One Year On, what has Uganda’s Data Protection Law Changed?

Unwanted Witness, PI's partner in Uganda, reflects on what has changed since the adoption of the Data Protection and Privacy Act, 2019.

Key points
  • Unregulated data processing activities in Uganda by public and private entities are still on-going despite the existence of regulation.
  • The government of Uganda must take active measures to effectively implement the Data Protection and Privacy Act, 2019.
  • For Uganda to comply with its national and international obligations to protect people, their privacy and their data, it must enforce the Act.

This piece was originally published by Unwanted Witness here.

Today marks exactly one year since Uganda passed its data protection law, becoming the first East African country to recognize privacy as a fundamental human right, as enshrined in Art 27 of the 1995 Uganda Constitution as well as in regional and international laws.

The Data Protection and Privacy Act, 2019 aims to protect individuals and their personal data by regulating processing of personal information by state and non-state actors, within and outside Uganda.

The law expands the rights of individuals to control how their personal data is collected and processed, placing a range of obligations on those processing personal data, which includes both public bodies and companies, to be more accountable for data protection. It further regulates and limits the processing of special categories of personal data, including tribe, religion and health, amongst others.

But, for all these achievements, what has the law actually changed?

Unregulated data processing still on-going and augmenting

So far, the existence of Uganda’s data protection law has not in any way resulted in state or non-state actors taking measures to change their policies and practices as per the obligations under the Act.

Incredible amounts of personal data, including sensitive personal data, continue to be collected by both government and companies in a manner that disregards the standards set by the data protection law.

What we are actually observing is that the government has intensified its mandatory collection of sensitive personal data, as seen with the National ID system, while different government agencies like the Uganda Police Force are already unveiling plans to integrate CCTV forensic systems with National ID data and immigration.

Furthermore, a centralized local data centre for all government agencies and departments was built with the aim of increasing the efficiency and effectiveness of government. Through the system, different government agencies and departments share information about citizens without their knowledge. By failing to respect the principles and obligations provided for in the law to regulate such processing, it negates the safeguarding of personal data.

Section 10 of the Data Protection and Privacy Act, 2019 prohibits the collection and processing of personal data in a manner that infringes on the privacy of a data subject. It is therefore essential to review the deployment of such a data centre, which will include, amongst other changes, limiting the purpose for which a database is built and used.

Similarly, the trend of collecting personal data has increased among companies, particularly telecommunication service providers, countrywide.

The 2018 report by Unwanted Witness pointed to weak policies and terms of reference of telecommunication providers, which were compromising customers’ communication privacy and personal data. But even with the data protection law in place, we have not seen companies reviewing their policies and practices to ensure that they meet the standards and obligations provided by the Act.

Meanwhile, the telecommunication providers continue to collect biometric and bio-data as a requirement for SIM card registration, which has been reported to result in repeated identity theft scandals.

The Absence of regulations

The failure to effectively implement the new law has been the biggest impediment over the past year. This in turn continues to expose millions of citizens to data exploitation.

The Ministry of Information Communications Technology and National Guidance has the mandate to formulate regulations to provide for the accountability and enforcement mechanisms of the data protection law. The Data Protection Office, which should be in charge of the overall implementation of the law, providing for administrative, civil or criminal sanctions and penalties among others, has yet to be established.

Throughout the year Unwanted Witness has continuously reminded the ministry of its obligation to expeditiously formulate enforceable regulations to ensure that the law effectively protects people and their personal data.

The prolonged and unnecessary delays in formulating regulations for effective implementation of Uganda’s data protection law are not only a continuous threat to citizens’ right to privacy and dignity but also compromise the country’s trade relations and investors’ confidence.

Unauthorized processing of personal data can lead to grave violations of human rights; a data protection law is therefore critical in safeguarding the fundamental rights and freedoms of persons.

Involvement of different stakeholders through an open and transparent process of drafting regulations is key to ensuring an effective implementation of the law.

What we expect next

As we mark the first anniversary of the Data Protection Act, we take the opportunity to call on the government to take active measures to effectively implement the law to ensure that it complies with its national and international obligations to protect people, their privacy and their data.

To keep up to date with the work by Unwanted Witness, follow them: http://www.unwantedwitness.org/

Find out more about Privacy International's work with Unwanted Witness in Uganda here.