Policy and Regulatory Framework
Data privacy policy and regulatory framework for DFS and related principles.
- Establish governance and consultation arrangements.
- Assess current DFS legal and regulatory framework and market.
- Establish overarching policy and regulatory principles.
- Develop data privacy legal framework.
Overarching Data Protection and Privacy Law
The Law on the Protection of Personal Data and Privacy (Data Privacy Law) was passed in 2021. It applies to data controllers, processors, or third parties that are established or ordinarily resident in Rwanda and process personal data while in Rwanda. It also applies to those that are neither established nor resident in Rwanda but process the personal data of data subjects located in Rwanda. Implementation and supervisory powers reside with the National Cyber Security Authority ('NCSA').
Rwanda’s Data Privacy Law was enacted after a comprehensive consultation process, during which multiple additions and revisions were received from private companies in Rwanda. Most of the feedback and corrections received came from the financial sector, which routinely handles citizens' sensitive personal data.
The law sets out obligations for data controllers and processors, including registration requirements. The law prohibits the transfer of data to third parties without authorisation from the NCSA. Similarly, the law states that personal data must be stored in Rwanda unless the NCSA has authorised storage outside the country. Among other obligations, data controllers and data processors must carry out Data Protection Impact Assessments ('DPIAs') where the processing of personal data is likely to result in a high risk to the rights and freedoms of a natural person.
The law establishes the following data subject rights:
- Right to be informed.
- Right to access.
- Right to rectification.
- Right to erasure.
- Right to object/opt-out.
- Right to data portability.
- Right not to be subject to automated decision-making.
Finally, the law also sets out several penalties for data controllers and processors who fail to meet obligations.
Privacy by Design
Kenya’s Data Protection Act (2019) follows a privacy by design approach. Section 25 of the Act sets out the principles of data protection that data controllers and processors shall abide by. These are:
- Lawfulness, fairness, and transparency. Data should be processed lawfully, fairly, and in a transparent manner. In addition, a valid explanation must be provided whenever information relating to family or private affairs is required.
- Purpose limitation. Data is collected for an explicit, specified, and legitimate purpose and not further processed in a manner incompatible with those purposes.
- Minimisation. Data is collected for adequate and relevant purposes and is limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy. Data collected is accurate and, where necessary, kept up to date, with all reasonable steps taken to ensure inaccurate data is erased or rectified promptly.
- Storage limitation. Data should be kept in a form that identifies the data subject for no longer than is necessary for the purposes for which it was collected.
- Data should not be transferred cross-border. Data collected is not to be transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.
- Data should be processed in accordance with the right to privacy of the data subject.
Section 41, ‘Data protection by design or by default’, requires data controllers and processors to put in place appropriate technical and organizational measures:
- To implement Kenya’s data protection principles and necessary safeguards.
- To ensure that, by default, only personal data necessary for each specific purpose is processed, taking into account specified factors such as the amount of personal data collected, the extent of processing, the storage period and processing costs.
Kenya’s Data Protection Act also contains requirements for data controllers and processors to consider relevant risks to personal data, safeguards, the pseudonymization and encryption of personal data and the ability to restore data.
State-level Law
The California Privacy Rights Act (CPRA) takes effect on January 1, 2023. It expands on the California Consumer Privacy Act (CCPA) of 2018 which was already one of the most comprehensive data protection and privacy laws in the United States. The CPRA applies to businesses, financial institutions, and employers.
The CPRA requires service providers to make contractual commitments on the protection and use of data. It also requires businesses to state in the consumer privacy notice the retention period (how long they will keep the data) for each category of personal data, or to explain how retention is determined.
In addition, the CPRA also expands the breach liability to include unauthorized access or disclosure of certain data elements (e.g., email address, passwords, or security questions).
For implementation, the CPRA transferred rulemaking authority from the California Attorney General to the California Privacy Protection Agency. The new California Privacy Protection Agency is created by the CPRA and is vested with “full administrative power, authority, and jurisdiction to implement and enforce” the CPRA.
Data Controller and Processor Obligations
Obligations imposed on data controllers and data processors, including key data processing principles.
- Require effective internal governance arrangements.
- Establish overarching data processing principles.
- Create model for informed and effective consent.
- Require Data Protection Officer where appropriate.
Consent
Under the GDPR, processing of personal data is only lawful to the extent that the data subject has given consent to the specific purpose of the processing, or another exception applies (Article 6).
