The Rwandan government has recently implemented a personal data and privacy protection law, aiming to safeguard the personal information of citizens and establish accountability for organizations handling sensitive data. The law, which came into effect on October 15, 2021, applies to individuals and institutions both within and outside of Rwanda that process the personal data of individuals residing in the country. It aims to empower individuals by granting them control over their personal information while facilitating secure data movement within Rwanda and across its borders.
Several key provisions are outlined in the law to ensure compliance and protect individuals’ privacy. Article 48 prohibits the transfer of data to third parties without authorization from the National Cyber Security Authority (NCSA). Article 50 requires all personal data to be stored within Rwanda, except for registered entities that have obtained NCSA-issued certificates to store data abroad. Data controllers and processors are required, under Article 17, to maintain records of their data-processing activities and submit them to the NCSA upon request. Additionally, Article 38(3) mandates the completion of data protection impact assessments (DPIAs) when processing poses a high risk to individuals’ rights.
In the case of a data breach, Article 43 requires data processors to inform data controllers within 48 hours of discovering the breach. Similarly, data controllers must notify the NCSA within 48 hours of becoming aware of a breach and inform the affected individuals unless the breach is made public. The law also addresses the protection of children’s data, with Article 9 stipulating that processing the data of a child under the age of 16 requires parental or guardian consent, except when it is in the child’s best interest. Notably, individuals are granted the right to revoke consent at any time under Article 8. Furthermore, Articles 29-31 require individuals planning to process data to register with the NCSA and obtain a data protection and privacy (DPP) certificate.
To allow a smooth transition towards compliance, the Rwandan government has provided a two-year grace period ending on October 15, 2023. Failure to register and adhere to the law may result in sanctions imposed by the NCSA. Individuals or organizations operating without a DPP certificate may face fines ranging from RWF 2 million (US$1,700) to RWF 5 million (US$4,250) or an amount equivalent to one percent of the entity’s previous fiscal year’s revenue. Additionally, individuals, organizations, data controllers, or data processors that operate without a DPP certificate could potentially face similar fines. Data processors and controllers operating with expired DPP certificates may also be subject to fines.
This new legislation brings Rwanda in line with other African countries that have implemented data protection laws. Rwanda becomes the 35th African nation to have a data policy law and the 30th to establish a data protection authority responsible for enforcement. The law is expected to enhance consumer confidence in Rwanda, as individuals are more likely to engage with online services and share their information when they have trust in responsible data handling practices. Consequently, this can foster economic growth and innovation within the country.
Furthermore, robust data privacy laws can facilitate international trade and data sharing. Countries with stringent data protection regulations are often considered safe for cross-border data transfers, which is crucial in today’s globally interconnected economy.
By appointing the NCSA to oversee and enforce data privacy and protection, Rwanda aims to reduce the frequency and impact of data breaches in the country. It is hoped that this legislation will serve as a positive example for other African nations seeking to enhance data protection within their borders.

