The President of the Republic of Uganda, Yoweri Museveni, assented, on 25 February 2019, to the Data Protection and Privacy Act, 2019 (‘the Act’). In particular, the Act aims to protect individual privacy and personal data by regulating the collection and processing of personal data, as well as imposing obligations on data controllers and processors.
Brigitte Kusiima Sendi, Partner at Shonubi Musoke & Co Advocates, told DataGuidance, “It is impressive that we finally have a stand-alone act for data privacy and protection. Among other things, the Act empowers data subjects because the use of their information for research is going to be limited. Businesses such as telecommunication companies which have been using data of their subscribers for a wide range of purposes are going to have to revisit [their policies and practices].”
The Act introduces principles on lawful and adequate processing, accuracy of data records, and the consent of data subjects, and establishes a personal data protection office [‘the Office’] under the National Information Technology Authority of Uganda. Moreover, the Act provides that unlawfully obtaining, disclosing or selling personal data is subject to a penalty of up to 240,000 points, where one point is equivalent to UGX 20,000 (approx. €5), imprisonment of ten years, or both, whilst corporations may be fined up to 2% of their annual gross turnover for the same actions.
Sendi noted, “The best features of the Act include its reference to the exceptional circumstances where data may be collected or processed without the prior consent of the data subject; this minimises the likelihood of abuse as consent is required where the circumstances are not part of the exceptions. There are also references to data protection for children, which could otherwise have been exploited. Importantly, the Act also adopts the principle of data collection as stipulated in the African Union Convention on Cyber Security and Personal Data Protection.”
Under the Act, the Office is empowered to investigate complaints and may direct data collectors, controllers and processors to remedy any breaches. Further to this, the Act establishes that where a data subject suffers damage or distress through a data breach, he/she is also entitled to apply to a court of competent jurisdiction for compensation from the data collector, controller or processor, who has the burden of proving that they took reasonable care in all the circumstances.
Sendi concluded, “In terms of areas for improvement, it would have been helpful to have a time frame expressly for which a data controller must keep information as opposed to using broad language that almost leaves it discretionary. It may also have been useful to provide for when personal data may be sold as opposed to making a blanket prohibition. Finally, some of the fines for non-compliance within the Act in some cases could have been more stringent. Moreover, we expect to see more litigation arising from failure to collect data in compliance with the Act and anticipate higher costs for businesses’ compliance with its requirements […] The Act will become effective following the publication of the commencement date in the State Gazette.”
ADETOKUNBO HUSSAIN Privacy Analyst