07.03.2020 Views

BOOK CHAPTER1 ON DATA PROTECTION AND PRIVACY IN UGANDA

You also want an ePaper? Increase the reach of your titles

YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.

DATA PROTECTION AND PRIVACY IN UGANDA

R.Kakungulu-Mayambala*

ABSTRACT

This book chapter deals with data protection and privacy in Uganda. The paper

provides a useful overview of the discourse and enactment of data protection law in

Uganda. It offers a detailed and comprehensive overview of privacy law reforms in

Uganda including the adoption of the European model of governance. Part I of the

paper gives a general introduction to privacy and data protection, Part II on the

context of information privacy analyses a wide range of issues from the history,

political, economic and technological advancements in Uganda. This is more so the

cases since privacy issues are contextual. Part III provides a more detailed analysis of

matters such as perception of privacy, the relevance of knowledge of privacy law by

the public and the authorities and the issue of drafting. Part IV of the paper critiques

the Ugandan data privacy bill with the critique mainly based on the OECD data

privacy framework. Lastly, the paper has concluding remarks and recommendations.

(161 words)

I. Introduction

This chapter deals with information privacy, the social attitudes to privacy and the

legal and regulatory systems of protection of privacy in Uganda ranging from the

Constitution, the right to habeas data, the statutory laws and the common law position

on this right. Uganda does not have a comprehensive data protection legislation.

However, the country is now in the process of enacting a comprehensive law on data

protection and privacy in the country. To this, end, The Data Protection and Privacy

Bill, 2015 has been prepared. 1 In a nutshell, this chapter discusses the data protection

principles, the data protection regulator, and the international transfer of personal

data. All this discussion is done in light of the comparative influences and

interpretation of the data protection legislation especially that of the United Kingdom

(UK) and the European Union (EU). The chapter also deals with the procedural and

enforcement mechanisms, the Regional Economic Communities (RECs), in the

context of Uganda, the East African Community (EAC) and its Additional Protocols

and data protection. Envisaged common markets such as the Protocol for the EAC

Common Market and the movement of information, the transposition of REC data

protection policies are all analyzed. The chapter ends with a conclusion.

II. The Context of Information Privacy

According to Professors Solove and Schwartz:

“Information privacy concerns the collection, use, and disclosure of personal information.

Information privacy is often contrasted with ‘decisional privacy,’ which concerns the freedom

to make decisions about one’s body and family…But information privacy increasingly

*S.J.D. (Arizona). Senior Lecturer, Makerere University School of Law, and Advocate of the Courts

of Judicature in Uganda. Email: rkakungulu@law.mak.ac.ug

1

The draft Bill used herein the text is that as published by the Office of First Parliamentary Counsel

[FPC] on 19 th February 2015.

1


incorporates elements of decisional privacy as the use of data both expands and limits

individual autonomy.” 2

Information privacy remains a relatively new area in Uganda. The courts of law have

however traditionally resorted to the use of common law principles in the absence of a

comprehensive legislation on data protection and privacy in Uganda. It is for this

reason that Uganda still lags behind in relation to the legal regulation and framework

of collection, use, and disclosure of personal information, even when the country has

taken major strides in the areas of national census, voter registration, mandatory

Subscriber Identification Modules (SIM) card registration, and the National Identity

(ID) card registration.

As Privacy International notes:

Privacy enables us to create barriers and manage boundaries to protect ourselves from in our

lives. Privacy helps us limit who has access to our bodies, places and things, as well as our

communications and our information. It's the right to know that your personal

communications, medical records, metadata and bank details are secure, but it is also about

ensuring that they are under your control. Privacy is essential to human dignity and autonomy

in all societies. Privacy is at the cross-section of technology and human rights. The right to

privacy is a qualified fundamental human right - meaning that if someone wants to take it

away from you, they need to have a damn good reason for doing so. 3

However, issues such as the history, political, economic and technological

advancements also greatly impact on the context of information privacy in Uganda

and especially since privacy issues are contextual. A thorough discussion of the

history, political, economic and technological advancements in Uganda goes a long in

giving a comprehensive foundation for the subsequent discussion in respect of the

social attitudes to privacy in Uganda, and the legal and regulatory systems of

protection of privacy.

Whereas technological advancement in Uganda remains a key factor in issues of

privacy, Privacy International cautions thus:

Technologies are enabling new forms of empowerment and interaction as we integrate them

into our lives. They may also enable powerful institutions to amass our personal information.

The threat of terrorism is giving governments across the world carte blanche to ramp up state

surveillance. Industry is voracious in its appetite to profile us, predict what we will do, and

profit from our data. We believe that technological developments should strengthen, rather

than undermine, the right to a private life, and that everyone’s privacy must be carefully

safeguarded, regardless of nationality, gender, race or ethnicity, personal or economic status. 4

Political and religious differences also persist and have had a tremendous impact on

the social attitudes to privacy in Uganda. Those citizens who are supportive of the

political establishment are always shy to point out the excesses of the ruling class in

respect of perceived violations of the right to privacy in the country. Similarly, the

religious groups such as the church and the mosques who voices are always raised

through their leaders tend to toe the strict and usually conservative line when it comes

to privacy issues.

2

DJ Solove & PM Schwartz, Information Privacy Law (3 rd edn, Asep Publishers 2009) 1 – 2.

3

Accessed at https://www.privacyinternational.org on October 17, 2015 at 1525 hours.

4

Ibid.

2


The influence of politics and religion on privacy issues in Uganda as a factor can also

be attributed to historical reasons as best noted by Professor Frans Viljoen, “the initial

‘cultural’ focus on the ‘black race’ of Africa had to be adapted if the ‘political’

dimension of pan-Africanism were to include Arab North Africa’”. 5 The Arab North

Africa, also otherwise known as the Magreb has traditionally been aligned to the Arab

world of the Middle East and has preferred to be referred to as such than as Africans. 6

With the increasing radicalization of the Islam religions, and the emergency of terror

groups such as the al Qaeda and Al-Shabaab who have launched disastrous attacks on

not only the west but also African countries such as Kenya, Tanzania and Uganda. 7

Khalid al-Fawwaz was accused of four counts of conspiring to kill Americans in the

1998 twin bomb attacks on the US Embassies in Kenya (Nairobi) and Tanzania (Dar

es Salaam). 8 A New York Federal Court subsequently convicted Khalid on all the

four counts. 9 The result was massive arrests by the Government of Uganda done

mainly on Moslem Somali nationals living in Uganda. Again, this is in line with the

social attitude that Islam is associated with terrorism in Uganda and the world over. 10

Equally important is the view held by Makulilo who argues “at the same time respect

for privacy is lacking. Laws and conducts of the Government (of Uganda) and private

companies and individuals are in most cases falling outside the protection offered by

the Constitution.” 11

The social attitudes to privacy in Uganda are not helped any further by the State itself

as noted by Kakungulu-Mayambala, thus “the country continues to enforce a colonialera

public interest law on morality that permits the government to interfere with the

private lives of its citizens. Such laws give the government a pretext to invade

people’s private lives and deny them essential human rights and to live in peace and

harmony. A close look at the enjoyment of this rights [to privacy] over the last twelve

years reveals several issues of concern.” 12 The best illustration of such laws includes

the Penal Code Act, Cap. 120 and the Anti-Pornography Act, 2014.

The Privacy context in Uganda is quite fuzzy. What seems clear however, is the fact

that much of the privacy law that exists is mainly intended for regime survival. This

view is supported in part by Privacy International, which states:

State authorities have proactively cultivated the popular perception that surveillance is

systematic, centralised and technically sophisticated. This is not the case; not yet, at least.

5

Frans Viljoen, International Human Rights Law in Africa (2 nd edn, Oxford Publishers 2012), 154.

6

Mahmood Mamdani, Saviours and Survivors: Darfur, Politics, and the War on Terror (New York,

Pantheon Books 2009).

7

A terrorist group, which later claimed to be the Al-Shabaab launched two deadly terrorist attacks on

Kampala City on July 11, 2010 killing over 50 football fans who were watching the final of the 2010

World Cup.

8

Kevin J. Kelley, ‘US Court finds Suspect guilty of Nairobi blast,’ The East African, February 28 –

March 6, 2015, p. 14.

9

Ibid.

10

Mahmood Mamdani, Good Muslim, Bad Muslim: America, the Cold War and the Root of Terror

(Kampala, Fountain Publishers 2004).

11

Alex B. Makulilo, (2015), ‘Ugandan Privacy Bill: a cosmetic tokenism? Unpublished paper (on file

with the author), p. 5.

12

See generally, R. Kakungulu-Mayambala, (2009), ‘Data Protection and National Security:

Analyzing the Right to Privacy in Correspondence and Communication in Uganda,’ HURIPEC

Working Paper No. 25, p. 19.

