Data protection & privacy laws in Ethiopia (2026)

Proclamation No. 1321/2024 was passed by the Federal House of Representatives on 4 April 2024 and gazetted on 24 July 2024, making it Ethiopia's first standalone, comprehensive personal data protection statute.

The Ethiopian Communications Authority (ECA) is the designated data protection regulator, responsible for maintaining a register of controllers and processors, investigating complaints, issuing enforcement notices, and imposing administrative fines.

Processing must comply with principles of lawfulness, proportionality, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality. Recognised legal bases include consent, contract performance, legal obligation, public-health emergency, public-authority mandate, and legitimate interest.

Data subjects are granted rights to: be informed, access their data, rectification, erasure, objection to processing, restriction of processing, protection against solely automated decisions, and data portability.

Controllers and processors must store locally-collected personal data on servers or data centres physically located in Ethiopia. Cross-border transfer of sensitive personal data requires prior ECA approval; the ECA may designate certain categories as 'critical personal data' that must remain in-country.

As of early 2026, ECA has yet to publish implementing directives (four were in draft pipeline as of mid-2025) and no public enforcement actions have been recorded. A digital registration portal for controllers and processors was previewed but not yet operational, reflecting limited institutional capacity.