Disparity in the data collection policies of some pan-African firms in Uganda raises privacy concerns

Image by Mr_Achraf taken on August 17, 2021. Free to use, no attribution required (CC0)

Image by Mr_Achraf taken on August 17, 2021. Free to use, no attribution required (CC0)

By Nwachukwu Egbunike

Unwanted Witness, a Uganda-based civil society organisation, in its 2021 report on privacy revealed inconsistencies in the privacy policy of the telecoms companies Airtel and MTN, financial services firms such as Stanbic Bank, and the insurance company Old Mutual. The data protection and privacy policies of these pan-African companies operating in Uganda significantly differs from their policies in other parts of the continent.

Dorothy Mukasa, CEO of Unwanted Witness, told Global Voices in a Zoom interview that the research evaluated compliance with the 2019 Ugandan Data Protection and Privacy Act, which was enacted to protect the rights of privacy of citizens by “regulating the collection of personal information in Uganda and outside.” 

Airtel, MTN, Stanbic Bank, and Old Mutual have different data protection and privacy policies across different African countries. “This is evidenced from the noticeable variations in length of privacy policies as well as the number of rights that users are exposed to. This is a case of practicing inconsistencies in exercising private policies,” notes the report.

Unwanted Witness analysed the number of words in these companies’ data and privacy policy documents for Nigeria, South Africa and Uganda. They found that there were fewer words in Ugandan policy statements than that of Nigeria and South Africa.

The consequence of this being that “the fewer the words, the fewer rights mentioned or not mentioned at all” the Ugandan Unwanted Witness report laments. 

Poor privacy scorecard in Uganda

Screenshot of the level of data protection prevalent in seven organisational categories investigated in the 2021 Unwanted Witness privacy scorecard report.

Mukasa said that the report evaluates “if companies in Uganda that are engaged in the business of data collection and processing. The core reason was to ensure that there’s compliance with data collection, to get rid of the exploitation of individuals through data collection.” 

The research, which started in August 2020, categorized 32 Ugandan companies into seven main categories: e-commerce, financial services, telecom services, insurance services, government agencies, social security, and health/private hospitals. Adopting a five-star scale, the report graded these companies in the following areas: compliant with privacy best practices, giving information to the data subject before collecting data, mentioning third parties with whom personal data is shared with, practicing robust data security, and disclosing government requests for data.

The study analyzed the “noticeable, clear and publicly available privacy policies” of the firms. This, according to Mukasa, was to ensure that “data collectors do not secretly change their policies.” The report sought to establish that the companies received the “informed consent” of customers before acquiring their data. Unwanted Witness also investigated the sharing of data with third parties.

Inconsistent data and privacy policies by these companies across Africa leaves consumers vulnerable in countries without strong data-protection policies. For instance, the policy documents of these companies in Uganda is superficial, when compared to the “more robust” Nigerian and South African privacy policy documents. This suggests that “the law and the authorities” in Nigeria and South Africa “are strong and working,”  according to the report.

The study also showed a significant lack of compliance with Uganda’s 2019 Data Protection and Privacy Act, and the presence of location and profiling trackers in many companies investigated, across mobile and web applications that collect and sell data for commercial benefit without transparent policies. 

Analysis of how Uganda’s government agencies and companies are conforming to the 2019 data-protection regulation reveals that most sectors garnered good scores for adhering to robust data security. Ugandan health services providers ranked in the lowest performance in this area. Many health services “collect data but…lack the basic baseline for privacy.” Mukasa explained that these personal data are hosted online with trackers that “analyse the data,” hence, risking “the privacy and lives of their patients.”

Data protection rights and African telecom firms

The Unwanted Witness report is not the first time big telecom companies like MTN and Airtel have been complicit in the violation of the data privacy rights of their Ugandan clients as laid out by Ugandan law. For example, the South African-based MTN group failed to inform users of “how their data is collected, with whom it is shared, and why,” according to the 2019 Digital Rights Corporate Accountability Index. 

MTN “divulges very little of how it handles personal data and lacks strong governance mechanisms over human rights issues,” writes journalist Abdi Latif Dahir of Quartz Africa. The telecoms group provides very little or no information on the amount of data it collects, how long it retains data, whether third parties have access, or protocols in case of privacy breach. “The company also didn’t release details about the privacy-related risks that could come with its targeted digital advertising services,” Dahir wrote.

In 2020, the MTN group published a transparency report that details how it processes the information of 220 million subscribers in the 22 African countries in which it operates. While this was a milestone in data and privacy protection, it was not enough.

Isedua Oribhabor and Berhan Taye of the digital rights organisation Access Now demanded that “MTN … expand its reporting to disclose critical information regarding data retention requests, communication data, metadata and information around the installation of interception technology, and steps MTN takes to push back against improper requests, including detailed information regarding how it handles internet shutdown orders.”

As of April 2021, 28 (out of 54) African countries have enacted laws and regulations to protect personal data. This shows that data protection laws are on a steady rise in the continent. However, Mukasa of Unwanted Witness states “enforcement is the hardest stage of protecting data in Africa.” Hence, Mukasa emphasized that civil society, being independent, is better positioned to advocate for data rights and privacy violations in the continent.

Extracted from Global Voices