3


The attributes that have made Uganda’s human intelligence network strong and allowed it to

infiltrate opposition and other circles considered threatening to the Government are poorly

suited to conducting communications surveillance on a large and automated scale. 13

State surveillance has increased in Uganda thereby blurring the privacy and data

protection line. 14 Whereas the Government of Uganda has vehemently denied

carrying out covert surveillance on its political opponents 15 it is an open secret and

widely perceived view across Uganda that the State practices covert surveillance on

its citizens especially on the political opposition. 16 Amidst the government of

Uganda’s claim to sue the BBC for the Privacy International report on its security

situations, 17 all the above, comes on the backdrop of:

“the fact that in 2010, President Museveni signed into law, the Regulation of Interception of

Communications Act, giving powers to security officials to listen into private communication

if they (security officials) suspect the communication is in aid of criminal activity. But

security agencies must seek a court order to intercept communication.” 18

Indeed, “according to intelligence briefing prepared for President Museveni, which

Privacy International accessed to author its report, the Chieftaincy of Military

Intelligence (CMI) launched the spy program on December 5, 2012.” 19 The spy

program, code named Fungua Macho (Kiswahili for ‘Open Your Eyes’) uses the Fin

Fisher spyware which “government purchased in December 2011 from Gamma

International GmbH of Germany.” 20 Already the report casts the government of

Uganda’s human rights record in bad light and this is well captured in the report thus:

Along with more heavy-handed tactics, the use of surveillance technology has chilled free

speech and legitimate expressions of political dissent. Covert, extrajudicial surveillance

projects like those documented in this report have contributed towards making Uganda a less

open and democratic country in the name of national security. This situation is unlikely to

improve any time soon, particularly with the eventual addition of the centralised

communications monitoring centre under the intelligence services’ control. Until and unless

this is addressed, claims that Uganda is a burgeoning democracy ring hollow. 21

The above scenario presents a rather sad social attitude to privacy in Uganda. Owing

to the rather massive violation of other human rights in Uganda, the Ugandan public

has resorted to cynicism and indifference when it comes to the right to privacy. The

right to privacy in Uganda is not only taken in a lasses-faire manner but is also seen

13

Privacy International Report, For God and My President: State Surveillance in Uganda, October

2015, p. 37.

14

E.Mukiibi Serunjogi, How Government Taps Opposition Leaders’ Phone Calls, Saturday Monitor,

October 17, 2015, pp. 1, 4.

15

N. Wesonga & S. Kafeero, Government denies bugging citizens’ information, Saturday Monitor,

October 17, 2015, p. 4, and C. Kiwawulo & J. Masaba, Government Denies Buying Gadgets to Spy on

Opposition, Saturday Vision, October 17, 2015, p. 3.

16

See generally, URN, Government ‘bugged and spied’ on Parliament, 21 Hotels – Report, The

Observer, October 15 – 16, 2015, accessed from http://www.observer.ug on October 18, 2015 at 1630

hours.

17

C. Etukuri, CMI Boss to Sue the BBC, New Vision, October 19, 2015, pp. 1, 4.

18

Ibid, p. 4.

19

T. Butagira, Government Targets Houses, Cars in New Spy Operation, Sunday Monitor, October 18,

2015, p.3.

20

B.H. Oluka, Government Spends Shs200bn on Spying Gadgets, The Observer, October 19 – 21, 2015

accessed from http://www.observer.ug/news-headlines/40521-govt-spends-shs-200bn-on-spyinggadgets

at 1455 Hours.

21

Privacy International Report, Supra, note 13.

4


largely as an elitist right. The few groups that seem to advocate for this right are

mainly the Non-Government Organizations (NGOs) that are donor funded. This also

aids in alienating the right farther as it is now seen as a mainly western-influence

right.

The contextual extent of privacy and data protection has been analysed above. Privacy

issues are contextual. 22 However, the perception of privacy remains varied in

Uganda, with the State deeply interested in violating this right in the name of national

security.

III. Social Attitudes to Privacy

Privacy and how it is understood and perceived may vary from society to society and

individual to individual. Indeed, the Americans and Europeans perceive privacy

differently. This is not only unique to Americans and Europeans; even Africans may

perceive privacy differently, depending on social, cultural and economic standing.

Professors Solove and Schwartz best capture the differences between American and

European perspectives of privacy, thus:

U.S. and foreign privacy regimes differ in some respects. Consider the standard description of

privacy legislation in Europe as “omnibus” and privacy law in the United States as “sectoral.”

In Europe, one statute typically regulates the processing of personal information in public and

private sectors alike. In the absence of more specific legislation, the general information

privacy law in Europe sets terms for the processing, storage, and transfer of personal

information. In the United States, in contrast, a series of narrower laws focus on specific

sectors of the economy or certain technologies. 23

Solove and Schwartz argue further that:

To people accustomed to the continental way of doing things, American law seems to tolerate

relentless and brutal violations of privacy in all these areas of law. I have seen Europeans

grow visibly angry, for example, when they learn about routine American practices like credit

reporting. How, they ask, can merchants be permitted access to the entire credit history of

customers who have never defaulted on their debts? Is it not obvious that this is a violation of

privacy and personhood, which must be prohibited by law? [Differences about privacy in the

United States and Europe] are clashes in attitude that go well beyond the occasional social

misunderstanding. In fact, they have provoked some tensions and costly transatlantic legal

trade battles over the last decade and a half. 24

Differences in the perception of privacy do not only exist between Americans and

Europeans. Whereas Africans are largely “homogenous” in relation to colour, and are

traditionally communal 25 , differences remain abound when it comes to perceptions of

privacy. 26 The clash between private life and dignity of the individual in Uganda is

largely premised on the fact that Uganda’s understanding of rights is premised on that

22

A. Hughes, Human Dignity and Fundamental Rights in South Africa and Ireland (Pretoria: Pretoria

University Law Press, 2014), pp. 260 – 270, p. 267.

23

Ibid, p. 996.

24

Ibid, p. 998 – 999.

25

See generally, E. Khiddu-Makubuya, (1974), ‘The Concept of Human Rights in Traditional Africa,’

Makerere Law Journal, Vol. 1, No.1.

26

See generally, R. Kakungulu-Mayambala, (2009), ‘Data Protection and National Security:

Analyzing the Right to Privacy in Correspondence and Communication in Uganda,’ HURIPEC

Working Paper No. 25.

5


of the African traditional understanding of rights, which placed the community at the

forefront of the individual. 27

(a) Perception of Privacy in Uganda

The way a given community perceives privacy goes along way in determining how

conscious that particular society will respond to alleged violations of the right to

privacy let alone recognize or fight for its protection and promotion. This is especially

the case in light of the fact that a discussion of privacy issues is contextual. The

perception of privacy in Uganda is largely based on the history, political, economic

and technological advancements. Religion too plays a lead role. Religious groups

mainly Christians and Muslims form a solid majority in Uganda and the thinking of

most Ugandans is largely influenced by either their religious background or culture. 28

Invariably, the ordinary Ugandan’s perception of privacy is clouted with both

religious and cultural connotations. 29 Islam too offers a clear-cut line of co-existence

and brotherliness among the faithful, to mutual respect for one another including the

respect for the rights of each individual. “Indeed Islam enjoins us to guard our

honour and privacy, and that of others as basic right.” 30 The traditional African belief

and the African traditionalists in Uganda in general perceive human rights including

the right to privacy or privacy generally “as those legitimate enjoyments of the

individual that are consistent with the dignity of the community. The avoidance of

shame for the community is a dominant impulsion.” 31 Thus, by far and large,

perception of privacy in Uganda is greatly influenced by one’s religious belief(s);

namely Christianity, Islam or African (oral) tradition.

(b) The relevance of Knowledge of privacy law by the public and the authorities

and the Issue of Drafting

As discussed above, knowledge on privacy law in Uganda remains scanty not only

among the ordinary citizens but also the elites. The dismal knowledge of privacy law

by the public and the authorities presents such a conundrum that is not only untenable

in respect of protection and promotion of the right to privacy but is also cumbersome

to the authorities. In a way, such a situation presents a fertile ground for the public

not to demand for recognition and enforcement of the right to privacy in the country

whereas the authorities remain unaccountable. In the end, no tangible laws have been

enacted to foster privacy in the country except for a single Constitutional Article 27.

The major tangible goal and step in the right direction remains the yet to be passed

Data Protection and Privacy Bill, 2015 which was approved by the Cabinet

(Executive) last month and now awaits tabling before the national legislative

assembly – Parliament.

Even when the Data Protection and Privacy Bill is finally passed into an Act of

Parliament, knowledge of privacy law in the country may still remain unless

corrective steps are boldly taken to entrench a deeper understanding of this right to

27

E. Khiddu-Makubuya, supra.

28

Huripec, Religion, Rights and Peace Fellowship Monograph on Human Rights through the Lens of

Religion, Vol. 1, No. 1, 2014 at p.12.

29

Ibid, p. 21.

30

Ibid, p. 31.

