On October 15, 2021, the law nº 058/2021 of 13/10/2021 relating to the protection of personal data and privacy (the “Data Protection Act” or “Act”) was gazetted. This is the first general law on personal data protection that Rwanda has had, after several years of recourse to a few scattered data protection provisions in various laws and regulations.
The Act has many similarities to other international legal instruments on data protection, especially the European Union General Data Protection Regulation (GDPR), with regard to data subject rights, obligations of data controllers and data processors, and the general approach to personal data protection.
This does not come as a surprise, since the three-year-old GDPR was one of the legal documents from which the drafters of the Act took inspiration during the drafting process.
The Act applies to data controllers and processors who are established or reside in Rwanda and process personal data by electronic or other means while in Rwanda. It further applies to those who are neither established nor reside in Rwanda, but process personal data of data subjects located in Rwanda, bringing foreign companies within the ambit of the Act.
The Act defines a ‘data subject’ as ‘a natural person from whom or in respect of whom, personal data has been requested and processed’. It follows that juristic persons do not fall within the scope of the Act as data subjects. This may be regarded as a downside of the Act, given that companies and other legal entities also have privacy and invaluable personal information (such as their identification numbers, addresses, shareholding information, financial history, etc.) worthy of specific legal protection. Like the personal data of natural persons, the personal information of entities is often exposed to and processed by regulatory authorities, customers, suppliers or partners of such entities. This is taken into consideration in other jurisdictions like South Africa, which (under its Protection of Personal Information Act) does recognize juristic persons as data subjects, and protects the processing of their personal information in the same way as that of natural persons.
The Act deals broadly with the general processing of personal data (including the grounds, safeguards, and principles thereof), the processing of sensitive data and of the personal data of children and convicts, the rights of data subjects, the registration of data controllers and data processors, and the obligations of data controllers and data processors (including the designation of a representative for non-resident data controllers and processors, and of a data protection officer in certain circumstances).
It also imposes restrictions on the storage, sharing and transfer of personal data outside Rwanda, as well as offences and sanctions for acts contrary to its provisions.
In terms of article 3 (4º) of the Act, the processing of personal data spans operations performed on personal data such as (inter alia) access to, obtaining, collection, recording, structuring, storage, alteration, concealment, consultation, use, disclosure, sale, erasure or destruction of the personal data. From this list, it is fair to conclude that anyone can be a data controller and/or processor at a certain point.
One may think of instances where a private individual installs a recording surveillance camera on his private premises for security reasons, the use of biometric devices at various places, people who obtain personal information in their private conversations or social networking, employers collecting and processing data of their employees, and other persons collecting and processing data on a very limited scale.
Will these persons be required to register with the Supervisory Authority as data controllers or processors? In light of the Act, the answer would be affirmative, though it seems unrealistic. One would therefore argue that the Act should have included a de minimis exception excluding from its scope persons collecting data for purely personal or household activities, and/or on a limited scale, as is the case in the GDPR.
The Act also provides that data controllers or data processors who are neither established nor reside in Rwanda are required to designate (in writing) a representative in Rwanda. Assume that a Rwandan resident is involved in a one-time purchase of a car from a foreign seller (and the latter collects and processes personal data of the purchaser), or that a foreign higher learning institution receives and processes data from a limited number of Rwanda-based applicants. Will each of the foregoing data processors be required to designate a representative in Rwanda?
The answer would be yes in the eyes of the Act. However, it is highly doubtful that this was the intention of the legislator and, as a panacea, some exceptions should be made to this requirement. These may include cases where the processing is occasional, does not include processing (on a large scale) of special categories of personal data, or is unlikely to result in a risk to the rights and freedoms of the data subject. Similar exceptions are provided for under the GDPR.
As one would have expected, data subjects have a big say in the processing of their personal data. Illustratively, the free and informed consent of the data subject is a prerequisite to most sorts of personal data processing in the Act. In addition, under article 19 of the Act, a data subject may request the data controller or processor to stop processing his or her personal data where the processing causes or is likely to cause loss, sadness or anxiety to him or her. The Act also confers on data subjects the right to request the data controller, in writing or electronically, to erase his or her personal data (the right to erasure/be forgotten).
It is undisputed that the enactment of the Data Protection Act was a great stride in the protection of personal data and privacy in Rwanda. The issues highlighted above and any other grey areas of the Act are nowhere near as many as its pros. In addition, there is hope that the authorities in charge will look into these and make the necessary changes in good time.
Most importantly, data controllers and processors should start familiarizing themselves with their obligations in the Act and putting in place whatever is necessary to comply with the Act, as penalties for violations thereof are massive. The good news is that data controllers and data processors (who are already in operation) have been given a moratorium of two years to attune their operations to the provisions of the Act.
The views contained herein are those of the author.
The writer is a junior associate at ENSafrica Rwanda.
Email: enshimiyimana@ensafrica.com