
A CRITICAL REVIEW OF UGANDA'S DATA PROTECTION AND PRIVACY BILL, 2015

OPPORTUNITIES & THREATS TO CITIZENS

A paper by Dr Ronald Kakungulu Mayambala


Senior Lecturer, Human Rights and Peace Centre
Makerere University

SEPTEMBER 2016

1.0 INTRODUCTION
Article 27 of the Constitution guarantees the right to privacy of person, home and other property. In
particular, article 27(2) of the Constitution provides that a person shall not be subjected to interference
with the privacy of that person's home, correspondence, communication or other property.
Unfortunately there is no comprehensive law giving effect to article 27, yet a lot of data concerning
individuals are collected, stored or processed regularly by various institutions in the private and
public sector, including banks, hospitals, insurance companies, the Uganda Citizenship and
Immigration Control Board, the Uganda Revenue Authority, Uganda Registration Services Bureau,
the Electoral Commission, utility service providers and telecommunications companies under the SIM
card registration exercise.
In the absence of a comprehensive law, it is difficult to safeguard the data collected or to ensure that
the data collected is used only for the purposes for which the law authorizes the data to be collected.
In many cases, the data collected is of a personal nature which may easily be abused or misused if a
legal framework is not put in place to govern the integrity and circumstances relating to the use,
storage and processing of data.
With the rapid and dynamic development of technological advances in the area of information and
communication technology, vast amounts of personal information are transmitted, collected,
stored and used daily. This has opened up opportunities for the processing and misuse of personal data,
by both government and private individuals, as a form of violence.
2.0 BACKGROUND TO THE DATA PROTECTION AND PRIVACY BILL, 2015
Data protection and privacy laws have been enacted in countries like Ghana, Tunisia, Australia,
Angola, Mauritius, Morocco, Senegal, Benin, Burkina Faso and United Kingdom, among others.
The African Union, at its 23rd session, resolved to adopt a Convention on Cyber Security for the
region. A Draft Convention on Cyber Security had been prepared in 2012 on the directive of the Assembly of
Heads of State and Government of the African Union.
In 2010, the Council of Ministers approved the East African Community (EAC) Legal Framework on
Cyber Laws, and directed the Partner States to implement it by enacting legislation to provide for the
protection of personal data, among others.

With regard to countries in the EAC, only Kenya has developed a draft Data Protection Bill that has
been approved by cabinet and is before parliament for enactment. For Tanzania, Article 16 of its
constitution highlights privacy in generic form. It is yet to develop a specific law on data protection
and privacy. Rwanda is at the same stage as Tanzania.
3.0 EXISTING LEGAL FRAMEWORK
A review of the current legal framework indicates that issues of data protection and privacy are not
adequately addressed. Whereas aspects of data protection have been provided for in some laws, they
are piecemeal and only apply to specific sectors. The said laws include the following:
a) Constitution of the Republic of Uganda
Article 27 provides for the right to privacy of person, home and other property and that no person
shall be subjected to interference with the privacy of that person's home, correspondence,
communication or other property.
b) The Access to Information Act 2005 (Act No 6 of 2005)
Section 26 protects information relating to privacy of the person in the possession of the state or
agency of the state from disclosure.
c) The Uganda Communications Act, 2013 (Act No. 1 of 2013)
The Act requires operators to ensure that there is no unlawful divulgence, interception or disclosure
of private data.
d) The Electronic Signatures Act, 2011 (Act No. 7 of 2011)
This Act prohibits a person exercising any powers conferred under the Act from disclosing confidential
information obtained through access to any electronic record, book, register, correspondence,
information, document or other material, or from granting access to any other person (s.81).
e) The Computer Misuse Act, 2011 (Act No. 2 of 2011)
Section 18 prohibits a person who has access to any electronic data, record, book, register,
correspondence, information, document or any other material, from disclosing to any other person or
from using the information for any purpose other than that for which he or she obtained access.

f) The Regulation of Interception of Communications Act, 2010
The Act makes provision for lawful interception of certain communications in the course of their
transmission.
Therefore, currently, there is no comprehensive law to safeguard the data collected or to ensure that it
is used only for the purposes for which it was intended. In many cases, the data collected is of a
personal nature which may easily be abused or misused in the absence of a legal framework to govern
the integrity and circumstances relating to the use, storage and processing of data.
4.0 THE SALIENT CLAUSES IN THE BILL
The specific objectives of the Bill are:
a) To give effect to Article 27 of the Constitution by providing for the protection of private and
personal data;
b) To safeguard the interests of individuals whose information or personal data is gathered or
collected by the government, public institutions, private entities;
c) To provide for the rights of individuals whose personal data is collected and processed;
d) To provide for the regulation of collection, holding, processing and use of personal data;
e) To ensure that the rights of individuals during the collection and processing of data are upheld
against threats and attacks capable of compromising the information;
f) To provide mechanisms for redress and remedies in cases where rights of individuals are
infringed; and
g) To provide for administrative mechanisms of ensuring that the processing of personal data is
conducted in accordance with the procedures set out in the proposed law.
1. The proposed Bill applies to:
i) written and electronic records in both the public and private sectors, because personal data in
whatever form should be protected from abuse (Clause 1);
ii) personal data of natural persons (individuals) only.