31

Ibid, p. 39.

6


the ordinary people. The broadly understood rights remain the obvious ones of right

to life and property that are as well anchored in both religion 32 and politics. The

relevance of knowledge of privacy law by the public and the authorities and the issue

of drafting would be the hallmark to understanding this right in Uganda,

unfortunately, the country’s history of military and political tyranny. 33 Knowledge on

the few existing privacy law also remains scanty. Even when the current government

which has been in power since 1986 aims high in trying to restore democratic rule and

good governance 34 , the country still remains at a crawling stage when it comes to

issues of privacy.

Power belongs to the people in Uganda and indeed all forms of governance can only

emanate from the power of the people. 35 As Niringiye notes, in good political

governance, “laws are to be enacted by appropriate institutions according to the

Constitution.” 36 In Uganda, the Constitution bestows upon Parliament the power to

make laws for “the development, peace and good governance of the country.” 37

However, the issue of drafting still remains a challenge, as most of the

parliamentarians never seem to fully appreciate issues of data protection and privacy,

and would rather concentrate on peripheral matters. Similarly, “Uganda has been

lagging behind in signing, ratifying and domesticating key international codes and

standards” 38 even when the Constitution obliges the country to do so under Article

123. 39 Domestication of international law in Uganda goes through a length process.

As Busingye Kabumba notes, “it (Uganda) is a dualist country, and international law

therefore does not operate automatically but requires a process of domestication and

incorporation into the national legal system.” 40

Knowledge of privacy law by the public and the authorities is key, however, what

does one do especially if the very privacy law conflicts with Uganda’s international

human rights obligations? This is an issue of drafting but is also sometimes and

indeed most of the times deliberate as the government of Uganda struggles for regime

survival at the expense of human rights. A clear case in point is the Regulations of

Interception of Communications Act, 2010 in which case Privacy International “the

government to reform the laws and its actions” 41 by stating that:

“Ugandan laws and oversight mechanisms need to be significantly reformed and strengthened

to ensure compliance with international human rights, including privacy, freedom of

expression and peaceful assembly. This is particularly important in light of the use of

surveillance technologies such as FinFisher malware as described in the evidence obtained by

Privacy International.” 42

32

The Biblical Ten Commandments include thee shall not “kill or steal”.

33 See generally, M. Mamdani, Imperialism and Fascism in Uganda (Nairobi: Heinemann, 1983).

34

Y.K. Museveni, Sowing the Mustard Seed (London: MacMillan Publishers Ltd, 1997), p. 187.

35

Article 1 of the Constitution.

36

D.Z. Niringiye, The Political Governance Crisis of Uganda @50: Institutional Failure, Rule by Law

and Law of the Ruler, HURIPEC, Religion, Rights and Peace Fellowship (RRPF), 2014, P. 38.

37

Article 79.

38

Niringiye, Supra, note 25.

39

See generally, Busingye Kabumba, The Application of International Law in the Ugandan Judicial

System: A Critical Enquiry, in Killander, M. (Ed), International Law and Domestic Human Rights

Litigation in Africa, (Cape Town: PULP, 2010) pp.83-107.

40

Ibid, p. 84.

41

Oluka, Supra, note 20.

42

Ibid, quoting the UK-based Organization.

7


In a nutshell, the Ugandan privacy and data protection malaise is more than merely

knowledge of privacy law by the public and the authorities or a good draftsman, it

surely goes beyond that to involve a sitting government which is hell bent on regime

survival and suppressing human rights.

IV. Legal and Regulatory Systems of Protection of Privacy

(a) Protection of Privacy in General Law

The Constitution of the Republic of Uganda firmly protects the right to privacy.

Article 27 thereof provides as follows:

(1) No person shall be subjected to—

(a) unlawful search of the person, home or other property of that person; or

(b) unlawful entry by others of the premises of that person.

(2) No person shall be subjected to interference with the privacy of that person’s home,

correspondence, communication or other property.

As Kakungulu-Mayambala rightly notes:

“Although the Constitution provides for the right to privacy in Uganda, it is a right still in the

nascent stages of evolution with scanty jurisprudence in Uganda. Both the Government of

Uganda (GoU) and some private entities continue to flagrantly violate this right through their

commissions/ommissions and policies, while the citizens remain ignorant of such violations or

choose to take no action against the violators.” 43

Once again, the above state of affairs as referred to by Mayambala, are only but a

critical reflection of the social attitudes to privacy in Uganda, viz: a right largely

treated with cynicism and taken to be an elitist right or a “western-influence” kind of

right, at least in the eyes of the ordinary Ugandan. This fact is farther compounded by

the fact that under Article 44 of the Constitution, the right to privacy is not absolute

and is actually among the derogable rights in Uganda. 44 Thus, “any limitations of the

enjoyment of the right to privacy may be placed on this right in what is acceptable

and demonstrably justifiable in a free and democratic society, or what is provided in

the Constitution.” 45 The test as given in Article 43(2)(c) of the Constitution was

interpreted in the case of Charles Onyango Obbo & Anor v. Uganda 46 in which the

Canadian case of R. v. Oakes 47 was cited with approval as “the yardstick is that the

limitation must be acceptable and demonstrably justifiable in a free and democratic

society. This is what I have referred to as ‘the limitation upon limitation.’” 48 A

43

R. Kakungulu-Mayambala, (2010), ‘Examining The Nexus Between ICTs and Human Rights in

Uganda: A Survey of Key Issues,’ East African Journal of Peace and Human Rights, Vol. 16, Issue 1, p.

5.

44

Philbert M. Nyakahuman, ‘Conflict between Right to Privacy and the Law,’ Daily Monitor,

Thursday, November 20, 2014, p. 14.

45

See Article 43 of the Constitution.

46

Const. App. No. 1 of 2000 [unreported].

47

[1986] 1 S.C.R. 103.

48

See judgment of Mulenga J.S.C. in Obbo’s case.

8


delicate balance therefore needs to be struck between the enjoyment of the right to

privacy in Uganda and any limitations that may be placed on such a right. 49

Article 27 of the Constitution has covered data protection and privacy issues in

Uganda. Save for the several laws which have been passed by the Parliament of the

Republic of Uganda, all of which are aimed at placing limitations on the enjoyment of

the right to privacy in Uganda, no detailed law has been passed to tackle the question

of data protection in Uganda. Currently, Uganda has no specific privacy or data

protection legislation to give effect or to operationalize the constitutional provision.

Only the Data Protection and Privacy Bill, 2015 seeks to fill that lacuna. Thus, to

date, Uganda does not have a comprehensive law on data protection and only relies on

Article 27 of the Constitution and other international instruments or practices. Owing

to the fact that Uganda does not have a comprehensive law on data protection, the

country does not therefore have a right of Habeas data. Without the right to habeas

data, it is almost impossible for any aggrieved person to seek a remedy from court in

respect of any data that may be in the possession of a data controller for it is only by

way of the writ of habeas data that court would command a data controller to release

such data to the data subject.

Uganda has passed a host of statutory laws, which have a strong bearing on the right

to privacy. Among these is the Anti-Terrorism Act, 2002; the Regulation of

Interception of Communications Act (RICA), 2010; which seeks to operationalize and

create an enabling law for Sections 18 and 19 of the Anti-Terrorism Act; the Access

to Information Act, 2005; the Access to Information Regulations, 2013; the Computer

Misuse Act, 2011; the Electronic Transactions Act, 2011; the Electronic Transactions

Regulations, 2011; the Electronic Signatures Act, 2011; the Anti-Pornography Act,

2014 and the Whistleblowers Protection Act, 2010. Each of these laws should be

analyzed in detail in the ensuing discussion to come. What, however, be observed

right from the on-set is that the “these laws have limited provisions to protection of

privacy which have in most cases insufficient safeguards.” 50

The above laws offer the main legal and regulatory systems of protection of privacy

in Uganda. However, the Common Law also remains key for under Section

14(2)(b)(i) of the Judicature Act 51 the Common Law remains part of the law

applicable in Uganda. 52 Uganda is a Common Law country owing to the fact that it is

a former British Protectorate. The civil law does not apply in Uganda since the two

are considered to be independent legal systems, and Uganda did not adopt a hybrid

legal system at independence. Since Uganda does not have a comprehensive law on

Data Protection and Privacy, it remains to be seen whether the Common Law still

applies to the protection of say personal information.

The reasons for the passing of statutory laws with far reaching effects on the

enjoyment of the right to privacy in Uganda are best captured by Kakungulu-

Mayambala, thus:

49

See generally, H. Odimbe-Ojambo, (2008), ‘Reflections on Freedom of Expression in Uganda’s

Fledgling Democracy: Sedition, “Pornography” and Hate Speech,’ HURIPEC Working Paper, No. 18.

50

Alex B. Makulilo, (2015), ‘Ugandan Privacy Bill: a cosmetic tokenism? Unpublished paper (on file

with the author), p. 6.