The concept of ‘consent’ is defined as: ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’ (Article 4(11)).
Other GDPR rules in Article 7 require that the consent request be:
- clearly distinguishable from other matters.
- in an intelligible and easily accessible form.
- in clear and plain language.
The data subject must also have a right to withdraw consent at any time and it must be as easy to withdraw consent as it is to give it.
Data Protection Officers
Article 40 of the Data Protection Law requires the appointment of a Data Protection Officer (DPO) by private and public entities that process personal data.
The DPO is required to (Article 41 of the Data Protection Law):
- inform and advise the data controller, the data processor and the employees who carry out personal data processing, of their obligations pursuant to this Law.
- monitor, in his or her area of work, compliance with this Law and with the policies of the data controller or data processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in personal data processing operations, and the related audits.
- provide advice where requested as regards the data protection impact assessment and monitor its performance.
- cooperate with the supervisory authority and to act as its contact point on issues relating to processing of personal data, including the prior consultation with the supervisory authority, and to consult, where appropriate, with regard to any other matter.
The DPO is designated on the basis of professional qualities, expert knowledge of personal data protection and its practices, and the ability to fulfil the tasks assigned to him or her (Article 40 of the Data Protection Law).
The data controller or the data processor must publish the contact details of the DPO and communicate them to the supervisory authority (Article 40 of the Data Protection Law).
Data Subject Rights
Rights to be established and provided to data subjects.
- Establish fundamental rights of data subjects.
- Right of anonymity.
- Right to access.
- Right to rectification / correction.
- Right to erasure / right to be forgotten.
- Right to restrict / object to processing.
- Right to data portability.
- Right not to be subject to a decision based solely on automated processing (e.g., using algorithms and/or machine learning), including profiling other than with express consent or if permitted by law.
- Specify how rights may be exercised by data subjects.
Establishing Rights
The California Privacy Rights Act (CPRA) takes effect on January 1, 2023. It expands on the California Consumer Privacy Act (CCPA) of 2018 which was already one of the most comprehensive data protection and privacy laws in the United States.
The CCPA created six specific rights for consumers:
- the right to know (request disclosure of) personal information collected by the business about the consumer, from whom it was collected, why it was collected, and, if sold, to whom.
- the right to delete personal information collected from the consumer.
- the right to opt-out of the sale of personal information (if applicable).
- the right to opt-in to the sale of personal information of consumers under the age of 16.
- the right to non-discriminatory treatment for exercising any rights.
- the right to initiate a private cause of action for data breaches.
The CPRA creates two additional rights:
- the right to correct inaccurate personal information; and
- the right to limit use and disclosure of sensitive personal information.
Exercising Rights through Opt-in and Opt-out Models
Brazil’s General Data Protection Law (LGPD) uses an “opt-in” model of user consent, which means that in most cases organizations cannot collect or process data until the user – an online shopper, website visitor, app user, etc. – consents to it. This requirement covers not only personal data such as names and email addresses, but also granular, “behind the scenes” data such as that collected by website cookies.
Internationally, other laws, like the European Union’s General Data Protection Regulation and South Africa’s Protection of Personal Information Act also use this consent model. In the United States, however, to date an “opt-out” model of user consent has been implemented at the state level (including California, Virginia, and Colorado). Organizations subject to these regulations do not have to obtain user consent prior to collection of data, except in some specific cases. They only must obtain consent prior to selling the data (also with some specific exceptions).
Automated Decision Making
A data subject has a right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects the data subject (Article 22). Exceptions apply where consent has been given or the decision is necessary for entering into a contract or its performance or the processing has been expressly authorized by law with appropriate safeguards.
‘Profiling’ means, in summary, automated processing, which uses personal data to evaluate personal aspects of a person (e.g., to analyze or predict work performance or health, economic performance, preferences, interests, reliability, location or movements) (Article 4).
Consumer Awareness and Recourse
Complaint and dispute resolution schemes, recourse rights for data subjects and public awareness programs.
- Require effective internal complaints handling procedures.
- Provide for an external dispute resolution scheme for data subjects.
- Consider need for public awareness programs.
Complaint Handling and Dispute Resolution Mechanisms
South Africa’s Protection of Personal Information Act provides detailed information about the data subject’s right to submit complaints. A Code of Conduct has been developed under Section 65 specifically for complaint handling by data controllers and processors. The code also specifies data subjects’ rights pertaining to submitting complaints.
