Uganda: A comparison between Uganda's data protection framework and the GDPR
In 2019, Uganda passed the Data Protection and Privacy Act 2019 ('the Act'), to protect the privacy of the individual, alongside personal data, and to provide for the rights of persons whose data is collected. One year later, the statute has considerably changed how Uganda responds to issues of data protection. Kenneth Muhangi Esq, Managing Partner at KTA Advocates, provides a comparison between the implementation and enforcement of the Act and of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), alongside the enforcement provisions envisaged under the Act.
The right to privacy is already enshrined in Article 27 of the Constitution of the Republic of Uganda, 1995. Although 'data' was defined in a number of statutes, there was no law specifically providing for the processing of data and the principles of data protection.
Despite this, data protection for many companies and institutions in Uganda is still an afterthought, and many data subjects continue to handle data with little regard to the enacted law and international standards of data protection. Uganda applies common law through the Judicature Act.
The GDPR seeks to provide for the safeguarding of the personal data of EU citizens throughout the world and offers an appropriate yardstick for comparison with the Act.
In August 2020, the Ministry of Information and Communications Technology and National Guidance ('the Ministry of ICT') prepared a draft of the Data Protection and Privacy Regulations, 2020 ('the 2020 Draft') made under section 39 of the Act, which was made available to the public. Although the 2020 Draft has not yet been passed, it offers a good comparison of what is envisaged as the enforcement procedure under the upcoming law. The Act created the personal data protection office in the National Information Technology Authority - Uganda ('NITA-U'), also an independent body synonymous with the UK's Information Commissioner's Office ('ICO'), set up under Chapter 6 of the GDPR. The independence of NITA-U goes to the root of its functions and mode of operation, and it is critical that this office, and by extension, the Director, is a watchdog for data protection in Uganda. The functions conferred on NITA-U by the Act impress upon the data subjects, data controllers, and data processors that it is a heavy regulator as regards upholding data protection and privacy.
This institutional setup was created by the legislator. However, the functionality of NITA-U primarily comes down to navigating bureaucratic obstacles in its interfaces with other governmental institutions and the need to have checks on the personal data protection office itself, accordingly bringing in the discussion of self-policing.
In furtherance of this, Section 6 of the Act provides for the designation of a data protection officer ('DPO'), similar to that created under Article 37 of the GDPR. The NITA-U determines the persons, institutions, and public bodies required to designate a DPO. The DPO has to remain independent from the organisation's duties and the Act should provide for their tasks and mode of reporting to NITA-U.
An important difference to note is that the Act does not provide schedules [1] to expound on special categories of data. Borrowing from the Data Protection Act 2018 ('the UK Act'), Schedule 1 of the UK Act provides for special categories of data, and it is preferable that each of these categories should be individually provided for.
The 2020 Draft provides that NITA-U shall make public a list of the processing operations subject to this assessment. This obligation placed on NITA-U proves difficult and taxing because data protection is a moving target. It is complicated to make this list of the processing operations public as there are no known criteria of how NITA-U comes to this deduction.
Section 19 of the Act makes provisions for processing personal data outside Uganda, similar to Articles 44 and 45 of the GDPR. R. 28 of the Act provides for two important standards for the transfer of data, that is: implementation of adequate measures for data protection; and the contractual approach to consent in data protection. However, the Act does not qualify the conditions which apply to transfers of personal data outside of Uganda, as envisaged under Chapter 5 of the GDPR (Articles 44-50), and precisely Article 49 on derogation of specific situations on transfers to third countries or international organisations. Taking from the UK Act, the Act caters for transfers to third countries where the transferring controller must make it a condition of the transfer that the data is not to be further transferred to a third country or international organisation without the authorisation of the transferring controller or another competent authority [2].
The Act offers a narrow criterion for the processing of data outside Uganda and the conditions to be met for a data controller to transfer data abroad. Again, in comparison to the UK Act, which implements Articles 44 and 45 of the GDPR on the general principle for transfers and transfers based on an adequacy decision, under Section 73(2) of the Act, a condition is that the transfer is necessary for any of the law enforcement purposes [3]. This places an obligation on a data controller to consider whether the transfer is indeed for a lawful purpose. Common law states that 'the test of necessity is a strict one, requiring any interference with the subject's right to be proportionate to the gravity of the threat to the public interest.' This criterion is vital for contextualising data transfers under Section 19 of the Act.
Another condition is that the transfer be based on there being appropriate safeguards in place, based on specific circumstances, as seen in Section 73 of the UK Act. This criterion would offer a more buttressed approach and fuller explanation for determining the procedure for the processing of data outside Uganda. Data protection is a moving target and the mere act of selecting countries providing adequate measures for data protection and publishing them in the gazette, or even amending the gazette periodically to this effect, does not present the appropriate safeguard.
Consent is an interesting area that is covered by the Act and the GDPR. Sub-regulation 8(2) of the 2020 Draft, which is an enforcement provision for Section 7 of the Act, provides that consent may be obtained in a manner and form that takes into consideration the nature of the data sought to be processed or stored outside Uganda. This provision allows for the contractual approach to data protection and so, rightly, data controllers, processors or data collectors are in a position to adduce appropriate safeguards, in particular from contractual data protection clauses, to ensure compliance with the level of protection accorded by the Act.
In summation, Uganda is among the few African countries that have made significant positive steps towards data protection and regulation. The efforts to draft and enact laws to provide for data protection are an indicator that there is progress being made regarding data protection. However, there is a long way to go until the point of actual enforcement and self-regulation.
Kenneth Muhangi, Managing Partner
KTA Advocates, Kampala
1. See: https://www.legislation.gov.uk/ukpga/2018/12/schedule/1/enacted
2. See: https://www.legislation.gov.uk/ukpga/2018/12/part/3/chapter/5/enacted
3. See: https://www.legislation.gov.uk/ukpga/2018/12/part/3/chapter/5/crossheading/general-principles-for-transfers/enacted