Privacy wins as Uganda’s data regulator finds data controller unlawfully disclosed data to third-party

Unwanted Witness Uganda welcomes the first-ever data protection investigation report by the Ugandan data regulator, National Information Technology Authority, Uganda (NITA-U) into the operations of Guinness Transporters Limited, trading as SafeBoda. NITA-U has ordered SafeBoda to make fundamental reforms regarding sharing of people’s personal data with third parties.

SafeBoda has until the end of May 2021 to amend its privacy notices so that people can provide specific and informed consent, and in particular to clearly inform its customers of the third parties it may disclose their personal data to, in accordance with the principle of fairness under section 3(1)(b) of the Data Protection and Privacy Act, 2019. NITA-U further requires SafeBoda to specify the safeguards in place for cross-border transfer of personal data.

The regulator’s report is a result of our early 2020 investigation into SafeBoda’s non-compliance with the Data Protection and Privacy Act, 2019. Our report revealed how the transportation app was sharing people’s personal data with third parties without the knowledge and consent of consumers, falling short of fundamental data protection principles.  

NITA-U’s investigation found that SafeBoda’s Data Privacy Policy and Data Protection Policy, versions of 2017 and 2019 respectively, were not transparent and failed to provide information on third-party recipients of users’ personal data. The investigation report concluded that this showed that SafeBoda did not address the non-compliance pointed out by Unwanted Witness in their report, and that in order to be in compliance with the Data Protection and Privacy Act, 2019, their policy and practices needed to be amended.

The NITA-U report notes that “it was established that SafeBoda shared its users’ personal data with CleverTap – a data processor that offered Software as a Service for customer lifecycle management and mobile marketing” and “since ‘consents’ relied upon for the disclosure were not specific neither were they informed” as users were not informed about the extent of personal data collected nor the potential disclosure to third parties, NITA-U concluded that this amounted to personal data unlawfully being disclosed to a third party.  The disclosure of its users’ personal data to CleverTap contravened Section 35 of the Data Protection and Privacy Act, 2019 – likely to affect millions of users.

Furthermore, in order to effectively apply its own policy and demonstrate compliance with its obligations and protections of the rights of individuals, in particular the rights to access and to an effective remedy, the report noted the need for SafeBoda to improve its process for access to information requests as well as its incident response and breach management.

Applications like SafeBoda heavily rely on collecting personal data for their operations, meaning that they must have clear policies and practices that meet required data protection standards and principles. The app must provide sufficient information to users to meet the principle of transparency, and provide the user with a choice to opt-out from their data being shared for marketing and analytics purposes. 

NITA-U’s maiden data protection investigation report has thus made it clear that the consent relied on by SafeBoda to share customers’ data with third parties was invalid. SafeBoda and other data controllers shouldn’t bundle consent together for all purposes but should ask users to provide consent in a granular and specific way. This helps users know what they are consenting to and offers them a choice to object to any processing operations that are not strictly necessary for the provision of the services.

The regulator’s report is a significant step towards restraining data exploitation and protecting personal data in Uganda. We will closely monitor SafeBoda’s implementation of all recommendations made by NITA-U.  

Background.

  • In February 2019, Uganda passed the Data Protection and Privacy Act, regulating the processing of personal data.  
  • Between June 2019 and 2020, Unwanted Witness conducted research assessing SafeBoda’s compliance with the data protection law, international standards, and principles of data protection.
  • In July 2020, UW released the report revealing concerns of personal data exploitation by SafeBoda, whose operations fail to comply with the Data Protection principles of transparency, lawfulness, fairness, purpose limitation, and data minimization. 
  • In August 2020, the speaker ordered NITA-U through the ministry of ICT to conduct further investigations into concerns of unlawful data sharing. 
  • Read our full report here