Consent and Personal Data, Two Intrinsic Notions
Over the past decade, data has become increasingly valuable, with some comparing it to oil in terms of economic importance[1]. Data companies now generate more profit than oil companies. The Covid-19 pandemic further heightened the demand for data as we rely more on the internet, leading to increased awareness of the need to protect our shared data[2]. Despite this, few people read the data protection policies of the apps they use. In 2018, the European Union enacted the General Data Protection Regulation to safeguard data subjects’ rights, hold data processing companies accountable, and create harmonized legislation across European countries[3]. This was driven by technological and societal changes.
Data Protection in Kenya
In November 2022, the Kenyan Office of the Data Protection Commissioner issued an enforcement notice against Oppo Kenya, a mobile phone reseller, for violating a customer’s privacy rights by using their photo on the company’s Instagram account without consent[4]. The customer filed a complaint, leading to an enforcement notice ordering Oppo Kenya to remove the image. The company failed to comply and was fined Sh5 million (USD 44,000), the maximum penalty under the Kenyan Data Protection Act[5]. It was also revealed that Oppo Kenya did not have a data protection policy, which is a requirement under the Act.
Kenya is among the few African countries with a data privacy framework. The Data Protection Act, effective in 2019, is overseen by the Data Protection Commissioner, who ensures compliance through audits and can impose fines for non-compliance[6]. Article 20 of the Act stipulates that commercial use of personal data requires prior consent from the data subject. Furthermore, any entity processing personal data must have a data protection policy. Violations of these rules can result in fines of up to Sh5 million or one percent of the company’s annual turnover.
Data Protection in Rwanda
Rwanda also has a data protection law Nº .058/2021 of 13/10/2021 that came into effect on October 15, 2021, with a two-year transition period for compliance. According to the law, the processing of personal data must be based on informed consent, presented clearly and in a language understood by the data subject. Data controllers and processors must implement appropriate measures to comply with the law.
The National Cyber Security Authority (NCSA) in Rwanda oversees and ensures the proper implementation of the data protection law.
Where does BRD stand?
BRD is subject to the data protection law as a data controller and processor. Therefore, the bank must obtain prior consent from data subjects before collecting or processing their personal data. It must also establish data privacy policies, address data subjects’ rights, and implement compliance programs and safeguards. Data subjects have the right to receive a response to their requests within 30 days and can appeal to the National Cybersecurity Authority if unsatisfied.
Taking the example of the marketing department, BRD must put in place strong safeguards to ensure prior consent from individuals appearing in any promotional materials. As the transitional period is ongoing until October 2023, BRD has five more months to fully comply with the data protection framework.
Penalties for non-compliance with the Data Protection Act
Data processing companies must adhere to these regulations to avoid fines that may be as much as 5% of their annual turnover. After the transition period, should BRD be found guilty of offenses such as unlawful processing of personal data, it may face fines of up to Rwf 265,000,000.
Safeguarding client data is essential in today’s data-driven world. Governments have implemented data protection laws for companies to implement them. Protecting client data is a collective responsibility for individuals, organizations, and governments.
Nadine Munyemana
[1] https://aln.africa/insight/data-protection-commissioner-imposes-fine/
[2] Section 63 of the Data Protection Act and Regulation 20 of the Data Protection Act (Complaints Handling Procedure and Enforcement)
[4] The world’s most valuable resource is no longer oil, but data (economist.com)
[5] The world’s most valuable resource is no longer oil, but data (economist.com)
[6] Le règlement général sur la protection des données (RGPD), mode d’emploi | economie.gouv.fr