As the government is gradually easing Covid-19 containment measures, businesses which cannot operate without physical contact, such as those in hospitality industry, have been required to collect personal identifications of their customers to allow contact tracing should any of the latter be found to be carrying the virus.

Such a measure adds up to the fact that digital service systems are built so that they collect and process personal data of their customers.

Collected personal data may be used beyond the purposes of service provision or shared with third parties with or without uninformed consent of the data subjects.

Handling such an issue would be difficult in the absence of an exhaustive law relating to privacy and personal data protection.

Computerised sets of personal data collected by a certain business about its customers constitute “big data”. The latter allow their holder to analyse patterns, trends, and associations of the data subjects, and serve for the holder as a foundation for its economic and/or security decisions especially in relation to the data subjects.

Despite the absence of an exhaustive privacy and data protection law, the Constitution, through various laws, guarantees the respect for privacy. Indeed, provisions of law in relation to the privacy and data protection are scattered in different laws and do not cater for all important issues pertaining to privacy and personal data.

For example, while the information and communications technology (ICT) law relates to providers of electronic communication network or services, it is almost silent about other service providers using electronic systems just as means of service delivery or electronic transactions.

In the same vein, while the penal law criminalises revelation of professional secrecy that may include sharing of personal data by an offender who acquired them by virtue of their function, the victim may not even be aware of who collected or shared their data because it is done within electronic systems beyond their control or to which they unknowingly gave consent while installing a certain app or software, or visiting a certain website.

In other cases, the victims themselves do not care about their privacy. With the Internet accessible across the country and with initiatives such as “connect Rwanda,” which aim at assisting vulnerable families get smartphones to access digital services, an exponential increase inbpersonal data traffic can be expected — without a matching pace in digital literacy, leading to more victims.

But the pain stemming from the absence of a law on privacy and personal data protection would be cured if the Bill on the website of the Ministry of ICT and Innovation is translated into a law.

The Bill enshrines the safeguards for collecting and processing personal data, including the rights of the data subject to be informed of the reason for data processing, to provide their consent and withdraw it at any time, mto object to the processing of their data, to request for the data correction or deletion, and to request for the transfer or sharing of her/his data from one data controller to another.

Jean Nepomuscene Mugengangabo is a corporate commercial lawyer, and a partner at Landmark Advocates, Kigali-Rwanda. Email: [email protected]