Are Ugandan telcos equipped to protect user data?

By Alexandria Sahai Williams

A recent report from Unwanted Witness, a Uganda-based civil society organisation, reveals that two years on from the implementation of Uganda’s Data Protection and Privacy Act, the nation’s tech companies are still struggling with compliance.

Telecommunication operators are at the core of Uganda’s digital development, and yet are among the worst offenders on privacy violations, raising questions about their ability to protect sensitive user data. 

Law in action

Uganda implemented its first codified legislation on data protection, the Data Protection and Privacy Act, in 2019. The act, which establishes principles surrounding the protection, collection, and storage of customers’ personal data, designates the National Information Technology Authority – Uganda (NITA-U) as the official regulator for data protection in the country and lays out penalties for violators.

Since its implementation, Uganda’s core data privacy act has proven to be an effective regulator, to some extent. 

In 2020, Unwanted Witness investigated motorcycle ride-hailing startup Safeboda’s compliance with data privacy regulations in the country. Their findings revealed that the company was guilty not only of using a privacy policy that did not comply with Uganda’s data protection standards but also of using a third-party tracker called CleverTap. When asked about its use of CleverTap, Safeboda’s Chief Financial Officer claimed it was for “tracking marketing communication and identifying product issues”.

Though no punitive measures were taken against Safeboda, the NITA-U did publish a report on its own investigation into the company’s practices in early 2021. The regulator concluded that Safeboda was, in fact, in violation of the Data Protection and Privacy Act and ordered the company to address “all areas of non-compliance” over a four-month period.  

Telecom offenders 

While the work of Unwanted Witness and Uganda’s Data Privacy Act helped stop some of Safeboda’s practices, Uganda’s telecommunication operators are still among the worst offenders. 

The Privacy Scorecard Report 2021 revealed that telecom operators in Uganda failed to give adequate information to data subjects, mention third-party sharing of personal data, and give information on the quantity of information shared. 

This resulted in a low overall score of 35% for the industry when it came to data compliance. 

These digital failures have real-life consequences. 

According to Dorothy Mukasa, CEO at Unwanted Witness, “Telecom companies are the highest data collectors [in Uganda], and they are still struggling to ensure that they protect individuals.”

This is particularly dangerous in an environment where telecom companies occupy a fundamental position in a nation’s economy and tech industry. 

The number of mobile subscribers in Uganda is rapidly on the rise, increasing by 21,200% from 2000 to 2020. As mobile subscriptions have grown, telcos in Uganda have also received new access to personal information from Ugandan citizens.

In 2018, the Uganda Communications Commission (UCC) issued new SIM card validation guidelines that required telcos to verify a registered mobile number against a citizen’s National Identification Number (NIN). The regulation was meant to tackle fraud and crime, but, in the hands of telcos with suboptimal data privacy frameworks, it offered new capabilities for exploitation.