Most people feel safe when they are within the confines of a perimeter wall. Others feel more secure when there is someone watching over their home. Children seek relief in the sight and knowledge that their parents are paying attention to what is happening to them. The advent of the internet has changed how the world works, but it has also facilitated the collection, processing, sharing and harvesting of personal information or data in a way we had never anticipated. As such, our safety today goes beyond secure environments to include protection of our personal information.
Your personal information includes your address, identification card number, location data, phone number, date of birth, biometrics, employment and financial history, racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data and health data. In the hands of the wrong person, this information can be commercialized or used to harm you. What guarantee of protection do you have over the intermediaries to whom you inevitably give this information if you use any device such as a mobile phone, computer, tablet or other mode of communication?
In Uganda, the National Information Technology Authority (NITA) found that in 2021, a ride-hailing company had shared data with a third-party company without the express consent of the owners of this data, namely the customers of the ride-hailing business. Other global companies like Facebook and Amazon have been implicated in disclosing personal data of their users across Europe without lawful authority. Who is watching over your privacy as you interact with the internet and different data collectors? Are there adequate safeguards to protect you from both the disclosure of your personal information and how it may be used?
This essay shall highlight the legal framework on Uganda’s data protection laws by specifically focusing on the role of the Personal Data Protection Office (PDPO) in Uganda. The article shall highlight the primary mandate of the PDPO as the enforcer and supervisor of Uganda’s data privacy laws.
Global practice of Data Protection Authorities
Sovereign states have recognized that informational (data) privacy is important and control of one’s data is a basic right. Over the last ten years, different countries have passed landmark legislation providing for Data Protection Authorities (DPAs). For instance, the General Data Protection Regulation empowers different member states of the European Union to set up Data Protection Authorities. One such example is the German Federal Data Protection Authority. In Kenya, the principal legislation is the Data Protection Act of 2019. This legislation is supplemented by the Data Protection (General) Regulations of 2021 which, among other provisions, establishes the Office of the Data Protection Commissioner. Data protection authorities are empowered to take the central role in the implementation and enforcement of data protection laws in the various jurisdictions.
The Ugandan Approach
The Data Protection and Privacy Act 2019 and its Regulations establish the Personal Data Protection Office (PDPO) as the principal guardian over privacy and data protection. It is headed by the National Personal Data Protection Director, Ms. Stella Alibateese. The PDPO is the primary enforcer of data protection and privacy in Uganda. Of course, other people may exercise the role to watch over privacy in their individual capacity. For example, a data subject (any person whose data is collected) can individually exercise caution over the information they share and may also withdraw consent from their information being used in a particular way.
Data collectors and processors themselves play a critical role in ensuring that they use the data collected for the specific purpose for which it was collected and do not share it with anyone except under circumstances authorized by the law. However, regulators such as the PDPO play the most critical role in enforcement of data protection laws as discussed below.
Implementation and Enforcement
The PDPO is mandated under the law to oversee the implementation of, and be responsible for, the enforcement of Uganda’s data privacy laws. Specifically, the PDPO is mandated to promote the protection and observance of the right to the privacy of the person and of personal data. The right to privacy is guaranteed in the 1995 Uganda Constitution under Article 27. This right is informed by, and also emanates from, the international framework, which includes Article 12 of the Universal Declaration of Human Rights, to which Uganda is a signatory. As such, it is expected that the PDPO not only has the duty to guarantee the right to privacy in municipal legislation, but also does so as part of a global mandate arising from Uganda’s obligations at an international level.
The PDPO is mandated to monitor, investigate and report on the observance of the right to privacy. To this effect, the PDPO is required to keep and maintain a Data Protection Register. The Register must include every person, institution or public body collecting or processing data and the purpose for which the personal data is collected or processed. This register is accessible to the public. As of the date of this publication, 377 organizations are registered with the PDPO according to the PDPO website. The deadline for registration with the Uganda PDPO was 31 December 2021 and all those who have not registered already have been encouraged to comply. By doing the above, it is presupposed that the PDPO is able to keep track of data collectors, processors, or controllers countrywide and provide an insightful report on their respective and overall performance in relation to the observance of the right to privacy.
Investigatory Powers into Complaints
The PDPO is mandated to receive and investigate complaints relating to infringement of the rights of the data subject under the Ugandan Data Privacy and Protection Act, 2019. Any aggrieved data subject or person has the right to make a complaint to the Authority regarding anything they consider a violation of the right to privacy by a data collector, processor, or controller. Accordingly, the Authority is mandated to investigate each complaint raised and to direct remedies where the complaint in question is upheld.
Recently, the PDPO launched the Data Protection and Privacy Web Portal to ease the reporting, processing, and resolving of data protection and privacy complaints and to ease the registration of data controllers, data collectors and data processors. This is critical because it helps to facilitate the monitoring of the processing of data. The PDPO is also mandated to conduct audits into possible breaches of the data protection laws in Uganda in order to ensure compliance. It is expected that the scope of these powers shall incentivize data collectors and processors to comply with the data protection and privacy laws in Uganda by making it easier to do so.
In other jurisdictions, companies have been fined significant sums for breaching data protection laws. For example, Marriott International, the hotel chain, was fined GBP £18.4 million by the United Kingdom’s Information Commissioner’s Office, for various breaches. British Airways was fined GBP £20 million for a data breach of its obligations under European data protection laws. This signals the importance of the investigatory powers of data protection authorities. However, in Uganda, before the imposition of any fines or sanctions, the alleged culprit must be prosecuted before a court of law.
The PDPO is also required to formulate, implement and oversee programs intended to raise public awareness about the data protection laws. An example of this effort is the Data Privacy Day event organized by the PDPO, which sought to inform and educate the population about their rights as Data Subjects and ultimately about the Data Privacy and Protection Act. Guests such as Ms. Susan Namondo, the UN Resident Coordinator, were invited, and this helped to increase the publicity of the PDPO and the data privacy campaign at large.
It is inevitable that any person collecting or processing data must comply with the Data Protection and Privacy Act, 2019 and its relevant regulations, failing which the PDPO has a mandate to investigate on its own initiative or in response to a complaint. The repercussions for global companies that have failed to comply have been financial in nature. It remains to be seen whether similar sanctions may be imposed by the PDPO. The Guardian, we hope, is watching.
Contacts for this Publication
Head | Tech Privacy Legal Lab | Uganda
Asiimwe Davis Mugisha
Contributor | Tech Privacy Legal Lab | Uganda