On Thursday 28 February 2019, President Yoweri Museveni signed and assented to the Data Protection and Privacy Act.
The new law, the first of its kind in Uganda, is intended to:
- protect the privacy of the individual and of personal data;
- regulate the collection and processing of personal information;
- provide for the rights of the people whose data is collected;
- provide obligations of data collectors and data processors; and
- regulate the use or disclosure of personal information.
Uganda is now one of just a handful of African countries with data protection and privacy laws. Much of the continent is lagging behind international moves to shore up data protection regulation, and most African countries have not signed or ratified the 2014 African Union Convention on Cyber Security and Personal Data Protection.
The Data Protection and Privacy Act will be implemented by the National Information Authority, Uganda (NITA-U). In a statement announcing the President’s assent, NITA-U Executive Director, Mr James Saaka, said “the law provides the much-needed protection for personal identifiable information, which is key in this digital age.”
While widely lauded, the Data Protection and Privacy Act is not without its critics.
A year after the Data Protection and Privacy Bill was tabled in Parliament, Makerere University senior human rights lecturer, Dr Ronald Kakungulu Mayambala, published a paper that called for the draft law to be more strictly aligned to constitutional guarantees on personal privacy rights.
In comments presented to the parliamentary committee on information and communication technologies, the Collaboration of International ICT Policy in East and Southern Africa (CIPESA) welcomed the bill as a necessary buttress to data protection in Uganda. CIPESA, however, raised concerns about the implementation of the law by government body NITA-U. It called for the creation of an independent data protection commission that would be “free from external or undue influence such as political pressure that might otherwise compromise the right to privacy of the data subject.”
Similar recommendations were made by freedom of expression advocates Article 19 and Unwanted Witness.
In a detailed analysis of the Bill, Article 19 noted a significant flaw: the failure of the Bill to “recognise the importance of the right to freedom of expression and its interaction with the rights to privacy and personal data.”
It further stated that “the Bill entirely fails to provide for a broad exemption for the exercise of freedom of expression, including for journalistic, academic, artistic, literary or any other forms of expressive purposes.” It called the draft law “out of step with international standards and best practices in this area.”
The Data Protection and Privacy Act joins a growing list of laws enacted by Uganda over the past eight years that are aimed at protecting consumers, regulating electronic transactions and combating cybercrime. The laws include the Electronic Transactions Act 2011, the Electronic Signatures Act 2011, and the much-contested Interception of Communications and Computer Misuse acts.