The recently gazetted data protection and privacy legislation in Rwanda is expected to play a crucial role in promoting rights to privacy and data protection after a two-year grace period expires in October 2023, amid increasing concerns about the misuse of personal data online and offline.
Law No. 058/2021 of 13 October 2021 Relating to the Protection of Personal Data and Privacy was published on 15 October 2021 in Rwanda’s Official Gazette, a key milestone in promoting data protection and rights to privacy, which are among the important digital rights.
Article 6 of the law requires all processors of personal data to first obtain the ‘consent of the data subject’, which must be a ‘freely given, specific, informed and unambiguous indication of the data subject’s wishes’. This is a key provision in the new legislation that could boost personal data protection in the digital era, where people’s data are being collected by organizations and individuals for various reasons.
In a recent TV debate about the personal data and privacy legislation aired by Rwanda’s public broadcaster, Mr. Innocent Muhizi, CEO of Rwanda Information Society Authority (RISA), a public agency that supports the government’s digitization programmes, stated that data is becoming a very important asset globally, making it imperative for Rwanda to have instruments that are able to protect that data.
“If today anything that identifies me can be used against me, I can use it for my personal development, and for my personal growth, therefore it is very important to have instruments, mechanisms, policies and procedures that are put in place to be able to protect me as a citizen,” Mr. Muhizi explained.
“We moved where we live in a physical world and now we live our lives virtually, if you will, therefore we have to have an instrument like this to be able to protect me as a citizen and as a person. That is primary and rationale for this piece of legislation,” stressed Mr. Muhizi.
The new law outlines several data subject rights which include, among others, consent and right to withdraw consent, right to personal data, right to object, right to personal data portability, right not to be subject to a decision based on automated processing, right to restriction of processing of personal data, right to erasure of personal data and right to rectification.
The law relating to personal data protection and privacy provides that the National Cyber Security Authority (NCSA) will supervise its implementation. According to Ms. Gislaine Kayigi, Chief Cyber Security Standards Officer at NCSA, the data protection legislation will enable Rwandan and international firms to securely use personal data.
“Rwanda’s Personal Data Protection and Privacy Law is a significant step in establishing a foundation for a predictable framework that enables local and international firms to securely use personal data – a critical element of modern services, e-commerce and trade – while at the same time ensuring the privacy of the user,” Ms. Kayigi said in an interview with a Rwandan newspaper.
To support seamless implementation, NCSA, the supervisory authority as per the law, is set to publish a compliance guide to help data processors and data controllers start the process.
Rwanda previously had some provisions on data protection and rights to privacy in various laws and policies, but the new law is a standalone piece of legislation.
While the new law is seen as a step in the right direction to promote the right to privacy and safe processing of personal data, implementation could face several challenges that will require efforts from the supervising authority and other stakeholders to boost compliance.
Many people are not conversant with data protection and their rights to privacy, hence it could take time to raise awareness by educating the general public. “It is a new law and not everyone is aware of the global trends in this aspect,” Ms. Kayigi further explained in a recent interview. “The general public and individuals may not necessarily understand how the law applies to them and how it comes in to help them. That is why much effort will be put in educating the general public and the institutions themselves.”
In 2019 Rwanda’s parliament ratified the ‘African Union Convention on Cyber Security and Data Protection’. At the time only 12 countries in Africa had ratified the Malabo Convention, which includes sections on data protection and rights to privacy. Article 8 of the convention, which sets out the objective of the convention with respect to personal data, says in its first section that “Each state shall commit itself to establishing a legal framework aimed at strengthening fundamental rights and public freedoms, particularly the protection of physical data and punish the violation of privacy without prejudice to free flow of personal data”.
Strict sanctions on violation
In the past there have been some initiatives and programs that raised concerns about data protection and rights to privacy. One of them was the Ministry of Justice’s plan to establish a DNA database for all citizens in 2019 in efforts to crack down on crime, an initiative that was criticized by rights to privacy advocates. However, the project could have been shelved.
Rwanda’s data protection law provides for administrative fines on data controllers, data processors or third parties who commit a misconduct of not less than RWF 2,000,000 (approx. $1,900) but not more than RWF 5,000,000 (approx. $4,800) or 1% of the global turnover of the preceding financial year, or in the event of a corporate body or a legal entity, he or she is liable to 1% of the global turnover.
According to RISA’s CEO, the process for formulating the law involved consultations with various stakeholders in data protection, including global firms such as Google. International legislation such as the EU’s General Data Protection Regulation was also used. Local ICT actors led by the Ministry of ICT and Innovation participated in the legislation process.
The law relating to data protection and privacy provides for a transition period and states that the data controller or the data processor who is already in operation has a period not exceeding two years from the date of publication of this Law in the Official Gazette of the Republic of Rwanda to conform his or her operations to the provisions of this Law.
“The passing of the Personal Data Protection and Privacy Law is a key milestone in ensuring protection of personal data and safeguarding privacy of users. It provides a predictable environment that allows data-driven services to operate in our economy and brings Rwanda in line with the global best practices like the General Data Protection Regulations (GDPR),” the Chief Cyber Security Standards Officer at NCSA further noted.
By Jean-Pierre Afadhali | Digital Rights and Inclusion Fellow | Paradigm Initiative