Rwanda Recording Laws: All-Party Consent Rules and Penalties (2026)

Rwanda's Approach to Recording and Surveillance

Rwanda takes a strict position on the recording and interception of communications. The country operates under an all-party consent framework, meaning that recording phone calls, digital communications, or in-person conversations without the knowledge and authorization of all involved parties is illegal.

This approach is built on multiple layers of legislation. The 2003 Constitution (as revised in 2015) establishes privacy as a fundamental right. Law 60/2013 governs the interception of communications specifically. Law 60/2018 addresses cybercrimes, including digital interception. And Law 58/2021 provides a comprehensive data protection and privacy framework modeled on international standards.

For anyone conducting business in Rwanda, working with Rwandan contacts remotely, or visiting the country, the bottom line is clear: do not record any conversation or communication without explicit authorization from every party involved.

Constitutional Foundation: Article 23

The starting point for Rwanda's recording laws is Article 23 of the Constitution of the Republic of Rwanda.

Article 23 states that a person's private life, family, home, and correspondence shall not be subjected to arbitrary interference. It further provides that a person's honor and good reputation are protected.

On the specific matter of communications, the constitution declares that confidentiality of correspondence and communication shall not be subject to waiver except in circumstances and in accordance with procedures determined by law. This is not a policy suggestion. It is a constitutional guarantee that sits above ordinary legislation.

Every statute that governs recording, interception, and data collection in Rwanda flows from this provision. Courts interpreting disputes about unauthorized recording will always look first to Article 23 as the foundational standard.

Law 60/2013: Interception of Communications

What the Law Covers

Law No. 60/2013 of 22 August 2013 is Rwanda's primary statute regulating the interception of communications. It replaced and updated the earlier Law 48/2008, which had governed the same subject since 2008.

Article 5 of Law 60/2013 states the core prohibition: the interception of any communication made by means of a public or private communication system without authorization from a competent authority is unlawful.

The scope is broad. "Communication" covers telephone calls, text messages, emails, internet-based messaging, and any other electronic or non-electronic method of transmitting information between parties. Both public telecommunication networks (such as those operated by MTN Rwanda or Airtel) and private systems (such as a company's internal phone network) fall under the law.

Who Can Authorize Lawful Interception

Article 9 restricts the power to authorize interception to a single authority: a National Prosecutor designated by the Minister in charge of Justice. In practice, this means the Prosecutor General of Rwanda or delegates appointed by the Prosecutor General.

Only three security organs are authorized to apply for interception warrants:

• Rwanda Defence Force (RDF) - the national military
• Rwanda National Police (RNP) - the civilian police service
• National Intelligence and Security Service (NISS) - the intelligence agency

No other government body, private entity, or individual may apply for or carry out lawful interception. The limitation to these three organs, combined with the requirement for prosecutorial authorization, creates a narrow gateway for legal surveillance.

Emergency Interception Procedures

Law 60/2013 includes a provision for urgent situations. When public security interests require immediate action, the National Prosecutor may issue an interception authorization verbally. However, a written warrant must follow within 24 hours.

If the written warrant does not arrive within that window, the interception is presumed illegal. Any evidence gathered during the unauthorized period becomes tainted, and the officials who carried out the interception may face legal consequences.

Obligations on Service Providers

Article 7 of Law 60/2013 requires all communication service providers operating in Rwanda to ensure their systems are technically capable of supporting lawful interceptions at all times. Telecom companies, internet service providers, and other communication platforms must build interception capability into their infrastructure.

This obligation runs alongside the prohibition on unauthorized access. Providers must facilitate lawful interception when presented with a valid warrant, but they are prohibited from allowing or enabling interception without one.

Law 60/2018: Cybercrimes and Digital Interception

How It Supplements Law 60/2013

Law No. 60/2018 of 22 August 2018, the Law on Prevention and Punishment of Cybercrimes, builds on the interception framework by targeting digital and computer-based interception specifically.

Article 19 of Law 60/2018 addresses anyone who, knowingly and by any means, without authorization by law, intercepts or causes to be intercepted any function or data within a computer or computer system. This provision fills a gap that Law 60/2013 does not fully cover: the interception of digital data, stored files, cloud-based communications, and computer network traffic.

Penalties for Unauthorized Interception

The penalties under Law 60/2018 are concrete:

• Standard offense: Imprisonment of not less than one year and not more than two years, plus a fine of RWF 1,000,000 to RWF 3,000,000 (approximately USD $750 to $2,250)
• State secrets or national security: Imprisonment of not less than two years and not more than five years, plus a fine of RWF 1,000,000 to RWF 2,000,000 (approximately USD $750 to $1,500)

These penalties apply to individuals. Corporate entities involved in unauthorized interception face additional regulatory consequences, including potential suspension of operating licenses.

