Ethiopia has not yet adopted a personal data protection law. While there are some scattered legislations that deal with data protection related issues such as the criminal code and the computer crime proclamation, there is no comprehensive legislation that regulates data protection in Ethiopia. However, in 2020 the government of Ethiopia under the auspices of the Ministry of Innovation and Technology has prepared a draft data protection proclamation that will be the main legislative instrument that will govern data protection issues in Ethiopia. One of the key proposed institutions that will have the sole responsibility of regulating data protection issues is the Data Protection Commission of Ethiopia (established in Article 5 of the draft proclamation). Given its broad scope and central authority, it is important to understand the structure, powers, and function of the Commission as well as the challenges that that it might in the future. This blog post will highlight these key issues that are going to be critical to the effectiveness of this personal data protection Commission in Ethiopia.
Independence of the Data Protection Commission
The independence of data protection Commissions is considered vital to ensure the protection of the individual data privacy. While the draft data protection proclamation proposes for the establishment of an independent Data Protection Commission, there is limited indication on how the Commission will ensure its independence in discharging its responsibilities. Art 5, for example stipulates that the Commission is “answerable to the House of Peoples’ Representatives”, which is the supreme political body and law-making organ of the state. The other provision that touches on the independence of the Commission is Art 9 of the draft which provides that “[t]he budget of the Commission shall be allocated by the House”. These two provisions, while helpful in ensuring the institutional independence of the Commission, are not adequate. The most important aspect of ensuring the independence of the Commission is also the appointment of independent Commissioners who are not politically affiliated to lead the Commission. The draft proclamation, however, does not provide a roadmap for the selection and appointment of the data protection Commissioner and the three Deputy-Commissioners. In some recently adopted legislations such as the new media proclamation 1238/2021, the law clearly provides for the selection of board members that regulate the media sector in Ethiopia, most of which the law says should be drawn from the civil society. It is true that the draft proclamation provides a generic guidance that the commissioners should be independent and impartial, but given the lack of independence of most rights-based institutions in Ethiopia, a more robust and explicit provision on the composition of the commissioners is necessary.
Comparative experiences on personal data regulation further show that “[n]ot only must the law underpinning a supervisory body’s creation contain provisions specifically guaranteeing independence, but the organisational structure of the authority must demonstrate independence.” Other legislative frameworks such as the European GDPR clearly articulate that supervisory authorities should have “complete independence”. As an authority that has the mandate to regulate an extremely sensitive personal data of individuals and their right to privacy, the independence and impartiality of the Commission is critical to gain trust and legitimacy from the public and undertaking its watchdog function of ensuring the right to privacy of individuals.
Mandate and Power of the Commission
It is, of course, also imperative that regulatory authorities of personal data have adequate mandate and power discharge their responsibilities of ensuing the right to privacy and the personal data of individuals. The draft Ethiopian data protection law provides a number of powers to the data protection Commission to discharge its responsibilities. Some of the key mandates and powers of the commission in Art 6 of the draft data protection law include the following:
- ensure compliance with this Proclamation;
- make the administrative arrangement it considers appropriate for the discharge of its duties;
- issue directives, guidelines and forms for the purposes of this Proclamation;
- promote public awareness, among others, of its functions and powers as well as their activities; of the rights of data subjects and the exercise of such rights; and of data controllers and data processors of their responsibilities under this Proclamation;
- conduct an audit of personal data maintained by data controllers, including individuals, for the purpose of ascertaining whether or not the data is maintained according to the data protection principles;
- investigate following legally established investigation procedures and principles complaints made to it, and require information which are relevant for its investigation;
- get injunction order for the expeditious preservation of data, including traffic data, where it has reasonable ground to believe that the data are vulnerable to loss or modification; and
- cooperate with supervisory authorities of other countries, to the extent necessary for the performance of its duties under this Proclamation, in particular by exchanging relevant information in accordance with any other law;
As can be seen from the above provision, the list of powers and mandate of the Commission is quite broad. However, on a closer look one also notices that there are some issues which should have been better articulated in providing a wide range of powers to the Commission. For example, it is not clear from the draft proclamation whether the Commission has the power to provide effective remedy including compensation for the damage sustained by data beach of data subjects. A parallel clause in the GDPR in Art 82 for example provides a clear stipulation that individuals have the right to get compensation for data breach sustained by data controllers. While criminal responsibility such as the imposition of fines is common in many jurisdictions, whether the Commission will have the power to give compensation for individuals whose data privacy has been breaches is something that needs to be clarified. The GDPR Art 82 clearly provides that individuals have not just the right to lodge complaints but also to get effective remedy including compensation for the violations. Art 82(1) provides that “ [a]ny person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” Accordingly, the data protection Commission should also be able to have the power to provide compensation for any damage sustained by violations of a data breach.
Broadly speaking, the Commission should also have at its disposal a wide range of administrative, criminal and civil remedies depending on the particular nature of the data breach and the violation of the data protection law. In this regard, the draft law fails to provide detailed guidance on the amount of fines and financial penalties that data controllers will face in the event of a breach. In the context of the GDPR there is a clear amount indicated that shows the amount of fine. Art 83(f) of the GDPR provides that “the supervisory authorities shall have the power to impose administrative fines for the infringement of the regulation up to 20, 000, 000 Euros or in the case of an undertaking, 4% of the total world wide annual turnover, whichever is high.” In determining the amount of fines and compensation for a breach, supervisory authorities such as the Commission should consider the nature, gravity and duration of the infringement, the categories of personal data affected, and whether it had an intentional or negligent character.
Lastly, it is unclear form the draft proclamation if the Commission itself has the power to investigate or whether that role falls under the jurisdiction of another entity. In many of the provisions that provide for the investigative power of the Commission it makes reference to other entities that may be given the power to investigate. In particular Art 71 provides that “The Commission may delegate any investigating or enforcement power conferred on it by this Proclamation to any relevant entity of the Federal or State Government.” This is a potentially problematic provision as the power to investigate and oversee the implementation of personal data should be the sole responsibility of the Commission itself.
Capacity and Institutional Challenges
From a practical point of view, there are also many critical enabling factors that should be considered in order to support an effective Commission. First, the Commission should have adequate budget, material and human resources in order to effectively function as an independent institution that oversees the regulation of data protection in Ethiopia. Given the economic challenges that the country is currently facing, it could be difficult to establish a new data protection Commission and allocate the required budget. This may also partially explain why the government of Ethiopia has not yet pushed for the adoption of the draft data protection law.
Second, the Commission must have clear jurisdiction, which necessitates greater clarity around whether data protection is ultimately regulated at the federal or state level. Article 4 seems to indicate that the proclamation is a federal law that will be also applicable to the regions. But given that the Constitution gives regional states legislative discretion to adopt their own laws, the draft should have provided clearly whether the Commission will also have complaints and issues arising from the processing of personal data arising from the regions. Moreover, while the head office of the Commission is going to be based in Addis Ababa, it is not clear if the Commission will have branch office in the regions and how the process of ensuring data protection is going to be affected in the regional states.
In general, in considering the prospects of establishing the personal data protection Commission of Ethiopia, it is important to create clarity on these issues. Given, the significant capacity challenges that the Commission is going to face in the initial phase of its work, support from partners in the area of digital rights is also critical to the success of the work of the Ethiopian Data Protection Commission.