Ethiopia’s Parliament approves Personal Data Protection Bill

The House of Peoples Representatives (HoPR) of the Federal Democratic Republic of Ethiopia has taken a historical step by ratifying the Personal Data Protection Proclamation during its 20th ordinary session held on April 4, 2024. This development represents a major step forward in Ethiopia’s digital transformation journey and shows the country’s commitment to building an inclusive and secure digital economy.  

Historically, Ethiopia has lacked a dedicated legislation setting out personal data rights, and a supervisory authority to enforce such legislation. This latest proclamation heralds a new provision of statutory guidance for personal data breaches, mitigating risks associated with data processing, and provides a framework which demands accountability among data processors and controllers. Ethiopia, like much of the world, has seen an increase in digital-first services and products and legislators felt it was high time to enshrine the protection of personal data, while supporting economic development. Key features of the proclamation include providing resolutions for personal data breaches, minimising risks associated with data processing, and promoting accountable data management practices.  

For companies operating within Ethiopia or processing personal data within the country, the ratification of the Personal Data Protection Proclamation presents both opportunities and responsibilities.  To ensure compliance with the provisions of the new Bill, privacy leads must adequately establish a privacy programme that adheres to the regulatory guidelines, which may take some time to bed in. To effectively protect the personal data rights of everyone, strong horizon watching for updates to the Bill must be maintained, as well as watching for any notable impacts of the regulation in practice – both in business and for individuals.  

ICO releases guidance on health data transparency  

The Information Commissioner’s Office (ICO) has taken a proactive stance in supporting health and social care organisations in their endeavour to uphold transparency regarding the use of personal information. In a recent announcement, the UK ICO has unveiled its latest revisions to guidance regarding the handling of health data. This crucial update aims to ensure that health organisations stay up to date with the evolving rules governing the storage and collection of patient information.  Given the inherently sensitive nature of health data, particularly within the health and social care sectors, maintaining public trust is paramount.  

The newly released guidance serves as a vital tool for organisations, offering clarity on the concept of transparency and providing a framework for evaluating appropriate levels of disclosure. The guidance is tailored to offer practical steps for developing transparent communication strategies. By complying with these guidelines, health organisations can bolster public confidence in their handling of personal information, ultimately enhancing the quality of care provided to patients.   

The guidance has been developed from a consultative process involving feedback from health and social care entities across the UK, reflecting a collective effort to enhance understanding and implementation. The guidance supplements existing ICO directives on transparency and the right to be informed, reinforcing the importance of clear, open, and honest communication with individuals regarding their personal information use.  

For organisations within the health and social care sectors, embracing the guidance provided by the ICO on transparency is not only a regulatory necessity but also a vital step towards accountable and ethical data practices.    

CNIL fines retail chain for alleged spam messages 

On April 4th, 2024, the French data protection authority, CNIL, imposed a significant fine of €525,000 on HUBSIDE.STORE for using data provided by data brokers for commercial prospecting purposes without obtaining valid consent from the individuals involved.   

An investigation revealed that the company misrepresented the data collection forms used by data brokers, effectively bypassing the consent process and obtaining data without proper authorisation. These actions directly violate Article L.34-35 of the French Post and Electronic Communications Code (CPCE) and Article 6 of the GDPR, which mandate transparent and consent-based data practices.   

The fine, amounting to 2% of the company’s turnover, reflects the severity of the breach and the culpability of HUBSIDE.STORE in mishandling customer data. The CNIL emphasised the importance of holding organisations accountable for their data usage practices, reiterating that it is the responsibility of every company to ensure that individuals have provided valid consent for data usage.   

While HUBSIDE.STORE had imposed contractual obligations on its data suppliers, it failed to effectively monitor and enforce these requirements. This incident serves as a strong reminder to businesses about the critical importance of robust data management protocols and compliance with data protection regulations. Organisations should prioritise compliance with data protection regulations, such as obtaining valid consent, providing comprehensive information to individuals, and implementing robust controls throughout the data processing lifecycle, to avoid penalties and maintain trust with customers. It is equally important for companies to monitor and ensure compliance by all stakeholders.  

South Korea’s PIPC releases compliance guide for overseas businesses  

The South Korean Personal Information Protection Committee has unveiled a comprehensive guide aimed at safeguarding the personal information of Korean citizens held by foreign businesses. Published recently, the “Overseas Businesses’ Personal Information Protection Act Application Guide” is a crucial resource that spells out the legal obligations foreign entities must fulfil under the revised Personal Information Protection Act (PIPA).  

The guide outlines three broad categories of overseas businesses subject to the PIPA: 

  • First, it identifies that any foreign business providing goods or services to Korean data subjects must comply with the PIPA. Criteria for determining this include language, currency, service provision types, and methods.  
  • Secondly, even if not directly targeting Korean data subjects, if an overseas business processes their personal information and significantly impacts them, the protection law may still apply.  
  • Finally, the law may extend to overseas businesses with operations in Korea that involve processing personal information. For instance, if a global service company designates a Korean corporation as the personal information processor for Korean information subjects, the Korean corporation falls under the data protection law’s purview.  

Additionally, the guide addresses critical areas such as appointing a legal representative for children under 14 years of age, overseas data transfer mechanisms, disclosure methods for processing policies, and prompt reporting of data breaches. It is important to note the requirement for overseas businesses, similar to domestic companies, to report data breaches to the Personal Information Commissioner’s Office within 72 hours, and promptly notify affected data subjects. Also, the guide emphasises the necessity for transparency in processing personal information overseas, advocating for clear disclosure of processing activities and key country/business details in processing policies viewed by data subjects.  

To ensure wide accessibility of the guide, the Personal Information Commission will make it available on its official website, as well as the Personal Information Portal. Affected companies are encouraged to prioritise aligning their practices with the guidelines by reviewing and updating relevant policies, enhancing data protection measures, and implementing robust breach notification procedures.  

As a global B Corp organisation, HewardMills is ready to partner with and support your organisation’s needs to safeguard personal data and tackle challenging ever-evolving global data protection regulatory requirements. Contact our team if you want to discuss any of the topics or regulatory updates discussed. 

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at