“We require that a player hosts data locally. We are not ready to leave people’s data in the hands of another country,” said Patrick Nyirishema, the director general of Rwanda Utilities Regulatory Authority.
Mr Nyirishema said that government has put in place policies touching on areas deemed likely to pose a risk.
In 2017, Rwanda fined MTN up to Rwf7 billion ($8.5 million) for running its IT services in Uganda. The government termed MTN’s action a breach of its licence.
“What was even worse was the fact that MTN decided to host the data outside the country behind our back; the fine was meant to teach them a lesson” said Mr Nyirishema.
GSMA however criticised the decision to fine telecom companies for hosing data in another African country.
“Imposing fines for operating efficiently within Africa or innovating for the benefit of African people is counterproductive. Instead governments should focus on promoting responsible data governance practices that boost trust and enable the uptake of new technology and business ideas,” said the GSMA.
Rwanda has expressed concerns over allowing external control of its data saying that once the data is hosted in another country, it is subject to the laws of that country.
“If you subject call data records to another country, for example, that data is subject to the laws of that country and whenever that country wants to check that data it can. We can’t take such risks,” said Mr Nyirishema.
GSMA has been lobbying Rwanda to allow cross-border data flows by aligning its data laws with regional frameworks and international standards.
“Any requirement that prevents the flow of personal data across Rwanda’s border such as the requirement to use domestic IT services would only act as a disincentive” reads a statement from GSMA sent to Rwanda Today in response to questions on the matter.
GSMA further noted: “Taken as a whole, they fall far short of being a privacy framework that benefits the economy and society or that meets international standards such as the African Union Convention on Cyber Security and Personal Data Protection or Convention 108 of the Council of Europe which several African countries are ratifying.”
According to the GSMA, clamping down on security and data flows can be detrimental not only to Rwanda but Africa as a whole, and that enabling the data-driven economy, innovation and societal change is important much as the security, safety and well-being of citizens is any country’s primary duty.
GSMA added that if the rules are crafted in the right way and there is increasing alignment around data privacy approaches across Africa, personal data can flow across borders without endangering privacy.
Regarding government’s concerns on surveillance by foreign intelligence services, GSMA said that this can be addressed partially through proper encryption while data is in transit or at rest while domestic intelligence services can continue to require home-grown companies to give them the data they need to pursue legitimate investigations in accordance with law.
GSMA further said that international co-operation around the exchange of intelligence data can also be improved so as to ensure national security services access what they need.
“Some concerns around national security are legitimate but they should be divorced from data privacy and governments should continue to cooperate to find ways to address these concerns in a way that does not impede the flow of data,” said GSMA.