By Dorothy Mukasa
Data privacy is a global policy issue, and during the past 30 years, data protection laws started gaining ground on the African continent. At the East African level, Uganda became the first country in the region to enact a comprehensive data protection law in February 2019.
The Data Protection and Privacy Act, 2019 reinforces Article 27 of the 1995 Ugandan constitution, which guarantees citizens’ right to privacy. It thus took the authorities 24 years after promulgation of the national constitution to regulate data protection and 20 years for the drafting of the bill, placing vulnerable communities at risk.
Throughout the legislative process, Unwanted Witness Uganda and other civil society actors undertook a series of advocacy efforts aimed at fostering a rights-based approach to data protection, given the fact that privacy is a fundamental human right. At this year’s workshop on “Privacy and data protection in Africa: Challenges and prospects”, organised by the University of Pretoria and the African Declaration on Internet Rights and Freedoms (AfDec) Coalition, we shared Uganda’s lived experience advocating for data protection legislation.
Changes at the policy making level
In accordance with Uganda’s electoral laws, the country conducts general elections every five years, and the changes usually eliminate over 70% of incumbents. This coupled with a prolonged policy-making process affected the already established networks as well as the advocacy strides made, since a new breed of leaders assumed legislative positions.
The advocacy strategy then had to be revised from simply targeting only policy makers to also include the technical personnel at parliament, since they are more permanent compared to members of parliament.
The majority of policy makers are elected to parliament for different reasons other than their legislative capacity. This lack of technical capacity is particularly concerning when it comes to regulating technology and human rights – a relatively new policy area in the country. Therefore, capacity building and awareness raising became a critical advocacy approach to achieving comprehensive data protection legislation.
Building an active citizenry
While privacy is as old as creation, the low level of data privacy consciousness in the digital era among the public is glaring. Citizens are not aware of the social contract between them, the state and tech companies, creating a lot of power imbalance and subsequent abuse of the right to privacy. Research exposing the effects of unregulated data-intensive systems on citizens’ privacy and subsequent media campaigns greatly contributed to raising privacy awareness among the public. The change in public attitude and perception about data privacy culminated in demanding accountability from both state and non-state data collectors and processors.
Working with the national human rights institution
The Uganda Human Rights Commission is a constitutional body mandated to, among other roles, monitor the government’s compliance with international treaty and convention obligations on human rights and recommend to parliament effective measures to promote human rights. We engaged the commission through sharing our research findings and recommendations and constantly raising the need to monitor and provide recommendations for safeguarding the right to privacy in the digital age. The commission is important because recommendations made in its annual report are debated and implemented by policy makers.
We spearheaded the formation of the privacy coalition with the aim of having a strong and unified voice. The coalition comprises civil society actors working on different thematic areas including health care, media freedom, freedom of association and assembly, education and migration, among others.
Creating a link between the right to privacy and the enjoyment of other human rights was an opportunity to amplify data privacy as a fundamental human right that needs to be advocated for by all right holders and not a reserve for only digital rights advocates.
Law and compliance
Passage of the data protection law remains a milestone for the different advocates over the years. However, the biggest hurdle still remains: enforcement/compliance.
The new law lacks an independent oversight mechanism as it simply establishes a Data Protection Office (DPO) within an existing government agency, raising concerns around conflict of interest, effective compliance, resource capacity and transparency for the appointment of members of the authority.
Indeed, to effectively protect the right to privacy, more strategic advocacy is required during the law enforcement stage. This therefore makes the privacy and personal data protection in Africa advocacy toolkit, as designed by the AfDec initiative, very relevant in shaping the data protection legal regime.