Internal complaint handling processes include the following:
- Outline how a complaint must be lodged.
- Provide details of a person with whom a complaint must be lodged.
- Outline requirements which must be met in a case where a complaint is lodged on behalf of a data subject.
- Outline steps which will be followed to investigate a complaint, from receipt to the resolution.
- Make provision for notifying the complainant on the progress of the investigation.
- Stipulate a reasonable timeframe within which a complaint must be resolved.
- Make provision for informing the complainant of the outcome of the complaint and reasons for the decision taken.
- Outline the remedy that can be provided by a responsible party.
- Outline the circumstances in which a complaint can be escalated directly to the Information Regulator.
- Make provision for informing a complainant of their right to refer a complaint to the independent adjudicator if they are aggrieved by the decision of a responsible party.
- Outline the procedure for referring a complaint to an independent adjudicator.
- Provide the time frame within which a complaint may be referred to an independent adjudicator.
- Provide details of an independent adjudicator.
The law provides for the appointment of an independent adjudicator to whom complaints may be made.
The law also allows data subjects to submit a complaint to the Information Regulator regarding any concerns about data protection of personal information or to submit a complaint concerning the determination of an adjudicator.
Finally, the law states that data subjects also have the right to institute civil proceedings regarding any concerns about the protection of their personal information.
General Customer Recourse
Mexico’s Law on the Protection of Private Data held by Private Parties (2012) contains extensive provisions on the procedures for exercising data subject rights.
The data subject may submit a request for access, rectification, cancellation or opposition at any time. The designated person or personal data department shall respond within 20 days with the proposed determination. The determination becomes effective 15 days after the response, during which time the relevant action is completed.
Overall, the right shall be exercised by the holder free of charge. The delivery of personal data shall be free of charge, with provisions to cover justified costs of shipping or the cost of reproduction in copies or other formats. If similar requests are received more than once a year, the costs will not be greater than three days of the General Minimum Wage in the Federal District, unless substantial modifications are made to the notice of privacy.
Public Awareness
The Office of the Privacy Commissioner (OPC) of Canada develops and shares presentations, educational materials, and other resources through an online platform.
OPC annually celebrates Data Privacy Week, a week-long initiative during which OPC highlights the impact technology is having on data privacy rights and underlines the importance of valuing and protecting personal information.
The information is tailored to different segments. For example, in 2022, one of the materials created was a graphic novel, Social Smarts: Nothing Personal!, to help young Canadians better understand and navigate privacy issues in the online world. This was accompanied by a discussion guide that educators can use to generate further discussion and learning.
OPC also publishes Privacy Act Bulletins, which are intended to offer lessons learned, best practices and other important privacy news, trends and information related to privacy protection in the federal public sector.
Supervision and Enforcement
Risk based principles, supervisory mandate, powers, capacity, coordination, enforcement, and regulatory sandbox environments.
- Take a risk-based and proportionate approach to supervision.
- Ensure supervisors have effective mandate, powers, capacity, and resources.
- Establish clear consultation and coordination framework.
- Consider data privacy and protection issues in regulatory sandbox environments.
- Ensure credible threat of enforcement.
Supervisory Mandate and Enforcement Capacity
In the Philippines, the Data Privacy Act of 2012 established the independent National Privacy Commission. The Commission, which is attached to the Department of Information and Communications Technology, is headed by a Privacy Commissioner who is assisted by two Deputy Privacy Commissioners (one responsible for Data Processing Systems and one responsible for Policies and Planning). All three Privacy Commissioners must be experts in the field of information technology and data privacy, and all are appointed by the President for three-year terms and are eligible for reappointment for a second term of office.
The Commission has its own secretariat. The Commission’s many duties include monitoring compliance with the data privacy law; receiving and investigating complaints; regularly publishing a guide to all laws relating to data protection; reviewing and approving privacy codes voluntarily adopted by personal information controllers; providing opinions on the data privacy implications of proposed national or local statutes, regulations or procedures; and coordinating with data privacy regulators in other countries (see Philippines Data Privacy Act of 2012, Chapter II).
Regulatory Sandbox
The Information Commissioner (empowered through the Data Protection Act 2018) is an independent official appointed by the Crown and operates the UK Information Commissioner’s Office (ICO). It is an independent regulatory body which seeks to monitor, investigate and enforce all applicable data protection and privacy legislation in the UK (including Scotland, to a limited extent).
