislations that are in the pipeline which may drag the adoption of the Proclamation. More effort should be made to advocate for the adoption of the draft law by underscoring its significance for data privacy and security of individuals and its overall economic and social significance.
Conclusion
The importance of data protection in the current digital age cannot be overemphasized. The ever-increasing reliance on the internet to collect and store data electronically calls for strong and rights-based efforts to ensure that the integrity of the personal data of individuals. Moreover, the way social media and other platforms process, store, and share data as well as their obligations is not clearly spelled under Ethiopian law. The fact that individuals provide a large amount of data without having some control over how the data is used poses problems to their privacy and security. Because of this, it is important to provide a legal framework that can spell out clearly the legal protections available for data subjects. The adoption of the draft proclamation on personal data protection will also provide clear obligations for data processors and data controllers on what kinds of specific obligations they have in relation to ensuring the personal data protection of individuals.
[1] Art 3.
[2] Art 4.
[3] Art 9.
[4] Art 10.
[5] Art 11.
[6] Art 15.
Leave a Reply