2. Clause 3 of the Data Protection and Privacy Bill also provides for the principles to guide the
data collector, data processor and controllers to protect data subjects. These include:
i) Personal data should be collected and processed fairly and lawfully.

ii) The data collector, data processor and data controller is accountable to the data subject
for data collected, processed held or used;
iii) The data collector, data processor and data controller is required to collect, process, use
or hold adequate, relevant and not excessive or unnecessary personal data;
iv) Personal data should be retained for the period authorized by law or for which the data
is required;
v) The data collector, data processor and data controller shall ensure quality of information
collected, processed, used or held;
vi) The data collector, data processor and data controller shall ensure transparency and
participation of the data subject in the collection, processing, use and holding of the
personal data; and
vii) The data collector, data processor and data controller shall observe security safeguards
in respect of the data.
3. The Bill provides that the purposes for which data may be collected include the following:
a) defence or public security;
b) prevention, investigation, indictment or prosecution of criminal offences or execution of
penal convictions or security measures;
c) population census;
d) medical purposes;
e) compilation of personal data directly or indirectly; and
f) processing salaries, pensions, taxes, levies and other payments (Clause 4(2) of the Bill).

Clause 5 prohibits the collection of special personal data, referred to as sensitive data in other
jurisdictions: a person shall not collect or process personal data which relates to the religious or
philosophical beliefs, political opinion, health or sexual life of an individual. However, the above
clause does not apply to information collected under the Uganda Bureau of Statistics Act.
Exceptions
A data collector may collect or process otherwise prohibited information where:
a) the processing of the data is in the exercise or performance of a right or an obligation
conferred or imposed by law on an employer;
b) the information is given freely and with the consent of the data subject; or
c) the collection or processing of the information is for the purposes of the legitimate
activities of a body or association.
4. The proposed law protects the right of Privacy by requiring a data collector, data processor or
data controller to collect or process the data in a manner which does not infringe the privacy of
the person to whom the data relates (Clause 6 of the Bill).
5. Clause 8 of the Bill states that personal data should be obtained only for a specified and
lawful purpose or purposes, and shall not be further processed in any manner incompatible
with that purpose or purposes.
6. Personal data should be adequate, relevant and not excessive in relation to the purpose or
purposes for which they are processed. The Bill requires that a person shall not collect or
process personal data which are not strictly necessary for the purpose or purposes for which
they were obtained (Clause 10 of the Bill).
7. Personal data should be accurate and, where necessary, kept up to date. The Bill requires a
data controller to take reasonable steps to ensure the accuracy of personal data which it holds,
and to take steps to correct inaccurate data when requested to do so by a data subject (Clause
11 quality of information).
8. The Bill also provides that personal data processed for any purpose should not be kept for
longer than is necessary for that purpose (Clause 14 on retention of records of personal data).

9. The Bill further provides criteria for the processing of data in a country outside Uganda: such a
country should have an adequate level of protection for the rights and freedoms of data
subjects in relation to the processing of personal data (Clause 15 of the Bill).

10. The Bill provides that personal data should be processed in accordance with the rights of data
subjects prescribed in the proposed law (Clauses 21-24 of the Bill).
11. Data controllers must ensure the security of personal data which is held electronically
and in manual form, to prevent the misuse of personal data (Clauses 16-18 of the Bill).
12. The Data Protection and Privacy Bill comprehensively provides for the rights of persons whose
personal data is processed and the obligations of data collectors, data processors and data
controllers (Clauses 21-22 of the Bill).
13. The Bill provides for the institutional framework and procedures to administer, receive
complaints and settle disputes relating to personal data protection and privacy. It is proposed
that the National Information Technology Authority-Uganda (NITA-U) established under the
National Information Technology Authority- Uganda Act, 2009 (Act No. 4 of 2009), should be
mandated to administer and implement this law since data protection is one of the functions of
the Authority. Section 5 (c) of the Act provides that one of the functions of the Authority is to
coordinate, supervise and monitor the utilisation of information technology in the public and
private sectors. The Act also requires the Authority to set, monitor and regulate standards for
information technology planning, acquisition, implementation, delivery, support, organisation,
sustenance, disposal, risk management, data protection, security and contingency planning
(Clause 2 on the definition of the Authority).
14. The Bill provides for an enforcement mechanism that will allow individuals to enforce their
rights (Clauses 27-29 of the Bill on complaint procedures).
15. The Data Protection and Privacy Bill provides for remedies for infringement of the rights of
individuals. The remedies include compensation for damage or distress and orders for damages (Clause 29
of the Bill).
Once the Data Protection and Privacy Bill is passed into law, there will be adequate measures for the
protection and privacy of personal data. This shall lead to increased confidence by the citizens when
transacting in various forms especially where they may be required to disclose their personal data.

