In an age where data is often called the new oil, Rwanda’s 2021 Data Protection and Privacy Law was a groundbreaking step aimed at safeguarding citizens’ personal information in an increasingly digital society.
As the government pursues its Vision 2050 and transforms public service delivery through platforms like Irembo and smart ID systems, concerns about how personal data is collected, stored, and used have become more urgent.
“I don’t even know what personal data means,” says Alice Umutoni, a 24-year-old university student in Kigali. “Every app I download asks for my name and ID number, but I’ve never thought about where that information goes.”
Alice’s confusion is not unique. Despite being in force for nearly three years, the law’s practical meaning is still unclear to the majority of citizens.
A Law That Promises Protection
The Data Protection and Privacy Law provides Rwandans with several key rights:
• The right to consent before their personal data is collected or shared.
• The right to access their data and be informed about how it’s used.
• The right to correct or request deletion of incorrect or outdated data.
• The right to data portability, allowing individuals to move their data between service providers.
• The right to object to the processing of their data under certain conditions.
Data controllers—including banks, hospitals, telecom providers, government agencies, and online platforms—are required to protect the privacy of this information and obtain clear, informed consent before using it. Penalties for violations can include heavy fines and even criminal liability in extreme cases.
According to the law, sensitive personal data includes information such as health records, biometric data, political opinions, religious beliefs, and sexual orientation—categories requiring even stricter handling protocols.
Despite the law’s potential to empower individuals, awareness remains low—especially outside urban areas. A 2023 survey by Rwanda Internet Community and Technology Alliance (RICTA) found that only 17% of respondents were aware that Rwanda had a data protection law. Most citizens were unaware of their rights or how to challenge misuse of their data.
“In Kigali, a few tech-savvy people might have heard about it, but in Nyagatare or Karongi, the average citizen doesn’t even know companies are legally bound to protect their data,” says Noella Musabyimana, a digital rights advocate and consultant. “And yet, they use mobile money, Irembo, and health insurance platforms every day.”
The gap is most stark among vulnerable populations—rural women, the elderly, people with disabilities, and informal workers—who often use digital services without understanding the risks or their rights.
For example, when a person applies for a land title through Irembo, they are required to input their full name, ID number, and phone number. When someone signs up for a mobile wallet or health insurance, similar information is collected. In some cases, that data may be accessed or processed by third-party companies, especially in tech development or financial services.
While Rwanda’s Smart Nation ambition is rooted in efficiency and innovation, the exponential growth in digital footprints opens up risks—from identity theft and spam to profiling and surveillance.
Earlier in 2024, a viral case in a Kigali suburb exposed the leakage of patient data from a private clinic, sparking public debate about how secure digital health platforms really are.
The National Cyber Security Authority (NCSA) is the body responsible for enforcing the data protection law. It has developed guidelines for compliance and is conducting awareness campaigns among public institutions and some private entities.
“The law is there, and now we are in the phase of building a compliance culture,” said an NCSA spokesperson in a recent interview. “We encourage citizens to report violations.”
But experts argue that more investment is needed in public education, especially in Kinyarwanda. Many terms used in the law—like “data processor,” “consent mechanism,” or “profiling”—are technical and unfamiliar to the average citizen.
Furthermore, there is currently no independent Data Protection Authority—a gap that could weaken accountability and enforcement. Advocacy groups are pushing for this office to be established with clear powers and autonomy.
As more services go digital—from education and health to banking and e-commerce—the media has a vital role to play in helping the public understand digital rights.
“Journalists should break down these complex topics through radio programs, storytelling, and practical examples,” says Eric Ndayishimiye, a media trainer focused on tech policy. “When people hear real cases—like someone whose SIM card was hacked or whose loan application was denied because of inaccurate data—they begin to understand what’s at stake.”
Civil society organizations such as Digital Rights Rwanda and Internet Society Rwanda Chapter are also holding community trainings and legal clinics to help citizens understand how to demand their rights.
Why It Matters Now
As Rwanda continues to digitize governance, economy, and everyday life, trust in digital systems is essential. If citizens feel vulnerable, monitored, or exploited, they may opt out of using digital services altogether—defeating the goal of inclusive digital development.
“People must feel that their data is theirs—not something companies or the state can use without consequence,” says Noella. “Otherwise, digital transformation becomes a risk instead of a tool for empowerment.”
For Alice and millions of others, the road to digital dignity begins with awareness. Rwanda’s Data Protection Law offers powerful tools—but only if people know they exist and how to use them.
