Our democratic institutions are under threat today and the groundwork is being set to destabilize them into the future. Private, political, and state actors are creating an environment that is rife for the manipulation of democratic outcomes, and the loss of confidence in democratic institutions and processes. We need laws or regulations enforced, changes in technologies and industry behavior, and expert allies to understand the role data exploitation plays in heightening this threat.

Elections are about more than voting and the entire election cycle is increasingly data-dependent. Voter registration, voter authentication, voting and results transmission all involve the collection of at least some personal data. Political parties depend on data to drive their campaigns, from deciding where to hold rallies, which campaign messages to focus on in which area, and how to target supporters, undecided voters, and non-supporters, including with ads on social media.

In the recent past, Uganda has witnessed data exploitation during the election cycle hence undermining the fundamental democratic processes.

In March 2018, a British political consulting firm Cambridge Analytica that combined misappropriation of digital assets, data mining, and data brokerage and data analysis with strategic communication during the electoral processes, acquired and used personal data about Facebook users from an external researcher who had told Facebook that they were collecting it for academic purposes. 

The personal data of up to 87 million Facebook users were acquired via the 270,000 Facebook users. By giving third-party permission to acquire their data, this gave the third party access to information on the user’s friends network; this resulted in the data of about 87 million users, the majority of whom had not explicitly given Cambridge Analytica permission to access their data, being collected. 

In 2019, Uganda enacted the Data Protection and Privacy Act 2019 to regulate the processing of personal data by both public and private entities with the aim of protecting people and their data from various risks that could result in not only infringements of the right to privacy but also other rights such as property rights with varying consequences.

Data Protection and Privacy Act 2019 does not offer sufficient safeguards and it lacks regulations which makes it had to enforce. The electoral laws have not been updated either to sufficiently address changes in digital campaigning, are disjointed, and lack teeth, an issue exacerbated by a lack of resources, coordination, and enforcement action. As a result, they risk not being effective.

In June 2020, Uganda Electoral Commission announced the revised road map that detailed politicians to conduct digital campaigns ahead of the 2021 general elections. Electoral Commission condensed the new 2021 electoral roadmap and modified campaign schedules while balancing the dictates of Article 61(2) of the 1995 Constitution and government SOPs for social distancing in the fight against the spread of coronavirus.

Digital campaigning may have made it easier and cheaper for legitimate campaigners to communicate with voters. It is a sign of a healthy democracy when campaigners tell voters about their policies and political views. However, one couldn’t help but take note of how these techniques were misused.

Ahead of the 2021 General Elections, Electoral Commission used the National Information Register to voter verify, validate and authenticate the National Voters. National Identification and Registration Authority (NIRA) is a government-owned organisation whose mandate is to register births and deaths in the country and to develop a National Identification Register for both citizens and legally resident non-citizens. NIRA failed to comply with the Data Protection and Privacy Act when the agency shared this registered information with the Uganda Electoral Commission without the consent of the data subjects. 

One of the qualities of a trusted data collector is the ability to be transparent and accountable to the data subjects as enshrined in Section 3 (a)and (f) of the Data Protection and Privacy Act 2019. NIRA signed a Memorandum of Understanding with Electoral Commission prior to the verification and unfortunately, this information cannot be accessed by the public hence the data subjects aren’t aware of the extent to which their data was shared by NIRA. 

NIRA and Electoral Commission’s lack of transparency led to voters missing out on the voting exercise because the voters’ register was unclean with voters’ names repeated, name-face mismatches, and deletion of some voters’ names from the register. NIRA as a data collector isn’t close to complying with the best privacy practices of the Data Protection and Privacy Act because it is short of a privacy policy. 

These techniques further manifested through the failure of Political parties and campaign groups to fully comply with the Data Protection and Privacy Act 2019, by being accountable for all the work they do both directly and indirectly, and subject that work to close public scrutiny. Political parties were not transparent about their data processing activities, including publicly identifying the mechanisms they used to engage with voters (e.g. social media, websites, direct messaging) and how they collected people’s data, what data they collected, and the sources of it and how they used it.

A few days before elections, voters received random campaign messages from different aspiring candidates most of whom unknown to the voters. This left the voters wondering how the candidates got a hold of their contacts. The source of the data might be unknown but however, it’s always important for the data collectors to seek permission from the data subjects before using personal data.

Circumventing Censorship with VPN 

Authorities in Uganda seem to have normalized shutting down the internet during key democratic processes, forcing citizens to use Virtual Private Networks (VPNs) as a circumvention tool. VPNs first gained traction among Ugandans during the 2016 General Election when the government switched off social media sites on account of protecting National security. 

Since then, VPNs have become popular and further gained ground when the government introduced social media tax, commonly known as Over the Top Tax (OTT) in 2018. To date, VPNs seem to be the only solution for Ugandans to access social media after the Government shut down all social media sites and the Internet ahead of this year’s General Election and for a week, the Internet remained shut. 

VPN applications are free but they have permissions and trackers pre-installed which one cannot control or uninstall by design and therefore cannot be trusted. Using them in our daily lives creates an addiction but they siphon our data in form of names, addresses to do behavioral analytics for marketing and profiling. This information is transferred to third party users or the makers without the users’ consent. 

In developed countries there are eco-systems that punish developers that intrude or go beyond the preservation of the privacy law, Ugandans are using VPNs so as to access social media without any clarity.

As we commemorate International Data Privacy Day, the government of Uganda has to expedite the enactment of Data Protection and Privacy regulations for effective enforcement of the Data Protection and Privacy Act 2019 and to fully restore the internet to avoid data privacy risks that come with the use of VPN.