Note: This piece is an excerpt from an upcoming law review article titled “The Dark Future of Privacy in Ethiopia, And How to Stop It”
Ethiopia doesn't have laws that are specifically designed to deal with privacy and data protection issues except a few set of rules contained in various pieces of legislation that guarantee right to privacy rather in a very indirect fashion. The major sources of Ethiopian law dealing with issues of privacy and data protection can generally be grouped into four categories. These are: (1) the constitution, (2) international human rights instruments, (3) subsidiary laws and (4) case law. This piece briefly highlights these sources of Ethiopian privacy law. In so doing, it aims at providing a synopsis of operational privacy rules in Ethiopia.
Ethiopia recognized right to privacy throughout its brief constitutional history, albeit to a different degree. The first written constitution of 1931 explicitly recognized the right of Ethiopian subjects not to be subjected to domiciliary searches and the right to confidentiality of correspondences except in cases provided by law. These rights were also incorporated with a more amplified tone in the revised constitution of 1955. The 1987 constitution of the Dergue also did guarantee Ethiopians the right to the inviolability of their persons and home along with secrecy of correspondences. The transitional government charter didn’t make a specific reference to privacy safeguards; but it did state that all rights provided for under the Universal Declaration of Human Rights (UDHR) shall be fully respected, and without any limitation whatsoever.
A more comprehensive privacy safeguard is however introduced by the Constitution of 1995 (Ethiopian Constitution) which protects privacy of persons, their home and correspondences. Notable about the constitutional privacy provision is that it is framed illustratively so that all forms of intrusion into private spheres are prohibited. The Constitution requires public officials not only to refrain themselves from interferences with individual privacy, but also to prevent private persons or entities that would impair the right. The right to privacy is not however absolute. The Constitution under Art 26(3) puts a limitation clause to the right to privacy for other competing and compelling interests. Limitation to the right to privacy is allowed only when three important elements are satisfied together: (1) there must be compelling circumstances; (2) restriction must be in accordance with specific laws; and (3) there must be legitimate aims. The privacy provision of the constitution is apparently informed by the privacy provisions of the UDHR and the International Covenant on Civil and Political Rights (ICCPR) to which Ethiopia is a state party.
B. International Human Rights Instruments
All international agreements – including human rights conventions – are integral part of the Ethiopian law while the status of such treaties in the hierarchy of laws remains elusive. The Constitution explicitly mandates that human rights and fundamental freedoms recognized under chapter III of the text shall be interpreted in light of the Universal Declaration of Human Rights (UDHR) and International covenants on human rights adopted by Ethiopia. On top of its explicit mention under the constitution, Ethiopia is bound by the UDHR as a matter of customary international law which guarantees everyone a human right to privacy and family life.
The ICCPR is one of the international covenants that guarantees right to privacy, which Ethiopia ratified in June 11 1993. The covenant details the right to privacy as follows: (1) No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. (2) Everyone has the right to the protection of the law against such interference or attacks.The convention on the Rights of the Child is the other international instrument that recognizes the right to privacy, which Ethiopia ratified in 14 May 1991.
Ethiopia is also a state party to the African Charter on Human and Peoples Right. The Charter however doesn’t explicitly guarantee the right to privacy. Yet, it has been argued that some aspects of the right to privacy could possibly be implied from some provisions of the convention. The Charter, for instance, guarantees the respect of dignity of human beings and freedom from all forms of exploitation and degradation, including torture. The respects of one’s dignity and the freedom from torture carry protection to one’s autonomy, physical and moral integrity. And, private life of a person includes, among others, his autonomy, physical and moral integrity which signify an aspect of privacy.
The upcoming AU Convention of Confidence and Security on Cyberspace goes to a great length in regulating personal data protection, which is just an aspect of right to privacy. Part II of the draft Convention is dedicated to deal with the protection of personal data. The convention is due to be adopted by heads of states and government in the next AU summit to be held in Addis Ababa. As an important member of the AU, Ethiopia is likely to sign and ratify the treaty once it is endorsed by heads of state and government. This would ultimately make the Convention part and parcel of the Ethiopian law thereby adding a new body of privacy law.