51

Cap. 13, LoU.

52

See also Article 132(4) of the Constitution.

9


Several reasons are offered by the Ugandan government for this course of action including:

claims related to national security, law enforcement, the fight against terrorism and illegal

immigration, administrative efficiency and welfare fraud, technological advances,

technological standards, interoperability between information systems and globalization of

information. All these factors are said to exert extraordinary pressure on the few remaining

privacy safeguards in Uganda. 53

As Makulilo notes, “there is little case law by Ugandan courts that interpret Article 27

of the Constitution.” 54 The three landmark cases by the High Court of Uganda are

worth of mention here. In the case of Victor Juliet Mukasa & Yvonne Oyo v. Attorney

General 55 , where 206 agents of the State broke into the residence of the plaintiffs in

search for evidence of suspected lesbianism, the applicants sued for unlawful

confiscation of their property [CDs], correspondence and trespass to their home.

Stella Arach-Amoko, J. held thus:

In respect of the 1 st applicant, the evidence on record shows that the police did not handle her

documents properly. They gave the LC1 Chairman unlimited access to the said documents

even after he had handed them over to police, and detained the said documents over night

without entry in their books in accordance with the laid down procedures. She is accordingly

awarded 3 million shillings for violation of her right to property contrary to article 27(2) of the

Constitution. 56

Makulilo notes further that:

The High Court (of Uganda) held that the actions (of the defendants) were a violation of the

applicant’s privacy regardless of their sexual orientation and that the right to privacy entails a

right to choose the way in which and the people with whom one seeks to pursue intimacy

[with]. Following the approach taken by the European Commission of Human Rights [now

defunct], the Ugandan High Court held that the right to privacy includes the right to establish

and develop relationships with other human beings.” 57

Another very important case from the High Court of Uganda in respect of the right to

privacy is that of Kasha Jacqueline, Pepe Onziema & David Kato v. Giles Muhame

and the Rolling Stone Publication Ltd 58 , in which the 2 nd defendant, which was a

weekly tabloid newspaper published in Uganda with the sole purpose of fighting

homosexuality published the identities and contacts of people based on their real and

perceived sexual orientation with the plaintiffs being the first victims of such

publication. The applicants sued the defendants alleging a violation of their right to

privacy and also sought an injunction against the defendants to stop the publication of

the identities of persons and homes of the applicants, arguing that the said publication

was not only a violation of their right to privacy but also a threat to their personal

security in light of the homophobia which the Ugandan society holds against gays and

lesbians. This homophobia was taken to high levels, when in December 2013; the

Parliament of the Republic of Uganda overwhelmingly passed the Anti-

53

R. Kakungulu-Mayambala, (2010), p.6.

54

Alex B. Makulilo, (2015), ‘Ugandan Privacy Bill: a cosmetic tokenism? Unpublished paper (on file

with the author), p. 5.

55

Misc. Cause No. 247 of 2006, High Court of Uganda in Kampala, (2008) AHRLR 248 (UGHC

2008).

56

See H. Nsamba, (2009), ‘Government to pay suspected lesbians sh13m,’ The New Vision.

57

Alex B. Makulilo, (2015), ‘Ugandan Privacy Bill: a cosmetic tokenism? Unpublished paper (on file

with the author), p. 6.

58

Misc. Cause No. 163 of 2010, High Court of Uganda in Kampala (Unreported).

10


Homosexuality Bill as a “Christmas gift” to Ugandans. President Museveni assented

to the Bill in February 2014 effectively turning it into an Act of Parliament. The Act

was subsequently nullified in the constitutional petition of Prof. J.Oloka-Onyango &

Others v. the Attorney General, 59 on a technicality, that the impugned law had been

passed without the required quorum. The petitioners also alleged that the Act was a

violation of the right to property and privacy of alleged homosexual and lesbians in

Uganda. However, the court did not go to the merits of the petition and merely upheld

the petition on a technicality.

Makulilo notes:

The High Court held that with regard to the right to privacy of the person and home, under

Article 27 of the Constitution, it has no doubt, again using the objective test, that the exposure,

of the identities of the persons and homes of the applicants for the purpose of fighting gays

and the activities of gays, as can easily be seen from the general outlook of the impugned

publication, threatens the rights of the applicants to privacy of the person and their homes.

The Court emphasized that the applicant were entitled to enjoy their right to privacy in

Uganda and banned the publication of the Rolling Stone. 60

The one and only Ugandan case on data protection came as a surprise albeit a

blessing. In 2010, the Parliament of the Republic of Uganda passed the Regulation of

Interception of Communications [RICA] Act and in 2011, the Regulation of

Interception of Communications Regulations, S.I, No. 2011 were also enacted by the

Minister responsible for Security as required under the RICA. Section 9(2) of the

RICA requires all telecommunication service providers to ensure that existing

subscribers register their SIM cards within a period of six months from the

commencement of the Act. Regulation 7 of S.I No. 42 of 2011 sought to

operationalize Section 9(2) of the RICA as much as the RICA itself seeks to

operationalize Sections 18 and 19 of the Anti-Terrorism Act, 2002 of Uganda. In line

with the requirements under the RICA, the Uganda Communications Communication

(UCC) established by the UCC Act of 2013 with the sole mandate of regulating the

broadcasting and telecommunications industry of Uganda threatened to switch off or

to direct all service providers to switch off the users of unregistered SIM cards on 31 st

/08/ 2013. Based on this threat and fearing to register their information or data with

private and mainly foreign telecommunication service providers in Uganda in the

absence of a comprehensive law on data protection and privacy in Uganda, two NGOs

namely the Human Rights Network for Journalists Uganda Limited (HRNJUL) and

the Legal Brains Trust (LBT) brought a public interest case on behalf of all the

unregistered SIM card users in Uganda.

Thus, a case by the name, Human Rights Network for Journalists Uganda Limited &

Legal Brains Trust (LBT) v. Uganda Communications Commission (UCC) & Attorney

General 61 , the applicants sought an injunction to restrain the defendants from

effecting their [defendant’s] threat of switching off unregistered SIM card users. The

applicants also complained about the fact that the telephone service providers may use

the information [data] collected from subscribers for purposes other than those for

59

Constitutional Petition No. 08 of 2014.

60

Alex B. Makulilo, (2015), ‘Ugandan Privacy Bill: a cosmetic tokenism? Unpublished paper (on file

with the author), p. 6.

61

Misc. App. No. 81 of 2013 Arising out of Misc. Cause No. 219 of 2013 (the main suit is yet to be

determined).

11


which the registration was conducted [security and identification of subscribers]. 62

However, the High Court declined to grant an injunction against the defendants. In so

doing, and in a strange turn of events, the High Court missed out on the opportunity to

clarify on Uganda’s law in respect of rights of the data subject, data processor, data

controller and data collector. It was indeed a missed opportunity.

(b) An Overview of the Implementation of Data Protection Legislation

This section of the paper deals with data protection principles since Uganda does not

have comprehensive data protection laws, the data regulator, international transfer of

personal data and the relevance of comparative influences and interpretation of data

protection legislation.

(i) Data Protection

Uganda does not have a comprehensive data protection legislation yet. What can be

relied upon is mere piece-meal legislation touching on privacy and generally

interpreted to even cover cases of data protection since the main aim of data

protection is to ensure the protection of privacy of the individual. Article 27 of the

Constitution has been used to protect privacy (including data) in Uganda albeit with

some major challenges as can be seen in the case of Human Rights Network for

Journalists Uganda Limited & Legal Brains Trust (LBT) v. Uganda Communications

Commission (UCC) & Attorney General (supra).

However, the government of Uganda has now introduced a comprehensive law to deal

with this subject viz: The Data Protection and Privacy Bill, 2015 (hereinafter referred

to as the “DPP” Bill) which now awaits approval by Cabinet and introduction to

Parliament. A discussion of the draft Bill is therefore necessary and will follow later.

(ii) Data Protection Principles

It is imperative to first list what has come to be classified as the eight (8) basic

principles of data protection, which are worth noting and which almost every data

protection law must have as core minimum standards to abide by. The analysis on the

Uganda Data Privacy Bill (DPP Bill) follows the standard of the OECD and its based

on this standard that the author is analyzing the Bill.

The definition of ‘personal data’ as given above in the OECD Guidelines has been

amplified by the “DPP” Bill, which in Clause 2 on Interpretation defines ‘personal

data’ to mean:

Information about a person from which the person can be identified that is recorded in any

form and includes—

(a) data that relates to the nationality, age or marital status of the person;

(b) data that relates to the educational level, or occupation of the person or data that

relates to a financial transaction in which the person has been involved;

62

This claim by the applicants is misconceived since under Section 18 of the Computer Misuse Act,

2011, any person or organization who collects information or data from another person is required to

use the information or data only for the purpose for which the data was collected and in case of need of

any further use of the information or data, express permission must be sought from the person whom

the information or data was got.