5.0 CONCLUSION
It should be noted that Uganda lacks a comprehensive law to protect personal data in conformity with
the provisions of Article 27 of the Constitution on the right to privacy of a person. The proposed Bill is
intended to complement the existing laws on electronic transactions, communications and access to
information by providing for the protection of privacy and personal data. However, this protection should
be balanced against the prerogatives of the State and other entities that collect and use information in the
delivery of services.
Human Rights Implications of the Bill
(a) An Overview of the Implementation of Data Protection Legislation
This section of the paper deals with data protection principles (since Uganda does not yet have a
comprehensive data protection law), the data regulator, international transfer of personal data, and the
relevance of comparative influences and interpretation of data protection legislation.
i) Data Protection
Uganda does not yet have comprehensive data protection legislation. What can be relied upon is
mere piece-meal legislation touching on privacy and generally interpreted to even cover cases of data
protection since the main aim of data protection is to ensure the protection of privacy of the
individual. Article 27 of the Constitution has been used to protect privacy (including data) in Uganda
albeit with some major challenges as can be seen in the case of Human Rights Network for Journalists
Uganda Limited & Legal Brains Trust (LBT) v. Uganda Communications Commission (UCC) & Attorney
General (supra).
However, the government of Uganda has now introduced a comprehensive law to deal with this
subject viz: The Data Protection and Privacy Bill, 2015 (hereinafter referred to as the DPP Bill) which
now awaits approval by Cabinet and introduction to Parliament. A discussion of the draft Bill is
therefore necessary and will follow later.
ii) Data Protection Principles
It is imperative to first list what have come to be classified as the eight basic principles of data
protection, which almost every data protection law must have as core minimum standards to abide by.
The analysis of the Uganda Data Protection and Privacy Bill (DPP Bill) follows the OECD standard,
and it is on this standard that the author analyses the Bill.
The definition of personal data given in the OECD Guidelines has been amplified by the
DPP Bill, which in Clause 2 on Interpretation defines personal data to mean:
Information about a person from which the person can be identified that is recorded in any
form and includes
a. data that relates to the nationality, age or marital status of the person;
b. data that relates to the educational level, or occupation of the person or data that relates
to a financial transaction in which the person has been involved;
c. an identification number, symbol or other particulars assigned to the person; and
d. identity data;
e. other information which is in the possession of, or is likely to come into possession of
the data controller, and includes an expression of opinion about the individual.
Although non-binding, the OECD Guidelines have had a tremendous impact on the development and
enactment of data protection laws, not only among members of the OECD but the world over. Indeed,
the Guidelines have been a trailblazer not only for OECD members but also for non-members, Uganda
inclusive, as seen in the DPP Bill.
Owing to the great influence that the OECD Guidelines have had on the development of data
protection across the world, a mention of these Guidelines in detail is done here below.
Solove and Schwartz observe that the OECD Privacy Guidelines establish eight principles regarding
processing of personal data:
1. Collection Limitation Principle. There should be limits to the collection of personal data and any
such data should be obtained by lawful and fair means and, where appropriate, with the
knowledge or consent of the data subject.
2. Data Quality Principle. Personal data should be relevant to the purposes for which they are to
be used, and, to the extent necessary for those purposes, should be accurate, complete and kept
up-to-date.
3. Purpose Specification Principle. The purposes for which personal data are collected should be
specified not later than at the time of data collection and the subsequent use limited to the
fulfillment of those purposes or such others as are not incompatible with those purposes and
as are specified on each occasion of change of purpose.
4. Use Limitation Principle. Personal data should not be disclosed, made available or otherwise
used for purposes other than those specified in accordance with [the purpose specification]
except: a) with the consent of the data subject; or b) by the authority of law.
5. Security Safeguards Principle. Personal data should be protected by reasonable security
safeguards against such risks as loss or unauthorized access, destruction, use, modification or
disclosure of data.
6. Openness Principle. There should be a general policy of openness about developments, practices
and policies with respect to personal data. Means should be readily available of establishing
the existence and nature of personal data, and the main purposes of their use, as well as the
identity and usual residence of the data controller.
7. Individual Participation Principle. An individual should have the right: (a) to obtain from a data
controller, or otherwise, confirmation of whether or not the data controller has data relating to
him; (b) to have communicated to him, data relating to him (i) within a reasonable time; (ii) at
a charge, if any, that is not excessive; (iii) in a reasonable manner; and (iv) in a form that is
readily intelligible to him; (c) to be given reasons if a request made under subparagraphs (a)
and (b) is denied, and to be able to challenge such denial; and (d) to challenge data relating to
him and, if the challenge is successful to have the data erased, rectified, completed or
amended.
8. Accountability Principle. A data controller should be accountable for complying with measures
which give effect to the principles stated above.1

1 Ibid, 997-998.

Principle One of the OECD Guidelines, on collection limitation, has been captured in Clause 3(1)(a) of
the DPP Bill. The clause covers the usual elements of collection limitation, such as transparency,
and attaches security safeguards to the data collected.
In order to further strengthen and ensure the quality of the data or information collected, Clause 11 of
the DPP Bill states that a person who collects or processes personal data shall ensure that the data is
complete, accurate, up-to-date and not misleading, having regard to the purpose for its collection or
processing.
Purpose specification has been dealt with in Clauses 8 and 13 of the DPP Bill. In particular, Clause 8
states that a person who collects personal data shall collect the data for a lawful purpose which is
specific, explicitly defined and is related to the functions or activity of the person or public body.
Clause 3(2) then enjoins the Authority, NITA-U, to ensure that every data collector, data controller,
data processor or any other person collecting or processing data complies with the principles of data
protection and this Act. Not only does the principle of purpose specification seek to ensure that the
data is collected for a lawful purpose, it also seeks to ensure that the data is put to or used for the
purpose for which it was sought. Indeed, putting the data to another purpose without the prior
informed consent of the data subject is prohibited in Clause 13.
On use limitation, the Bill deals with this issue in Clause 8. Similarly, Clause 13(1) of the DPP Bill
states that where a person holds personal data collected in connection with a specific purpose,
further processing of the personal data shall be only for that specific purpose. The use limitation
principle underscores the principle of Clause 3(1)(b) on collecting and processing data fairly and
lawfully.
The Bill also underscores security safeguards, through Clauses 3(1)(g), 15 and 16 of the DPP Bill.
Clause 3(1)(g) states that a data collector shall observe security safeguards in respect of the data.
Even when the data controller seeks to process personal data outside Uganda, he or she shall ensure
that security safeguards in respect of the data remain in place.2 Clause 16(1) obliges the data controller
to secure the integrity of personal data in the possession or control of a person by adopting
appropriate, reasonable, technical and organizational measures to prevent loss, damage, or
unauthorized destruction and unlawful access to or unauthorized processing of the personal data.

