Rwanda Recording Laws 2026: All-Party Consent, Penalties & Surveillance

Rwanda Recording Laws 2026: All-Party Consent, Penalties, and Surveillance

Rwanda operates an all-party consent framework for recording communications. Law No. 60/2013 prohibits interception of any public or private communication without prosecutorial authorization, and Law No. 60/2018 on Cybercrimes imposes criminal penalties of one to five years imprisonment for unauthorized digital interception.

Information last verified on 2026-05-15. This article has not yet been reviewed by a licensed lawyer. It presents general legal information about Rwandan law and does not constitute legal advice for any specific situation.

Jurisdiction scope: This article addresses recording and interception law in Rwanda under national statutes, including Law No. 60/2013 (interception of communications), Law No. 60/2018 (cybercrimes), Law No. 68/2018 (Penal Code), and Law No. 058/2021 (data protection). It does not address recording laws in other African countries. For broader international comparisons, see our world recording laws overview.

Quick Answer: Is Recording Legal in Rwanda?

No, recording communications without the consent of all parties is not legal in Rwanda for private individuals. Rwanda does not recognize a one-party consent exception. The country enforces an all-party consent standard through three overlapping legal instruments. Law No. 60/2013 prohibits intercepting any public or private communication without authorization from a designated National Prosecutor. Law No. 60/2018 on Cybercrimes imposes criminal penalties for unauthorized digital interception under Article 19 and for nonconsensual recording of persons under Article 35. The Penal Code (Law No. 68/2018) adds general privacy crime provisions that cover secret recording and surveillance of individuals. For businesses, Law No. 058/2021 on Data Protection and Privacy creates additional registration and compliance obligations for any entity that records communications as part of its operations. The combined effect is that anyone who records a conversation, phone call, meeting, or digital communication in Rwanda without the knowledge and consent of all participants faces criminal liability under one or more of these statutes.

Constitutional Foundation: Article 23

The starting point for Rwanda's recording laws is Article 23 of the Constitution of the Republic of Rwanda (2003, revised 2015). Article 23 states that a person's private life, family, home, and correspondence shall not be subjected to arbitrary interference, and that a person's honor and good reputation are protected. On the specific question of communications, the constitution declares that confidentiality of correspondence and communication shall not be subject to waiver except in circumstances and in accordance with procedures determined by law.

This is not a policy preference. It is a constitutional guarantee that sits above ordinary legislation. Every statute governing recording, interception, and data collection in Rwanda flows from this provision. The phrase "except in circumstances and in accordance with procedures determined by law" is the constitutional authorization for the warrant-based lawful interception regime established by Law No. 60/2013. Courts interpreting disputes about unauthorized recording look first to Article 23 as the foundational standard.

The constitution also guarantees freedom of expression under Article 38, but Rwandan courts and authorities have consistently treated privacy and national security interests as outweighing free expression claims in communications interception cases. This constitutional balance matters for understanding why the lawful interception gateway is deliberately narrow.

Law 60/2013: Interception of Communications

What the Law Covers

Law No. 60/2013 of 22 August 2013, Regulating the Interception of Communications, is Rwanda's primary statute on communications surveillance. It replaced Law No. 48/2008, which had governed the same subject since 2008. Article 5 states the core prohibition: the interception of any communication made by means of a public or private communication system without authorization from a competent authority is unlawful.

The scope is broad. "Communication" covers telephone calls, text messages, emails, internet-based messaging, and any other electronic or non-electronic method of transmitting information between parties. Both public telecommunication networks operated by providers such as MTN Rwanda or Airtel Rwanda and private systems such as a company's internal phone or messaging network fall within the law.

The prohibition is absolute for private individuals and most organizations. There is no carve-out for recording your own conversations, no journalistic exception, and no business necessity defense. Consent of all parties, or a prosecutorial warrant, is the only path to lawful interception.