12


(c) an identification number, symbol or other particulars assigned to the person; and

(d) identity data;

(e) other information which is in the possession of, or is likely to come into

possession of the data controller, and includes an expression of opinion about

the individual.

Although non-binding, the OECD Guidelines have had a tremendous impact on the

development and enactment of data protection laws not only among members of the

OECD but the world over. Indeed, the Guidelines have been a trailblazer for not only

the OECD members but also non-members Uganda inclusive as seen in the DPP Bill.

Owing to the great influence that the OECD Guidelines have had on the development

of data protections across the world, a mention of these Guidelines in detail is done

here below.

Solove and Schwart observe that the OECD Privacy Guidelines establish eight

principles regarding processing of personal data:

1. Collection Limitation Principle. There should be limits to the collection of personal data

and any such data should be obtained by lawful and fair means and, where appropriate,

with the knowledge or consent of the data subject.

2. Data Quality Principle. Personal data should be relevant to the purposes for which they

are to be used, and, to the extent necessary for those purposes, should be accurate,

complete and kept up-to-date.

3. Purpose Specification Principle. The purposes for which personal data are collected

should be specified not later than at the time of data collection and the subsequent use

limited to the fulfillment of those purposes or such others as are not incompatible with

those purposes and as are specified on each occasion of change of purpose.

4. Use Limitation Principle. Personal data should not be disclosed, made available or

otherwise used for purposes other than those specified in accordance with [the purpose

specification] except: a) with the consent of the data subject; or b) by the authority of law.

5. Security Safeguards Principle. Personal data should be protected by reasonable security

safeguards against such risks as loss or unauthorized access, destruction, use,

modification or disclosure of data.

6. Openness Principle. There should be a general policy of openness about developments,

practices and policies with respect to personal data. Means should be readily available of

establishing the existence and nature of personal data, and the main purposes of their use,

as well as the identity and usual residence of the data controller.

7. Individual Participation Principle. An individual should have the right: (a) to obtain from

a data controller, or otherwise, confirmation of whether or not the data controller has data

relating to him; (b) to have communicated to him, data relating to him (i) within a

reasonable time; (ii) at a charge, if any, that is not excessive; (iii) in a reasonable manner;

and (iv) in a form that is readily intelligible to him; (c) to be given reasons if a request

made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial;

and (d) to challenge data relating to him and, if the challenge is successful to have the

data erased, rectified, completed or amended.

8. Accountability Principle. A data controller should be accountable for complying with

measures which give effect to the principles stated above….” 63

Principle One of the OECD Guidelines on collection limitation has been captured in

Clause 3(1)(a) of the DPP Bill. The clause deals with the usual sections on collection

limitation such as transparency, and has security safeguards to the data collected.

63

Solove & Schwartz, supra, 997 – 998.

13


In order to further strengthen and ensure the quality of the data or information

collected Clause 11 of the DPP Bill states that “a person who collects or processes

personal data shall ensure that the data is complete, accurate, up-to-date and not

misleading having regard to the purpose for its collection or processing.”

On purpose specification has been dealt with in Clauses 8 and 13 of the DPP Bill. In

particular, Clause 8 states that “a person who collects personal data shall collect the

data for a lawful purpose which is specific, explicitly defined and is related to the

functions or activity of the person or public body.” Clause 3(2) then enjoins the

Authority – NITA, to ensure “that every data collector, data controller, data processor

or any other person collecting or processing data complies with the principles of data

protection and this Act.” Not only does the principle of purpose specification seek to

ensure that the data is collected for a lawful purpose but it also seeks to ensure that the

data is put to or used for the purpose for which it was sought. Indeed, putting the data

to another purpose without the prior informed consent of the data subject is prohibited

in Clause 13.

On use limitation Bill deals with this issue in Clause 8. Similarly, Clause 13(1) of the

DPP Bill states that “where a person holds personal data collected in connection with

a specific purpose, further processing of the personal data shall be only for that

specific purpose.” The use limitation principle underscores the principle of Clause

3(1)(b) on “collecting and processing data fairly and lawfully.”

The Bill also underscores security safeguards, through Clauses 3(1)(g), 15 and 16 of

the DPP Bill. Clause 3(1)(g) states that a data collector shall “observe security

safeguards in respect of the data.” Even when the data controller seeks to process

personal data outside Uganda, he or she shall ensure that the security safeguards in

respect of the data are secured. 64 Clause 16(1) obliges to data controller to “secure the

integrity of personal data in the possession or control of a person by adopting

appropriate, reasonable, technical and organizational measures to prevent loss,

damage, or unauthorized destruction and unlawful access to or unauthorized

processing of the personal data.” Equally, “a data controller shall observe generally

accepted information security practices and procedures, and specific industry or

professional rules and regulations.” 65

Key to data protection in any country is the principle of openness which is somewhat

dealt with in the DPP Bill, albeit in a vague manner. Though not specifically referred

to as such in the Bill, the openness principle is covered in Clauses 3(1)(b)(c), 5, 10

and 14. The data controller should “(b) collect and process data fairly and lawfully;

and ‘(c) collect, process, use or hold adequate, relevant and not excessive or

unnecessary personal data’”. 66 To strengthen the openness principle further, “a person

shall not collect or process personal data which relates to the religious or

philosophical beliefs, political opinion, or sexual life of an individual.” 67 Clause 5 of

the DPP Bill is intended to secure the privacy of the individual and to avoid

discrimination based on any of the grounds listed in sub-clause 1. Clause 10 of the

Bill also obliges a “data controller or data processer to process only the necessary or

64

Clause 15 of the DPP Bill.

65

Ibid, Clause 16(3).

66

Ibid, Clause 3(1)(b)(c).

67

Ibid, Clause 5(1).

14


relevant personal data and nothing in excess of that”. The minimality principle, which

is treated as an independent principle in both the Bill and other jurisdictions is also

useful in promoting openness in data protection since only data that is necessary shall

be processed. In the same vein, “a person who collects personal data shall not retain

the personal data for a period longer than is necessary to achieve the purpose for

which the data is collected and processed unless the retention of the data is required or

authorized by law” or for any other purposes as is authorized under the Bill. 68

In a bid to secure and entrench democratic principles in the Bill, individual

participation has been covered adequately in the DPP Bill. At its core, this principle

seeks to ensure that data controller and users oblige to transparency and participation

of data subjects in processing personal data. 69 According to Makulilo, who has

offered an analysis of the DPP Bill, the principle of individual participation “entails a

number of things: obtaining consent prior to processing of personal information (sec

4); collection of data directly from a data subject (sec 7); right to object [to]

processing (sec 4(3), 20, 21); right to access personal information (sec 19); right to

demand rectification, blocking, erasure and destruction of personal data (sec 24).” 70 It

can therefore be ascertained that the Bill offers great protection of the principle of

individual participation just in line with the widely accepted OECD Guidelines.

Lastly, another key principle is that of accountability which has been well articulated

above and more specifically in Clause 3(1)(a). However, it should be observed that

the attainment of the principle of accountability is largely dependent on other

principles such as principle on transparency and data subject participation.

Alongside the above principles, the DPP Bill offers extra protection in a number of

contexts including:

“Gives a data subject the right to require a data controller to stop processing data for purposes

of direct marketing (sec 21(1)). The term ‘direct marketing’ includes any communication by

whatever means of any advertising or marketing material, which is directed at an individual

(sec 21(5)). Likewise, the Bill gives a data subject the right to require a data controller to stop

making decisions taken by or on her behalf which significantly affects the data subject as it is

based solely on the processing of personal data by automatic means (sec 22).” 71

In a nutshell, Uganda’s DPP’s guarantees the protection of most of the recognized

principles of data protection, save for a few which need to be included in the draft Bill

as discussed here below.

(iii) Data Protection Regulator

Most data protection legislations the world over have a regulator sometimes in the

form of an authority, which is usually independent in the performance of its duties.

Uganda’s DPP Bill is no exception. Clause 25 of the Bill bestows upon the National

Information Technology Authority – Uganda (NITA-U); the power to keep and

maintain a Data Protection Register. This is clearly in line with the functions of

68

Ibid, Clause 14(1).

69

Ibid, Clause 3(1)(e).

70

Alex B. Makulilo, (2015), ‘Ugandan Privacy Bill: a cosmetic tokenism? Unpublished paper (on file

with the author), p. 8.

71

Ibid, p.9.

15


NITA-U viz: “‘co-ordinate, supervise and monitor the utilization of information

technology in the public and private sectors’; and ‘to create and manage the national

databank, its inputs and outputs.” 72 NITA-U is also required to ensure “access to

register by any member of the public.” 73 As the regulator, NITA-U is meant to play a

leading role in matters touching on data protection in Uganda such as receiving and

hearing of complaints of data subjects, and it is therefore imperative to examine the

objects, powers, and functions of NITA-U and the extent to which the regulator is

able to carry out the mandate which has been bestowed upon it by the DPP Bill.

