Ethiopia: Implemented Personal Data Protection Proclamation (Proclamation No. 1321/2024) including data protection authority governance

On 24 July 2024, the Personal Data Protection Proclamation enters into force. The proclamation empowers the Ethiopian Communications Authority to enforce the proclamation. It allows the Authority to establish administrative structures and regulate the processing of personal data in public health crises, national emergencies, or for public authority functions within legal limits. It may define additional categories of sensitive data requiring safeguards and impose conditions or restrictions on data transfers to third-party jurisdictions to protect data subject rights. Data controllers and processors must seek the Authority’s authorisation before processing personal data to ensure compliance and mitigate risks, particularly in cases involving insufficient safeguards for data transfers. The Authority can prohibit, suspend, or condition such transfers to uphold fundamental freedoms.