Addis Abeba — Access Now and the Centre for Advancement of Rights and Democracy (CARD) have urged the Commercial Bank of Ethiopia (CBE) to promptly discontinue the publication of personal information of individuals accused of withdrawing unauthorized funds, allegedly due to a "technical glitch" in the bank's systems.
In a statement, the privacy advocacy groups denounced this action as a "blatant violation of data protection laws and the constitutional right to privacy" in Ethiopia.
They demand that CBE immediately remove the published private data and cease the public shaming campaign.
CBE initially disclosed that a "system glitch" had exposed a maximum of 801.4 million birr to potential misappropriation. According to CBE President Abe Sano, the incident involved 25,761 customers who withdrew cash from ATMs or made digital transfers during the glitch.
In an attempt to recoup the missing funds, the bank identified 117 customers who had not returned the erroneously obtained money. Photographs of 67 of these individuals were subsequently published. Positive developments have been reported recently, with the bank announcing a recovery rate of over 98% for the funds.
"People in Ethiopia have the right to privacy, and that right is not automatically forfeited based on mere allegations of unlawful behavior," stated Naro Omo-Osagie, Africa Policy and Advocacy Manager at Access Now. "The Commercial Bank of Ethiopia has an obligation to protect people's data, and its decision to name and shame by publishing personally identifiable information without consent violates the fundamental right to privacy guaranteed under Article 26 of the Constitution of Ethiopia."
Ethiopia's recently approved Personal Data Protection Law contains clear provisions regarding the legal basis for the processing of personal data, which the groups assert CBE has failed to comply with in this case.
They contend that this is not an isolated incident, citing previous reports of the state telecommunications company Ethio-Telecom granting security authorities unlawful access to individuals' information as part of a broader pattern of government infringements on privacy rights.
"The Commercial Bank of Ethiopia must respect its obligations as a data controller and only collect, process, and share data within the law," the rights groups stated. "Publishing people's personal information violates the principles of necessity and proportionality."
Despite a formal communication from Access Now and CARD urging corrective action and a review of CBE's data handling practices, the rights groups state that the bank has yet to provide a response.
However, in an interview with state-affiliated media, Abe Sano, president of the state-owned CBE, addressed concerns regarding the legality of the bank's actions.
When questioned about the constitutionality of publishing personal information, Abe stated, "They are welcome to pursue legal charges, and we will address them through compensation. If individuals confess to withdrawing the funds and subsequently challenge the public disclosure of their information, the bank is prepared to engage in litigation."