
Access Now and CARD Urge Immediate Action Against Privacy Violations
In an alarming development, the Commercial Bank of Ethiopia (CBE) has published personal data of hundreds of individuals, sparking a call from Access Now and the Centre for Advancement of Rights and Democracy (CARD) to cease this public shaming campaign immediately and adhere to privacy and data protection laws. The state-owned bank’s decision to disclose names, account numbers, and photographs of people accused of withdrawing unauthorized funds due to a systems glitch is a severe breach of privacy rights.
Earlier this year, Ethiopia’s Personal Data Protection Law was ratified by Parliament, marking a significant step towards securing citizens’ data rights. However, the enforcement of this law is still nascent, and CBE’s recent actions starkly violate its clear provisions. This incident is not isolated; it mirrors past privacy breaches by state-owned entities in Ethiopia, such as Ethio-Telecom’s unlawful data access provided to security authorities, underscoring systemic issues with privacy violations in the country.
Open Letter to the Commercial Bank of Ethiopia
PUBLISHED: 12 June 2024
LAST UPDATED: 12 June 2024
Date: 17 May 2024
To: Mr. Ato Abie Sanu, President, Commercial Bank of Ethiopia
CC: H.E. Mamo E. Mihretu, Governor, National Bank of Ethiopia
Eng. Balcha Reba, Director General, Ethiopian Communications Authority
Subject: Unlawful Publication of Customers’ Personal Data
Dear Mr. Sanu,
We, the undersigned organizations, address the recent and concerning issue of the Commercial Bank of Ethiopia’s (CBE) publication of personal information, including names, account numbers, and photographs of certain customers in connection with reported discrepancies due to a systems glitch. While we acknowledge the CBE’s efforts to rectify the situation and engage with affected individuals prior to public disclosure, the subsequent actions grossly violate the privacy rights of these individuals.
The Right to Privacy
The publication of personal information without the duly obtained consent of the data subject infringes upon the fundamental rights guaranteed under Article 26 of the Constitution of Ethiopia, which unequivocally protects the right to privacy of all citizens. Any encroachment upon this right must adhere to stringent legal standards, including being non-discriminatory, necessary, and proportionate. It is crucial to emphasize that the individuals concerned are currently under investigation and have not been convicted of any wrongdoing. Therefore, any actions taken against them must uphold their presumption of innocence and safeguard their constitutional rights, including the rights to privacy and a fair hearing.
The actions of the CBE not only contravene domestic law but also violate international human rights standards, particularly those enshrined in Article 17 of the International Covenant on Civil and Political Rights (ICCPR), to which Ethiopia is a signatory. Similarly, international data protection laws and standards, such as the African Union Convention on Cyber Security and Personal Data Protection 2014 and the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 108), emphasize the principle of informed consent to legitimize data processing, which the CBE has not adhered to in these circumstances. These laws and standards affirm the right to privacy as inviolable, except under strictly defined circumstances and subject to judicial oversight. Furthermore, as a corporation, the CBE has a duty to respect human rights as recognized in the UN Guiding Principles on Business and Human Rights.
Urgent Call for Action
We urge the CBE to cease its public shaming campaign immediately, remove the list of customers from public platforms, including its website, and discontinue the display of customers’ photographs at its branches and other locations. Furthermore, we call upon the CBE to initiate a transparent review of its policies and procedures regarding customer data protection, publicly commit to upholding privacy rights, and outline steps it will take to prevent similar incidents from occurring in the future.
We welcome a written response to the serious issues raised in this letter, as a way to show the public that you take their right to privacy seriously. We would greatly appreciate a formal response from the Commercial Bank of Ethiopia by May 27, 2024. We will make this letter public on May 29, 2024.
Thank you for your attention to this matter.
Signed,
Access Now
Center for Advancement of Rights and Democracy (CARD)
About Access Now
Access Now defends and extends the digital rights of people and communities at risk. As a grassroots-to-global organization, we partner with local actors to bring a human rights agenda to the use, development, and governance of digital technologies, and to intervene where technologies adversely impact our human rights. By combining direct technical support, strategic advocacy, grassroots grantmaking, and convenings such as RightsCon, we fight for human rights in the digital age.
About CARD
The Center for Advancement of Rights and Democracy is a Non-Profit Organization that aspires to see an Ethiopia where democratic culture flourishes on human rights values. CARD works to empower citizens and groups to promote and defend human rights and build democratic governance in Ethiopia.
Conclusion
The actions of the Commercial Bank of Ethiopia in publicly shaming individuals by disclosing their personal information constitute a serious violation of privacy and human rights. Access Now and CARD’s call to cease this campaign highlights the importance of adhering to both domestic and international legal standards to protect individual rights and maintain public trust. The CBE must take immediate action to rectify this breach, review its data protection policies, and ensure that such incidents do not recur.
Leave a Reply