After procrastination, which culminated into international pressure, Uganda finally has a data protection and privacy law on its statute books. Government agencies rather not surprisingly led the way in praising the law as a “landmark.”
The praise singers were led by the National Information Technology Authority-Uganda (NITA-U), the agency whose role is to coordinate and regulate information technology services in Uganda.
NITA released a statement on February 28, 2019, enumerating the objectives of the law; as to: protect the privacy of the individual and personal data, regulate the collection and processing of personal information, provide obligations of data collectors and processors and regulate the use or disclosure of personal information and for related matters.
By having this law, Uganda has bragging privacy rights in the region. Kenya is still undergoing the long and painful legislative process to make its own Act while Tanzania, Rwanda, Burundi and South Sudan are yet to give it a thought.
On the face of it, the law contains provisions related to obtaining informed consent, when and how to notify the subject that their data has been processed, how to keep personal data secure and rules on transferring data across borders. But as the saying goes, the devil is in the detail.
By way of example, the Act, which actually will only have a bite once the minister of ICT puts in place regulations to operationalize it, talks about establishing an office described as personal data protection office.
The head of this office will be called the national personal data protection director whose major role will be to oversee people’s personal data and implementing this Act. Though the Act in theory says that this director shall work independently and won’t take orders from anybody, history has proven that believing in such would be bordering on naivety.
How sure are we that when push comes to shove, this director, who most likely will be a political appointee, won’t summarily surrender people’s personal information to security agencies or other government bodies without following the now laid-out procedure?
The law isn’t clear how the state will strike a balance between data protection and surveillance, sometimes referred to as national security. And how it will be held accountable in case there is any breach.
In 2014, the UN General Assembly passed a resolution which was cosponsored by 57 member states. Therein, it asked all member states to review their procedures, practices and legislation related to communications surveillance, interception and collection of personal data, emphasizing the need for states to ensure the full and effective implementation of their obligations under international human rights law.
a good look at the law, one would arrive to the conclusion that Uganda has tried to mimic the European Union’s General Data Protection Regulation (GDPR). The regulation that requires EU member states to protect data use privacy rights of its citizens, both within and outside the economic bloc.
Nevertheless, when you compare both legislations, you have no option but to conclude that the Ugandan law falls short of international data privacy best practices. One area where the Ugandan law is found lacking is accountability.
The Ugandan law doesn’t compel data controllers to have appropriate technical and organisational procedures, which include suitable privacy policies and keeping sufficient records of their processing activities - yet that’s the case with GDPR.
The enactment of the law came at the time when the EU had mounted considerable pressure on African governments to pass laws which protect data use and privacy rights lest they lose out on the $14 billion digital export market in the EU.
With the coming into force of GDPR in May of last year, African exports to Europe, it was predicted, were set to plummet. So, President Museveni’s move to assent onto the bill which was passed by parliament at the end of last year, was ostensibly meant to boost Uganda’s economy, which in itself is highly welcome, but a lot needs to be done, going forward.
Most worryingly, there is no timeframe set in the law in which the minister must table the much-needed regulations. This government’s history in tabling regulations that operationalize an Act isn’t impressive.
Take for instance, in 2005, parliament adopted the Access to Information Act. But it took six years to have the regulations tabled. We hope such a snail’s pace won’t repeated this time round.
The author works at Unwanted Witness