Practical Scope

Law 60/2018 covers a wide range of digital activities that someone might not immediately associate with "recording." Installing spyware on a colleague's phone, intercepting WhatsApp messages through a third-party tool, using packet-sniffing software to capture network traffic, or accessing someone's voicemail without permission all fall within its reach.

The law does not require that the interceptor listen to or read the captured data. The act of interception itself is sufficient for criminal liability.

Law 58/2021: Data Protection and Privacy

Overview

Law No. 58/2021 of 13 October 2021 is Rwanda's comprehensive data protection statute. It came into effect on 15 October 2021 and established a legal framework similar in structure to the European Union's General Data Protection Regulation (GDPR).

While not a recording law in the traditional sense, Law 58/2021 directly affects how recorded data, audio files, video footage, and any other personal data captured through recording activities can be collected, stored, processed, and shared.

Key Principles

The law establishes several foundational requirements for anyone processing personal data in Rwanda:

• Lawful basis: Every instance of data processing must have a valid legal basis, whether consent, contractual necessity, legal obligation, or legitimate interest.
• Purpose limitation: Data collected for one purpose cannot be repurposed without additional authorization.
• Data minimization: Organizations may collect only the data necessary for the stated purpose.
• Storage limitation: Personal data must not be kept longer than necessary.
• Accuracy: Data controllers must take reasonable steps to ensure data remains accurate and up to date.

For recording specifically, this means that even a lawfully obtained recording must be handled according to these principles. Recording a business meeting with all parties' consent, for example, does not grant unlimited rights to store, share, or repurpose that recording.

Registration Requirements

All data controllers and processors operating in Rwanda must register with the NCSA. The registration process requires disclosure of:

• The identity and contact details of the data controller or processor
• The types of personal data being processed
• The purposes of processing
• Categories of data subjects
• Any third parties receiving the data
• Whether data is transferred outside Rwanda
• Security measures in place

Operating without registration carries penalties of RWF 2,000,000 to RWF 5,000,000 (approximately USD $1,500 to $3,750) or one percent of the entity's total revenue from the previous fiscal year.

Cross-Border Data Transfers

Personal data may only be transferred outside Rwanda if the receiving country provides an adequate level of data protection, as determined by the NCSA, or if the data controller obtains an NCSA-issued certificate authorizing offshore storage. This provision has direct relevance for multinational companies that record calls or store communication data on servers outside Rwanda.

The NCSA's Role as Supervisory Authority

Establishment and Mandate

The National Cyber Security Authority (NCSA) was established in July 2017 and serves as Rwanda's supervisory authority for data protection and cybersecurity. In 2022, the NCSA formally launched its Data Protection Office (DPO), which handles day-to-day enforcement of Law 58/2021.

The DPO operates through the website dpo.gov.rw and has been actively issuing guidance since its launch.

Enforcement Powers

The NCSA holds broad enforcement authority under Law 58/2021:

• Monitoring compliance across all sectors
• Conducting investigations into suspected violations
• Issuing binding decisions and orders
• Imposing administrative penalties
• Maintaining the official register of data controllers and processors
• Issuing certificates for cross-border data transfers

Recent Guidance

The DPO has published several important guidance documents since becoming operational:

• June 2023: Guidance on registration requirements for data controllers and processors, including an online application process
• April 2024: Guidance on contractual provisions required for data processing agreements
• July 2024: Guidance on designating representatives for data controllers and processors based outside Rwanda

As of early 2026, the NCSA has not published reports of major public enforcement actions. The regulatory approach appears to be focused on building compliance infrastructure rather than punitive enforcement in these early years of the law's operation. That approach could shift as the regulatory framework matures.

Phone Calls vs. In-Person Conversations

Recording Phone Calls

Recording telephone calls in Rwanda without the consent of all parties on the call is prohibited under Law 60/2013 and reinforced by Law 60/2018. This applies to:

• Calls made over Rwanda's mobile networks (MTN, Airtel)
• Landline calls
• VoIP and internet-based calls (WhatsApp calls, Zoom, Microsoft Teams, Google Meet)
• Calls routed through business phone systems or call centers

There is no one-party consent exception. Being a participant in the call does not grant the right to record it. A business owner who records a call with a client, an employee who records a conversation with a manager, or a journalist who tapes a phone interview without disclosure all face criminal liability.

In-Person Conversations

The same prohibition applies to face-to-face conversations. Recording a meeting, a negotiation, a medical consultation, or a casual discussion without the knowledge and consent of all participants violates the law.

Using a hidden microphone, activating a smartphone voice recorder in your pocket, or wearing recording devices to capture in-person conversations all constitute unauthorized interception under the legal framework.

Digital Messages

Law 60/2018 extends protections to digital communications. Intercepting, capturing, or recording text messages, emails, chat conversations, or social media exchanges without authorization is a criminal offense. Screenshot capture of private messages for the purpose of distribution could also trigger data protection obligations under Law 58/2021.