C. Subsidiary Legislation
i. Civil laws
a. Civil Code – Rights of Personality
The Ethiopian civil code is the major subsidiary legislation that regulates the right to privacy under what it refers to as ‘rights of personality’. At a more general level, it provides that every physical person shall enjoy the rights of personality recognized under the Ethiopian constitution. In so doing, it makes reference to civil rights guaranteed under the (FDRE) Constitution including the right to privacy. The code further provides specific personality rights some of which have clear privacy undertones. The privacy safeguards guaranteed within the umbrella of rights of personality recognized under the code are the following: right not to be searched in ones person; inviolability of domicile; inviolability of correspondences and right to ones image. There are also rights with some privacy undertones such as the right to refuse medical examinations, right against unlawful molestation and the right to keep silent. No reported cases are yet available how these provisions have played out in court except a very recent ruling given by the Federal Supreme Court Cassation Division that implicated the right to image provision of the Civil Code. As shall be seen later, given that the decisions of the Cassation Division have the status of precedent, the case is in effect establishes a new case law in the field of privacy.
Ethiopian law of torts also recognizes privacy tort. Rules of defamation are the first set of rules that protect a person against libelous publications or slander. What is notable about Ethiopian law is that an offense would be deemed to have been committed even when the statements or writing are true in so far as there is intent to injure. The second important privacy safeguard under the Ethiopian tort law is right against trespassing. This rule protects privacy of one’s home against unwelcome intrusions the violation of which may result in extra-contractual liability.
b. Freedom of Mass Media and Access to Information Proclamation
The Freedom of the Mass media and Access to information law is another civil law that indirectly provides safeguards to data privacy. While recognizing the right of every citizen to have access to information held by public bodies, it provides that such rights may be restricted should ‘public’ and ‘private’ interests so require. According to this rule, with the view to protect the privacy of individuals, public bodies may deny access to public records that may contain personal information. The law further provides that concerned public record officers must reject requests for personal information where disclosure of such information may constitute ‘unreasonable’ disclosure of a third party’s personal information.
What is commendable about the freedom of information law is that it has very crucial notification and intervention rules by which a data subject – the person on whom data is requested - will be notified of any requests made with respect to information that he declared confidential and will be allowed to intervene to protest disclosure of such information. The law also has another category of information whose disclosure may be restricted: confidential information. These sorts of information are those confided with the public body under contractual confidentiality agreement. Accordingly, any such information may not be disclosed except with the consent of the data subject.
The Freedom of Information law is the only legislation in Ethiopia that contains a comprehensive definition of personal information. It defines personal information as: ‘information about an identifiable individual, including but not limited to: (a) information relating to the medical or educational or the academic, employment, professional or criminal history, of the individual or information relating financial transactions in which the individual has been involved; (b) information relating to the ethnic, national or social origin, age, pregnancy, marital status, colour, sexual orientation, physical or mental health, wellbeing, disability, religion, belief, conscience, culture, language or birth of the individual; (c) information relating to any identifying number, symbol or other particular assigned to the individual, the address, fingerprints or blood type of the individual; (d) the personal opinions, views or preferences of the individual except where they are about another individual or about a proposal for a grant, an award or a prize to be made to another individual; (e) the views or opinions of another individuals about a proposal for a grant, an award or a prize to be made to the individual, but excluding the name of the other individual where it appears with the views or opinions of the other individual; (f) the views or opinions of another individual; or (h) the name of the individuals where it appears with other personal information relating to the individual or where the disclosing of the name itself would reveal information about the individual; but excluding information about a person who has passed away before 20 years.’
Overall, the law also implicitly embodies some basic data protection principles. For instance, while requiring public bodies (de facto data controllers) to maintain public records in accordance with the code of practice issued by the ombudsman, it implies what is called ‘principles of data security’. The ‘principle of data quality’ is also latent in the law where it provides that public bodies or data controllers shall make sure that corrections are made on personal information kept. Also to be inferred from the law is the ‘principle of individual participation’ as the law requires that public bodies shall notify data subjects when requests for data concerning the data subjects are made and the later are invited to lodge protest, if any.
