Why Ethiopia Needs a Robust Data Protection Policy Urgently

The Global Context

In 2006, the British mathematician Clive Humby coined what is now the popular phrase “data is the new oil”.  In 2022, five of the top-earning corporations around the world are working in the area of information and communications. Throughout the years, not only corporations working in the area of communications but also other sectors have been using huge data to analyze and interpret customers’ demand and profit-making in addition to targeting them for politically tailored messages. Today, artificial intelligence is used to enhance data mining and analyzing in multiple sectors including medicine and technology among other things. Data collection and processing, as much as it is playing a significant role in research and the provision of social solutions, is also causing unethical violations of privacy rights and manipulation of the behavior of targets.

One of the biggest examples of misuse of data by business corporations is the data breach sometimes referred to as ‘the Cambridge Analytica Scandal’. It is a misuse of around 87 million Facebook users’ data to manipulate voters during the presidential election of the US in 2016 by Cambridge Analytica, a UK-based political consulting firm, without explicit consent of the data subjects. Business Insider reported quoting a whistleblower that “Cambridge Analytica came up with ideas for how to best sway users’ opinions, testing them out by targeting different groups of people on Facebook. It also analyzed Facebook profiles for patterns to build an algorithm to predict how to best target users.” The consulting firm later got bankrupt after the scandal was leaked and Facebook was fined £500,000 by the UK’s Information and Commission’s Office.

Corporations are not the only bodies that can potentially misuse personal data without the explicit permissions of the data subjects. Governments might also use huge data surveillance to install authoritative systems. For example, China has reportedly used artificial intelligence to improve its surveillance capabilities.

The Ethiopian Reality

In this digital age, Ethiopia is not an island exempted from the challenges that came across the advancement of data collection and processing capacity of technology companies or others who use the technology to maximize interests. However, the internet penetration in Ethiopia has only reached 24% as of 2022, ethiotelecom, the state monopoly of telecom service provision until recently has been the most profitable business in Ethiopia for successive years. Furthermore, Safaricom has become the first privately owned business to join the telecom service provision in Ethiopia. Liberalization of the telecom service provision along with the expansion of internet penetration and the booming of tech startups it makes data protection an urgent matter for its citizens and the debates are already in the public space.

For example, one of the controversies between the Addis Ababa City Administration and RIDE metered taxi app service in September 2019 has been the location of the data center of RIDE. According to the then head of Addis Ababa City Transport Bureau, Solomon Kidane (Ph.D.), RIDE has put the safety and security of its users’ data by using data servers in foreign jurisdictions. The owner of the metered taxi service app, Samrawit Fikru, on the other hand, argued that there is no infrastructure in place to put customers’ data safely and use it effectively in-country. Beyond the specific controversy, the need for a policy framework that governs data issues emerges out as the transfer of personal data to third parties in other jurisdictions needs international cooperation for regulation as well as explicit consent and the right to be informed to the data subjects whose rights are in jeopardy.

Data protection is a part of privacy rights, which is constitutionally protected in Ethiopia. Therefore, the protective mechanisms should evolve as the methods of data collection also evolve.

The Ethiopian economy, netizens’ digital literacy, government regulation capacity and willingness, and the rise of data-collecting businesses are the reasons making the placement of an independent data regulation policy an urgent matter.

In 2021, Ethiopia ranked last in the digital quality of life index among 110 world’s most populous countries. The index has also indicated Ethiopia’s low score in infrastructure, internet quality and affordability, and governance among others. Lack of quality and accessible infrastructure is one of the factors driving many businesses that collect their customers’ data to use servers located in a foreign jurisdiction which involves third parties without enforcement to the data collector to notify data subjects about the associated dangers and potential lack of accountability in cases of a data breach.

Like the challenge in other countries, surveillance is also another challenge that exposes individuals’ privacy or data vulnerable. Historically, the Ethiopian government is known for using technological tools to surveil citizens. Currently, the Ethiopian government has introduced a national ID project where the issuance of the ID requires citizens to provide biometric information. In all cases, where Ethiopian businesses collect data or transfer it to third parties, or where the government of Ethiopia collects data of its citizens for public service provision, there is no legal ground that will be enacted to protect data or prevent breaches. 

The Draft Bill and the Way Forward

In 2020, the Ministry of Innovation and Technology (MiNT) introduced a draft bill for personal data protection in Ethiopia. However, the draft bill has not been subjected to public consultation so far, it has been revised at least twice with comments received from stakeholders. The draft bill has been reportedly adopted by the Ministry of Justice and sent to the adoption of the Council of Ministries. Up on adoption by the Council of Ministers, it will be sent to the parliament where it might see the light of effectiveness.

This personal data protection bill is expected to establish a Personal Data Protection Commission which will be accountable to the parliament. This is an important step towards a robust data protection policy framework; however, it is important to ensure the complete independence of the Commission for a better protective system. The Commission shall be protecting personal data from private entities, executive bodies of the government, and international organizations. Therefore, it needs to have complete independence from the control and influence of all actors it is expected to regulate data.

The Center for the Advancement of Rights and Democracy (CARD) in collaboration with Internews’ Advocating for Data Accountability, Protection, and Transparency (ADAPT) has been working to promote awareness of data protection as well as advocating for the revision of the draft bill of Ethiopia for personal data protection since 2021. Accordingly, some advocacy materials have been produced to assist in the development of a policy framework toward robust data protection.

Please visit the following:

  1. Blog: Prospects and Challenges of the Ethiopian Data Protection Commission [to be established]
  2. Position Paper on the Draft Personal Data Protection Proclamation in Ethiopia
  3. Documentary: Your Data as Profit-Making Resource for Others [in Am with English subtitles]
  4. Policy Brief for an Independent Data Protection in Ethiopia

Center for Advancement of Rights and Democracy (CARD)

Making Democracy the Only Rule of Game!

Leave a Reply

Your email address will not be published.