In April 2023, authorities reportedly restricted mobile data access in several major cities in Ethiopia’s Amhara Region, including Gondar, Bahir Dar, and Woldia. Mobile data remained unavailable in these areas through May. In August 2023, following an escalation of conflict in the region, the government expanded restrictions by cutting mobile internet and disconnecting phone lines in 19 cities, resulting in a partial communications blackout. Mobile services were partially restored in November 2023, but full access across Amhara was reportedly not reinstated until July 2024. During this period, fixed-line internet service remained accessible. The government’s control over the country’s telecommunications infrastructure—exercised through Ethio Telecom, which centralises all international internet connections—enables it to restrict information flows and suspend internet and mobile services at will.
Additionally, the indicator "7.2.4 - Government Internet shut down in practice" of the V-Dem Dataset, which measures whether the government has the technical capacity to actively make internet service cease, thus interrupting domestic access to the internet or whether the government has decided to do so, has a score of 2 in Ethiopia for the year 2024. This corresponds to "The government shut down domestic access to the Internet several times this year."

Art. 5 (1. e) of Investment Regulation No. 474/2020 (which implements the Investment Proclamation No. 1180/2020) reserves some areas of investment, including advertisement and promotion for joint investment with domestic investors only. According to Section 3.3 of the regulation, the scope of the law includes advertisements disseminated through the internet website being designed in Ethiopia or abroad. Previously, there was a ban on foreign investment in the advertising sector.

According to Art. 82.1 of the Commercial Code No. 1243/2021 and Arts. 5.1 & 22 of the Commercial Registration & Licensing Proclamation No. 980/2016, any Ethiopian or foreign person or company carrying out commercial activities within Ethiopia shall be registered and then licensed.

The importation of telecommunication equipment requires authorisation by the government. The Communication Services Proclamation No. 1148, under Art. 23, gives broad powers to the Ethiopian Communication Authority to regulate the importing of any telecommunication equipment to the country. It is prohibited to manufacture, import, or distribute radiocommunications and telecommunications equipment that requires the Authority’s technical efficacy assurance without obtaining prior approval of the Authority.

Proclamation 808/2013 mandates the Information Network Security Agency (INSA) to control the import and export of information technologies, build an IT testing and evaluation laboratory centre and regulate cryptographic products and their transactions.

According to Art. 3 of the Telecom Fraud Offences Proclamation, the import, assembly, sale, manufacturing, or even use of any telecom equipment (which includes any apparatus and software used for telecom services) without a prior permit from the government is prohibited. Failure to comply with this rule is a crime punishable with imprisonment and a fine.

Ethiopia is reported to experience regular logistical delays due in part to inefficiencies in the customs process, which significantly affect the import process. In addition, monopolistic conditions in the multimodal transport market and insufficient infrastructure make it difficult for private-sector logistics companies to operate. Logistics costs usually represent between 22% and 27% of the final cost of the product, and transport and freight costs are 60% higher than in neighbouring countries. Customs administrative difficulties are compounded by the fact that Ethiopia is landlocked, and more than 90% of its foreign trade depends on a single port in Djibouti, which suffers from inadequate infrastructure and inefficient customs procedures.

Art. 22 of the "Personal Data Protection Proclamation No. 1321/2024" establishes a strict data localisation requirement, mandating that all personal data collected or obtained in Ethiopia must be stored on servers or data centres located within the country. Moreover, the law states that the Ethiopian Communications Authority is empowered to designate certain categories of personal data as critical, which must be processed exclusively within Ethiopia. In addition, any cross-border transfer of sensitive personal data requires prior authorisation from the Authority. Complementing this, Arts. 18 to 21 regulate international data transfers more broadly. Art. 18 permits transfers only if the receiving jurisdiction ensures an appropriate level of protection. Art. 19 outlines the criteria for assessing adequacy, including the nature of the data, the purpose and duration of processing, the legal framework of the destination country, and its professional and security standards. If adequate protection is lacking, the Authority may still authorise limited transfers under Art. 19.3, provided the data subject’s rights are not compromised. Art. 20 allows transfers based on explicit informed consent, contractual necessity, legal obligations, or public register disclosures. Art. 21 empowers the Authority to demand evidence of effective safeguards and to prohibit or suspend transfers if data subjects’ rights and freedoms are at risk.

