Rwanda's Data Protection Regime

Context and Background

Rwanda continues to position itself as a regional leader in digital transformation, anchored in long-term strategies such as Vision 2050 and the Smart Rwanda Master Plan. As reflected in the 2024 analysis, ICT remains central to Rwanda's ambition to build a knowledge-based economy, supported by near-universal 4G coverage, high mobile penetration, and strong growth in mobile money and e-government services. Between 2024 and 2025, this trajectory has largely been sustained. Digital services continue to expand across telecommunications, fintech, e-commerce, online betting, healthcare, and public administration. The increasing digitisation of justice systems (e.g., IECMS), financial services, and public platforms has deepened data-driven governance and commercial activity.

However, as in 2024, this transformation entails large-scale collection and processing of sensitive personal data, including financial, biometric, health, and location data, across both public and private sectors. While digital innovation advances inclusion and efficiency, it also intensifies risks relating to privacy, cybersecurity, profiling, and cross-border data transfers. The central policy tension remains unchanged: how to sustain innovation while safeguarding constitutional privacy guarantees and data protection rights.

Positive Developments and Emerging Issues

A major milestone, already noted in 2024 and retained for 2025, is the enactment of Law No. 058/2021 Relating to the Protection of Personal Data and Privacy (DPP Law). The two-year compliance grace period ended in October 2023, marking the transition from normative adoption to expected operational compliance.

Institutionally, the establishment of the Data Protection and Privacy Office (DPPO) within the National Cyber Security Authority (NCSA) in 2022 represented an important step toward operationalising the framework. Public sensitisation campaigns (e.g., Tekana Online), publication of complaint forms and transfer authorisation templates, and issuance of initial regulatory guidance signalled early implementation efforts.

For 2025, these developments remain relevant and should be retained as indicators of institutional progress. However, emerging concerns identified in 2024 persist: limited publicly accessible compliance data (e.g., no comprehensive public register of controllers/processors), minimal transparency regarding investigations, sanctions, or enforcement statistics, and limited secondary regulations or sector-specific guidance to clarify operational obligations.

New and continuing issues for 2025 include increasing reliance on cross-border cloud services, AI-driven analytics, and expanded fintech ecosystems, which heighten the urgency for clearer adequacy rules, supervisory coordination, and technical oversight mechanisms.

Legal and Institutional Framework

Rwanda's data protection regime is grounded in Law No. 058/2021, which provides a comprehensive legal basis governing collection, processing, storage, transfer, and protection of personal data. The law aligns with international and regional instruments, including the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention) and principles comparable to the GDPR.

Key elements of the framework include:

  • Broad definition of personal data (including biometric and sensitive data)
  • Lawful processing principles (lawfulness, fairness, purpose limitation, proportionality)
  • Recognition of data subject rights (access, rectification, erasure, restriction, objection, portability)
  • Mandatory security safeguards and breach notification obligations
  • Requirements for appointment of Data Protection Officers (DPOs) in high-risk processing contexts
  • Conditions governing cross-border data transfers based on adequacy or appropriate safeguards

Enforcement authority rests with the National Cyber Security Authority, which maintains the registry of controllers and processors, receives complaints, conducts investigations, and may impose administrative sanctions. Sector regulators, including the Rwanda Utilities Regulatory Authority (telecommunications and betting), the National Bank of Rwanda (financial services), and the Rwanda Information Society Authority (ICT systems and e-government infrastructure), play complementary roles.

Compared to 2024, the legal framework itself remains stable and robust on paper. The core structure does not require revision; rather, the emphasis for 2025 shifts toward operationalisation, regulatory detailing, and institutional strengthening.

Enforcement Dynamics and Challenges

The primary continuity between 2024 and 2025 lies in the implementation gap. While Rwanda's legal framework is comprehensive, enforcement dynamics remain relatively opaque. Just like last year, efforts were made to engage with Rwanda's Data Protection and Privacy Office to gain direct insights into critical regulatory areas such as registration, enforcement, institutional capacity, public engagement, and compliance oversight. However, direct outreach to obtain specific data and detailed status updates on enforcement and monitoring efforts proved unsuccessful. Moreover, the lack of direct responses from the DPPO made it difficult to assess the full scope of enforcement effectiveness and implementation progress.

Key challenges retained from the 2024 assessment include:

  1. Institutional Independence and Capacity – The DPPO operates under the NCSA, limiting its administrative and financial autonomy. Resource constraints may affect staffing, audit capacity, and proactive investigations.
  2. Limited Transparency – There is no fully accessible public database of registered data controllers and processors, nor regular publication of enforcement statistics.
  3. Regulatory Gaps – Few detailed implementing regulations, dispute resolution mechanisms, or appellate procedures have been publicly elaborated.
  4. Low Public Awareness – Citizen understanding of complaint procedures and enforceable rights remains limited.
  5. Limited Proactive Oversight – There is little publicly available evidence of sector-wide audits or risk-based investigations in high-risk sectors such as telecoms, finance, and health.

This assessment suggests incremental progress but no structural transformation in enforcement visibility. As digital ecosystems expand and cross-border processing intensifies, the absence of consistent public reporting and robust sanctioning practice risks weakening deterrence and public trust.

Accordingly, the core priority moving forward remains bridging the gap between legal design and practical enforcement through enhanced regulatory independence, transparent reporting, sector-specific guidance, capacity building, and strengthened inter-agency coordination.