The Plenary sitting of the Chamber of Deputies on Thursday, May 6, adopted a draft law relating to personal data protection and privacy, which aims at safeguarding fundamental right to privacy. The bill seeks to help the achievement of such an objective by regulating the processing of personal data by electronic or other means of processing personal data, providing the individual with rights over their data, and setting up systems of accountability and clear obligations for those who control or undertake the processing of such data. It also provides penalties for failure to comply with its requirement by those who either collect or process personal data. Now, the bill will go to the responsible committee for scrutiny before being voted into law by the plenary. The move comes as an amount of personal data, including sensitive personal data is being generated and stored on different devices in this digital era, and might be misused in some cases. Personal data is information relating to an identified or identifiable data subject, such as a name and surname, data of birth, a home address; an email address; an identification card number; location, and web view histories. For sensitive personal data, this refers to information revealing a person’s race, health status, criminal or medical records, social origin, religious or philosophical beliefs, political opinion, genetic or biometric information (such as fingerprints), sexual life or family details. “The right to privacy is a fundamental right enshrined in our constitution, and it is multifaceted, but a fundamental aspect of it, increasingly relevant to people’s lives, is the protection of individuals’ data,” said Paula Ingabire, Minister of ICT and Innovation while explaining the relevance of the bill to lawmakers. Increasingly, Ingabire said, everything we do generates data, whether we are in possession of a device or not, indicating that our devices, networks, and even homes generate vast amounts of data. Also, she said, our transport systems, cars, payment systems, and cities generate data through us and about us. “Our devices and infrastructure are being designed for data exploitation. Increasingly, it is beyond the ability of individuals themselves to control the ways in which data about their lives is shared and processed,” she said. Ingabire said that the bill provides for data use in both public and private sector. “Especially, as entrepreneurs in the private sector continue to develop different systems – mainly financial and health systems – which largely collect personal data, this bill also provides for how the entities collect such data, and share it in compliance with legal provisions,” she said. Timely bill MP John Rukurwabyoma said that the bill was timely as it could protect Rwandans’ personal data from unintended use. “[Generally] Rwandans openly provide personal data. But, we are living in times when they are those who might misuse their data,” he said, pointing out that an individual should give consent for the use of their personal data such as in a bank. MP Frank Habineza said that the data provided on social media such as Facebook and WhatsApp, is [sometimes] given to commercial companies to be used for advertisement purpose, or in a way that can invade privacy without the knowledge of the person in question, an issue that has to be tackled. He said that there are instances when Rwandans’ personal data, such as patients’ medical records, is misused. “There are people who have one’s medical, driving and education records, and they can provide them to people who are not authorised to, or threaten to share it if the individual does not pay them money,” he said calling firm regulation and control of such data to avoid its misuse. Some offences and penalties The bill proposes offences and penalties. They include unlawful obtaining, processing or disclosing of personal data, a crime of which the convict is liable to an imprisonment of not less than six months but not more than two years and a fine of not less than five million Rwf5 million but not more than Rwf10 million or one of these penalties. Also a person convicted of re-identification and processing of de-identified personal data, unlawful sale or offer of personal data, or unlawful collecting or processing of sensitive personal data, is liable to an imprisonment of not less than two years but not exceeding five years and a fine of not less than Rwf5 million but not more than Rwf10 million or one of these penalties. If a legal entity knowingly and intentionally, facilitates in the commission of an offence under this Law, it is liable to a fine of 5 percent of its annual turnover upon conviction.