This law delineates cybercrimes and prescribes corresponding penalties. Individuals found guilty of such offenses may face imprisonment for a specified period as outlined in the law.
For example, under Article 24, engaging in unauthorized activities such as altering, hindering, or interfering with the functioning of a computer, computer system, or computer network—including the unauthorized introduction or transmission of malicious code—constitutes an offense.
Upon conviction, he/she is liable to imprisonment for a term of not less than two (2) years and not more than five (5) years and a fine of not less than one million Rwandan francs (Rwf1,000,000) and not more than two million Rwandan francs (Rwf2,000,000). If the computer data belongs to a security state organ, the offender is liable to imprisonment for a term of not less than five (5) years and not more than seven (7) years and a fine of not less than three million Rwandan francs (Rwf3,000,000) and not more than five million Rwandan francs (Rwf5,000,000).
If the computer or computer system data is stored in critical national information infrastructure, he/she is liable to imprisonment for a term of not less than ten (10) years and not more than fifteen (15) years and a fine of not less than ten million Rwandan francs (Rwf10,000,000) and not more than thirty million Rwandan francs (Rwf30,000,000).
Alignment with International Standards
The legislation aligns Rwanda with global data protection standards, a crucial development for a nation aspiring to thrive in the contemporary digital economy. This move facilitates services such as e-commerce, international financial transactions, and various online services, positioning Rwanda as a player in the global digital arena.
Objectives of the Law
The primary objectives of this law are manifold, aiming to empower citizens, foster secure data flows domestically and internationally, provide regulatory certainty for businesses, attract prospective investors, and create an environment conducive to the growth of small and medium enterprises (SMEs). Moreover, it propels Rwanda toward becoming a technology-enabled and data-driven economy.
With the advancement of technological innovation and cross-border digital trade, adequate personal data protection legislation is essential to fully harness the benefits of the global digital economy while safeguarding the privacy of individuals.
Non-compliance with data protection legislation, in Rwanda and internationally, could impede Rwanda- based organizations from participating in cross-border business as well as detract foreign direct investment from companies looking to take advantage of Rwanda’s enabling business environment and rising reputation as a proof-of-concept hub in the ICT sector.
Implementation and Compliance
The law mandates a 2-year journey to compliance, allowing individuals and institutions to establish the necessary processes for handling personal data securely and responsibly. In accordance with global best practices, the National Cyber Security Authority (NCSA) has been designated as the supervisory authority responsible for enforcing the law.
Applicability of the Law
The law applies to individuals and institutions established or residing in Rwanda that process the personal data of individuals in Rwanda, irrespective of citizenship. Additionally, it extends its jurisdiction to individuals and institutions established or residing outside of Rwanda but processing the personal data of individuals within Rwanda.
Rwanda’s commitment to data protection is not just a legal imperative but a strategic move to foster innovation, economic growth, and global competitiveness.