A recent report from Unwanted Witness, a Uganda-based civil society organisation, reveals that two years on from the implementation of Uganda’s Data Protection and Privacy Act, the nation’s tech companies are still struggling with compliance.
Telecommunication operators are at the core of Uganda’s digital development, and yet are among the worst offenders on privacy violations, raising questions about their ability to protect sensitive user data.
Law in action
Uganda implemented its first codified legislation on data protection, the Data Protection, and Privacy Act, in 2019. The act, which establishes principles surrounding the protection, collection, and storage of customers’ personal data, designates the National Information Technology Authority – Uganda (NITA-U) as the official regulator for data protection in the country and lays out penalties for violators.
Since its implementation, Uganda’s core data privacy act has proven to be an effective regulator, to some extent.
Though no punitive measures were taken against Safeboda, the NITA-U did publish a report on its own investigation into the company’s practices in early 2021. The regulator concluded that Safeboda was, in fact, in violation of the Data Protection and Privacy Act and ordered the company to address “all areas of non-compliance” over a four-month period.
While the work of Unwanted Witness and Uganda’s Data Privacy Act helped stop some of Safeboda’s practices, Uganda’s telecommunication operators are still among the worst offenders.
The Privacy Scorecard Report 2021 revealed that telecom operators in Uganda failed to give adequate information to data subjects, mention third-party sharing of personal data, and give information on the quantity of information shared.
This resulted in a low overall score of 35% for the industry when it came to data compliance.
These digital failures have real-life consequences.
According to Dorothy Mukasa, CEO at Unwanted Witness, “Telecom companies are the highest data collectors [in Uganda]”, and they are still struggling to ensure that they protect individuals.”
This is particularly dangerous in an environment where telecom companies occupy a fundamental position in a nation’s economy and tech industry.
The number of mobile subscribers in Uganda is rapidly on the rise, increasing by 21,200% from 2000–2020. As mobile subscriptions have grown, telcos in Uganda have also received new access to personal information from Ugandan citizens.
In 2018, the Uganda Communications Commission (UCC) issued new SIM card validation guidelines that required telcos to verify a registered mobile number against a citizen’s National Identification Number (NIN). The regulation was meant to tackle fraud and crime, but, in the hands of telcos with suboptimal data privacy frameworks, it offered new capabilities for exploitation.
Since the onset of COVID-19, the use of mobile money—of which MTN and Airtel Uganda maintain a 90% share of the market—has increased by around 12.7%.
Alongside this jump in users has also been more frequent instances of cyber fraud aimed at telecom companies, revealing just how essential proper data management and protection is.
A 2019 Uganda Police Annual Crime Report revealed a 25% increase in cybercrime over a one-year period, leading to a loss of around $11 million from SIM card swapping and hacking digital financial accounts.
In 2020, MTN and Airtel Uganda were forced to temporarily suspend mobile money operations after their systems were compromised by hackers. Unconfirmed reports estimate that billions of Ugandan shillings were lost in the breach.
Why tech offends
Beyond the value that an application garners from its products and services is the data it collects. Generally, a tech company, in its early stages, is not profitable in the traditional sense. At this point, its value is, in part, based on the data the company has access to through its user base.
Often, as in the case of Safeboda, tech companies add trackers and third-party software on top of their applications to process the data they collect. Updating users each and every time a company adds a new tracker and explaining exactly what that tracker does can be bad for business.
When Apple rolled out a new update allowing customers to opt-out of data trackers used by social media platforms earlier this year, digital citizens leaped at the opportunity, resulting in an estimated loss of $9.85 billion in revenue by Snap, Meta (formerly Facebook), Twitter, and YouTube.
In Uganda’s case, the tech companies that operate there gather data on a traditionally underserved tech market where there is “low awareness of the power that they have to change and control their personal data,” according to Mukasa.
This leaves Uganda’s digital citizens vulnerable to unscrupulous tech companies who “are exploiting the low levels of awareness among the population to be able to collect as much as they can,” said Mukasa.
Countries around the world whose tech industries developed faster than regulation could keep up with had to learn hard lessons about digital privacy.
The Cybersecurity Administration of China (CAC) has embarked on a year-long campaign to rein in powerful tech companies the government feels have had unchecked access to user data for far too long.
Facebook has also been in and out of courts in the US and UK over data privacy issues, since 2018.
As Uganda’s tech industry continues to develop, it too will have to contend with the benefits and costs of tech development.
While this is going on, monitoring and evaluation by independent, civil society organisations like Unwanted Witness will become more important than ever.