Importantly, the ICO and the UK’s Financial Conduct Authority also have a 2019 Memorandum of Understanding establishing a framework for cooperation, coordination and information sharing between the regulators.
The ICO has established a sandbox. Its key areas of focus for 2020-2021 included innovations related to data sharing; participants included firms focused on identity assurance/verification and cybersecurity within international data sharing initiatives. For 2021-2022, the key area of focus is biometric technologies and the processing of biometric data.
The sandbox provides specific benefits:
- informal steers (mentors).
- statement of regulatory comfort.
- progress monitoring.
- informal advice on risk mitigation that might need to be considered in completing a data protection impact assessment.
Enforcement and Penalties
In Peru, violations are classified as minor, serious, or very serious, with the level of fines varying accordingly. The penalties prescribed in the Peruvian legislation for organizations found in non-compliance are unique: all offending organisations are penalized in "tax units" rather than a fixed monetary amount. One tax unit is equivalent to approximately US$1022 or PEN 4400. The organisation must then pay this amount directly as part of its taxes, ensuring the national treasury receives the penalty amount.
Minor infringements (sanctioned 0.5-5 tax units) include:
- processing personal data without adopting security measures.
- collecting personal data that is not necessary, relevant, or appropriate regarding the purposes for which it had been obtained.
- not modifying or rectifying the personal data object of treatment when it is inaccurate or incomplete.
- not replying to, impeding, or obstructing the exercise of data subjects' rights.
Serious infringements (sanctioned 5-50 tax units) include:
- processing personal data without the data subject's consent.
- processing personal data while not fulfilling the Law's principles.
- not complying with the obligation of confidentiality.
- not replying to, impeding, or obstructing, in a systematic way, the exercise of data subjects' rights.
- obstructing audits by the National Authority for the Protection of Personal Data (APDP).
- not registering the personal database despite having been required by the APDP.
Very serious infringements (sanctioned 50-100 tax units) include:
- when the processing of personal data does not comply with the Law's principles, and this circumstance impedes or obstructs the exercise of data subjects' rights.
- creating, modifying, or cancelling a database without complying with the Law.
- giving false documents or information to the APDP.
- not ceasing the unlawful processing of personal data when this was previously required.
- not complying with the corrective measures established by the APDP.
The fine imposed may not exceed under any circumstances 10% (ten percent) of the annual gross income received by the presumed violator during the previous fiscal year. The Law also allows coercive fines for an amount not exceeding ten (10) Tax Units. However, the imposition of coercive fines does not prevent the exercise of other forced execution mechanisms.
Data Protocols in Emergencies
Data privacy policy issues during emergencies such as natural disasters or pandemics.
- Provide policy guidance on application of data privacy framework in emergencies.
- Ensure legal framework makes provision for emergencies.
- Exercise appropriate flexibility as to enforcement in appropriate cases.
Emergency Declarations
Very few countries provide relief from the strict rules in data privacy frameworks to allow data flows that assist in responses to emergencies (such as COVID-19). A rare example comes from Australia.
In summary, Part VIA of Australia’s Privacy Act (1988) provides for the making of emergency declarations that allow the collection, use and disclosure of information for a permitted purpose. These purposes relevantly include assisting individuals in obtaining financial or other humanitarian assistance. The declarations can apply for a limited time period up to 12 months. Where an entity validly relies on such a declaration then they will not be liable for breaching specified laws or codes, including the Australian Privacy Principles or a registered code.
Data Privacy During COVID-19
The OECD has made a number of recommendations on data privacy in its guidance on COVID-19. The key recommendations are, in summary:
- Governments need to promote the responsible use of personal data.
- Governments should consult Privacy Enforcement Authorities (PEAs) before introducing measures that risk infringing on established privacy and data protection principles.
- PEAs should address regulatory uncertainties.
- Subject to necessary and proportionate safeguards, governments should support national and international co-operation in collecting, processing, and sharing personal health data.
- Governments and data controllers should be transparent and accountable.
Policy makers, in consultation with privacy enforcement authorities, must assess the possible trade-offs in data utilization during this crisis (reconciling the risks and benefits), but must ensure that any extraordinary measures are proportionate to the risks and are implemented with full transparency, accountability and a commitment to immediately cease or reverse exceptional uses of data when the crisis is over.