The Significance of Rwanda’s Personal Data Protection and Privacy Law
On October 15 2021, Law No 058/2021 of 13/10/2021 relating to the protection of personal data and privacy was officially gazetted. The law protects personal data and ensures privacy of individual users.
Globally, Data Protection and Privacy legislations have been enacted in the last 5 years – two of the most notable being the EU General Data Protection Regulation and the UK’s 2018 Data Protection Act. The EU’s General Data Protection Regulation was designed to harmonise data privacy laws across members countries and provide greater protection and rights to individuals, while the UK’s 2018 Data Protection Act controlled how personal information was used by organisations, businesses or the government.
In Rwanda, digital services have become central to our way of life; and as the need for availability and dependency to online services have grown, the processing of personal data is a requirement for enabling the online services we all rely on.
This development raised a concern towards the necessity of safeguards that protect the citizens’ fundamental right to privacy during personal data processing. Before the law on personal data protection and privacy was adopted, there was no specific Rwandan legislation protecting the collection, storage, processing and sharing of personal data, within the digital domain.
It was against this background that the law on personal data protection and privacy was officially gazetted on 15th October 2021. The legislation sets out to not only protect personal data and ensure privacy of users, but also enable local and international firms to securely use personal data – a critical element of modern services, and necessary requirement for cooperation with large-scale data-driven tech companies.
So, what interesting new provisions does the law on personal data protection and privacy provide as safeguards?
Significantly, the law on personal data protection and privacy prioritizes the consent of the data subject, putting the data subject in the driver’s seat with regards to the lawful collection and processing of his or her personal data. Recognizing consent of the user (Art. 6) as essential makes the data subject an active participant in the processing of his or her personal data, and establishes a more transparent process that benefits both parties.
The law on personal data protection and privacy also requires all those who wish to process personal data to register with the supervisory authority, the National Cyber Security Authority (NCSA), as data controllers or data processors. There are specific requirements outlined in the law for applicants (Art. 30), and if registration is accepted, the supervisory authority will issue a registration certificate that permits the applicant to process personal data.
Finally, data subjects may request the restriction of processing of their personal data, the erasure or rectification of their personal data as permitted by law. This provides more control to data subjects over their personal data and how data processors and data controllers are able to process it.
The law on personal data protection and privacy declares a 24-month transitional compliance period ending on 15th October 2023 before the provisions of the law take mandatory effect.
During this period, concerned companies and individuals will be guided towards readiness by the supervisory authority, the National Cyber Security Authority, who will be working with stakeholders in the public and private sectors to ensure guidance is available for compliance implementation.