Following the advancement of the computer and development of information and communication technologies, data privacy protection has recently gained new importance in modern societies. Since 1950s and 1960s when the computer was invented to date, privacy had been regarded as a preserve of Western societies partly because outside the Western hemisphere there has been little or no preoccupation in the privacy field. It is in that perspective that Rwanda, like many African countries, recently enacted ICT law n°24/2016 of 18/06/2016 governing information and communication technologies, which replaced law n°44/2001 of 30/11/2001 governing telecommunications, law n° 18/2010 of 12/05/2010 relating to electronic messages, electronic signature and electronic transactions and Decree-Law n° 43/76 of 01/12/1976 on the organisation of the postal service.

The recently adopted ICT law is the most comprehensive ever adopted in the ICT industry. In fact, it has long been awaited. Its aim is to establish a comprehensive legal framework for information and communication technologies (ICT) that underpins ICT policy. The fact that Rwanda is steadily advancing in modern technologies, it is important to regulate the gaps in IT law and IT applications. This is particularly important for lawyers and law enforcement to develop a broad techno-legal perspective. Additionally, ICT has potentially facilitated massive growth in volume of trans-border data flows, continued emphasis on international security and the unprecedented shock that international community is undergoing because of mass-surveillance revelations and spying activities of the West, accompanied by a change in the nature of such transfers in that they no longer constitute point-to-point transmissions, but occurs as part of a networked series of processes made to deliver a business result.

This ICT law applies to electronic communications, information society, broadcasting sector, and postal sector. And they’re all closely intertwined. But the most exciting aspect in this column is data protection and privacy, as contained in Article 124 of the aforementioned ICT law, which states that "notwithstanding other provisions of this Law, every subscriber or user’s voice or data communications carried by means of an electronic communications network or services, must remain confidential to that subscriber and or user for whom the voice or data is intended”.

Equally, the law provides the Regulatory Authority-that’s Rwanda Utilities Regulatory Authority (RURA). Among others, it regulates electronic transactions and e-government. In regard to personal data privacy protection, it establishes conditions for securing a reliable electronic records through regulations.Currently, individuals, whose data are routinely transferred around the world via the internet, especially by social media, often do not know to whom to turn to protect their rights. Therefore, regulation of data privacy was significantly essential, especially in the technologically evolving society.

In the context of the General Data Protection Regulation European Union (EU), the Regulatory Authority is likened to National Data Protection Authorities (DPAs) which has the mandate to implement and enforce in full the ICT law, including data privacy protection. The Regulatory Authority has significant enforcement powers, including the ability to impose substantial sanctions in case of faults. Having in place such an agency is vital to achieving compliance.

To date, according to the findings, Rwanda is among 18 African countries which enacted comprehensive data protection legislations. Currently, most African countries lack comprehensive data privacy laws and use sectoral legislation to address personal data privacy issues. Though no comprehensive data protection laws in other EAC member states, they have several sectorial laws that, under a combined reading together with basic criminal and civil law provisions, may add up to a data protection cumulative effect.

Today, Europe, which is considered as having a higher standard of data protection policies than the rest of the world, has greatly influenced data privacy law development in Africa and Rwanda in particular. However, the adoption by the African Union of the African Union Cyber Security and Data Protection Convention in 2014, the first and at the moment the single binding treaty across the globe to address data protection outside Europe, has created potentials for new enactments of data privacy legislation in the continent and similarly revisions of existing ones. This Convention covers three main issues: electronic transactions, personal data protection and cybercrimes. Though Rwanda is yet to be a signatory to the AU Convention, the ICT law is peripherally benchmarked at the Convention. Given the steady proliferation of technologies, regulation of data privacy is timely. Considering the fact that international transfer of personal data is rapidly growing, an EAC instrument is equally needed.

From an international legal perspective, privacy and data protection embodies personal data must be obtained fairly and lawfully; used only for the original specified purpose; adequate, relevant and not excessive to purpose; accurate and up to date; and destroyed after its purposes is completed. So, establishment of regulatory or implementing authority is a necessity so as to enforce data protection principles. Implementation also requires to carefully consider their options in relation to establishment and the ‘One-Stop-Shop’.

More importantly, the new ICT law grants the Regulatory Authority to assume the responsibility of implementing the country’s international obligations in ICT area as well as representing the country at international plane.

The writer is an international law expert.