- Global Voices Advox - https://advox.globalvoices.org -

Despite updates in legislation, organisations in Uganda struggle with data protection and privacy compliance

Categories: Uganda, Sub-Saharan Africa, Activism, Advocacy, Human Rights, Law, Privacy, Regulation, Tech Industry, UPROAR

 

Angella Tugume, Manager Data Protection Affairs at the Uganda Personal Data Protection Office, speaks during the 3rd Africa Privacy Symposium in Kampala. Screenshot from Unwanted Witness YouTube channel [1].

While Ugandan legislation was recently updated to include more provisions aimed at protecting digital privacy, reality on the ground shows the majority of Ugandans are not guaranteed those rights in daily practice.

When Uganda’s Data Protection and Privacy Act [2] came into force in May 2019, then-executive director of the National Information Authority Uganda [3] (NITA-U), James Saaka, while commenting on the privacy law said [4], “the law provides the much-needed protection for personal identifiable information which is key in this digital age. It provides important safeguards that will protect Ugandan citizens as they use online services [5].’’ Aside from the broad constitutional [6] guarantees on the right to privacy of person, property and  correspondence, Uganda did not have any specific safeguards on the privacy of citizens’ data, and the law was supposed to give force to the provisions in the 1995 Constitutional Bill of Rights [6]on the right to privacy, with specific regard to the privacy of data.

However, a new report, titled “A Privacy Policy Scorecard Report: The Scorecard Approach,” reveals glaring gaps in most Ugandan organisations’ compliance with data protection and privacy laws. The report was released on November 5, 2021, by Unwanted Witness, a Ugandan digital rights organisation, at the 3rd Africa Privacy Symposium [7] in Kampala. 

The report specifically details how the Ugandan government and 32 major data collectors in Uganda are complying with privacy and data  privacy standards as outlined in the Privacy and Data Protection Act 2019. [8] The non-state entities covered include telecom companies, banks and e-commerce platforms. Each organisation is assessed against five crucial areas: practising robust data security, complying with privacy best practices, providing information to users before collecting their data, indicating the third parties with whom personal data will be shared, and disclosing third-party requests for data. 

The average score of companies assessed was 35 percent, a worrying start for compliance with Uganda’s Privacy and Data Protection Act [8], in an already troublesome broader context of a clamp down on digital rights [9] and digital surveillance by the government [10]. More than half of the organisations assessed had robust data security, and 40 percent comply with privacy best practices. However, when it comes to providing users with information before collecting their data, indicating the third parties with whom that data will be shared, and disclosing how much data will be provided to those parties (including the government and law enforcement), the organizations perform poorly across the board. Only 8 percent of organisations mention third parties with whom personal data is shared  but all declined to reveal how much data was requested and shared with third parties such as government bodies and law-enforcement agencies.

Sealing a regulatory gap

The enactment of the data protection law was crucial as more Ugandans were starting to use the internet. As of January 2021, Uganda’s internet penetration was at 26.2 percent [11], a 14 percent growth in one year. This is despite a 12 percent excise tax [12] the government introduced on the purchase of data in 2021,  and a social media tax [13] in 2018. The growth in the number of internet subscribers implies more data is being collected and processed, not just by the government and telecom companies, but also the numerous e-commerce companies and ride hailing apps present in Uganda. 

Uganda’s government began [14] its first ever mass enrollment for government-issued national identity cards in 2014. In 2017, the Uganda Communications Commission and Uganda Police issued [15] a mandatory requirement for all persons in the country to re-register their SIM-cards using national identity cards. This re-registration implied sharing the personal data of millions of citizens between telecom companies and the government, which raised concern among citizens: .

Conversely, the government’s recent questionable decision [22]to install digital trackers on all vehicles, and concerns about surveillance of political opponents [23] demonstrate that it may not be trusted to comply with privacy and data protection laws, as some netizens point out:

There are also concerns that the law might be too lenient with corporations. The act affirms, among other provisions, that  data collectors are obliged to collect, process and hold data for the specific purpose that the data was collected for. The penalties include imprisonment of up to ten years and/or a fine not exceeding USD 1400.  This fine is nominal in contrast with the volume of personal data that government and corporate data collectors hold, and the potential for damage to citizens should privacy be abused, and the potential revenue that can be raked in from the sale of personal data to third parties.

A transnational challenge

The right to privacy is particularly inconsistently applied within companies with a pan-African presence, with companies strengthening or weakening their policies depending on the country, the report indicates. 

The privacy policies of Stanbic Bank, one of Africa’s leading financial institutions, vary according to country. In South Africa, for example, the bank’s privacy policy covers seven aspects of the right to privacy, which include access; update and correct; delete, erase, cancel;  restrict data processing and object data processing; opt out of marketing, and not be the subject; withdraw consent; and query, report and complaint, whereas, in Tanzania, Stanbic Bank's privacy policy covers only four of the seven aspects assessed. In Malawi, it doesn’t covers any.

Similarly, Airtel, MTN, Standard Bank, and Old Mutual have different privacy policies in different African countries. According to the report, this difference in compliance could be explained by the stringent nature of regulation in some countries, as evidenced by the existence of data protection laws or authorities. Only a few companies, including Jumia, Safeboda, and KiKUU, have consistent privacy policies across the countries in which they operate. 

The report cites Uganda’s government as the best performer in terms of data security, based on 3 scores out of 4. However, the report recognises an urgent need to enhance the state’s capacity to regulate data collectors in the private sector while protecting the rights of citizens. The government’s Personal Data Protection Office [26] and justice system need improved human resource and financial capacities. Sempala Kigozi, head of programs at Unwanted Witness told Global Voices in a Zoom interview, ‘’The courts are not as stringent and punitive  in enforcing the laws. … Our laws are a bit conservative but we will not wait for the laws to be amended to cater for loopholes.’’  

The private sector also presents several challenges. According to the report, 66 of Uganda’s most used mobile and web applications, including King James Bible [27], Glovo [28], Stanbic Bank [29], Jumia [30], SafeBoda [31], Bolt [32], AbsaUganda [33] Jiji.ug [34], KikUU [35], and Airtel [36] contain trackers. The trackers include crash reporting, analytics, virtual profiling, digital identity, targeted advertising, and geographical location of mobile devices. Some apps were found to require more permissions than other apps in the same category, and some of these permissions can access private user data and cause fraud transactions or automated clicking activities that further deplete  user data.

“In an era where Ugandans entrust so much of their personal information with private and public companies,” said Unwanted Witness CEO, Dorothy Mukasa, “it is imperative that these organizations manage that data responsibly and ethically. Customers have the right to know whether and how their data is being stored, processed, and utilized.’’

“Just because these practices are rampant doesn’t mean that they are right,” added Kigozi. “Using users’ data for commercial benefit without being transparent and clear about it is a clear violation of consumers’ rights. ”

Accountability

In the interview with Global Voices, Kigozi said that the report was already adding to accountability for privacy rights in Uganda, saying, “as CSOs, we have come up with a report and companies will know that they are being watched. For instance, we petitioned NITA [3] over SafeBoda [31] which did not have a privacy policy. SafeBoda changed for the better and now has one of the best privacy policies.” 

The report affirms that there are gaps in digital privacy in Uganda, and without stringent compliance with data protection and privacy rules, as pointed out by the report, both government and corporations are indeed at risk of violating citizens’ rights.