Analysis of 32 organizations across seven sectors finds a lack of legal compliance in Uganda, inconsistent practices across Africa, and lack of transparency and accountability in collecting user data
KAMPALA, UGANDA (5th November 2021)—Unwanted Witness today released a first-of-its-kind analysis evaluating how Uganda’s top data collectors—many of whom operate across Africa—adhere to privacy standards and best practices that protect consumers’ personal data. The Privacy Scorecard Report, which contains three main sections of findings, shows:
Overall, the report—released during the third annual Privacy Symposium Africa—finds that in an era of unprecedented data collection and digital surveillance, organizations and companies in Uganda—and across Africa—continue to struggle to keep citizens’ data safe, putting Africans at risk for fraud, identity theft, discrimination, and social and reputational harm.
“We introduced the Scorecard to encourage data collectors and processors to adopt protection best practices and to empower Ugandan citizens to demand information pertaining to the ways in which their personal data is being collected and used,” said Dorothy Mukasa, Executive Director of Unwanted Witness, “while also recognizing those actors that are complying with laws and best practices. Every Ugandan has the right to freedom of expression through any media platform without interference. It is a right guaranteed by the constitution, and organizations should know that their responsibility is no longer just about robust service delivery but about protecting their customers’ confidentiality.”
Scoring Uganda’s Top Data Collectors Against the 2019 Data Protection and Privacy Act
Part 1 of the analysis provides an in-depth look at how Uganda’s government agencies and companies are living up to the data-protection standards established three years ago, when the government passed the Data Protection and Privacy Act of 2019.
The report evaluates 32 of the most active companies doing business online in Uganda, including representatives from e-commerce, financial services, telecoms, insurance, the government, social security, and private hospitals. Companies include MTN, Airtel, Safeboda, Absa Bank, Stanbic Bank, Jumia, Maskini, KiKUU, and Centenary Bank. Each is assessed across five crucial areas: practising robust data security; complying with privacy best practices; providing information to users before collecting their data; indicating the third parties with whom one’s personal data will be shared, and disclosing third-party requests for data.
The average overall performance of the companies and agencies is a score of 35%. More than half of those studied practice robust data security, and 40% comply with privacy best practices. When it comes to providing users with information before collecting their data; indicating the third parties with whom that data will be shared, and disclosing how much data will be provided to those parties (including the government and law enforcement), the organizations perform poorly across the board. A surprising number have no Secure Sockets Layer (SSL) certificates or report poor SSL server test results, making them highly vulnerable to attacks.
In addition, organizations tend to not sufficiently disclose what user information they share and with whom. Just 8% indicate third parties with whom personal data will be shared in their privacy policy. None of the 32 organizations disclose how much data is requested and shared with third parties such as government bodies and law-enforcement agencies. (See below for more highlights from Part 1.)
Examining Inconsistent Policies Across Africa
The second part of the report examines the privacy policies and privacy-law compliance among 11 companies with a presence in Uganda and operating across the continent. The firms assessed include MTN, Airtel, Safeboda, Bolt, UAP Insurance, Absa Bank, Stanbic Bank, Jumia, Maskini, KiKUU, and Centenary Bank.
Companies working in countries with more robust privacy legislation, such as Nigeria, South Africa, and Mauritius, tend to enact stronger policies in those places than in the other countries in which they operate. In countries with weaker laws, such as Zambia, Namibia, and Malawi, companies have compromised privacy policies. Uganda ranks seventh among 12 countries studied for privacy legislation.
“Instead of valuing consumer privacy,” said Allan Sempala Kigozi, Head of Programs for Unwanted Witness and the author of the report, “this analysis shows us that companies are meeting only the minimum requirements in the countries in which they operate. We would like to see a world in which companies set high standards that value the rights of every person — regardless of the strength of their countries’ data-protection laws.”
A few companies, including Jumia, Safeboda, and KiKUU, have consistent privacy policies across the countries in which they operate.
Revealing the Widespread Use of App Trackers in Uganda
For the third section of the report, Unwanted Witness employed a series of tools to study the 66 most commonly used mobile and web applications in Uganda, including King James Bible, Glovo, Stanbic Bank, Jumia, Safeboda, Bolt, Absa Uganda, Jiji.ug, KiKUU, and Airtel.
The findings reveal the presence of trackers in all of the most popular apps used by Ugandans. The trackers include crash reporting, analytics, virtual profiling, digital identity, targeted advertising, and geographical location of mobile devices. The report noted that some apps require many more permissions than necessary compared to other apps in the same category. It also noted that some of these permissions can access private user data and cause fraudulent transactions or automated clicking activities that further deplete user data.
“Just because these practices are rampant doesn’t mean that they are right,” said Sempala Kigozi. “Using users’ data for commercial benefit without being transparent and clear about it is a clear violation of consumers’ rights.”
A Question of Human Rights and Dignity
During the third Privacy Symposium Africa this week, participants called on companies and organizations to make data collection and privacy a top priority. Pointing to the Scorecard as an important milestone in the empowerment of citizens, they urged data collectors to adopt best practices that focus more on transparency.
“In an era where Ugandans entrust so much of their personal information with private and public companies,” said Mukasa, “it is imperative that these organizations manage that data responsibly and ethically. Customers have the right to know whether and how their data is being stored, processed, and utilized.”
“By providing objective measurements for analyzing data-handling policies and practices, we believe the Scorecard can act as a vital stopgap against the unfettered abuse of user data,” said Sempala Kigozi. “We look forward to seeing changes to the policies of those organizations studied here, so that Ugandans can be confident that their digital lives are not being subject to manipulation, and their human rights and dignity remain intact.”
About Unwanted Witness
Unwanted Witness is a civil society organization (CSO) that was established in 2012 to respond to the gap in effective communication using various online expression platforms.
Created by a group of netizens, bloggers, activists, writers and human-rights defenders as an independent, non-partisan and not-for-profit CSO, it seeks to create secure, uncensored online platforms to promote human rights through writing and informing, and to educate the citizenry that utilizes the platform for strengthening free expression and demanding accountability.
Learn more at www.unwantedwitness.org.