Who Can Authorize Lawful Interception

Article 9 of Law 60/2013 restricts the power to authorize interception to a single authority: a National Prosecutor designated by the Minister in charge of Justice. In practice, this means the Prosecutor General of Rwanda or a delegate appointed by the Prosecutor General.

Only three security organs are authorized to apply for interception warrants:

• Rwanda Defence Force (RDF): the national military
• Rwanda National Police (RNP): the civilian police service
• National Intelligence and Security Service (NISS): the national intelligence agency

No other government body, private entity, or individual may apply for or carry out lawful interception. This limitation to three organs, combined with the requirement for prosecutorial authorization, creates a deliberately narrow gateway for legal surveillance.

Law No. 30/2013 (Code of Criminal Procedure) Article 72 provides parallel authority for interception within criminal investigations, permitting surveillance when other investigative methods fail, with warrants valid for three months and renewable once.

Emergency Interception Procedures

Law 60/2013 includes a provision for urgent situations. When public security interests require immediate action, the National Prosecutor may issue an interception authorization verbally. A written warrant must follow within 24 hours. If the written warrant does not arrive within that window, the interception is presumed illegal and any evidence gathered during the unauthorized period becomes tainted. Officials who carried out the interception face potential legal consequences.

Obligations on Service Providers

Article 7 of Law 60/2013 requires all communication service providers operating in Rwanda to ensure their systems are technically capable of supporting lawful interceptions at all times. Telecom companies, internet service providers, and other communication platforms must build and maintain interception capability in their infrastructure. Providers must facilitate lawful interception when presented with a valid warrant but are prohibited from enabling interception without one.

Law 24/2016: ICT Minister Interruption Power

Law No. 24/2016 of 18 June 2016 Governing Information and Communication Technologies grants a further executive power under Article 126. The ICT Minister may interrupt or cause to be interrupted any private communication that appears to be detrimental to national sovereignty, or suspend electronic services in designated circumstances. This provision operates alongside the prosecutorial warrant system and reflects the government's broad administrative authority over the communications infrastructure.

Law 60/2018: Cybercrimes, Digital Interception, and Covert Recording

Article 19: Interception of Computer Systems

Law No. 60/2018 of 22 August 2018 on Prevention and Punishment of Cybercrimes adds specific criminal liability for digital interception. Article 19 addresses anyone who, knowingly and by any means, without authorization by law, intercepts or causes to be intercepted any function or data within a computer or computer system. This provision fills the gap that Law 60/2013 does not fully cover: the interception of digital data, stored files, cloud-based communications, and computer network traffic.

The penalties under Article 19 are:

• Standard offense: Imprisonment of not less than one year and not more than two years, plus a fine of RWF 1,000,000 to RWF 3,000,000 (approximately USD 750 to 2,250)
• State secrets or national security: Imprisonment of not less than two years and not more than five years, plus a fine of RWF 1,000,000 to RWF 2,000,000 (approximately USD 750 to 1,500)

Article 19 covers a wide range of digital activities. Installing spyware on another person's phone, intercepting WhatsApp messages through a third-party tool, using packet-sniffing software to capture network traffic, and accessing someone's voicemail without permission all fall within its reach. The law does not require that the interceptor listen to or read the captured data. The act of interception itself is sufficient for criminal liability.

Article 35: Covert Recording and Cyber-Stalking

A provision that receives less attention but has direct practical significance for recording law is Article 35 of Law 60/2018, which governs cyber-stalking. Article 35 explicitly includes within its definition of cyber-stalking the act of taking photographs, videos, or sounds of any person without that person's consent or knowledge using a computer or connected device.

The penalty for an Article 35 offense is imprisonment of not less than six months and not more than two years, plus a fine of RWF 1,000,000 to RWF 2,000,000 (approximately USD 750 to 1,500).