Ethiopia has not joined any free trade agreement committing to open transfers of cross-border data flows.

The Personal Data Protection Proclamation No. 1321/2024 establishes a comprehensive framework for data protection in Ethiopia. It sets out the rights of data subjects and principles governing data processing, and it establishes an independent supervisory authority, the Ethiopian Communications Authority. Also, the Proclamation imposes restrictions on data transfers to third-party jurisdictions and introduces requirements to appoint a data protection officer, report data breaches, and conduct a data protection impact assessment (DPIA). In addition, various existing laws and regulations address aspects of data privacy, including the Constitution of the Federal Democratic Republic of Ethiopia (1995), which recognises a right to privacy, legislation regulating the financial sector, and provisions imposing sanctions for breaches of privacy-related obligations. These legal instruments confer powers on several authorities to safeguard privacy, such as the Communication Services Proclamation No. 1072/2018.

Under Art. 24 of the Computer Crime Proclamation No. 958/2016, all service providers must retain the computer traffic data disseminated through their computer systems or traffic data relating to data processing or communication services for one year. Service provider is defined as a person who provides technical data processing or communication service or alternative infrastructure to users by means of computer system.

Art. 29 .1 of the Electronic Signature Proclamation No. 1072/2018 requires that any certificate provider for electronic signatures shall keep custody of any information related to certificate issuance, suspension, revocation or related services for two years. Any certificate provider who fails to keep custody of the above information shall be punished with a fine up to 150,000.00 ETB (approx. 2900 USD). Art. 25 (3) states that the certificate provider shall retain a copy of the subscribers’ encryption key at all times. Art. 18 (2) of the same law states that a certificate provider who wishes to terminate its certification service shall transfer its subscriber certificates and related records to another certificate provider or authority. A certificate provider is a business entity that issues digital certificates and provides encryption services and time stamp services.

Section 40 of the Personal Data Protection Proclamation stipulates that a data controller or processor engaged in the large-scale processing of personal data—particularly sensitive data or information related to public authorities—must designate or appoint a data protection officer. In addition, Section 47 mandates the conduct of data protection impact assessments for processing activities that are likely to significantly affect the rights and freedoms of data subjects. Such activities include automated processing producing legal effects, large-scale processing of sensitive personal data, systematic monitoring of public spaces, or any other processing requiring prior consultation with the supervisory authority.

The Computer Crime Proclamation No. 958/2016, and the Electronic Transaction Proclamation 1205/2020 establish a safe harbour regime for intermediaries for copyright infringements. According to Art. 16 of the Computer Crime Proclamation, intermediaries are shielded from liability unless they are directly involved in disseminating or editing criminal content data, or fail to take necessary measures to remove or disable access to illegal content data upon becoming aware of its existence. Additionally, Art. 23 of the Electronic Transaction Proclamation specifies that intermediaries cannot be held liable for transmitted information provided they do not monitor online communication, initiate transmissions, select receivers, or modify transmitted information.
Furthermore, Art. 24 absolves intermediaries from liability for the temporary storage of electronic records if such storage aims to facilitate efficient transmission of electronic messages to recipients who requested them. Moreover, Art. 25 extends protection to hosting service providers, relieving them of liability for damages resulting from stored information if they are unaware of any harm or take immediate action upon becoming aware of it.

"The Computer Crime Proclamation No. 958/2016, and the Electronic Transaction Proclamation 1205/2020 establish a safe harbour regime for intermediaries beyond copyright infringements. According to Art. 16 of the Computer Crime Proclamation, intermediaries are shielded from liability unless they are directly involved in disseminating or editing criminal content data, or fail to take necessary measures to remove or disable access to illegal content data upon becoming aware of its existence. Additionally, Art. 23 of the Electronic Transaction Proclamation specifies that intermediaries cannot be held liable for transmitted information provided they do not monitor online communication, initiate transmissions, select receivers, or modify transmitted information.
Furthermore, Art. 24 absolves intermediaries from liability for the temporary storage of electronic records if such storage aims to facilitate efficient transmission of electronic messages to recipients who requested them. Moreover, Art. 25 extends protection to hosting service providers, relieving them of liability for damages resulting from stored information if they are unaware of any harm or take immediate action upon becoming aware of it.