Uganda, Kenya doing badly in data protection
- Written by Ernest Jjingo

L-R: Melissa Omino, the acting director Centre for Intellectual Property and Information Technology Law in Kenya, Immaculate Kassait, commissioner Office of the Data Protection Commission, Kenya and Dorothy Mukasa, executive director Unwanted Witness Uganda
In the midst of criticisms that governments and politicians lack the goodwill to put in measures and safeguards to create a safe and secure internet environment, Unwanted Witness, a privacy and data protection watchdog, on Friday launched the 2022 Privacy Score-card Report, a monitoring tool set to determine the legal protections of personal data and privacy, writes Ernest Jjingo.
The scorecard was unveiled during this year’s fourth Privacy Symposium Africa (PSA) in Kenya’s capital Nairobi. The report was tailored for both Kenya and Uganda. The survey, done in collaboration with Strathmore University’s Centre for Intellectual Property and Information Technology Law (CIPIT), was unveiled at the culmination of a three-day Privacy Symposium Africa 2022 held at Strathmore University. The event attracted panels and participants from across the continent.
The report highlighted solutions to improve compliance with data laws, not only in the two subject countries but also in Africa as a whole. Speakers, however, noted that governments are not moving at the speed of abusers of digital rights and, unfortunately, some governments have fallen short on enforcement and implementation of the very laws they have passed.
Dorothy Mukasa, the Unwanted Witness executive director, said, “The scorecard report complements the discussion we have had for the past three days #PSA2022 to ensure that data subjects have reference and can be helped to understand how entities observe data protection and privacy standards”.
Speakers at the symposium sponsored by Privacy International, Civil Rights Defenders (CRD), GIZ and Association for Progressive Communications (APC), among others, highlighted that data protection and privacy remain contentious subjects, which are largely a push and pull between accountability and responsibility for the entire continent.
Lack of accountability continues to expose individuals to damage and companies to deep lawsuits and, in turn, harbors a risky online environment.
“It is important to note that, while digital transformation holds great promise, the world has turned information technology into both a powerful tool and a formidable weapon. We are in an era that is likely to be defined by even more disruptive innovations, like artificial intelligence, which can be used for the good of humanity but, if not properly managed, could also be used to hurt and oppress people,” said Dorothy Mukasa at the closing ceremony.
In a quest to create a secure and uncensored online environment for data controllers, processors, and subjects, Unwanted Witness has delved into critical issues on data protection in the 2022 Scorecard report. The report, which mainly focuses on key sectors (telecommunications, e-commerce, and financial services) in Kenya and Uganda, was hailed by Kenya’s data protection commissioner, Immaculate Kassait, who was also one of the contributing panelists during the three-day event.
She underscored the fact that data had become a new king on the block and ultimate responsibility has to be ensured by its collectors and managers as well as regulators. Kassait reassured participants that data protection laws can be mobilized in Africa for human rights.
“There are steps towards harmonization and we are having conversations as data protection regulators on the African continent and we are looking at the common aspects that can be harmonized,” she said.
However, the African Union treaty on cyber security and personal data protection, the Malabo convention, has only had 14 countries ratifying it. This shows the gaps and the long journey the continent has to take before cyber uhuru. Kenya, Uganda and Rwanda are, however, among the East African countries which have put cyber laws in place.
Burundi, DR Congo and South Sudan have not even started on drafting any national law to govern the sector, which denies their people safeguards to their digital rights. The scorecard analyses the policies and practices of these data collectors. Like a double-edged tool, the scorecard report seeks to empower data collectors to adopt legitimate data protection practices and, in the same breath, calls upon citizens to push for accountability in the area of personal data protection.
In this report, Unwanted Witness also revealed the nature of abuse and violations of the rights to privacy by the assessed companies in the respective countries. The Ugandan-based institution also aims to arm citizens with a toolkit for evaluating the compliance of data collectors, which they could rely on for better protection.
DATA PROTECTION AND PRIVACY FINDINGS
The report details an assessment of compliance of six private companies in Uganda and Kenya; for each sector, two companies were identified for analysis.
Unwanted Witness, in partnership with CIPIT, awarded scores for key categories that define data protection and privacy. The categories, also known as indicators, will help in scrutinizing how data is handled under the Data Protection Acts (DPA) in Kenya and Uganda.
The rating, in percentage, focuses on the level of compliance in: existence of an accessible, readable and noticeable privacy policy; informed consent; data collection and third-party data transfers; robust data security; and data accountability.
In the existence of public, published, readable, and noticeable privacy policies Kenya and Uganda scored 73 per cent and 70.8 per cent respectively. Uganda scored higher on informed consent showing companies could prove they obtained data with permission from subjects for a specified use more in Uganda than in Kenya.
Uganda scored 66.7 per cent while Kenya scored 60 per cent. There was a big difference in the data collection and third-party data sharing with Kenya scoring 63 per cent and Uganda at 47 per cent. Despite the difference in this particular indicator, this shows that a good number of data subjects are unaware of existing third parties and what their data is used for by these parties in both countries.
On the data security indicator, both countries scored poorly, with Kenya at 41 per cent and Uganda at 38.9 per cent. This means that companies in both countries are not keen on safeguarding personal data from accidental access, erasure, alteration, disclosure, or destruction. Finally, the accountability indicator in both countries read zero per cent. This means that no company in either country published a transparency report in the year under review to disclose key metrics and information regarding data governance and enforcement measures.
The overall compliance of Kenya and Uganda stood at 47.4 per cent and 43.6 per cent respectively. This is an indication that both countries have a lot to do to ensure privacy policies adhere to legally acceptable parameters of personal data protection. The 2022 scorecard report goes ahead to review specific sectors (telcos, financial institutions, and e-commerce) in both countries, showing the most compliant to the least in compliance.
According to Unwanted Witness, transparency, accountability, and intentionality in data protection are key in the three sectors of focus. This requires political will, however. In order to create a secure and intact online environment, Stella Alibeteese, Uganda’s personal data protection official, added, “There’s a need for capacity building or awareness and it shouldn’t only be for the technocrats... It should start with the political leadership because they are the ones that make the decisions”.
The three-day Privacy Symposium Africa 2022 was also addressed by Mauritius’ Drudeisha Madhub, Dr Martina Francesca Ferracane, a research fellow with the European University Institute, Dr Vincent Olatunji, Patricia Adusei Poku from Ghana, Tsitis Mariwo, Tanzania MP Neema Lugangira, and several Kenyan advocates in the field of ICT.