Clauses 20(4), 21(4), 22(5) of the DPP Bill. NITA-U has been empowered to ensure

access to personal information once a request has been made by a data subject to a

data controller. 74 The data subject also has a right to “prevent the processing of

personal data, by the data controller or processor in writing, and in the event of noncompliance,

the Authority, if satisfied that the request by the data subject is justified,

may direct the data controller to comply.” 75 The Bill also empowers the data subject

to “prevent processing of personal data for direct marketing” 76 and “‘direct

marketing’ has been stated to include the communication by whatever means of any

adverting or marketing material which is directed at an individual.” 77 NITA-U is also

empowered to handle complaints in respect of “rights in relation to automated

decision-making” 78 and “where the Authority is satisfied on a complaint by a date

subject that a person taking a decision has failed to comply, the Authority may order

the responsible person to comply.” 79 More importantly however, is that “where the

Authority is satisfied on a complaint of a data subject that personal data on that data

subject is inaccurate, the Authority may order the data controller to rectify, update,

block, erase, or destroy the data.” 80

NITA-U has the responsibility of handling complaints as stipulated in Part VII of the

Bill. All complaints “against breach and non-compliance with the Act” 81 , the duty to

“investigate every complaint against a data collector, data processor or data

controller” 82 , and “where a data subject suffers damage or distress through the

contravention by a data collector, data processor or data controller of the requirements

of this Act” 83 the Authority shall ensure that such a data subject is compensated.

On the independence of NITA-U, it is a generally accepted principle that the data

regulator shall be independent. This connotes independence from both the public and

private sectors or any other individual since the Bill covers data in both the public and

private sectors.

72

See Section 5(c)(e) of the National Information Technology Authority, Uganda Act, Act No. 4 of

2009.

73

Clause 26 of the Bill.

74

Clause 20(4) of the Bill.

75

Clause 21(4) of the Bill.

76

Clause 22(1) of the Bill.

77

Clause 22(5) of the Bill.

78

Clause 23(1) of the Bill.

79

Clause 23(4) of the Bill.

80

Clause 24(1) of the Bill.

81

Clause 27 of the Bill.

82

Clause 28 of the Bill.

83

Clause 29(1) of the Bill.

16


Makulilo notes as follows on the independence of NITA-U:

…NITA-U is an agency of the government of Uganda. As such it operates under the general

supervision of the Minister responsible for technology (sec3(3), 34 of the National

Information Technology Authority, Uganda Act, 2009). The Authority is also under the

general direction and supervision of the Board of Directors (sec 16(5). Likewise, the

Executive Director is appointed by the Minister upon recommendations of the Board (16(1)).

His or Her tenure may be terminated by the Minister after consultation with the Board of

Directors (sec 16(8). Other relevant provisions are that staff of the authority are required to

abide with confidentiality (sec 22); they are protected for personal liability that arises in the

course of employment and done in good faith (sec 35); funding of the Authority comes from

the Parliamentary budget and other sources (sec 24); the Director is to submit a report to the

Minister who forwards it to the Parliament (sec 36, 37). It is submitted that considering the

overall functions and powers of the Authority, NITA-U may not be an independent privacy

Authority similar to those in international data privacy policies. 84

Apart from listing the objects, functions and powers of the Authority, the NITA,

Uganda Act does not expressly provide for the independence of the regulator as is

required and has been stated in most international data privacy Conventions and to

that extent it can be said that NITA-U is not fully independent of the Government of

Uganda or the Minister for Technology. It would have been better, if the DPP Bill had

gone ahead to create an independent regulator for data protection in Uganda other

than NITA-U or in the absence of that, giving the NITA-U, such independence under

the DPP Bill in respect of data privacy protection in the country.

Not only does the NITA-U face a litany of shortcomings as a regulator in the DPP

Bill but also the weakest enforcement provisions. Makulilo has again highlighted

upon the weaknesses in these provisions in the Bill thus:

There are no complaints resolving mechanisms in the Bill. In the three situations where the

Authority is empowered to issue an order for compliance to data controllers, there is no right

to the aggrieved data controller who wish to challenge the order by way of appeal. The Bill

provides for civil remedies where a data subject suffers damage or distress in the event that

data controller contravenes the law (23(1)). There is neither limit set for the maximum

damages nor guidance on how to assess them. The Bill is also silent as to forum where a data

subject will pursue his claim for compensation. Will this be the Authority itself or court of

law? There is no any indication to the response of this question from the Bill. The right of

appeal for the aggrieved party is also not provided [for] in the Bill. The data controller may

raise the defence of reasonable care against claims for compensation (sec 23(2)). Similarly,

the Bill creates offenses for unlawful obtaining and disclosure of personal data, whose

conviction is fine not exceeding 120 currency points or imprisonment for a period not

exceeding five years or both (sec 27). It is also an offense to sale personal data (sec 28). The

punishment of which is the same as in the unlawful disclosure of personal data. There is also

an administrative penalty sort of where the Authority may direct the data controller to punish

the fact of the compromise to the integrity or confidentiality of the personal data (sec 18(7)). 85

Along side the complaints on enforcement as raised by Makulilo above lies penalties

for unlawful obtaining and disclosure of personal data (clause 30); sale of personal

data (clause 31) and offences by corporations (on clauses 30 and 31) shall also be

liable. The weaknesses that are apparent in the Bill as given above by Makulilo can

also be rectified through the Regulations. Under the Bill, “the Minister for

Technology is given power to make regulations by a statutory instrument for (b)

84

Alex B. Makulilo, (2015), ‘Ugandan Privacy Bill: a cosmetic tokenism? Unpublished paper (on file

with the author), p. 8.

85

Ibid, p.12.

17


administrative or procedural matter which is necessary to give effect to this Act; (c)

retention period of personal data; or (d) matter which is necessary and expedient to

give effect to this Act.” 86 Similarly, “the Minister is given power to amend the

Schedule by a statutory instrument with the approval of Cabinet.” 87 It is therefore

possible that using clauses 33 and 34 of the Bill, the Minister can effectively address

some of the loopholes of the Act.

iv. International Transfer of Personal Data

One of the key highlights in terms of accessing the adequacy and appropriateness of a

data protection law is the guarantees that such legislation seeks to offer in relation to

international transfer of personal data. Such transfer is not only regional, but can be

continental or even inter-continental. Thus, its imperative to assess the provisions of

the DPP Bill and the guarantees it offers in this aspect. For this purpose, Clause 15 of

the Bill is reproduce here below in extenso:

Where a data processor or data controller processes personal data outside Uganda, the data

processor or data controller shall ensure that the country in which the data is processed has

adequate measures in place for the protection of the personal data, which are at least

equivalent to the protection provided by this Act.

It can therefore be said that Clause 15 of the Bill offers a bare minimum protection for

cases of personal data processed outside Uganda. However, the above clause is not

adequate on all fronts in respect of international transfer of personal data and

especially when analyzed from the lenses of standards that have been set in

international legislations on this subject. Makulilo argues thus:

In contrast to the sixteen (16) African countries which have so far adopted data privacy

legislations (i.e., Cape Verde, Seychelles, Burkina Faso, Mauritius, Tunisia, Senegal,

Morocco, Benin, Angola, Gabon, Ghana, Mali, Ivory Coast, Lesotho, South Africa and

Madagascar), the Ugandan Data Protection and Privacy Bill does not provide any regime of

cross-border transfer of personal data. It means that personal data of Ugandans can be

transferred to Uganda from countries whose laws have no such restrictions to transfer of

personal [data] abroad. As one of the reasons for the proposed privacy Bill in Uganda is to

improve the business outsourcing sector (BPO), this is unlikely to be achieved. This is due to

the fact that significant investments in such business come from foreign companies

particularly the ones in Europe. The EU Directive restricts transfer of personal data to third

countries, which do not have adequate level of protection of personal data (Article 25). Lack

of a regime of cross-border transfer of personal data alone, is enough to render loopholes in

the Ugandan law to the extent that it may act as a safe haven for onward transfer of personal

data by controllers who escape stringent regulations in their home countries. Definitely [the]

EU will limit transfer [of] personal data of its citizens to Uganda. 88

The above criticism of Bill by Makulilo is true in part and false in another. If Clause

15 of the Bill is implemented even in its current form, it will be able to curb and

address some of the fears being raised by Makulilo. For, under Clause 15 “any

processor or data controller shall ensure that the country in which the data is

processed has adequate measures in place for the protection of the personal data,

which are at least equivalent to the protection provided by this Act [Uganda].” Thus,

86

Clause 33 of the Bill.

87

Clause 34 of the Bill.

88 Alex B. Makulilo, (2015), ‘Ugandan Privacy Bill: a cosmetic tokenism? Unpublished paper (on file

with the author), p. 10-11.

