Ethiopia Proclamation 1321/2024

Personal Data Protection Proclamation No. 1321/2024

Key Facts

Effective Date: July 24, 2024
Enacted: April 4, 2024
Enforcing Authority: Ethiopian Communications Authority (ECA)
Consent Model: Opt-in
Applies To: All data collectors and processors handling personal data within Ethiopia; institutions face up to 4% global turnover penalties

Overview

Ethiopia's Personal Data Protection Proclamation 1321/2024 is the country's first comprehensive data protection law, effective July 24, 2024. Enforced by the Ethiopian Communications Authority (ECA), it establishes consent as the foundation for all data processing and mandates strict data localization requiring servers within Ethiopia. The law carries some of the harshest criminal penalties in Africa, with up to 10 years imprisonment for selling personal data and a 4% global turnover penalty for institutions.

What This Means for Your Website

If your website collects personal data from Ethiopian users, you must obtain consent before processing, store data on servers within Ethiopia, and report breaches within 72 hours. The law's data sovereignty principle and localization requirements may require infrastructure changes. Penalties are severe, with both criminal and administrative enforcement.

Key Requirements

Consent is required for all personal data processing. Data must be stored on servers within Ethiopia. Breaches must be reported within 72 hours. Processing must follow principles of lawfulness, proportionality, purpose limitation, and data minimization. Data subjects have rights to access, rectify, erase, and restrict processing. Data sovereignty is explicitly enshrined as a principle.

How ConsentStack Handles This

ConsentStack provides compliant consent collection for Ethiopia's Proclamation 1321/2024. The platform delivers a configurable consent banner, records all consent decisions with timestamps for ECA audit requirements, and supports data subject rights workflows. ConsentStack's consent logs provide the documentation needed to demonstrate lawful processing under the proclamation.

Penalties

  • 1-3 years imprisonment or ETB 60,000-100,000
  • 3-5 years or ETB 100,000-200,000 (automated decision violations)
  • 5-10 years or ETB 200,000-600,000 (unlawful cross-border transfers/selling data)
  • Up to 4% of global turnover for institutions

Maximum Fine: ETB 600,000 aggregate
Revenue-based: 4% of annual revenue

Key Requirements

  • Consent required for all personal data processing
  • Data localization: personal data must be stored on servers within Ethiopia
  • 72-hour breach notification requirement
  • Principles of lawfulness, proportionality, purpose limitation, data minimization, and accuracy
  • Data subjects have rights to access, rectify, erase, and restrict processing
  • Data sovereignty explicitly enshrined as a principle

Notable Provisions

  • Among the harshest criminal penalties in Africa — up to 10 years for selling personal data
  • Strict data localization requirement mandating Ethiopian servers
  • 4% global turnover penalty for institutions mirrors GDPR levels
  • Data sovereignty explicitly enshrined as a legal principle

Other Sub-Saharan Africa Regulations

POPIA (South Africa)
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPA (Nigeria)
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843 (Ghana)
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019 (Republic of Kenya)
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022 (United Republic of Tanzania)
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450 (Ivory Coast)
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

What are the penalties under Ethiopia's Proclamation 1321/2024?

Penalties range from 1-3 years imprisonment or ETB 60,000-100,000 for basic violations, up to 5-10 years or ETB 200,000-600,000 for selling data. Institutions face up to 4% of global turnover.

Does Ethiopia require data localization?

Yes, the proclamation mandates that personal data must be stored on servers physically located within Ethiopia.

When did Ethiopia's data protection law take effect?

The proclamation was approved on April 4, 2024, and became effective on July 24, 2024, upon publication in the Federal Negarit Gazette.

Who enforces Ethiopia's data protection law?

The Ethiopian Communications Authority (ECA) is the designated enforcing authority under Proclamation 1321/2024.