This provision is significant in several ways. It specifically covers the use of smartphones and other devices to covertly record individuals, not just the interception of communications between parties. Someone who secretly records a person's image, voice, or activities using a mobile device without consent commits an Article 35 offense regardless of whether any communication is being "intercepted" in the traditional sense. This closes a potential gap between the communication-focused framework of Law 60/2013 and general unauthorized recording of individuals.

Penal Code (Law 68/2018): Privacy Crimes

Overview of the Penal Code Framework

Law No. 68/2018 of 30 August 2018 Determining Offences and Penalties in General is Rwanda's comprehensive penal code, published in the Official Gazette No. Special of 27 September 2018. The Penal Code operates alongside the specialized cybercrime and interception statutes rather than replacing them. Where Law 60/2018 targets computer-mediated offenses and Law 60/2013 targets communications interception, the Penal Code provides the general criminal law framework for violations of individual privacy and dignity, including secret recording and unauthorized surveillance that does not fit neatly into the cybercrime or interception categories.

Privacy Crimes Provisions

The Penal Code includes a chapter on offenses against persons that encompasses privacy crimes. Article 156 addresses violations of the private sphere through unauthorized recording, surveillance, and related intrusions. It prohibits secretly listening to or disclosing confidential statements, and taking or disclosing photos, audio, or visual recordings without a person's authorization. Article 159 extends these protections to telecommunications correspondence, covering the recording, interception, diversion, or disclosure of correspondence sent or received by any means of telecommunications, or installing devices designed to carry out such interceptions without authorization of the judicial or public prosecution authorities.

The Penal Code's privacy provisions apply to conduct that causes harm to individual dignity and private life. This includes secretly recording conversations in private settings using a physical device, placing recording equipment in private spaces such as residences, hotel rooms, or medical offices without consent, and distributing recordings made without consent regardless of the method used to capture them. The Penal Code framework is particularly relevant for in-person recording scenarios where no "computer system" is involved within the meaning of Law 60/2018, although in practice the two frameworks overlap substantially given that most recording devices today qualify as computers under the broad statutory definition.

Penalties under Article 156 are imprisonment of not less than six months and not more than one year, plus a fine of RWF 1,000,000 to RWF 2,000,000, or either penalty alone. Article 159 carries a heavier penalty of one to two years imprisonment and a fine of RWF 1,000,000 to RWF 3,000,000, reflecting the broader reach of the telecommunications interception provision. Article 160 (unauthorized collection of personal data in computers) carries six months to one year imprisonment and a fine of RWF 1,000,000 to RWF 2,000,000.

Relationship to the Cybercrime and Interception Laws

The three-law framework creates overlapping but complementary coverage:

Law 058/2021: Data Protection and Privacy

Overview

Law No. 058/2021 of 13 October 2021 Relating to the Protection of Personal Data and Privacy entered into force on 15 October 2021 and established a legal framework modeled on the European Union's General Data Protection Regulation (GDPR). While not a recording law in the traditional sense, Law 058/2021 directly affects how recorded data, audio files, video footage, and any other personal data captured through recording activities can be collected, stored, processed, and shared.

Key Principles

The law establishes foundational requirements for anyone processing personal data in Rwanda:

• Lawful basis: Every instance of data processing must rest on a valid legal basis, whether consent, contractual necessity, legal obligation, or legitimate interest.
• Purpose limitation: Data collected for one purpose cannot be repurposed without additional authorization.
• Data minimization: Organizations may collect only the data necessary for the stated purpose.
• Storage limitation: Personal data must not be kept longer than necessary to fulfill the stated purpose.
• Accuracy: Data controllers must take reasonable steps to ensure data remains accurate and current.

For recording specifically, even a lawfully obtained recording must be handled according to these principles. Recording a business meeting with all parties' consent does not grant unlimited rights to store, share, or repurpose that recording.

