By Befekadu Hailu, Executive Director at the Center for Advancement of Rights and Democracy (CARD)
The Global Context
In 2006, the British mathematician Clive Humby coined what is now a popular phrase; “data is the new oil”. In 2022, five of top earning corporations around the world are working in the area of information and communications. Throughout the years corporations within and outside of the communications world have been collecting and using huge amounts of data to analyze and interpret customers’ demand to maximize profit, and have deployed tactics based on those data such as targeting them with politically tailored messages. Today, artificial intelligence is used to enhance data mining and analysis across sectors including medicine and technology. Despite its utility in research and provision of social solutions, it has become clear that data collection and processing is also causing unethical violations of privacy rights and manipulation of the behavior of targets.
One of the biggest examples on misuse of data by business corporations is the data breach sometimes referred as ‘the Cambridge Analytica Scandal’. This misuse of around 87 million Facebook users’ data to manipulate voters during the 2016 US presidential election by Cambridge Analytica, a UK based political consulting firm, was notably carried out without explicit consent of the data subjects. Business Insider reported quoting a whistleblower that “Cambridge Analytica came up with ideas for how to best sway users’ opinions, testing them out by targeting different groups of people on Facebook. It also analyzed Facebook profiles for patterns to build an algorithm to predict how to best target .” The consulting firm later filed for bankruptcy after the scandal was leaked and Facebook was fined £500,000 by the UK’s Information and Commission’s Office.
Corporations, however, are not the only bodies that can potentially misuse personal data without the explicit permissions of the data subjects. Governments might also deploy large-scale data surveillance systems to help strengthen their hold on power. For example, China has been reportedly using artificial intelligence to improve its surveillance capabilities.
The Ethiopian Reality
In this digital age, Ethiopia is not an island exempted from the challenges that come with the advancement of data collection and processing capacity of technology companies or others who use the technology to maximize interests. However, the internet penetration in Ethiopia has only reached 24% as of 2022, and ethiotelecom, the state monopoly of telecom service provision until recently has been the most profitable business in Ethiopia for successive years. Furthermore, Safaricom has become the first privately owned business to join the telecom service provision in Ethiopia. Liberalization of the telecom service provision along with expansion of internet penetration and booming of tech startups make data protection an urgent matter for Ethiopian citizens. Debates on the topic have already entered the public space.
For example, one high profile controversy between Addis Ababa City Administration and RIDE metered taxi app service in September 2019 concerned the location of the data center of RIDE. According to the then head of Addis Ababa City Transport Bureau, Solomon Kidane (Ph.D.), RIDE has put the safety and security of its users’ data by using data servers in foreign jurisdiction. The owner of the metered taxi service app, Samrawit Fikru, on the other hand, argued that there is no infrastructure in place to store customers’ data safely and use it effectively in-country. Beyond the specific controversy, the need for a policy framework which governs data issues emerges as the transfer of personal data to third parties in other jurisdictions requires international cooperation for regulation as well as explicit consent and the right to be informed to the data subjects whose rights are in jeopardy.
Data protection is a part of privacy rights, which is constitutionally protected in Ethiopia. Therefore, the protective mechanisms should evolve along with the methods used to collect user data.
The Ethiopian economy, netizens’ digital literacy, government’s regulatory capacity and willingness, and rise of data collecting businesses make the passage of an independent data regulation policy an urgent matter.
In 2021, Ethiopia ranked last in the digital quality of life index among 110 world’s most populous countries. The index has also indicated Ethiopia’s low score in infrastructure, internet quality and affordability, and governance among others. Lack of quality and accessible infrastructure is one of the factors driving many of the businesses that collect their customers’ data to use servers located in foreign jurisdiction which involves third parties without an enforcement to the data collector to notify data subjects about the associated dangers and potential lack of accountability in cases of data breach.
Similar to other countries, surveillance poses another challenge that exposes individuals’ privacy or data vulnerable. Historically, the Ethiopian government has been known for using technological tools to surveil citizens. The Ethiopian government recently introduced a national ID project where the issuance of the ID requires citizens to provide biometric information. In all cases, where Ethiopian businesses collect data or transfer it to third parties, or where the government of Ethiopia collects data of its citizens for public service provision, there is no legal ground that will be enacted to protect data or prevent breaches.
The Draft Bill and the Way Forward
In 2020, the Ministry of Innovation and Technology (MiNT) introduced a draft bill of personal data protection in Ethiopia. However, the draft bill has not been subjected for public consultation so far despite having been revised at least twice with comments received from . As of September of this year, the draft bill has been reportedly adopted by the Ministry of Justice and sent to the adoption of Council of Ministries. Upon adoption by the Council of Ministers, it will be sent to the parliament where it might see the light of effectiveness.
This personal data protection bill is expected to establish a Personal Data Protection Commission which will be accountable to the parliament. This is an important step towards a robust data protection policy framework; however, it is important to ensure the complete independence of the Commission for a better protective system. The Commission shall be protecting personal data from private entities, executive bodies of the government, and international organizations. Therefore, it needs to have a complete independence from control and influence of all actors it is expected to regulate data from.
The Center for the Advancement of Rights and Democracy (CARD) in collaboration with Internews’ Advocating for Data Accountability, Protection, and Transparency (ADAPT) project has been working to promote awareness on data protection as well as advocating for the revision of the draft bill for personal data protection since 2021. Accordingly, some advocacy materials have been produced to assist the development of policy framework towards a robust data protection.
Please visit the following:
- Blog: Prospects and Challenges of the Ethiopian Data Protection Commission [to be established]
- Position Paper on the Draft Personal Data Protection Proclamation in Ethiopia
- Documentary: Your Data as Profit Making Resource for Others [in Am]
- Policy Brief for Effective Data Protection in Ethiopia