18


in a way, the Bill seeks to guarantee the international data export and extra

territoriality issues that arise in relation to data. Again Makulilo argues:

The privacy Bill does not propose any rule for this. It is safe to argue that the privacy Bill will

only apply to controllers established in Uganda. The Bill does not cater for a controller who is

not domiciled or having principal place of business in Uganda but uses automated or not

automated equipment located in Uganda. This provision is too restrictive and will as well

affect the business-outsourcing sector. 89

The Bill may need re-writing to capture some of the key concerns such as extraterritorial

and cross-border protection of personal data. The Bill offers protection in

Clauses 22 and 23 can be used to curtail “any data controller who wants to use

personal data for direct marketing” 90 (be it in Uganda or abroad) and “a data subject

may by notice in writing to a data controller require the data controller to ensure that

any decision taken by or on behalf of the data controller which significantly affects

that data subject is not based solely on the processing by automatic means of personal

data in respect of that data subject.” 91

The United Nations has called upon member states to pass laws which “respect the

right to privacy and personal data in relation to the Human Rights Committee, general

comment No. 16 on article 17 of the International Covenant on Civil and Political

Rights, para.10.” 92 Frank La Rue, noted that:

…the protection of personal data represents a special form of respect for the right to privacy.

States parties are required by article 17(2) to regulate, through clearly articulated laws, the

recording, processing, use and conveyance of automated personal data and to protect those

affected against misuse by State organs as well as private parties. In addition to prohibiting data

processing for purposes that are incompatible with the Covenant, data protection laws must

establish rights to information, correction and, if need be, deletion of data and provide effective

supervisory measures. Moreover, as stated in the Human Rights Committee’s general comment on

the right to privacy, “in order to have the most effective protection of his private life, every

individual should have the right to ascertain in an intelligible from, whether, and if so, what

personal data is stored in automatic data files, and for what purposes. Every individual should also

be able to ascertain which public authorities or private individuals or bodies control or may control

their files. 93

In a way therefore, the United Nations has set the standard, as recent as 2011, in

which it calls upon all its members to protect personal data as a form of respect for the

right to privacy including developing comprehensive guidelines and rules on not only

automated data files but also cross-border and international transfer of personal data.

(iv) Comparative Influences and Interpretation of the data protection Legislation

Uganda has never had a comprehensive data protection law. As Makulilo notes “the

last two decades have witnessed privacy law reform in Africa. Yet there is no privacy

legislation in any of the countries in the East African Community (EAC) comprising

of Kenya, Uganda, Tanzania, Rwanda and Burundi. At the moment, Kenya and

89

Ibid.

90

Clause 22(1) of the Bill.

91

Clause 23(1) of the Bill.

92

Frank La Rue, ‘Report of the Special Rapporteur on the promotion and protection of the right to

freedom of opinion and expression,’ Human Rights Council, 17 th Session, Agenda Item 3, 2011, p. 16.

93

Ibid, para.58.

19


Tanzania have draft data privacy bills. Recently, Uganda has issued a draft privacy

bill following suit to Kenya and Tanzania.” 94 However, the comparative influences on

the development of data privacy protection law in Uganda can be said to come from

mainly the influences of African Union, the OECD, the EU Directive and the EAC.

(c) Other Procedural and Enforcement Mechanisms

In order to effectively achieve data protection and privacy, the DPP should espouse

universally accepted procedural and enforcement mechanism. 95 The procedural and

enforcement mechanisms should guarantee the right to privacy akin to those, which

have been developed to ensure the enjoyment of rights in the fight against terrorism. 96

Comprehensive guidelines also need to be developed, mostly by subsidiary law to

deal with issues of public interest and national security in relation to data protection

and privacy. 97 This is particularly important as Nowak notes “in the fight against

organized crime and terrorism, modern police and intelligence agencies are using

information and surveillance technology, including racial profiling, that potentially

affects numerous innocent citizens and constitutes far-reaching interference with the

right to privacy and data protection.” 98 The application of international data privacy

rules has to be harmonized with Uganda’s national laws. 99

V. Regional Economic Communities (RECs) and Data Protection

Uganda is a member of the East African Community (EAC) as established by the

Treaty for the Establishment of the EAC. 100 Uganda has domesticated the Treaty

through the EAC Act of 2006. The Community operates on its fundamental principles

which include: “good governance including adherence to the principles of democracy,

the rule of law, accountability, transparency, social justice, equal opportunities,

gender equality, as well as the recognition, promotion and protection of human and

peoples rights in accordance with the provisions of the African Charter on Human and

Peoples’ Rights.” 101 The EAC has also passed the Protocol on the Establishment of

the East African Community Common Market.

(a) Envisaged Common Markets and the Movement of Information

The “Common Market Protocol (CMP) became operational in 2010 and negotiations

are under way to achieve a Monetary Union and Political Federation by the year

94

Alex B. Makulilo, (2015), ‘Ugandan Privacy Bill: a cosmetic tokenism? Unpublished paper (on file

with the author), p. 1.

95

See generally Daniel J. Solove, ‘Understanding Privacy,’ (Harvard University Press 2009).

96

See generally Steve Foster, ‘Human Rights and Civil Liberties,’ (3 rd edn, Pearson Education Limited

2011).

97

See general S. Dycus, A.L. Berney, W.C. Banks & P. Raven-Hansen, ‘National Security Law,’ (4 th

edn, Apen Publishers 2007).

98

Manfred Nowak, ‘Introduction to the International Human Rights Regime,’ (Martinus Nijhoff

Publishers 2003), p. 346.

99

See generally Joel R. Reidenberg, ‘Resolving Conflicting International Data Privacy Rules in

Cyberspace,’ Stanford Law Review, 2000, vol. 52, p. 1315 – 1371.

100

Under Article 3 of the EAC Treaty, the EAC has five (5) Partner States, i.e., the Republic of

Uganda, the Republic of Kenya and the United Republic of Tanzania. The Republics of Rwanda and

Burundi have also since joined the Community.

101

Article 6(d) of the EAC Treaty.

20


2015.” 102 The EAC region has a population of nearly 150 million people with a

Common Market. Thus, the movement of both people (labour) and goods and the

corresponding information is massive. Some strides have been made in the area as

noted by Makulilo:

Uganda acceded to the International Covenant on Civil and Political Rights (ICCPR) 1966 on

21 June 1995. She is also a part to its optional Protocols. The ICCPR protects the right to

privacy (Art 17). Likewise, Uganda is a party to the Convention on the Rights of the Child

(CRC) 1990 and its optional Protocols. The CRC offers to children protection of privacy (Art

16). Similarly, Uganda is a member of the East African Community (EAC). In 2010 the EAC

adopted the EAC Legal Framework for Cyber Law (Phase I). Although not a model law, it

recommended to the best practices. Uganda is also a member of the African Union (AU). On

27 June 2014, the AU adopted the African Union Convention on Cyber Security and Personal

Data Protection 2014. The Convention provides for principles of data protection and oversight

institution hence filling the gap left in the African Charter on Human and Peoples’ Rights

1981 as far as protection of privacy is concerned. However, it is not yet in force and Uganda

will only be bound by this Convention upon ratification. 103

The recently adopted African Union Convention on Cyber Security and Personal Data

Protection is a landmark model law, which can guide its members on cyber security

and personal data protection. The AU Convention mirrors similar legislations such as

the OECD model law, the UK Data Protection Act, 1998, and the EU Directive.

Indeed, the AU Convention is like a response to the observations of UN Special

Rapportuer Frank La Rue who observed [in 2011] thus:

…there is insufficient or inadequate data protection laws in many States stipulating who is

allowed to access personal data, what it can be used for, how it should be stored, and for how

long. The necessity of adopting clear laws to protect personal data is further increased in the

current information age, where large volumes of personal data are collected and stored by

intermediaries, and there is a worrying trend of States obliging or pressuring these private

actors to hand over information of their users. Moreover, with the increasing use of cloudcomputing

services, where information is stored on servers distributed in different

geographical locations, ensuring that third parties also adhere to strict data protection

guarantees is paramount. 104

Uganda is therefore duty bound to develop detailed laws on personal data protection.

(b) Transposition of REC Data Protection Policies

At the regional level, apart from the EAC Treaty, which obliges Partner States to

observe the principles of good governance and human rights, the EAC has also

adopted the EAC Legal Framework for Cyber Law (Phase I), which can be quite

informative on the processes and procedures for EAC Partner States to follow in order

to come up with meaningful REC data protection policies. The Data Protection

principles of the EU and the UK have greatly influenced the development of data

protection legislation in Uganda. 105 Data protection remains key in securing the

102

K. Gastorn, H. Sippel & U. Wanitzek, ‘Introduction: Regional Cooperation and Legal Integration

in East Africa,’ in K. Gastorn, H. Sippel & U. Wanitzek (eds.) Processes of Legal Integration in the

East African Community (TGCL, Dar es Salaam University Press 2011), p.1.

103

Makulilo, supra, p.5.

