TMT Alert: What you should know about the draft Data Protection & Privacy Regulations, 2020

By: Alice Namuli Blazevic, Patrick Mugalula and Andrew Wandera

BACKGROUND:

Joe Kaeser, the current Chief Executive Officer of Siemens, is quoted as having stated,

“Data is the oil, some say the gold, of the 21st century — the raw material that our economies, societies and democracies are increasingly being built on.”

With the ubiquitous spread of information and communication technologies across the globe, constantly charting new territory and connecting more and more people instantaneously, comes an entirely new world of real-time communications, social media, online gaming, e-commerce, augmented and virtual reality, the internet of things, among others.

One could say that, through the relentless march of information and communication technologies, our lives have taken on a new digital dimension in cyberspace. In this dimension, bits and pieces of information relating to our real-world existence, known as data, represent us and, when considered in totality, form our digital identity. It is conceivable that there will come a time when there is a de facto merger of our physical (real-world) and digital identities to form a congruent spectrum of facts that is our identity.

As we progress through this silent revolution, it is important to take a step back and consider the fundamental underpinnings and norms around the use, ownership and storage of this data. Numerous questions will arise from this new social order, such as: who may use my data? What control can I exert over my data even when it is in the control of another party? What rights accrue to a data subject, collector or processor? What are the intrinsic rights a data owner/subject should have in respect of their data?

All of this is unfolding in the context of our rapidly globalizing world, where a few mega corporations have the tools to utilize the data of persons in the remotest corners of the world in a profitable manner. Corporations such as Facebook, Apple, Amazon, Netflix and Google (Alphabet) have built massively successful business models based on the intrinsic worth of a data subject’s data to a third party. Given that background, the stakes have never been higher for countries the world over when it comes to data protection and privacy. The sharing and use of personal information drives most of the daily activities in today’s digital economy, which justifies the existence of a legal framework that seeks to create a safe space for data subjects in a digital economy that is breaking geographical barriers. There is a need to have a discussion about data norms, ethics and laws that will both facilitate this brave new and progressive world and protect the rights and privacy of data owners.

It is against this background that Uganda enacted the Data Protection and Privacy Act, 2019 (‘the Act’). The Government of Uganda, through its Ministry of ICT and National Guidance, now seeks to put in place regulations that will effectively operationalize the rules set out in the Act, known as the Data Protection and Privacy Regulations, 2020 (hereafter referred to as ‘the Regulations’). These Regulations have been made pursuant to Section 39 of the Act.

THE ACT:

At a very high level, the Act establishes a set of rules for the protection of personal data to strengthen individual rights and facilitate businesses that use data in the process of generating revenue. It identifies legitimate bases for data processing and sets out common rules for data retention, storage limitation and record keeping. This means that organizations or businesses whose business model is premised on the use of personal data have compliance requirements they have to meet. The Regulations therefore come in to further the implementation and operationalization of the Act.

This article gives insight into the shortcomings of the Regulations, opportunities for business and challenges ahead. It is no exaggeration to say that the European General Data Protection Regulation 2016/679 (GDPR) was the motivation behind and, simultaneously, the blueprint for the enactment of most data protection regimes around the world. Following that blueprint, the Act is a strong piece of legislation with the right intentions. Its punitive sections have real teeth and are likely to be the primary incentive for compliance. The Regulations, for their part, are more attuned to the local setting, borrowing certain thematic aspects from international and other foreign instruments.

THE REGULATIONS:

The Regulations come in to fill the gaps left by the Act by addressing the details and establishing the mechanism envisaged in the Act.

The Regulations are similar to the average regulations in structure, comprising ten distinct parts: (i) preliminary, (ii) the Personal Data Protection Office, (iii) data collection and processing, (iv) data protection register, (v) registration of data collectors, processors and controllers, (vi) data collection and processing, (vii) security of data, (viii) rights of data subjects, (ix) complaints and investigations and (x) general provisions.

PART 1: PRELIMINARY

This part of the Regulations deals with introductory matters such as the definition of terms and the title.

PART 2: THE PERSONAL DATA PROTECTION OFFICE

While the Act, under Sections 4, 5 and 6, creates the Personal Data Protection Office (‘the Office’), sets out its functions and provides that it will be headed by a Director, while also including a Data Protection Officer in charge of ensuring compliance with the law, the Regulations go a step further. They provide that while the Office will be a part of the National Information Technology Authority (NITA), its affairs will be managed separately.

The Regulations also provide additional roles for the Office, including guiding data collectors, processors and controllers and generally overseeing the implementation of the Act by regulating collection, carrying out audits and research, as well as advising the Government on data protection and privacy matters.

This part of the Regulations also provides for other administrative matters, such as the qualifications of the Director of the Office and the grounds for his/her removal.

PART 3: DATA COLLECTION AND PROCESSING:

This part relates to the right of a data subject to object to another party collecting or processing their data, legitimate interest as a basis for the collection of data, the collection of data relating to children, and data protection impact assessments.

