Cabinet on June 24, 2019, finally approved the ratification of the African Union Convention on cyber security and personal data protection adopted at Malabo, Equatorial Guinea, in 2014. Rwanda becomes the fifth country to ratify the framework after Senegal, Mauritius, Namibia and Guinea. Under Article 36 of the Malabo Convention, it will enter into force after thirty days following securing 15 minimum ratifications. Given the increasing trend of protecting personal data and combating cyberthreats, there’s hope that other States will ultimately follow suit. In this regard, the ratification of the Convention will pave way for the implementation of the National Revolution Policy of 2017. This policy requires the government harmonise laws for protection of individuals with regard to the processing of personal data and privacy. Equally, it raises privacy concerns and requires the protection of personally identifiable information or other sensitive information collected, stored and used. Additionally, the policy notes that health information, privacy and protection rules need to be strengthened to protect patients from access of private medical information by insurances and other health business practitioners without complying with universally-recognised data protection principles. To my mind, the ratification of Malabo Convention and National Revolution Policy lay a suitable ground for adopting a specific law, which would perhaps comprehensively cater for protection of personal data. Admittedly, there’re pieces of ICT-related legislations, including ICT law of 2016, but do not address personal data protection. Besides, the AU Convention requires State Parties two major elements: a data protection law and data protection authority. The data protection law would encompass the key principles and other fundamentals. These include to regulate collecting, processing, storing and sharing of personal data; establish the legal and institutional frameworks to protect personal data; strengthen fundamental rights and public freedoms, particularly the protection of data and punish any violation of privacy without prejudice to the principle of free flow of personal data. Regarding the Data Protection Authority, it will, to start with, implement the data protection legislation once it’s in place. Secondly, it would establish and maintain a register of data controllers and data processors. Thirdly, to formulate, implement and oversee programs intended to raise public awareness about data protection. Fourth, to exercise control on all data processing activities, either of its own motion or at the request of a data subject, and verify whether the processing of data is in accordance with any proposed law. The Convention also sets out obligations for businesses and organisations that collect, process and store individuals’ personal data. Such as lawfulness, fairness and transparency: processing personal data lawfully, fairly and in a transparent manner in relation to the data subject. Purpose limitation: collecting personal data for a specific, explicit and legitimate purpose. It must clearly states what this purpose is, and only collect data for as long as necessary to complete that purpose. Data minimisation: ensuring that personal data processed is adequate, relevant and limited to what is necessary in relation to your processing purpose. Accuracy: taking every reasonable step to update or remove data that is inaccurate or incomplete. Individuals have the right to request that you erase or rectify erroneous data that relates to them, and you must do so within a month. Storage limitation: deleting personal data when is no longer needed. The timescales in most cases aren’t set. They will depend on whether business’ circumstances and the reasons why they collect this data. Integrity and confidentiality: keeping personal data safe and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measure. More principally, the AU Convention enshrines the fundamental rights of data subject (data owner). The right to information: the data controller should provide the natural person whose data are to be processed with the following information, no later than the time when the data are collected, and regardless of the means and facilities used. Right of access: any natural person whose personal data are to be processed may request from the controller, in the form of questions. Right to object: any natural person has the right to object, on legitimate grounds, to the processing of the data relating to him. Right to rectification: the right to be informed before personal data relating to him/her are disclosed for the first time to third parties or used on their behalf for the purposes of marketing, and to be expressly offered the right to object, free of charge, to such disclosures or uses. To sum up, the lawfulness of processing, the duties regarding the processing of special personal data categories, and so on stretch much further than the data subject rights. The Convention also accommodates processing of sensitive data, transfer of personal data outside the country and retention of personal data for legitimate reasons. In a technologically-driven world, personal data regulation is vitally important. To be effective with such regulation, there’s a need to shift the mindset to why and how personal data’s integrity, confidentiality and security to be ensured. Jitendra rightly described data as the oxygen that moves the world. The writer is a law expert.
