Bill looks to grant Comms Authority control over data privacy

By Nardos Yoseph

December 2, 2023

A bill that would give the Ethiopian Communication Authority (ECA) sweeping control over data privacy is making its way through Parliament.

The latest draft is a rework of data privacy laws that surfaced in 2020 but with some significant changes. Officials at the Ministry of Innovation and Technology have abandoned plans to establish a data protection commission, instead opting to divide up the responsibilities between their offices and the Authority.

The proposal would see the Ministry take on policy and strategy issues, while the Authority would receive a wide range of powers that extend to the formulation of new regulations and directives relating to data privacy.

The draft has adjusted or eliminated entire sections of its earlier version – no less than 20 articles have been removed.

Provisions on children’s personal data protection have seen adjustments such as the lowering of the cutoff age from 18 to 16, and handing consent authorization rights to guardians. The processing of children’s data for marketing, profiling or merging of profiles is prohibited.

Clauses granting the Office of the Prime Minister exemptions to some of the proposed laws in the name of security have been thrown out in the new draft.

On the other hand, the draft proposes to make the ECA the sole entity in charge of regulating interactions between data subjects, processors and controllers. The Authority will also have the power to set fines and fees associated with data privacy.

The draft also looks to grant the Authority the mandate to further expand categories of sensitive personal data, determine the level of protection in third-party jurisdiction data transfer, and set conditions and safeguards for cross-border data transfer.

The Authority will also have the responsibility to determine what is classified as “critical data” and can subsequently only be processed and stored in servers or data centers physically located within the country’s borders.

ECA is also set to be the body governing the registration and obligations of data controllers and processors. Its officials have the authority to legislate directives outlining the requirements for registration, and the right to refuse applications.

The Authority will also have the power to revoke certificates, which are to be renewed every two years.

ECA will also have the final say on matters concerning personal data breaches. A data controller is obliged to notify the Authority of a breach within 72 hours, while ECA retains the right to conduct security inspections and assessments at any time.

The Authority will also handle complaints, gather records on data processing complaints, impose administrative fines, as well as enforce sanctions and orders. The draft grants the Authority a three-week period to investigate and pass a decision following a complaint from a data subject.

The Authority’s decision is final, but can be appealed at the Federal High Court.

Criminal offenses related to personal data breaches can be punishable with imprisonment of up to three years, as well as fines of up to 50,000 birr.

Violating the rights of data subjects can entail a five-year prison sentence and a 100,000 birr fine.

The re-identification of personal data that has been destroyed or erased can carry a sentence of up to 10 years.

Offenses committed by an institution are punishable by fines of up to four percent of its total worldwide turnover from the preceding financial year.

Stakeholders in the data collection, processing and marketing industry have yet to discuss the draft with policymakers and parliamentarians.