Workplace Recording and Employee Monitoring

Employer Obligations

Rwanda does not have a standalone workplace surveillance law. Instead, workplace recording and employee monitoring fall under the combined framework of Law 60/2013 (interception), Law 58/2021 (data protection), and Law 66/2018 (labor law).

Employers who wish to monitor workplace communications, install CCTV cameras, or record business calls must:

• Obtain clear, informed consent from employees before monitoring begins
• Register as data controllers with the NCSA if they process personal data through monitoring activities
• Limit monitoring to what is necessary for a legitimate business purpose
• Inform employees about the scope, methods, and duration of monitoring
• Maintain records of all monitoring activities and their legal justification

CCTV in the Workplace

Installing security cameras in business premises is generally permitted, but employers must comply with data protection requirements. Cameras in areas where employees have a reasonable expectation of privacy, such as restrooms, changing rooms, or break areas used for personal phone calls, would likely violate the law.

Kigali's growing network of public CCTV cameras, operated by the Rwanda National Police, is governed separately under public security authorities and does not establish a precedent for private employers.

Call Center and Customer Service Recording

Businesses that record customer service calls must obtain consent from both the employee and the customer before recording begins. The standard practice of playing a recorded message announcing that "this call may be recorded for quality assurance purposes" satisfies the notice requirement only if it provides callers with a genuine opportunity to decline or disconnect.

Public Spaces and Government Surveillance

Kigali's CCTV Network

Since 2020, the Rwandan government has deployed an extensive network of CCTV cameras across Kigali's major roads and public spaces. These cameras are connected to a central command center operated by the Rwanda National Police and are used for traffic enforcement, crime prevention, and public safety monitoring.

The government's Smart City Master Plan envisions further expansion of this surveillance infrastructure. Speed cameras, red-light cameras, and license plate readers operate alongside traditional CCTV systems.

Legal Basis for Government Surveillance

Government-operated surveillance in public spaces is authorized under Rwanda's public security laws and the broader mandate of the RNP. The deployment of CCTV does not create any right for private citizens to conduct their own surveillance.

Individuals recording other people in public spaces without consent remain subject to the interception and data protection laws. The fact that a government camera may be recording the same area does not change the legal obligations of private actors.

Rwanda's Digital Governance Context

Understanding Rwanda's recording laws requires understanding the country's broader approach to digital governance.

Rwanda has positioned itself as one of Africa's most digitally ambitious nations. The country hosts the Smart Africa Alliance secretariat in Kigali and has invested heavily in broadband infrastructure, digital government services, and ICT-sector growth. The $200 million Digital Acceleration Project, funded by the World Bank and running through 2026, is expanding broadband access and digitalizing public services.

This digital ambition comes with a regulatory framework designed to match. Law 58/2021 was deliberately modeled on international data protection standards to signal that Rwanda takes digital governance seriously. The NCSA's role as both cybersecurity authority and data protection supervisor reflects the government's integrated approach to digital regulation.

For businesses, this means Rwanda's regulatory environment is not static. The legal framework around recording, data protection, and digital communications is actively developing. Companies operating in Rwanda should monitor NCSA guidance and regulatory updates regularly.

Penalties Summary

Offense	Law	Prison Term	Fine
Unauthorized interception of communications	Law 60/2013, Art. 5	Criminal offense (penalties in Law 60/2018)	See below
Digital interception (standard)	Law 60/2018, Art. 19	1-2 years	RWF 1M-3M (~$750-$2,250)
Digital interception (state secrets)	Law 60/2018, Art. 19	2-5 years	RWF 1M-2M (~$750-$1,500)
Operating without NCSA registration	Law 58/2021	N/A	RWF 2M-5M (~$1,500-$3,750) or 1% of revenue
False information during registration	Law 58/2021	1-3 years	RWF 3M+ (~$2,250+)

Business Compliance Checklist

Organizations operating in Rwanda or handling data from Rwandan residents should take the following steps:

• Register with the NCSA. All data controllers and processors must complete registration through the Data Protection Office at dpo.gov.rw.
• Audit recording systems. Identify every system that captures audio, video, or communication data, including phone systems, conferencing platforms, CCTV, and customer service tools.
• Obtain explicit consent. Before recording any call, meeting, or interaction, secure documented consent from all parties involved.
• Appoint a Data Protection Officer. Organizations processing personal data should designate a DPO responsible for compliance oversight and liaison with the NCSA.
• Conduct data protection impact assessments. Evaluate risks before implementing any new recording or monitoring system.
• Restrict cross-border transfers. If recorded data leaves Rwanda, ensure the receiving country meets NCSA adequacy standards or obtain the required transfer certificate.
• Maintain processing records. Keep detailed records of all personal data processing activities, including recordings, their purposes, and their legal basis.
• Train employees. Staff should understand that recording conversations, whether in person or on the phone, without all-party consent is a criminal offense in Rwanda.