Registration Requirements

All data controllers and processors operating in Rwanda must register with the NCSA through the Data Protection and Privacy Office at dpo.gov.rw. Registration requires disclosure of:

• The identity and contact details of the data controller or processor
• The types of personal data being processed
• The purposes of processing
• Categories of data subjects
• Any third parties receiving the data
• Whether data is transferred outside Rwanda
• Security measures in place to protect the data

Operating without registration carries penalties of RWF 2,000,000 to RWF 5,000,000 (approximately USD 1,500 to 3,750) or one percent of the entity's total revenue from the previous fiscal year. Providing false information during registration is a separate offense carrying imprisonment of one to three years plus a fine of at least RWF 3,000,000.

Cross-Border Data Transfers

Personal data may only be transferred outside Rwanda if the receiving country provides an adequate level of data protection as determined by the NCSA, or if the data controller obtains an NCSA-issued certificate authorizing offshore storage. This provision has direct relevance for multinational companies that record calls or store communication data on servers outside Rwanda.

The NCSA's Role as Supervisory Authority

Establishment and Mandate

The National Cyber Security Authority (NCSA) was established in July 2017 and serves as Rwanda's supervisory authority for both data protection and cybersecurity. In 2022 the NCSA formally launched its Data Protection and Privacy Office (DPO), which handles day-to-day enforcement of Law 058/2021. The DPO operates through the website dpo.gov.rw and has been issuing compliance guidance since its launch.

Enforcement Powers

The NCSA holds broad enforcement authority under Law 058/2021:

• Monitoring compliance across all sectors
• Conducting investigations into suspected violations
• Issuing binding decisions and orders
• Imposing administrative penalties
• Maintaining the official register of data controllers and processors
• Issuing certificates for cross-border data transfers

Guidance Issued Since Launch

The DPO has published key guidance documents since becoming operational:

• June 2023: Guidance on registration requirements for data controllers and processors, with an online application process through the DPO portal
• April 2024: Guidance on contractual provisions required for data processing agreements, covering scope of processing, security measures, and data subject rights
• July 2024: Guidance on designating representatives for data controllers and processors based outside Rwanda

In August 2024, the NCSA launched Rwanda's National Cybersecurity Strategy, outlining seven objectives including cyber risk management and critical infrastructure protection.

As of May 2026, the NCSA has not published reports of major public enforcement actions imposing fines under Law 058/2021. The regulatory approach has focused on building compliance infrastructure, including the registration system and guidance documents, during the law's first years of operation. That approach may shift as the registration deadline passes and the regulatory framework matures.

Phone Calls and VoIP Communications

Recording telephone calls in Rwanda without the consent of all parties is prohibited under Law 60/2013 and reinforced by Law 60/2018 Article 19. This applies to:

• Calls made over Rwanda's mobile networks (MTN Rwanda, Airtel Rwanda)
• Landline calls
• VoIP and internet-based calls, including WhatsApp, Zoom, Microsoft Teams, and Google Meet
• Calls routed through business phone systems or call centers
• Calls that originate outside Rwanda but are received by a party in Rwanda

There is no one-party consent exception. Being a participant in the call does not grant the right to record it. A business owner who records a call with a client, an employee who records a conversation with a manager, or a journalist who records a phone interview without disclosure all face criminal liability under the same framework.

The prohibition extends to automated recording systems. A company that deploys an automatic call recording system without obtaining consent from callers before recording begins violates both Law 60/2013 and Law 058/2021. Playing a recorded announcement that "this call may be recorded" satisfies the notice requirement only if callers receive a genuine opportunity to decline or disconnect before recording starts.

In-Person Conversations

The prohibition on recording applies equally to face-to-face conversations. Recording a meeting, a negotiation, a medical consultation, or any in-person discussion without the knowledge and consent of all participants violates the legal framework.

Using a hidden microphone, activating a smartphone voice recorder in a pocket, or wearing a recording device to capture in-person conversations all constitute unauthorized interception or covert recording under the combined framework of Law 60/2013, Law 60/2018 Article 35, and the Penal Code (Law 68/2018). The method of recording, whether analog or digital, physical device or computer-connected equipment, does not affect the legal conclusion.