The law is not however without limitations. A trouble side of the freedom of information law is that it allows pubic bodies to provide access to personal information indirectly outside the formal channel. It reads in its relevant parts as: “nothing in this proclamation shall be understood as limiting the power of public bodies to provide access to information on an informal basis.” The law in effect permits back doors that maybe misused in practice. Also of concern is that the law claims supremacy over any other law that may restrict disclosure of personal information. According to this proviso, no other law other than the freedom of information act could restrict access to information. In practical terms, this means that the rules of confidentiality of tax information provided under the income tax law doesn’t apply where request for information is made. Any decision to allow access or deny request of tax information is to be made as per rules of the freedom of information act, not the tax legislation.
c. National Identification Cards Proclamation
The law on the registration of vital events and national identity cards is another law in which one finds privacy protective rules. According to this law, disclosure of personal information is restricted to be made only under exceptional circumstances such as upon the consent of the data subject or court order. Curious enough, the law provides that where disclosure of personal information is likely to prejudice public interest, no disclosure will be made even with the consent of the data subject concerned.
d. Criminal laws
1. Criminal Code
The Ethiopian criminal code of the 2004 is perhaps the most important piece of legislation that deals with privacy at some length and in a more direct fashion. Indeed, it penalizes privacy violation in almost the same order that the constitution guarantees right to privacy. Criminal acts made punishable under the code are generally three. First, it penalizes unlawful interference or restraint on the free exercise of civil rights – right to privacy included – guaranteed under the Constitution or other laws. This proviso criminalizes violation of privacy of persons such as unlawful searches and violations of personality rights recognized under the Ethiopian Civil Code. As we have noted above, the Civil Code provides a handful of personality rights with clear privacy undertones. And, the violation of those personality rights results in not just liabilities under civil law but also criminal punishments.
Second, the criminal Code outlaws ‘violation of privacy of domicile or restricted areas’. Notable about this provision is that it also covers violation of the privacy of premises of entities as well. Read closely, this means that Ethiopian law recognizes privacy of not just individual person but also legal persons which normally don’t enjoy individual rights as right to privacy. The third criminal act in connection with privacy rights is ‘violation of privacy of correspondence’. This penalizes the right to privacy of communications such as letters and electronic communications. This offense is nevertheless punishable only upon complaint and accusation.
2. Criminal Procedure Code
The criminal procedure code has also privacy protective rules, albeit indirectly. It, for instance, provides that no person or premises may be searched without a court warrant unless under exceptional circumstances. The exception includes when there is a ‘reasonable suspicion’ that he possesses any articles serving as a material evidence for the offence he is accused or is suspected to have committed. Also notable about the code is that it commendably details the circumstances under which warrants may be issued, and it even specifies the time during which searches and seizures may be made.
D. Case law
Precedent has recently been introduced into the Ethiopian legal system by virtue of Proclamation No. 454/2005. The proclamation stipulates that decisions of the Federal Supreme Court Cassation Division bind courts of all levels in Ethiopia. In effect, final interpretation of the law given by the highest court in the country serves as law and has to be applied uniformly throughout the country. It is only recently that the Cassation court passed a landmark case that implicated the privacy provisions of the Ethiopian civil code noted above. In Riyan Miftah v. Elsewdi Kebels Plc, the Cassation court rules that no image or photograph of a person may be publicly exhibited, sold or disseminated without the consent of the person and the latter is entitled to damages for violation of the right of image.
The foregoing discussion illustrates the fragmented nature of the Ethiopian privacy law regime. One barely finds a single comprehensive body of law designed to deal with privacy in general. What we currently have is just a patchwork of rules scattered across various legislations, and notably rules that regulate privacy in a very indirect fashion. Despite this state of affair, the Ethiopian government has recently drafted a full-fledged data protection proclamation reportedly benchmarked after major instruments in the field such as the European data protection directive. Given that this draft legislation is yet to be made accessible to the public and still is in a very crude stage, it is too soon to provide a critique at this point in time. It nevertheless is an opportune moment to suggest that the draft legislation shall be revisited in the light of already existing data privacy and data protection rules as well as the draft AU convention on cyber legislation which presently is in the offing.