2 Clause 15 of the DPP Bill.

Equally, a data controller shall observe generally accepted information security practices and
procedures, and specific industry or professional rules and regulations.3
Key to data protection in any country is the principle of openness, which is dealt with in the
DPP Bill, albeit in a vague manner. Though not specifically referred to as such in the Bill, the openness
principle is covered in Clauses 3(1)(b) and (c), 5, 10 and 14. The data controller should (b) collect and
process data fairly and lawfully; and (c) collect, process, use or hold adequate, relevant and not
excessive or unnecessary personal data.4 To strengthen the openness principle further, a person
shall not collect or process personal data which relates to the religious or philosophical beliefs,
political opinion, or sexual life of an individual.5 Clause 5 of the DPP Bill is intended to secure the
privacy of the individual and to avoid discrimination based on any of the grounds listed in sub-clause
1. Clause 10 of the Bill also obliges a data controller or data processor to process only the necessary or
relevant personal data and nothing in excess of that. The minimality principle, which is treated as an
independent principle in both the Bill and other jurisdictions, is also useful in promoting openness in
data protection, since only data that is necessary shall be processed. In the same vein, a person who
collects personal data shall not retain the personal data for a period longer than is necessary to achieve
the purpose for which the data is collected and processed, unless the retention of the data is required
or authorized by law or for any other purpose authorized under the Bill.6
In a bid to secure and entrench democratic principles in the Bill, individual participation has been
covered adequately in the DPP Bill. At its core, this principle seeks to ensure that data controllers and
users are obliged to ensure the transparency and participation of data subjects in the processing of
personal data.7 According to Makulilo, who has offered an analysis of the DPP Bill, the principle of
individual participation entails a number of things: obtaining consent prior to processing of personal
information (sec 4); collection of data directly from a data subject (sec 7); right to object [to] processing
(sec 4(3), 20, 21); right to access personal information (sec 19); right to demand rectification, blocking,
erasure and destruction of personal data (sec 24).8 It can therefore be ascertained that the Bill offers strong
protection of the principle of individual participation, in line with the widely accepted OECD
Guidelines.
3 Ibid, Clause 16(3).
4 Ibid, Clause 3(1)(b) and (c).
5 Ibid, Clause 5(1).
6 Ibid, Clause 14(1).
7 Ibid, Clause 3(1)(e).
8 Alex B. Makulilo (2015), Ugandan Privacy Bill: a cosmetic tokenism? Unpublished paper (on file with the author), p. 8.


Lastly, another key principle is that of accountability which has been well articulated above and more
specifically in Clause 3(1)(a). However, it should be observed that the attainment of the principle of
accountability is largely dependent on other principles such as principle on transparency and data
subject participation.
Alongside the above principles, the DPP Bill offers extra protection in a number of contexts, including:
a) It gives a data subject the right to require a data controller to stop processing data for purposes of
direct marketing (sec 21(1)). The term direct marketing includes any communication by whatever means
of any advertising or marketing material which is directed at an individual (sec 21(5)).
b) Likewise, the Bill gives a data subject the right to require a data controller to stop making decisions,
taken by or on her behalf, which significantly affect the data subject where they are based solely on the
processing of personal data by automatic means (sec 22).9
In a nutshell, Uganda's DPP Bill guarantees the protection of most of the recognized principles of data
protection, save for a few which need to be included in the draft Bill, as discussed here below.
iii) Data Protection Regulator
Most data protection legislations the world over have a regulator, sometimes in the form of an
authority, which is usually independent in the performance of its duties. Ugandas DPP Bill is no
exception. Clause 25 of the Bill bestows upon the National Information Technology Authority
Uganda (NITA-U) the power to keep and maintain a Data Protection Register. This is clearly in line
with the functions of NITA-U, viz: to co-ordinate, supervise and monitor the utilization of information
technology in the public and private sectors; and to create and manage the national databank, its
inputs and outputs.10 NITA-U is also required to ensure access to the register by any member of the
public.11 As the regulator, NITA-U is meant to play a leading role in matters touching on data
protection in Uganda, such as receiving and hearing complaints of data subjects, and it is therefore
imperative to examine the objects, powers and functions of NITA-U and the extent to which the
regulator is able to carry out the mandate which has been bestowed upon it by the DPP Bill.

9 Ibid, p. 9.
10 See Section 5(c) and (e) of the National Information Technology Authority, Uganda Act, Act No. 4 of 2009.
11 Clause 26 of the Bill.