Objection to collection of data:

To object to the collection of their data, a data subject merely needs to complete a form and submit it to the collector or processor. Unless the collector/processor is acting under one of the authorizations in Section 7(2) of the Act, to wit: (a) as authorized by law, (b) where it is necessary to perform a public duty, for national security, or to prevent, detect, investigate, prosecute or punish an offence or breach of the law, (c) to perform a contract to which the subject is a party, (d) for medical purposes, or (e) to comply with a legal obligation on the controller, the collector/processor will have no legal right to collect the subject’s data once they receive the objection notification.

Legitimate interest:

The Regulations introduce legitimate interest as a basis for the collection or processing of data. This should arguably have been included in the Act, but it is a welcome addition, albeit one that needs to be handled delicately. Legitimate interest is a flexible, case-by-case standard that permits collectors or processors who can demonstrate some reasonable basis for the collection or processing of data to do so even where no other basis exists. The elasticity of this basis can be both a benefit and a demerit and, as with all things, ‘the proof of the pudding will be in the eating.’

We strongly recommend that the Office proactively regulates legitimate interest by putting out advisory notes and guidance to curtail its use, in the interests of data subjects’ rights. The British data ombudsman, in its guidance on the same, highlights a three-part test for assessing whether a legitimate interest exists: the purpose of collection, the necessity of collection, and the balancing (determination) of whether the collector’s interest in collecting overrides the subject’s expectations and interests in privacy. The duty to prove a legitimate interest is on the collector.

Collection of personal data relating to children:

In perhaps the biggest failing in the Regulations, they leave it up to collectors, processors and controllers to put in place systems for ascertaining the age of natural persons whose data they will collect prior to collection, and systems for obtaining consent from a parent or guardian. It is not inconceivable that collectors will put in place the cheapest systems regardless of their actual efficacy in determining the age of minors. Many of us have clicked a box confirming that we are above 18 even when we weren’t, so there is a need to buttress this Regulation and make it more robust to avoid exposing minors to unscrupulous entities on the internet. A good way forward is to consider the approach adopted by the USA in the Children’s Online Privacy Protection Act (‘COPPA’), which imposes a higher standard of obtaining verifiable parental consent. This requires collectors to use means which are verifiable, such as toll-free phone calls to parents or guardians, knowledge-based questions, or the provision of a driving licence or other identification, in addition to other means that make it harder for children to misrepresent that they have parental consent when they do not.

Data protection impact assessment:

The Regulations require a data collector, processor or controller who believes that their activities may pose a high risk to the rights of natural persons to conduct a data protection impact assessment prior to collection or processing. This is a welcome introduction, especially since the Office will specify when an activity is deemed high risk by its very nature and release a list of such high-risk activities.

PART 4: DATA PROTECTION REGISTER

This part of the Regulations operationalizes the National Data Protection Register, which is essentially a record of all data collectors, processors and controllers in the country and the reasons they assign for collecting, processing and/or controlling the data in their control.

PART 5: REGISTRATION OF DATA COLLECTORS, PROCESSORS AND CONTROLLERS

Part 5 of the Regulations requires data collectors, data processors and data controllers to apply for registration with the Personal Data Protection Office. The Regulations make it an offence to fail to register as required under this provision and, for corporations, this offence is deemed to be committed by every officer who knowingly and willingly permits the offence to occur. It is critical to emphasize that the knowledge and will in this case is knowledge of the collection activities of the company (and not knowledge of the fact that there is a legal requirement to register, since ignorance of the law is never a defence to a crime). It is worth noting that this registration lasts for a period of 12 months and will need to be renewed after that.

The Regulations spell out the process and requirements for applying for registration. Furthermore, they require a collector or processor to submit, as part of their application, a written undertaking not to process or store personal data in a country outside Uganda unless that country has adequate measures in place for the protection of personal data, at least equivalent to the protection provided by the Act.

PART 6: DATA COLLECTION AND PROCESSING

This part, which is erroneously also referred to as Part 5 in the Regulations, deals with the rights of subjects to request the correction or deletion of personal data, and with the processing of data outside Uganda.

The right to correction and/or deletion of data is an interesting and much-needed aspect of the Regulations, since it has the double benefit of ensuring the integrity of data and enhancing the right to privacy. In the field of privacy litigation this has often manifested itself as the right to be forgotten, earning recognition in the European justice system and being mulled in e-privacy legislation as ‘the right to erasure.’

Also of note in this Part is the requirement to transfer data only to countries with data protection regimes equivalent to Uganda’s. This requirement seeks to ensure data protection, but it is also an issue of data sovereignty. Data sovereignty is the principle that data, especially in electronic form, is regulated by the laws of the country in which such data resides. As Ugandans, the laws that govern us are passed by our Government. However, as stated above, we live in an increasingly connected global village, and the dictates of economics, business and ordinary life require data flows across national borders and continental boundaries.

