Companies and individuals in Rwanda that process personal data of individuals have 24 months beginning October this year to comply with the new law on protection of personal data and privacy.
The new law demarcates clear and unambiguous consent of an individual to the collection, storage, and processing of personal data, which is a fundamental right.
Among other things, the new law requires companies (large and small scale) as well as individuals collecting, accessing and using personal data to prove that they sought consent to collect and process personal data of persons.
The law further requires that persons whose data is collected and used to be made aware of their data use, understand their rights in a language that they understand. Persons should also have a right to withdraw consent.
The new law also has special provisions to protect data of children, safeguarding against sensitive data such as health records.
Further, the new law makes it possible for members of the public to request companies and firms handling their data to request for access to their personal data as well as information relating to it.
The law also stipulates penalties for offences such as accessing, collecting, using, sharing, disclosing and selling of personal data in a way that is contrary to this regulation.
For individuals, the penalties could be up to 10 years imprisonment or up to Rwf25M in fine.
For firms, the penalties could be up to five per cent (5) of annual turnover of the previous financial year.
A person who suffers serious damage due to violation of the law has the right to claim for compensation through a competent court.
The new law comes into place at a time when personal data is being collected and processed by multiple firms with the growing popularity of the digital economy characterized through aspects such as e-commerce, international financial transactions among other services.
Paula Ingabire, Minister of ICT and Innovation, said that the accelerated digital transformation in both the public and private sectors requires such a progressive and inclusive approach to data protection.
"This law provides the necessary foundation to transform Rwanda into a data-empowered society, by ensuring all critical stakeholders, starting with government institutions, are attaining the gold standard in personal data protection and privacy,” she said.
This law is a product of a consultative process lasting over 15 months spearheaded by the Rwanda Information Society Authority and the Centre for the Fourth Industrial Revolution Rwanda (C4IR Rwanda).
Crystal Rugege, Managing Director of C4IR Rwanda, noted that the law is an important step to compete in the global digital economy.
"Having strong data governance frameworks in place that promote innovation and enable cross-border data flows are essential to maximize the socio-economic benefits of emerging technologies, such as artificial intelligence, that heavily rely on massive amounts of data,” she said.
Felix Cuicredidi, a corporate and commercial lawyer, noted that increasingly businesses collect personal data used for different purposes including understanding consumers’ behavior, marketing purposes, product development among others.
"Due to this prominent significance of personal data, governments try hard to protect the general public due to the fact that this information is the doorway to people’s financial records, medical records, and other important personal records which should not be accessed to the detriment of the owner,” he recently wrote in The New Times Op-ed.
The law designates the National Cyber Security Authority (NCSA) as the supervisory authority charged with enforcement and is expected to work with stakeholders to ensure implementation over the next 24 months.