Disparity in data collection policies of some Pan-African companies in Uganda raises privacy concernsGlobal Voices Advox
Unwanted Witness, a civil society organization based in Uganda, in its report 2021 on privacy revealed inconsistencies in the privacy policies of telecommunications companies Airtel and MTN, financial services companies such as Stanbic Bank and insurance company Old Mutual. The data protection and privacy policies of these pan-African companies operating in Uganda differ significantly from their policies in other parts of the continent.
Dorothy Mukasa, CEO of Unwanted Witness, told Global Voices in a Zoom interview that the research assessed compliance with the 2019 Ugandan Data Protection and Privacy Law, which was enacted to protect the rights of citizens’ privacy by “regulating the collection of personal information in Uganda and abroad”.
Airtel, MTN, Stanbic Bank and Old Mutual have different data protection and privacy policies in different African countries. “This is evidenced by the notable variations in the duration of privacy policies as well as the number of rights to which users are exposed. This is a practice of inconsistencies in the exercise of private policies ”, Remarks The report.
The consequence of this being that “the fewer words, the less rights mentioned or not mentioned at all”, the Ugandan witness undesirable report to complain.
Poor privacy scoreboard in Uganda
Mukasa said the report assesses “whether Ugandan companies are engaged in data collection and processing. The main reason was to ensure compliance with data collection, to get rid of the exploitation of individuals through data collection.
The research, which began in August 2020, classified 32 Ugandan companies into seven main categories: e-commerce, financial services, telecommunications services, insurance services, government agencies, social security, and health / private hospitals. Adopting a five-star scale, the report categorized these companies into the following areas: compliance with best privacy practices, providing information to the data subject before collecting data, mentioning third parties with whom personal data are shared, robust data security practice, and disclosure of government data requests.
The study analyzed the “visible, clear and publicly accessible privacy policies” of companies. This, according to Mukasa, was to ensure that “data collectors do not secretly change their policies.” The report sought to establish that companies received “informed consent” from customers before acquiring their data. Unwanted Witness has also investigated data sharing with third parties.
The inconsistent data and privacy policies of these companies across Africa make consumers vulnerable in countries without strict data protection policies. For example, the policy documents of these companies in Uganda are superficial, compared to the “more robust” Nigerians and South Africans.rivite policy documents. This suggests that “the law and the authorities” in Nigeria and South Africa “are strong and work”, according to reporting.
The study also showed a significant lack of compliance with the Ugandan Data Protection and Privacy Act 2019, and the presence of location trackers and profiling in many of the companies studied, through mobile and web applications that collect and sell data for commercial purposes without transparent policies.
Analysis of how Ugandan government agencies and businesses are complying with the 2019 data protection regulations reveals that most industries scored well on adhering to robust data security. Ugandan health service providers have been ranked among the worst performers in this area. Many health services “collect data but… do not have the baseline for confidentiality”. Mukasa explained that this personal data is hosted online with trackers that “analyze the data”, thus risking “the privacy and the lives of their patients”.
Data protection rights and African telecommunications companies
The Unwanted Witness report is not the first time that large telecommunications companies like MTN and Airtel have been complicit in violating the data privacy rights of their Ugandan customers, under Ugandan law. For example, the South Africa-based MTN group did not inform users of “how their data is collected, with whom it is shared and why” according to to the 2019 Digital Rights Corporate Responsibility Index.
MTN “discloses very little about how it handles personal data and lacks strong governance mechanisms on human rights issues”, writing Quartz Africa journalist Abdi Latif Dahir. The telecom group provides very little or no information on how much data it collects, how long the data is retained, third-party access, or privacy breach protocols. “The company also did not disclose details of the privacy risks that could arise with its targeted digital advertising services,” Dahir wrote.
In 2020, the MTN group published a transparency report which details how it processes the information of 220 million subscribers in the 22 African countries in which it operates. Although this was an important step in protecting data and privacy, it was not enough.
Isedua Oribhabor and Berhan Taye of the digital rights organization Access Now require that “MTN … expands its reports to disclose critical information regarding data retention requests, communications data, metadata and information regarding the installation of interception technology, and actions taken by MTN to push back requests. inappropriate, including detailed information on how it handles Internet shutdown commands. “
From April 2021, 28 (out of 54) African countries have adopted laws and regulations to protect personal data. This shows that data protection laws are steadily increasing on the continent. However, Mukosa of Unwanted Witness states that “enforcement is the most difficult step in data protection in Africa”. Therefore, Mukasa stressed that civil society, being independent, is better placed to defend data rights and privacy breaches on the continent.