Rwanda has fully ratified the African Union Convention on Cyber Security and Personal Data Protection adopted at Malabo, Equatorial Guinea on 27 June 2014.
The law n° 024/2019 of 04/09/2019 approving the ratification of Malabo Convention addresses three areas: electronic transaction, commonly known as e-commerce and personal data protection and promoting cybersecurity and combating cybercrime.
Under the Rwandan Constitution of 2003 revised in 2015, especially Article 168, stipulates international treaties and agreements which have been duly ratified or approved have the force of law as national legislation in accordance with the hierarchy of laws.
Such a hierarchy of laws are: Constitution, Organic law, international treaties and agreements ratified by Rwanda, ordinary and orders (i.e. presidential, prime ministers, and ministerial).
That being said, in spite of lack of specific law on as e-commerce and personal data protection, the foregoing Convention bridges the gap.
But for promoting cybersecurity and combating cybercrime, there’s a law nº 60/2018 of 22/8/2018 on prevention and punishment of cybercrimes. Though the law in terms of hierarchy is subservient to the AU Convention.
The AU Convention equally addresses e-commerce and personal data protection, which aren’t addressed in existing laws. E-commerce is the use of electronic systems to engage in commercial activities.
Businesses use e‑commerce to buy and sell goods and services create greater corporate awareness and provide customer service.
To start with, recognition of electronic transaction (e-commerce) breaks down online barriers so that people may enjoy full access to all goods and services offered online by businesses beyond the country.
It ends conventional cross-border barriers, facilitating cheaper cross-border parcel deliveries and protection of online customer rights.
Under Article 2, State parties must ensure that persons exercising e-commerce activities shall provide to those for whom the goods and services are meant, easy, direct and uninterrupted access using non-proprietary standards with regard to the particulars.
With respect to taxes, a person involved in e-commerce activities must clearly and unambiguously show prices and relevant taxes and other charges.
It’s equally true to assert that digital age has created numerous new commercial opportunities. Common business transactions can be accomplished with the click of a button, and agreements can be made and carried out entirely online.
However, the technological changes that have revolutionized modern commerce also raise novel legal issues, particularly pertaining to the form and enforceability of contracts made and carried out electronically. As noted elsewhere, there has been a specific law on this kind of business.
The Convention also addresses the issue of electronic contracts (e-contract) that are executed and enacted by a software system in the sense that they are not concluded by face to face communications i.e. the ‘seller and buyer’ or ‘supplier and consumer’ do not meet in person to form, negotiate and execute the terms of their contract.
Distance contracts is a type of e-contract because they are contracts concerning goods or services concluded between a supplier and a consumer under an organised distance sales which for the purpose of the contract, makes use of one or more means of distance communications such as internet, e-mails, telephones and so on up to and including when the contract is concluded.
There are three common ways in which e-contracts are formed which are by exchange of emails and attachments, by ordering on-line for goods which were advertised on a website.
For a contract to be said to have come into existence, an offer has to be made by the ‘offeror or supplier’ to ‘offeree or consumer’ and acceptance has to be communicated back to the offeror before a contract can be said to have come into place.
Most importantly, the Convention underscores the use of online payments managed by bona fide entities approved by relevant authorities. And methods used must equally legally acceptable.
Without taking the necessary precautions, your customers’ payment information can be compromised and complications can ensue.
With regard to data protection, the AU Convention requires State Parties two major elements: a data protection law and data protection authority.
It also sets out key principles of personal data protection. These include to regulate collecting, processing, storing and sharing of personal data; establish the legal and institutional frameworks to protect personal data; strengthen fundamental rights and public freedoms, particularly the protection of data and punish any violation of privacy without prejudice to the principle of free flow of personal data.
Importantly, it requires a State Party to establish the Data Protection Authority, which would implement the data protection legislation once it’s in place.
Besides, it would establish and maintain a register of data controllers and data processors.
The Convention also imposes obligation on State Parties to formulate, implement and oversee programs intended to raise public awareness about data protection.
Also, to exercise control on all data processing activities, either of its own motion or at the request of a data subject, and verify whether the processing of data is in accordance with any proposed law.
More interestingly, the Convention lays down the fundamental rights of a data subject, such as the right to information, right of access, right to object, and right of rectification or erasure.
The writer is a law expert.
The views expressed in this article are of the author.