104

Frank La Rue, supra, p.15, para. 56.

105

David Bainbridge, ‘Data Protection Law,’ (2 nd edn, XPL Publishing 2005), p. 61.

21


privacy of the individual since such data may be very sensitive. 106 However, whereas

the Data Protection Act 1998 of the UK gives conditions for processing ‘sensitive’

data, the DPP Bill of Uganda does not have similar or corresponding provisions. 107

Even with this shortcoming, the DPP Bill still fulfills the key objectives of data

protection law, viz: “those who process information concerning individuals are subject

to a regulatory framework within which they can process personal data lawfully, [and

secondly] as individuals we all have rights under data protection law.” 108

V. Conclusion

Uganda needs to pass a comprehensive data protection law that not only reflects the

generally accepted international standards, 109 but also takes care of the Ugandan and

African values to data protection and privacy. 110 Even with the present day challenges

of terrorism 111 , increasing organized crime and political instability 112 , Uganda needs

to remain steadfast in its pursuit of human rights. 113 The law should not be used to

victimize or violate rights of any group in Uganda and beyond. 114 The core values and

principles of data protection and privacy should be the well observed in the law.

Above all Uganda’s Data Protection and Privacy Bill should be revised so as to align

it more with human rights. 115 The tensions that come with balancing the civil liberties,

human rights and national security alongside data protection and privacy also need to

be addressed very carefully. 116

Books

References

106

Chris Reed, ‘Database Protection,’ in Chris Reed & John Angel (eds), Computer Law (6 th edn,

Oxford University Press 2007), p. 402.

107

David Bainbridge, ‘Introduction to Computer Law,’ (5 th edn, Pearson Longman 2008), p. 467 – 468.

108

David I. Bainbridge, ‘Introduction to Information Technology Law,’ (6 th edn, Pearson Longman

2008), p. 498.

109

Andrew Charlesworth, ‘Data Privacy in Cyberspace: Not National vs. International but

Commercial vs. Individual,’ in Lillian Edwards & Charlotte Waelde (eds), Law & The Internet: A

Framework for Electronic Commerce (Hart Publishing 2000), p.79-122.

110

See generally, Therese Murphy (ed), New Technologies and Human Rights (OUP 2009).

111

See generally, Benjamin J. Goold, ‘Privacy, Identity and Security’ in Benjamin J. Goold & Liora

Lazarus (eds) Security and Human Rights (Hart Publishing 2007), p. 45 – 71.

112

Benjamin J. Goold & Daniel Neyland (eds), New Directions in Surveillance and Privacy (William

Publishers 2009).

113

Olive Kobusingye, The Correct Line? Uganda Under Museveni (Author House 2010).

114

See generally Mary Frank Fox, Deborah G. Johnson & Sue V. Rosser (eds), Women, Gender and

Technology (University of Illinois Press 2006).

115

See generally Gudmundur Alfredsson & Asbjorn Eide (eds), The Universal Declaration of Human

Rights: A Common Standard of Achievement (Martinus Nijhoff Publishers 1999); Henry J. Steiner,

Philip Alston & Ryan Goodman, International Human Rights in Context: Law, Politics, Morals (3 rd

edn, OUP 2007); Richard B. Lillich, Hurst Hannum, S. James Anaya & Dinah L. Shelton, International

Human Rights: Problems of Law, Policy and Practice (4 th Aspen Publishers 2006).

116

Neil Hicks, The Impact of Counter Terror on the Promotion and Protection of Human Rights: A

Global perspective, in Richard Ashby Wilson (ed), Human Rights in the ‘War on Terror’ (New York:

CUP, 2005), pp. 209 – 224; Peter Galison & Martha Minow, Our Privacy, Ourselves in the Age of

Technological Intrusions, in Richard Ashby Wilson (ed), Human Rights in the ‘War on Terror’ (New

York: CUP, 2005), pp. 258 – 294; Kenneth Roth, The Tension between Combating Terrorism and

Protecting Civil Liberties, in Richard Ashby Wilson (ed), Human Rights in the ‘War on Terror’ (New

York: CUP, 2005), pp. 157 – 168.

22


Bainbridge D, Introduction to Computer Law (Pearson Longman 2004)

Bainbridge D, Data Protection Law (XPL Publishing 2005)

Bainbridge DI, Introduction to Information Technology Law (Pearson Longman

2008)

Charlesworth A, Data Privacy in Cyberspace: Not National vs. International but

Commercial vs. Individual, in Edwards L. & Waelde C, (eds) Law & The Internet: A

Framework for Electronic Commerce (Hart Publishing 2000)

Dycus S, Berney AL, Banks WC & Raven-Hansen P, National Security Law (Aspen

Publishers 2007)

Foster S, Human Rights and Civil Liberties (Pearson Education Limited 2011

Fox MF, Johnson DG & Rosser SV (eds), Women, Gender and Technology

(University of Illinois Press 2006)

Hughes A, Human Dignity and Fundamental Rights in South Africa and Ireland

(PULP 2014)

Huripec, Religion, Rights and Peace Fellowship Monograph on Human Rights

through the Lens of Religion, 2014

Gastorn K, Sippel H, & Wanitzek U, Introduction: Regional Cooperation and Legal

Integration in East Africa, in Gastorn K, Sippel H & Wanitzek U (eds) Processes of

Legal Integration in the East African Community (Dar es Salaam University Press

2011) Goold BJ, Privacy, Identity and Security in Goold BJ & Lazarus L (eds)

Security and Human Rights (Hart Publishing 2007)

Gudmundur A & Eide A (eds), The Universal Declaration of Human Rights: A

Common Standard of Achievement (Martinus Nijhoff Publishers 1999)

Kabumba Busingye, The Application of International Law in the Ugandan Judicial

System: A Critical Inquiry in Killander, M. (Ed), International Law and Domestic

Human Rights Litigation in Africa (PULP 2010)

Kobusingye O, The Correct Line? Uganda Under Museveni (Author House 2010)

Niringiye DZ, The Political Governance Crisis of Uganda @50: Institutional Failure,

Rule by Law and Law of the Ruler, Huripec, RRRF 2014

Mamdani M, Imperialism and Fascism in Uganda (Heinemenn 1983)

Mamdani M, Good Muslim, Bad Muslim: America, the Cold War and the Root of

Terror (Fountain Publishers 2004)

Lillich RB, Hannum H, Anaya SJ & Shelton DL, International Human Rights:

Problems of Law, Policy and Practice (Apsen Publishers 2006)

Mamdani M, Saviours and Survivors: Darfur, Politics, and the War on Terror

(Pantheon Books 2009)

Murphy T (ed), New Technologies and Human Rights (OUP 2009)

Nowak M, Introduction to International Human Rights Regime (Martinus Nijhoff

Publishers 2003)

Odimbe-Ojambo H, Reflections on Freedom of Expression n Uganda’s Fledgling

Democracy: Sedition, “Pornography” and Hate Speech, HURIPEC Working Paper,

No. 18, 2008

Steiner HJ, Alston P & Goodman R, International Human Rights in Context: Law,

Politics, Morals (OUP 2007)

Solove DJ, Understanding Privacy (Harvard University Press 2008)

Solove DJ & Schwartz, Information Privacy Law (Aspen Publishers 2009)

Viljoen F, International Human Rights Law in Africa (OUP 2012)

Wilson, RA (ed), Human Rights in the ‘War on Terror’ (CUP 2005)

23


Articles

Kakungulu-Mayambala R, Data Protection and National Security: analyzing the

Right to Privacy in Correspondence and Communication in Uganda, HURIPEC

Working Paper No. 25, 2009.

Kakungulu-Mayambala R, Examining the Nexus Between ICTs and Human Rights in

Uganda: A Survey of Key Issues, East African Journal of Peace & Human Rights,

Vol. 16, Issue 1, 2010

Khiddu-Makubuya E, The Concept of Human Rights in Traditional Africa, Makerere

Law Journal, Vol. 1, No. 1, 1974

Makulilo A, Ugandan Privacy Bill: a cosmetic tokenism, Unpublished paper (on file

with the author 2015)

Reidenberg JR, Resolving Conflicting International Data Privacy Rules in

Cyberspace, Standford Law Review, Vol. 52, 2000

Reports

La Rue F, Report of the Special Rapporteur on the promotion and protection of the

right to freedom of opinion and expression, Human Rights Council 2011

Privacy International Report, For God and My President: State Surveillance in

Uganda, October 2015

Newspapers

Kelly JK, US Court finds Suspect guilty of Nairobi blast, The East African, February

28 – March 6, 2015

Nyakahuman PM, Conflict between Right to Privacy and the Law, Daily Monitor,

Thursday, November 20, 2014

Nsamba H, Government to pay suspected lesbians sh13m, The New Vision, 2009

Mukiibi Serunjogi E, How Government Taps Opposition Leaders’ Phone Calls,

Saturday Monitor, 2015

24

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!