Digital messages receive equivalent protection under Law 60/2018. Intercepting, capturing, or recording text messages, emails, chat conversations, or social media direct messages without authorization is a criminal offense. Screenshot capture of private messages for the purpose of distribution could also trigger data protection obligations under Law 058/2021, particularly if the screenshots identify the sender and capture personal information.

Workplace Recording and Employee Monitoring

Employer Obligations

Rwanda does not have a standalone workplace surveillance law. Workplace recording and employee monitoring fall under the combined framework of Law 60/2013 (interception of communications), Law 058/2021 (data protection), and Law No. 66/2018 (labor law). Employers who wish to monitor workplace communications, install security cameras, or record business calls must:

• Obtain clear, informed consent from employees before monitoring begins
• Register as data controllers with the NCSA if monitoring activities involve processing personal data
• Limit monitoring to what is necessary for a legitimate business purpose
• Inform employees about the scope, methods, and duration of monitoring
• Maintain records of all monitoring activities and their legal justification

CCTV in the Workplace

Installing security cameras in business premises is generally permitted, but employers must comply with data protection requirements. Cameras in areas where employees have a reasonable expectation of privacy, including restrooms, changing rooms, and break areas used for personal phone calls, would likely violate the law. Cameras monitoring production floors, parking areas, and building entrances where no reasonable privacy expectation exists are on firmer legal ground, provided employees receive notice of their installation.

Kigali's extensive public CCTV network operated by the Rwanda National Police is governed by public security authorities and does not create a precedent for private employer surveillance in sensitive areas.

Call Center and Customer Service Recording

Businesses that record customer service calls must obtain consent from both the employee and the customer before recording begins. The standard practice of playing a recorded announcement that "this call may be recorded for quality assurance purposes" satisfies the notice requirement only if it provides callers with a genuine opportunity to decline or disconnect before the recording starts. A post-connection announcement that merely informs callers they are being recorded, with no opt-out mechanism, may not satisfy the all-party consent standard.

Recording Police and Government Officials

Legal Framework and Practical Risk

Recording police officers or other government officials in Rwanda is a high-risk activity that requires careful attention to both the formal legal framework and the practical enforcement environment.

From a formal legal standpoint, the same all-party consent rule applies to recording interactions with officials as to any other recording. There is no explicit statutory exemption that permits recording a police officer performing public duties. A person who records a police stop, an official proceeding, or a government encounter without the consent of all parties present faces potential liability under Law 60/2013, Law 60/2018 Article 35, and the Penal Code.

Beyond formal liability, the practical risk is substantially elevated. Rwanda ranked 146 out of 180 countries in the RSF World Press Freedom Index 2025, placing it in the "very serious" category. A 2021 investigation by an international media consortium identified Rwanda among approximately 20 countries using the Pegasus spyware system to monitor journalists and other targets. Rwanda National Police intelligence agents have been documented following journalists while they report. The government monitors social media and digital communications.

Documented Cases

The case of Yvonne Idamange illustrates the stakes. Idamange, a YouTube commentator, received a 15-year sentence in 2021 for posting videos that criticized government narratives. Two additional years were added in March 2023 on review. While the charges related to her published content rather than the act of recording itself, the case demonstrates the legal risk attached to documenting and distributing government-critical material.

John Williams Ntwali, a journalist who had reported to Human Rights Watch that he had received threats, died in a suspicious road accident in 2023. The pattern of journalist disappearances, imprisonments, and deaths documented by RSF and Freedom House reflects a broader environment in which recording activity involving official conduct carries risk beyond the scope of any single statute.

The Genocide Ideology Law Overlay

Law No. 84/2013 on the Crime of Genocide Ideology and Related Crimes, as revised in 2018, creates an additional layer of legal risk for recorded content. The law prescribes five to seven years imprisonment for denying, minimizing, or justifying the 1994 Rwandan genocide. It covers statements made through documents, speeches, pictures, media, and other means, including social media and online platforms.