NITA-U has been empowered to ensure access to personal information once a request has been made
by a data subject to a data controller.12 The data subject also has a right to require the data controller or
processor, in writing, to stop processing personal data, and in the event of non-compliance the Authority,
if satisfied that the request by the data subject is justified, may direct the data controller to comply.13
The Bill also empowers the data subject to prevent processing of personal data for direct marketing,14
and direct marketing has been stated to include the communication by whatever means of any
advertising or marketing material which is directed at an individual.15 NITA-U is also empowered to
handle complaints in respect of rights in relation to automated decision-making,16 and where the
Authority is satisfied on a complaint by a data subject that a person taking a decision has failed to
comply, the Authority may order the responsible person to comply.17 More importantly, where the
Authority is satisfied on a complaint of a data subject that personal data on that data subject is
inaccurate, the Authority may order the data controller to rectify, update, block, erase or destroy the data.18
NITA-U has the responsibility of handling complaints as stipulated in Part VII of the Bill. It receives
all complaints of breach of and non-compliance with the Act,19 has a duty to investigate every
complaint against a data collector, data processor or data controller,20 and where a data subject
suffers damage or distress through the contravention by a data collector, data processor or data
controller of the requirements of the Act,21 the Authority shall ensure that such a data subject is
compensated.
On the independence of NITA-U, it is a generally accepted principle that the data regulator shall be
independent. This connotes independence from both the public and private sectors or any other
individual since the Bill covers data in both the public and private sectors.
12 Clause 20(4) of the Bill.
13 Clause 21(4) of the Bill.
14 Clause 22(1) of the Bill.
15 Clause 22(5) of the Bill.
16 Clause 23(1) of the Bill.
17 Clause 23(4) of the Bill.
18 Clause 24(1) of the Bill.
19 Clause 27 of the Bill.
20 Clause 28 of the Bill.
21 Clause 29(1) of the Bill.

Makulilo notes as follows on the independence of NITA-U:
NITA-U is an agency of the government of Uganda. As such, it operates under the general
supervision of the Minister responsible for technology (sec 3(3), 34 of the National Information
Technology Authority, Uganda Act, 2009). The Authority is also under the general direction and
supervision of the Board of Directors (sec 16(5)). Likewise, the Executive Director is appointed by the
Minister upon recommendations of the Board (16(1)). His or her tenure may be terminated by the
Minister after consultation with the Board of Directors (sec 16(8)). Other relevant provisions are that staff
of the authority are required to abide by confidentiality (sec 22); they are protected from personal
liability that arises in the course of employment and done in good faith (sec 35); funding of the
Authority comes from the Parliamentary budget and other sources (sec 24); the Director is to submit a
report to the Minister who forwards it to the Parliament (sec 36, 37). It is submitted that, considering the
overall functions and powers of the Authority, NITA-U may not be an independent privacy Authority
similar to those in international data privacy policies.22

Apart from listing the objects, functions and powers of the Authority, the NITA-Uganda Act does not
expressly provide for the independence of the regulator as is required and has been stated in most
international data privacy Conventions and to that extent, it can be said that NITA-U is not fully
independent of the Government of Uganda or the Minister for Technology. It would have been better,
if the DPP Bill had gone ahead to create an independent regulator for data protection in Uganda other
than NITA-U or in the absence of that, giving the NITA-U, such independence under the DPP Bill in
respect of data privacy protection in the country.
Not only does NITA-U face a litany of shortcomings as a regulator under the DPP Bill, but the Bill
also has weak enforcement provisions. Makulilo has again highlighted the weaknesses in these
provisions in the Bill thus:
There are no complaints resolving mechanisms in the Bill. In the three situations where the Authority is
empowered to issue an order for compliance to data controllers, there is no right for the aggrieved data
controller who wishes to challenge the order by way of appeal. The Bill provides for civil remedies where
a data subject suffers damage or distress in the event that a data controller contravenes the law (23(1)).
There is neither a limit set for the maximum damages nor guidance on how to assess them. The Bill is also
silent as to the forum where a data subject will pursue his claim for compensation. Will this be the
Authority itself or a court of law? There is no indication of the answer to this question in the Bill.
The right of appeal for the aggrieved party is also not provided [for] in the Bill. The data controller may
raise the defence of reasonable care against claims for compensation (sec 23(2)). Similarly, the Bill creates
offences for unlawful obtaining and disclosure of personal data, conviction for which attracts a fine not
exceeding 120 currency points or imprisonment for a period not exceeding five years or both (sec 27). It is
also an offence to sell personal data (sec 28), the punishment for which is the same as for unlawful
disclosure of personal data. There is also a sort of administrative penalty where the Authority may direct
the data controller to punish the fact of the compromise to the integrity or confidentiality of the personal
data (sec 18(7)).23

22 Alex B. Makulilo (2015), Ugandan Privacy Bill: a cosmetic tokenism? Unpublished paper (on file with the author), p. 8.


