Dorothy Mukasa, CEO of Unwanted Witness, told Global Voices in a Zoom interview that the research evaluated compliance with the 2019 Ugandan Data Protection and Privacy Act, which was enacted to protect the rights of privacy of citizens by “regulating the collection of personal information in Uganda and outside.”
Airtel, MTN, Stanbic Bank and Old Mutual have different data protection and privacy policies across different African countries. “This is evidenced from the noticeable variations in length of privacy policies as well as the number of rights that users are exposed to. This is a case of practicing inconsistencies in exercising private policies,” notes the report.
The consequence of this being that “the fewer the words, the fewer rights mentioned or not mentioned at all” the Ugandan Unwanted Witness report laments.
Poor privacy scorecard in Uganda
Mukasa said that the report evaluates “if companies in Uganda that are engaged in the business of data collection and processing. The core reason was to ensure that there’s compliance with data collection, to get rid of the exploitation of individuals through data collection.”
The research, which started in August 2020, categorized 32 Ugandan companies into seven main categories: e-commerce, financial services, telecom services, insurance services, government agencies, social security, and health/private hospitals. Adopting a five-star scale, the report graded these companies in the following areas: compliant with privacy best practices, giving information to the data subject before collecting data, mentioning third parties with whom personal data is shared with, practicing robust data security, and disclosing government requests for data.
The study analysed the “noticeable, clear and publicly available privacy policies” of the firms. This, according to Mukasa, was to ensure that “data collectors do not secretly change their policies.” The report sought to establish that the companies received the “informed consent” of customers before acquiring their data. Unwanted Witness also investigated the sharing of data with third parties.
The study also showed a significant lack of compliance with Uganda’s 2019 Data Protection and Privacy Act, and the presence of location and profiling trackers in many companies investigated, across mobile and web applications that collect and sell data for commercial benefit without transparent policies.
Analysis of how Uganda’s government agencies and companies are conforming to the 2019 data-protection regulation reveals that most sectors garnered good scores for adhering to robust data security. Ugandan health services providers ranked in the lowest performance in this area. Many health services “collect data but…lack the basic baseline for privacy.” Mukasa explained that these personal data are hosted online with trackers that “analyse the data,” hence, risking “the privacy and lives of their patients.”
Data protection rights and African telecom firms
The Unwanted Witness report is not the first time big telecom companies like MTN and Airtel have been complicit in the violation of the data privacy rights of their Ugandan clients as laid out by Ugandan law. For example, the South African-based MTN group failed to inform users of “how their data is collected, with whom it is shared, and why,” according to the 2019 Digital Rights Corporate Accountability Index.
MTN “divulges very little of how it handles personal data and lacks strong governance mechanisms over human rights issues,” writes journalist Abdi Latif Dahir of Quartz Africa. The telecoms group provides very little or no information on the amount of data it collects, how long it retains data, whether third parties have access, or protocols in case of privacy breach. “The company also didn’t release details about the privacy-related risks that could come with its targeted digital advertising services,” Dahir wrote.
In 2020, the MTN group published a transparency report that details how it processes the information of 220 million subscribers in the 22 African countries in which it operates. While this was a milestone in data and privacy protection, it was not enough.
Isedua Oribhabor and Berhan Taye of the digital rights organisation Access Now demanded that “MTN … expand its reporting to disclose critical information regarding data retention requests, communication data, metadata and information around the installation of interception technology, and steps MTN takes to push back against improper requests, including detailed information regarding how it handles internet shutdown orders.”
As of April 2021, 28 (out of 54) African countries have enacted laws and regulations to protect personal data. This shows that data protection laws are on a steady rise in the continent. However, Mukosa of Unwanted Witness states “enforcement is the hardest stage of protecting data in Africa.” Hence, Mukasa emphasized that civil society, being independent, is better positioned to advocate for data rights and privacy violations in the continent.