Any recording that captures or is alleged to capture content deemed genocide ideology carries potential liability under this law upon distribution. The statute has been criticized by international organizations including Human Rights Watch and ARTICLE 19 for vague terminology that enables broad application against critics of government policy. Someone who records an official encounter and then distributes that recording may face exposure under genocide ideology provisions if the content is characterized by authorities as minimizing or justifying historical atrocities, even where the original recording purpose was documentary or journalistic.

Public Spaces and Government Surveillance

Kigali's CCTV Network

Since 2020, the Rwandan government has deployed an extensive network of CCTV cameras across Kigali's major roads, intersections, and public spaces. These cameras connect to a central command center operated by the Rwanda National Police and serve traffic enforcement, crime prevention, and public safety functions. The government's Smart City Master Plan envisions further expansion of this surveillance infrastructure, including speed cameras, red-light cameras, and license plate readers.

Legal Basis for Government Surveillance

Government-operated surveillance in public spaces is authorized under Rwanda's public security laws and the broader mandate of the Rwanda National Police. The deployment of government CCTV does not create any right for private citizens to conduct their own surveillance in those same spaces.

Private individuals recording other people in public spaces without consent remain subject to the interception, cyber-stalking, and data protection laws. The presence of a government camera recording the same scene does not alter the legal obligations of private actors. Additionally, Law No. 24/2016 Article 126 grants the ICT Minister broad authority to interrupt any private communication appearing detrimental to national sovereignty. This provision, read alongside the communications interception framework, creates a comprehensive government surveillance architecture operating above and alongside the restrictions placed on private recording.

Rwanda's Digital Governance and International Commitments

Smart Africa and Digital Ambition

Rwanda has positioned itself as one of Africa's most digitally forward nations. The country hosts the Smart Africa Alliance secretariat in Kigali and has invested heavily in broadband infrastructure, e-government services, and ICT-sector development. The World Bank-funded Digital Acceleration Project, approximately USD 200 million running through 2026, is expanding broadband access and digitalizing public services.

Law 058/2021 was deliberately modeled on international data protection standards to signal Rwanda's commitment to digital governance credibility. The NCSA's dual role as cybersecurity authority and data protection supervisor reflects an integrated approach to digital regulation.

Budapest Convention Accession (January 2025)

On 10 January 2025, Rwanda deposited its instrument of accession to the Council of Europe Convention on Cybercrime (Budapest Convention, ETS 185), along with its Additional Protocol on racist and xenophobic content through computer systems (ETS 189). Rwanda became one of the relatively few African countries to formally accede to the Budapest Convention, which sets international standards for criminalizing illegal access, data interference, systems interference, and the interception of content data.

Accession signals Rwanda's alignment with European cybercrime legal standards and its commitment to international cooperation frameworks for investigating digital interception offenses. The Budapest Convention's interception provisions, particularly those covering real-time collection of traffic data and interception of content data, will inform Rwanda's future development of implementing regulations under Law 60/2018 and Law 60/2013.

National AI Policy (2023)

On 20 April 2023, Rwanda's Cabinet approved the National Artificial Intelligence Policy, making Rwanda the first African country to adopt a comprehensive national AI policy. The Ministry of ICT and Innovation leads implementation, with the NCSA overseeing data protection compliance relevant to AI-powered systems. In February 2025, Rwanda signed the Statement on Inclusive and Sustainable AI alongside the African Union, EU, G20, and UN.

AI, Deepfakes, and Synthetic Media

Current Legal Framework

Rwanda has not yet enacted legislation specifically addressing artificial intelligence-generated recordings, deepfakes, or synthetic media as of May 2026. The National AI Policy (2023) establishes governance principles but does not create new criminal offenses.