Alongside the enforcement concerns raised by Makulilo above lie the penalties for unlawfully obtaining and disclosing personal data (Clause 30) and for the sale of personal data (Clause 31); corporations committing offences under Clauses 30 and 31 shall also be liable. The weaknesses in the Bill identified above by Makulilo can also be rectified through the Regulations. Under the Bill, the Minister for Technology is given power to make regulations by statutory instrument for "(b) administrative or procedural matter which is necessary to give effect to this Act; (c) retention period of personal data; or (d) matter which is necessary and expedient to give effect to this Act".[24] Similarly, the Minister is given power to amend the Schedule by statutory instrument with the approval of Cabinet.[25] It is therefore possible that, using Clauses 33 and 34 of the Bill, the Minister can effectively address some of the loopholes of the Act.
iv) International Transfer of Personal Data
One of the key highlights in assessing the adequacy and appropriateness of a data protection law is the guarantees that such legislation offers in relation to the international transfer of personal data. Such transfer is not only regional, but can be continental or even inter-continental. Thus, it is imperative to assess the provisions of the DPP Bill and the guarantees it offers in this respect. For this purpose, Clause 15 of the Bill is reproduced here below in extenso:
Where a data processor or data controller processes personal data outside Uganda, the data processor or data controller shall ensure that the country in which the data is processed has adequate measures in place for the protection of the personal data, which are at least equivalent to the protection provided by this Act.
[23] Ibid, p. 12.
[24] Clause 33 of the Bill.
[25] Clause 34 of the Bill.

It can therefore be said that Clause 15 of the Bill offers a bare minimum of protection for cases of personal data processed outside Uganda. However, the above clause is not adequate on all fronts in respect of the international transfer of personal data, especially when analysed through the lens of the standards that have been set in international legislation on this subject. Makulilo argues thus:
In contrast to the sixteen (16) African countries which have so far adopted data privacy legislations (i.e., Cape Verde, Seychelles, Burkina Faso, Mauritius, Tunisia, Senegal, Morocco, Benin, Angola, Gabon, Ghana, Mali, Ivory Coast, Lesotho, South Africa and Madagascar), the Ugandan Data Protection and Privacy Bill does not provide any regime of cross-border transfer of personal data. It means that personal data of Ugandans can be transferred to Uganda from countries whose laws have no such restrictions to transfer of personal [data] abroad. As one of the reasons for the proposed privacy Bill in Uganda is to improve the business outsourcing sector (BPO), this is unlikely to be achieved. This is due to the fact that significant investments in such business come from foreign companies particularly the ones in Europe. The EU Directive restricts transfer of personal data to third countries, which do not have adequate level of protection of personal data (Article 25). Lack of a regime of cross-border transfer of personal data alone, is enough to render loopholes in the Ugandan law to the extent that it may act as a safe haven for onward transfer of personal data by controllers who escape stringent regulations in their home countries. Definitely [the] EU will limit transfer [of] personal data of its citizens to Uganda.[26]

The above criticism of the Bill by Makulilo is true in part and false in another. If Clause 15 of the Bill is implemented, even in its current form, it will be able to curb and address some of the fears raised by Makulilo. For, under Clause 15, any data processor or data controller shall ensure that the country in which the data is processed has adequate measures in place for the protection of the personal data, which are at least equivalent to the protection provided by this Act [Uganda]. Thus, in a way, the Bill seeks to address the international data export and extra-territoriality issues that arise in relation to data. Again Makulilo argues:
The privacy Bill does not propose any rule for this. It is safe to argue that the privacy Bill will only apply to controllers established in Uganda. The Bill does not cater for a controller who is not domiciled or does not have a principal place of business in Uganda but uses automated or non-automated equipment located in Uganda. This provision is too restrictive and will as well affect the business-outsourcing sector.[27]

The Bill may need re-writing to capture some of the key concerns such as extra-territorial and cross-border protection of personal data. The Bill offers protection in Clauses 22 and 23, and these can be used to curtail any data controller who wants to use personal data for direct marketing[28] (be it in Uganda or abroad); a data subject may by notice in writing to a data controller require the data controller to ensure that any decision taken by or on behalf of the data controller which significantly affects that data subject is not based solely on the processing by automatic means of personal data in respect of that data subject.[29]

[26] Alex B. Makulilo, (2015), Ugandan Privacy Bill: a cosmetic tokenism? Unpublished paper (on file with the author), p. 10-11.
[27] Ibid.
The United Nations has called upon member states to pass laws which respect the right to privacy and personal data, with reference to the Human Rights Committee's general comment No. 16 on article 17 of the International Covenant on Civil and Political Rights, para. 10.[30] Frank La Rue noted that:
the protection of personal data represents a special form of respect for the right to privacy. State parties are required by article 17(2) to regulate, through clearly articulated laws, the recording, processing, use and conveyance of automated personal data and to protect those affected against misuse by State organs as well as private parties. In addition to prohibiting data processing for purposes that are incompatible with the Covenant, data protection laws must establish rights to information, correction and, if need be, deletion of data and provide effective supervisory measures. Moreover, as stated in the Human Rights Committee's general comment on the right to privacy, in order to have the most effective protection of his private life, every individual should have the right to ascertain in an intelligible form, whether, and if so, what personal data is stored in automatic data files, and for what purposes. Every individual should also be able to ascertain which public authorities or private individuals or bodies control or may control their files.[31]

In a way, therefore, the United Nations set the standard as recently as 2011, calling upon all its members to protect personal data as a form of respect for the right to privacy, including by developing comprehensive guidelines and rules not only on automated data files but also on the cross-border and international transfer of personal data.
[28] Clause 22(1) of the Bill.
[29] Clause 23(1) of the Bill.
[30] Frank La Rue, Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Human Rights Council, 17th Session, Agenda Item 3, 2011, p. 16.
[31] Ibid, para. 58.

