Rwanda moves to tighten data protection, privacy
Friday, November 06, 2020
A user tries to unlock his phone.

Rwanda is moving to tighten rules that govern how personal data and privacy is handled, following a new draft law on data protection and privacy that was approved by the cabinet last month.

Many private and public organisations such as telecommunication companies, banks, airlines and other businesses always collect, use and keep people’s personal information.

What is not clear is how these institutions handle this information, despite citizens having an obligation to know how their personal data is processed and how their privacy is protected.

The new law, approved on October 27, seeks to safeguard fundamental rights to privacy by regulating the processing of data and providing the individual with rights over their data.

Similarly, it aims at enabling the setting up systems of accountability and clear obligations for those who control or undertake the processing of the personal data.

According to the Ministry of Innovation and ICT, the law will ensure that there is the free flow of non-personal data within and outside Rwanda by laying down rules relating to its protection.

Fred Nkusi, a law expert, believes this is an important move as online and digital activities increase.

"In this digital age there is too much transfer and sharing of personal information that could move from one place to another, from one person to another, from one country to another,” he says.

"It is, therefore, of paramount importance that personal information be protected because if it’s not protected, that information could be used by the owner of the information,” he added.

That is true in most part because there are cases where internet companies have used people’s personal information to influence their decisions, for instance, during elections.

A popular example is that of a British analytics firm, Cambridge Analytica, which inappropriately accessed personal data of about 50 million users of Facebook during the 2016 US presidential election.

Cambridge Analytica’s parent company, SCL Group, was accused of harvesting millions of Facebook profiles and working to fix elections in Kenya and Nigeria both in 2013 and 2017 as well as 2015 respectively.

That is how personal data such as names, pictures, and internet protocol addresses may be used against you.

Nkusi says global efforts by countries like those in the European Union to set up data protection rules – like the General Data Protection Regulation (GDPR) – have inspired other countries in Africa to set up similar laws.

The rise of digital activities have led to the rise of data privacy violations especially by institutions that keep information.

Tough rules

Rwanda is now moving to put in place tight rules that will ensure public and private organisations take measures to protect the integrity and confidentiality of people’s personal data.

The new law categorises data as personal or non-personal. Personal data shall be classified as sensitive and non-sensitive data.

Non-personal data shall be classified as top secret, secret, confidential and open data.

The draft law says that personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.

It doesn’t segregate any institution rather any public or private entity controlling or processing data should observe data protection principles.

This simply means the way data is processed should be transparent and lawful.

The draft law provides for hefty fines for those who unlawfully collects or processes sensitive personal data, saying in doing so they commit an offence.

Upon conviction, they are liable to a fine not less than Rwf5 million and not exceeding Rwf10 million or imprisonment not less than two years and not exceeding five years.

Any controller or processor who knowingly provides false or misleading information during registration commits an offence, the law which awaits the parliament approval says.

Corporate entities committing similar offences, the court may order the corporation to pay a fine of 5 per cent of the annual turnover.