The Data Protection Law applies to controllers and processors located in Rwanda, but also to controllers and processors with no local presence, so long as they process the data of individuals located in the country. African countries are increasingly departing from the rule set out in the now repealed Copyright Directive 1995, according to which, the law would apply to controllers without a local presence only where they used local processing "equipment" (or "means" depending on the translation of "moyens" in the French version of the Directive).
The latest African countries that have enacted data protection laws tend to adopt the extraterritorial approach similar to GDPR. This is the case for Benin, Uganda, Egypt, Kenya and Nigeria. In addition, Cape Verde, the first African country to have passed a data protection act (in 2001), had initially adopted the Copyright Directive's approach and, in its 2021 Amendment, changed it to the territorial scope based on the location of the data subjects.
The Rwandan Data Protection Law goes further than GDPR in that it does not limit its extraterritorial scope to processing activities related to the offering of goods or services and the monitoring of data subjects' behaviour taking place in Rwanda.
As a consequence, organisations, with no presence or equipment in Rwanda but that process small or large volumes of personal data collected from individuals located in Rwanda, would need to comply with the Law. This rule applies to both data controllers and data processors. In this respect, processors are directly liable under Rwandan Law and are subject to almost the same obligations and the same sanctions as the controllers. They should therefore be proactive in seeking to comply with Rwandan law, beyond the instructions of the controller on behalf of whom they process the data.
Under the Data Protection Law, there are eight legal bases for processing personal data, namely consent, contractual necessity, legal obligation, protection of the data subject's vital interest, duty carried out in the public interest or in the course of an official authority, performance of the duties of a public entity, legitimate interest of the data controller or third-party recipient, research purposes subject to authorisation by the relevant institution.
Consent must be provided on an opt-in basis and for a specified purpose. With regard to children under the age of 16, consent must be obtained from the child's guardian.
Rwanda is one of the 17 African countries, out of 32 with a data protection legal framework, which allows data processing on the basis of the controller's legitimate interest. Amongst the countries that do not recognise such legitimate interest are 8 ECOWAS (Economic Community of West African States) member states. Their exclusion of legitimate interest is in line with the provisions of the 2010 ECOWAS Supplementary Act on Personal Data Protection, which is the only binding regional data protection law in Africa.
Rights of data subjects
Under the Rwandan Data Protection Law, data subjects can exercise several rights, including the right to access, erase and rectify their data, as well as the right to object to processing, to restrict processing, to data portability and information. In addition, data subjects also have the right to designate an heir to personal data. Pursuant to this right, even though personal data is not subject to succession, where a deceased data subject had left a will, the heir is given full or restricted rights relating to the processing of the personal data held by the controller or the processor.
Data protection authority
Rwanda is one of the few Africa jurisdictions (along with Chad and the Ivory Coast) which has decided to legislate on data protection without creating a separate data protection authority. Note that the Nigerian ICT regulator, NITDA also acts as a data protection authority under the 2019 Nigerian Data Protection Regulation. However, the enactment of a data protection statute, that would provide for the creation of a dedicated data protection authority, is currently under discussion.
With regard to Rwanda, the supervisory authority is the National Cybersecurity Authority (NCSA). Rwanda also has sector-specific regulatory authorities (such as the Rwanda Utility Regulatory Authority in the ICT sector) responsible for overseeing sector-specific compliance. The competent authority may, in conjunction with the supervisory authority, put in place other sector-specific regulations governing the protection of personal data and privacy.
With the supervisory authority already in place, knowledge exchange between the different functions of the authority, which are interdependent, especially with regard to data security, are expected to be smoother than if there was a separate data protection authority.
Furthermore, the supervisory authority will be able to issue its mandatory and optional regulations more promptly. This would allow controllers and processors to have sufficient information in order to be compliant with the new law before it becomes enforceable in 2023.
Accountability and data protection officer
Under the Data Protection Law, controllers and processors must log their processing activities for the purpose of monitoring and auditing. The processing activities concerned are, at least the (i) collection, (ii) alteration, (iii) access, (iv) disclosure and transfer, (v) combination and (vi) erasure of personal data.
In addition, controllers and processors are required to record their processing activities, in a way that is comparable to the recording obligation set out in Article 30 GDPR.
The Data Protection Law also imposes the appointment of a data protection officer (DPO) where the legal entity's core activities consist of processing personal data with regular and systematic monitoring of data subjects on a large scale or where sensitive data is processed on a large scale. Further useful information is provided in the Data Protection Law, such as the clarification that a single DPO may be appointed in a group of companies or that the DPO may be a permanent employee or a contractor of the legal entity.
The Data Protection Law includes a breach notification requirement, stricter than the GDPR obligation, according to which the controller and the processor have 48 hours from becoming aware of a data breach to disclose it respectively to the supervisory authority and the controller.
The controller is also required to disclose the breach to the data subjects unless the breach is unlikely to result in a high risk to their rights and freedoms. The controllers must inform the data subjects “after having become aware” of the breach. No notification timeframe is provided in terms of hours or days. However, a timeframe could later be defined by a regulation issued by the supervisory authority.
Furthermore, the Data Protection Law imposes the obligation to conduct a data protection impact assessment where a processing activity is likely to result in high risks to the rights and freedoms of an individual, including in the case of profiling or large-scale processing of sensitive data.
Lastly, like the vast majority of African countries with data protection laws, the Rwandan Law provides for the obligation to register with the supervisory authority prior to processing personal data. This registration obligation applies to both the controller and the processor. As part of the registration application, international data transfers should be described. The issuance of a registration certificate takes no longer than 30 days from receipt of the application and would cover cross-border transfers, if applicable. The registration certificates are to have an expiry date, to be determined by regulation from the supervisory authority.
Penalties for companies are comparable to the GDPR sanction regime when it comes to the calculation method. Under the Data Protection Law, the maximum administrative fine amounts to 1% of the global turnover of the preceding financial year and the maximum criminal fine amounts to 5% of the annual turnover of the previous financial year. It is not specified whether the criminal fine is calculated on the turnover generated in Rwanda, or the global turnover, but this determination would be essential to multinational organisations.
Other sanctions include, amongst others, up to 10 years' imprisonment and cancellation of the registration certificate, which would in effect mean a ban on processing the personal data.
The supervisory authority is required to put in place implementation tools. By way of examples, it must issue regulations on (i) the designation of the representative of the controllers and processors, (ii) the management and migration of personal data in case of business closure or business change (iii) the additional requirements to be met in order to register as a controller or a processor or (iv) the period of validity of the registration certificate as well as the conditions for its renewal.
The supervisory also has the possibility to issue regulations on other matters such as regulations (i) determining other administrative misconducts and sanctions that are not provided for in the 2021 Law (ii) defining additional grounds for retention of personal data for a longer period, or (iii) defining additional reasons of sharing or transferring personal data to a third party outside Rwanda.
New controllers and processors are expected to immediately comply with the Data Protection Law, whereas those who already process personal data within the scope of Rwandan law have until 14 October 2023 to become compliant.
By complying with GDPR, controllers will cover the majority of the requirements of the Rwandan Law. However, a gap analysis is recommended, as some obligations are stricter under the Rwandan Law. With regard to processors, their level of exposure to liability is almost as high as the controllers', which is not common. As a consequence, processors should at least review the Law, their contracts and their governance model.
Authored by Aissatou Sylla and Yves Sangano.
Yves SANGANO is a Senior Associate in General Business Law with K-Solutions & Partners in Rwanda.