v) Comparative Influences and Interpretation of the Data Protection Legislation
Uganda has never had a comprehensive data protection law. As Makulilo notes, the last two decades have witnessed privacy law reform in Africa. Yet there is no privacy legislation in any of the countries in the East African Community (EAC), comprising Kenya, Uganda, Tanzania, Rwanda and Burundi. At the moment, Kenya and Tanzania have draft data privacy bills. Recently, Uganda issued a draft privacy bill, following suit after Kenya and Tanzania.[32] However, the comparative influences on the development of data privacy protection law in Uganda can be said to come mainly from the African Union, the OECD, the EU Directive and the EAC.
b) Other Procedural and Enforcement Mechanisms
In order to effectively achieve data protection and privacy, the DPP Bill should espouse universally accepted procedural and enforcement mechanisms.[33] The procedural and enforcement mechanisms should guarantee the right to privacy in the same way as those which have been developed to ensure the enjoyment of rights in the fight against terrorism.[34] Comprehensive guidelines also need to be developed, mostly by subsidiary law, to deal with issues of public interest and national security in relation to data protection and privacy.[35] This is particularly important because, as Nowak notes, in the fight against organized crime and terrorism, modern police and intelligence agencies are using information and surveillance technology, including racial profiling, that potentially affects numerous innocent citizens and constitutes far-reaching interference with the right to privacy and data protection.[36] The application of international data privacy rules has to be harmonized with Uganda's national laws.[37]
Regional Economic Communities (RECs) and Data Protection
Uganda is a member of the East African Community (EAC) as established by the Treaty for the Establishment of the EAC.[38] Uganda has domesticated the Treaty through the EAC Act of 2006. The Community operates on its fundamental principles, which include good governance, including adherence to the principles of democracy, the rule of law, accountability, transparency, social justice, equal opportunities, gender equality, as well as the recognition, promotion and protection of human and peoples' rights in accordance with the provisions of the African Charter on Human and Peoples' Rights.[39] The EAC has also passed the Protocol on the Establishment of the East African Community Common Market.

[32] Alex B. Makulilo, (2015), Ugandan Privacy Bill: a cosmetic tokenism? Unpublished paper (on file with the author), p. 1.
[33] See generally Daniel J. Solove, Understanding Privacy, (Harvard University Press 2009).
[34] See generally Steve Foster, Human Rights and Civil Liberties, (3rd edn, Pearson Education Limited 2011).
[35] See generally S. Dycus, A.L. Berney, W.C. Banks & P. Raven-Hansen, National Security Law, (4th edn, Aspen Publishers 2007).
[36] Manfred Nowak, Introduction to the International Human Rights Regime, (Martinus Nijhoff Publishers 2003), p. 346.
[37] See generally Joel R. Reidenberg, Resolving Conflicting International Data Privacy Rules in Cyberspace, Stanford Law Review, 2000, vol. 52, p. 1315-1371.
[38] Under Article 3 of the EAC Treaty, the EAC has five (5) Partner States, i.e., the Republic of Uganda, the Republic of Kenya and the United Republic of Tanzania. The Republics of Rwanda and Burundi have also since joined the Community.
a) Envisaged Common Markets and the Movement of Information
The Common Market Protocol (CMP) became operational in 2010 and negotiations are under way to achieve a Monetary Union and Political Federation by the year 2015.[40] The EAC region has a population of nearly 150 million people with a Common Market. Thus, the movement of both people (labour) and goods, and of the corresponding information, is massive. Some strides have been made in the area, as noted by Makulilo:
Uganda acceded to the International Covenant on Civil and Political Rights (ICCPR) 1966 on 21 June 1995. She is also a party to its optional Protocols. The ICCPR protects the right to privacy (Art 17). Likewise, Uganda is a party to the Convention on the Rights of the Child (CRC) 1990, and its optional Protocols. The CRC offers to children protection of privacy (Art 16). Similarly, Uganda is a member of the East African Community (EAC). In 2010, the EAC adopted the EAC Legal Framework for Cyber Law (Phase I). Although not a model law, it recommends the best practices. Uganda is also a member of the African Union (AU). On 27 June 2014, the AU adopted the African Union Convention on Cyber Security and Personal Data Protection 2014. The Convention provides for principles of data protection and oversight institution, hence filling the gap left in the African Charter on Human and Peoples' Rights, 1981, as far as protection of privacy is concerned. However, it is not yet in force and Uganda will only be bound by this Convention upon ratification.[41]

[39] Article 6(d) of the EAC Treaty.
[40] K. Gastorn, H. Sippel & U. Wanitzek, Introduction: Regional Cooperation and Legal Integration in East Africa, in K. Gastorn, H. Sippel & U. Wanitzek (eds.) Processes of Legal Integration in the East African Community (TGCL, Dar es Salaam University Press 2011), p. 1.
[41] Makulilo, supra, p. 5.

