Human rights bodies and media institutions have raised concerns about intentions to grant the Ethiopian Communications Authority near-total control over the regulation over personal data.
Critics questioned the impartiality of the Authority – a government agency – during a Parliamentary discussion on the final draft of the ‘Personal Data Protection’ proclamation on January 10, 2024. The half-day session saw private sector reps, heads of public legal departments, and NGOs challenge officials from the Ministry of Innovation and Technology, who drafted the legislation.
The proclamation was initially floated in 2020, and the early drafts call for the establishment of an independent institution – the ‘Ethiopian Personal Data Protection Commission’ – to enforce private data protection.
However, the final draft under discussion earlier this week designates the Ethiopian Communications Authority (ECA) as the federal entity charged with regulating and safeguarding personal data.
“The Authority is a government institution and it cannot be impartial or free from the influence of the government’s executive branch,” said Befekadu Hailu, executive director of the Center for Advancement of Rights and Democracy (CARD).
Federal officials argue ECA would be the most efficient choice.
“Establishing a new institution to regulate data privacy would be redundant. It would be better to give the role to an existing institution that has a similar mandate,” said Balcha Reba (Eng.), director-general of the Communications Authority.
He argues ECA’s establishment proclamation grants it a similar mandate.
“The Authority is a free and independent federal institution accountable to the Prime Minister,” said Balcha. “It’s the right institution for implementing the personal data proclamation.”
If approved, the draft would place the Authority in charge of regulating the collection, processing, administration, and transfer of all kinds of personal data. This would include biometrics, financial records, physical, medical and physiological data, genetic information, and other economic, political, and social data.
It is too wide a scope for some of the draft’s critics.
“How can ECA regulate biometrics data?” asked Getachew Girma, legal director at the Biotechnology and Emerging Technologies Institute.
There are other concerns as well. A major one is the draft’s proposed age limits: its authors want to see laws regarding personal data apply to anyone over the age of sixteen.
“Children under eighteen years of age are under the guardianship of the family. So why does the proclamation choose sixteen as the age limit?” asked Rigbe Gebrehawaria, commissioner for Women, Children, the Elderly, and Disability Rights at the Ethiopian Human Rights Commission (EHRC).
“It is against international conventions,” said Abdi Jibril Ali (PhD), commissioner for Civil and Political and Socio-Economic Rights at EHRC.
Officials from the Innovation Ministry argued that minors are exposed to the internet, and it is difficult to consult families over matters regarding children. They also pointed to EU data laws, which apply to residents over the age of thirteen.
The legal representatives of Ethio telecom and commercial banks, on the other hand, were more interested in compensation for the investments they make in data collection and storage.
“We invest a lot to collect data and store it. Now the proclamation states data shall be transferred freely. How can we be compensated for the investments we make in data collection, if the data we collect is freely transferred? There is also an issue of competition,” said Endale Asrat, a representative from state-owned Ethio telecom.
The proclamation governs only data originating from Ethiopia, but not data flowing via Ethiopia.
Ambassador Reta Alemu, a representative from the Ministry of Foreign Affairs, raised concerns about how the diplomatic community and foreigners in Ethiopia can access data if the proclamation’s purview is limited to Ethiopian citizens.
Officials from the Central Statistics Service asked for a clear definition of ‘data’, ‘information’, ‘statistics’, and ‘intelligence’, which they say is not provided in the draft.
There were also questions about the use of personal data in academic studies and research. The draft permits full freedom in collecting private data for research as long as participants are well informed, but concerns were raised about data misuse.
Others argued the proclamation focuses on data processors and not collectors. But Ministry experts stressed that individual rights are at the heart of the legislation.
Amare Eticha, legal director of the Information Network Security Agency (INSA), also stressed, among others, that “the draft proclamation does not consider data theft.”
Amare is also uneasy with the fact the draft allows regulatory officials to act as data processors at the same time.
The privacy concerns are mirrored in questions about surveillance cameras in public places.
“The utilization of surveillance cameras must be transparent. Those who use surveillance cameras cannot use the data and information for other purposes. If it is for security purposes, then it can be used only for security purposes. Hotels cannot install cameras in bedrooms,” said
The criticisms were received by Negeri Lencho (PhD), chair of the Parliamentary Human Resources Development, Placement, and Technology Affairs committee.
Belete Molla, minister of Innovation and Technology, did not reply to many of the questions posed by participants before wrapping up the session.
“We’ll take the questions and suggestions as input,” he said.