Why Rwanda needs a law on data protection

Protection of data privacy is one of the most pressing issues in the contemporary digital age. To begin with, data protection law refers to the legal framework governing the collection, holding, processing, disclosure and transfer of individuals’ personal information online and offline.

Monday, September 07, 2015

Due to growing concerns about data privacy, in 1980 the Organisation for Economic Cooperation and Development (OECD) issued Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data. It was the first legally non-binding text to become a guiding principle for many national data protection laws.

A fundamental change in the business and technological environment for data processing is taking place, driven by phenomena such as the increased globalisation of the world economy; the growing importance of data; the ubiquity of data transfers over the Internet; greater direct involvement of individuals in trans-border data flows; the changing role of geography; and growing risks to the privacy of individuals.

In the absence of legal protection of data privacy, however, personal information can be used to control people or steal their identities, or be mined to extract value.

Rwanda, like the other partner states of the EAC, has no law on data protection and privacy. And, to date, Rwanda is one of the fastest-growing countries in the area of information technology in the East African region.

A couple of weeks ago, I spent some good time consulting different government institutions whose activities are in line with ICT, notably RURA, RDB and Rwanda National Police (RNP), on whether they have data protection in their purview.

Those institutions, however, especially RDB and RNP, have departments that deal with cyber-security and cybercrime as well, as opposed to data protection in the real sense of it. One big challenge I noticed is the lack of a law that safeguards data privacy.

It is equally true to say that no institution has been specially designated to be a controller and overseer of data privacy without a law establishing it. A question can be raised: why should there be a law on data privacy?

Today’s steady advancement of technologies has potentially facilitated massive growth in the volume of trans-border data flows, a continued emphasis on international security and the unprecedented shock that the international community is undergoing because of mass-surveillance revelations and Western spying activities. This has been accompanied by a change in the nature of such transfers: they no longer constitute point-to-point transmissions, but occur as part of a networked series of processes made to deliver a business result.

More specifically, personal data are now crucial raw materials of the global economy; data protection and privacy have emerged as issues of concern for individuals, and confidence in data processing and privacy protection have become important factors in enabling the acceptance of electronic commerce.

Interestingly, many transborder data flows today involve multiple partners (i.e. persons, organisations) communicating through networks in a distributed fashion, in particular, via phenomena such as ‘Web 2.0’, online social networking, search engines, and cloud computing.

As a consequence, controlling the collection and retention of personal data, while important, may no longer be sufficient to protect personal privacy, in part because ‘big data enables new, non-obvious, unexpectedly powerful uses of data’.

Despite the lack of a data privacy protection law, data privacy, as opposed to a general right to privacy laid down in various human rights instruments, has been considered a fundamental right in many jurisdictions, and data privacy legislation is spreading around the world at an accelerating pace.

The EU, for example, recognizes data protection under the Charter of Fundamental Rights of the European Union, the European Convention on Human Rights (ECHR) in its Article 8, and the 1995 Data Protection Directive (DPD), respectively.

Likewise, at the African level, there is the African Union Convention on Cyber Security and Personal Data Protection, under which member states must establish a legal framework for ‘protection of physical data’ and ‘national Data Protection Authorities (DPAs)’.

Rwanda, like all EAC partner states, applies its Penal Code to guarantee data protection remedies. The Penal Code does not, however, specifically address data privacy claims, which fall within the ambit of civil law.

Rather, it criminalizes unauthorized access to personal computer data. It is unfortunate that all EAC partner states apply their penal codes due to the lack of a law on data privacy.

However, Kenya, Uganda and Tanzania submitted their Bills on Data Protection and Privacy to parliaments for consideration.

Having legislation on data protection and privacy ensures that personal data are not deprived of the protection of their national law once they are transferred outside their territory.

Besides, establishing a national Data Protection Authority (DPA), as a non-judicial body, would address data protection violations under the national law.

In such cases, there is a variety of administrative sanctions, including issuing a warning or objection, making different orders (e.g. to disclose information, to implement specific measures, to rectify, erase or block data, to discontinue a processing operation or suspend the transfer of data to a third state), imposing fines (pecuniary sanctions), revoking licenses or reporting the matter to courts of law or a public prosecutor.

The writer is a lecturer and international law expert.