The recently adopted African Union Convention on Cyber Security and Personal Data Protection is a landmark model law which can guide AU members on cyber security and personal data protection. The AU Convention mirrors similar legislation such as the OECD model law, the UK Data Protection Act, 1998, and the EU Directive. Indeed, the AU Convention reads like a response to the observations of UN Special Rapporteur Frank La Rue, who observed [in 2011] thus:
there is insufficient or inadequate data protection laws in many States stipulating who is allowed to access personal data, what it can be used for, how it should be stored, and for how long. The necessity of adopting clear laws to protect personal data is further increased in the current information age, where large volumes of personal data are collected and stored by intermediaries, and there is a worrying trend of States obliging or pressuring these private actors to hand over information of their users. Moreover, with the increasing use of cloud-computing services, where information is stored on servers distributed in different geographical locations, ensuring that third parties also adhere to strict data protection guarantees is paramount.[42]

Uganda is therefore duty bound to develop detailed laws on personal data protection.
b) Transposition of REC Data Protection Policies

At the regional level, apart from the EAC Treaty, which obliges Partner States to observe the principles of good governance and human rights, the EAC has also adopted the EAC Legal Framework for Cyber Law (Phase I), which can be quite informative on the processes and procedures for EAC Partner States to follow in order to come up with meaningful REC data protection policies. The data protection principles of the EU and the UK have greatly influenced the development of data protection legislation in Uganda.[43] Data protection remains key to securing the privacy of the individual, since such data may be very sensitive.[44] However, whereas the Data Protection Act, 1998, of the UK sets out conditions for processing sensitive data, the DPP Bill of Uganda has no similar or corresponding provisions.[45] Even with this shortcoming, the DPP Bill still fulfils the key objectives of data protection law, viz.: those who process information concerning individuals are subject to a regulatory framework within which they can process personal data lawfully, [and secondly] as individuals we all have rights under data protection law.[46]
Conclusion
Uganda needs to pass a comprehensive data protection law that not only reflects the generally accepted international standards,[47] but also takes care of Ugandan and African values regarding data protection and privacy.[48] Even with the present-day challenges of terrorism,[49] increasing organized crime and political instability,[50] Uganda needs to remain steadfast in its pursuit of human rights.[51] The law should not be used to victimize or violate the rights of any group in Uganda and beyond.[52] The core values and principles of data protection and privacy should be well observed in the law. Above all, Uganda's Data Protection and Privacy Bill should be revised so as to align it more closely with human rights.[53] The tensions that come with balancing civil liberties, human rights and national security alongside data protection and privacy also need to be addressed very carefully.[54]

[42] Frank La Rue, supra, p. 15, para. 56.
[43] David Bainbridge, Data Protection Law, (2nd edn, XPL Publishing 2005), p. 61.
[44] Chris Reed, Database Protection, in Chris Reed & John Angel (eds), Computer Law (6th edn, Oxford University Press 2007), p. 402.
[45] David Bainbridge, Introduction to Computer Law, (5th edn, Pearson Longman 2008), p. 467-468.
[46] David I. Bainbridge, Introduction to Information Technology Law, (6th edn, Pearson Longman 2008), p. 498.
[47] Andrew Charlesworth, Data Privacy in Cyberspace: Not National vs. International but Commercial vs. Individual, in Lillian Edwards & Charlotte Waelde (eds), Law & The Internet: A Framework for Electronic Commerce (Hart Publishing 2000), p. 79-122.
[48] See generally, Therese Murphy (ed), New Technologies and Human Rights (OUP 2009).
Important aspects left out of the Bill or not addressed in detail in respect of the right to privacy, and proposals Parliament should incorporate in the Bill

- The Bill needs to give more remedies for breach of the right to privacy on top of those listed in Clauses 27 to 29;
- The Bill applies only to data relating to natural persons; could it be made to apply to juristic persons too?
- The Bill does not have an express provision on sensitive data; the closest, Clause 5, should be redrafted to read "prohibition on collection and processing of sensitive personal data" instead of "special personal data";
- The Bill does not provide for a right of appeal against decisions taken by the data collector, processor, controller or regulator; this needs to be included;
- The Bill needs to provide for a clear grievance-resolution mechanism.

[49] See generally, Benjamin J. Goold, Privacy, Identity and Security in Benjamin J. Goold & Liora Lazarus (eds) Security and Human Rights (Hart Publishing 2007), p. 45-71.
[50] Benjamin J. Goold & Daniel Neyland (eds), New Directions in Surveillance and Privacy (Willan Publishing 2009).
[51] Olive Kobusingye, The Correct Line? Uganda Under Museveni (Author House 2010).
[52] See generally Mary Frank Fox, Deborah G. Johnson & Sue V. Rosser (eds), Women, Gender and Technology (University of Illinois Press 2006).
[53] See generally Gudmundur Alfredsson & Asbjorn Eide (eds), The Universal Declaration of Human Rights: A Common Standard of Achievement (Martinus Nijhoff Publishers 1999); Henry J. Steiner, Philip Alston & Ryan Goodman, International Human Rights in Context: Law, Politics, Morals (3rd edn, OUP 2007); Richard B. Lillich, Hurst Hannum, S. James Anaya & Dinah L. Shelton, International Human Rights: Problems of Law, Policy and Practice (4th edn, Aspen Publishers 2006).
[54] Neil Hicks, The Impact of Counter Terror on the Promotion and Protection of Human Rights: A Global Perspective, in Richard Ashby Wilson (ed), Human Rights in the War on Terror (New York: CUP, 2005), pp. 209-224; Peter Galison & Martha Minow, Our Privacy, Ourselves in the Age of Technological Intrusions, in Richard Ashby Wilson (ed), Human Rights in the War on Terror (New York: CUP, 2005), pp. 258-294; Kenneth Roth, The Tension between Combating Terrorism and Protecting Civil Liberties, in Richard Ashby Wilson (ed), Human Rights in the War on Terror (New York: CUP, 2005), pp. 157-168.