It is therefore important to ensure that the law encourages rather than impinges upon data flows and business operations. The Regulations and the Act envisage that this can be achieved by ensuring that data collected in Uganda is only transferred to countries with data protection regimes at least as stringent as, or equivalent to, ours. Who assesses equivalence? This problem has been addressed in the EU by the issuance of adequacy decisions, which are declarations by the EU that another jurisdiction’s data regime is equivalent to its own; as such, EU data subjects will have the same data rights even if their data is transferred to that country. Our Regulations and Act envisage this same concept but have no procedural infrastructure for such decisions to be made, other than vesting this power in the Office. We therefore recommend that the Office come out strongly to guide on which specific countries’ regimes meet this test of equivalence.

PART 7: SECURITY OF DATA

This Part bolsters the provisions of the Act that require data controllers, collectors and processors to have watertight systems within which to contain data, to avoid ‘leaks’ and breaches. Generally, these parties are required to comply with the best security practices published by the Office and, more than that, to notify the Office of any breach as soon as they become aware of it.

PART 8: RIGHTS OF DATA SUBJECTS

This Part is also erroneously referred to as Part 7 in the Regulations, and it basically fleshes out the rights given to data subjects in the Act. These broadly include consenting to the collection of their data, accessing their data in the possession of a controller, collector or processor, preventing the processing of their data, challenging the refusal, mis-action or inaction of a data collector, processor or controller administratively by appealing that refusal, mis-action or inaction to the Office, and the right to ensure that decisions affecting the data subject’s data are not made by completely automated means. These create the corollary rights of rectification, blocking, erasure and destruction of one’s personal data.

PART 9: COMPLAINTS AND INVESTIGATIONS

This Part refers generally to the requirement that data collectors, controllers and processors have in place mechanisms by which subjects may make complaints and by which these complaints may be handled.

Additionally, Part 9 lays out the processes for making a complaint to the Office against a data collector, controller or processor for breach of or non-compliance with the law, and for appeals to the Minister for Information and Communications Technology in the event that the complainant is dissatisfied with the Office’s resolution.

PART 10: GENERAL PROVISIONS

Finally, Part 10 provides for a general miscellany of provisions, including:

  1. The duty of institutions (private and public) to appoint data protection officers to ensure compliance with the law.
  2. The duty of the Office to prepare annual compliance reports for the Minister.

OUR COMMENTS:

The Regulations represent a remarkable step forward in the process of laying the foundational frameworks for data governance in Uganda. However, there are a few aspects of the Regulations that leave gaps in the protection of rights and in the operationalization of the Act. These include the following:

  1. Independent data protection oversight:

To ensure checks and balances in the digital economy, the data subject must have the right to an effective remedy against the data controller and processor. In exercise of this remedy, a data subject must have the right to submit a complaint to the independent supervisory authority.

Under the Regulations, the Personal Data Protection Office will sit within the National Information Technology Authority, Uganda (NITA), which leaves a lot to be desired in practical terms as to how it shall be independent of NITA. Further, an appeal against a decision of the Office is lodged with the Minister.

Another concern from an enforcement perspective is that appeals from the Personal Data Protection Office shall lie with the Minister, who is part of the executive branch of the Government. This stifles the already questionable independence of the Personal Data Protection Office. Prudence would require that parties dissatisfied with a decision of the Personal Data Protection Office have the opportunity to bring their matter before the independent courts of law. It is desirable to have an independent body that can oversee data protection, unchained from the ballast that is the political system in the country.

  2. Advisory notes to provide clarity on what amounts to legitimate interest in practice, to avoid abuse:

There is a need for the Office to come up with guidance on what exactly amounts to legitimate interest, to avoid its abuse.

  3. Consent for children:

The Regulations are woefully inadequate when it comes to prescribing systems for ensuring that the consent of children/minors is actually provided by their parents/guardians.

  4. Equivalence mechanism (under Part 5):

The Office needs to provide a clear equivalence mechanism and make some adequacy decisions to open up the rest of the world for data transfers.

CONCLUSION:

In the ecosystem of the internet economy, there is a great and growing power imbalance between individuals (data subjects) and those controlling and processing personal data. This calls for collective redress, since most individuals will not have the resources to investigate and uncover non-compliance, draft complaints and take further legal action. The cost and complexity of the process can render the redress mechanisms inaccessible and ineffective in practice. Allowing collective redress would be an effective means of strengthening enforcement, but unfortunately the Regulations, just like the Act, have not provided for this important component of enforcement.

In this rapidly advancing digital economy, the emphasis on data protection cannot be left to the legal regime alone. Technical decisions such as privacy by design and by default, made at the design stage of systems, can play a strong role in putting data protection rules into practice, as they can limit data collection, prevent unnecessary access and prevent further data processing. The digital economy requires a progressive legal regime that is alive to advancements in technology, one that accelerates innovation while at the same time regulating its excesses. The use of data is the lifeblood of the digital economy, and the Regulations offer a starting point for ensuring data protection and privacy in Uganda, although more can be done to achieve an efficient regulatory environment.

This alert provides general information only. It is not intended to provide advice with respect to any specific set of facts, nor is it intended to advise on all developments in the law.