Rwanda’s new law relating to the protection of personal data and privacy (Law No 058/2021 of 13/10/2021) was officially gazetted on October 15 2021, with a mandate to protect personal data and ensure privacy of individual users.

This legislation on personal data protection and privacy is a significant step forward in establishing a predictable framework that enables local and international firms to securely use personal data.

Within the law on personal data protection and privacy, consent of the data subject (Art.6) is a noteworthy provision that empowers the individual user with significant ownership over their data collection and processing. The law states that:

“Where the processing of personal data is based on the consent of the data subject, data subject demonstrates that he or she has consented to the processing of his or her personal data for a specified purpose. The consent of the data subject is valid only when it is based on the data subject’s free decision after being informed of the consequences of his or her consent.”

This provision makes the consent of the user a key foundation for collection and processing of data to be lawful. Consent of the data subject may be made in oral, written or electronic format, and where data processors or data controllers process personal data without the consent of the user, an offence has been committed. Upon conviction, he or she is liable to imprisonment and a fine.

The importance attached to the consent of the data subject not only makes data collection and processing more transparent, but it also demands active participation from the data subject, encouraging ownership of the process on both sides.

Globally, similar data protection instruments have signified consent as a legal base for processing personal data. In the EU’s General Data Protection Regulation (GDPR), consent of the data subject is one of the legal bases you can use to justify collection, handling and/or storage of personal data, and in the African Union Convention on Cybersecurity and Personal Data, processing of personal data is deemed to be legitimate where the data subject has given his/her consent.

As evidenced by the provisions within similar laws, assigning importance to the consent of the data subject is critical to delivering a robust legislation on personal data protection and privacy. In Rwanda’s case, the law on personal data protection and privacy is clear in its stance. The consent of the data subject is central to lawful collection and processing of personal data, and this provision supports the people in their fundamental right to data privacy in data collection and processing.

The law on personal data protection and privacy: 15.10.2021_Amakuru_bwite.pdf