The existing legal framework provides partial coverage through three routes:

Law 058/2021 (Data Protection): AI-generated synthetic media that includes identifiable individuals' personal data, including voice or facial likeness, is personal data under the law's definitions. Processing such data requires a lawful basis and compliance with data minimization, purpose limitation, and accuracy principles. Creating a deepfake of an identifiable person without their consent lacks a lawful basis.

Law 60/2018 Article 35 (Cyber-stalking): The article's prohibition on taking sounds or images of a person without consent using a computer device may apply to AI tools that extract and process a person's recorded voice or likeness to generate synthetic media, depending on how the source material was obtained. If the underlying recordings were made without consent, the derivative synthetic content is created from unlawfully obtained material.

Law 60/2018 Article 38 (Indecent Electronic Content): This provision prohibits the transmission of indecent messages in electronic form, with enhanced penalties where the content is false or targets a child. Deepfake videos that are sexual in nature or that place false statements in an identifiable person's mouth qualify as indecent or false electronic content under this article. Penalties: six months to two years imprisonment plus RWF 1,000,000 to RWF 2,000,000, rising to three to five years if the content is false or targets a child.

Anticipated Regulatory Development

Rwanda's AI Office within the Ministry of ICT and its partnership with Singapore on the AI Playbook for Small States (September 2024) suggest that more specific AI governance regulations are under development. Given Rwanda's data protection framework alignment with the GDPR, and the EU's adoption of the AI Act, Rwanda is likely to introduce AI-specific provisions within its existing data protection and cybercrime infrastructure. Organizations deploying AI recording transcription, voice analysis, or synthetic media tools in Rwanda should monitor NCSA and MINICT guidance for regulatory updates.

Penalties Summary

Business Compliance Checklist

Organizations operating in Rwanda or processing personal data of Rwandan residents should take the following steps:

• Register with the NCSA. All data controllers and processors must register through the Data Protection and Privacy Office at dpo.gov.rw. This applies to any organization that records calls, stores audio/video files, or processes personal data.
• Audit recording systems. Identify every system that captures audio, video, or communication data, including phone systems, conferencing platforms, CCTV, call center tools, and customer service recording software.
• Obtain explicit all-party consent. Before recording any call, meeting, or interaction, secure documented consent from all participants. Playing a recording announcement satisfies notice but must include a genuine opt-out mechanism.
• Appoint a Data Protection Officer. Organizations processing personal data should designate a DPO responsible for compliance oversight and NCSA liaison. The NCSA's July 2024 guidance specifically addresses foreign organizations operating through local representatives.
• Conduct data protection impact assessments. Evaluate risks before implementing any new recording or monitoring system, particularly those involving biometric data or AI-powered analysis.
• Restrict cross-border data transfers. If recorded data leaves Rwanda, verify that the receiving country meets NCSA adequacy standards or obtain the required transfer certificate before transmission.
• Maintain processing records. Keep detailed records of all personal data processing activities including recordings, their purposes, their legal basis, and retention schedules.
• Train employees. All staff should understand that recording conversations without all-party consent is a criminal offense in Rwanda carrying up to two years imprisonment.
• Monitor NCSA guidance. Rwanda's regulatory framework is actively developing. Subscribe to NCSA and DPO guidance updates to track compliance obligations as the data protection regulatory regime matures.

Disclaimer

This article presents general legal information about recording and interception laws in Rwanda. It does not constitute legal advice and does not address any specific individual or business situation. The information was verified against available sources as of 15 May 2026. Statutes cited reflect their in-force version as of that date.

Rwandan law evolves through new legislation, regulations, and enforcement guidance from the NCSA. Persons or organizations with specific compliance questions should consult a lawyer licensed to practice in Rwanda who has current knowledge of applicable statutes and regulatory guidance.

This site is not a law firm and does not establish a lawyer-client relationship with readers.

---

Last updated: 2026-05-15. Statutes cited reflect their in-force version as of 2026-05-15.