News

The Data Privacy and Protection Bill, 2018

"Is the right to privacy a non-derogable right?"

At the end of 2018, Parliament passed the New Data Privacy and Protection Bill, 2018 which Bill is currently awaiting Presidential assent.

In a country where data privacy has been unregulated for decades, the slightest details of the Bill become vital to all Ugandans.

This legal update will provide an insight into the key highlights of the Bill and a brief commentary on the expected developments.

Purpose of the Bill

The purpose of this legislation is; to protect the privacy of the individual and of personal data by regulating the collection and processing of personal information; to provide for the rights of the persons whose data is collected and the obligations of data collectors, data processers and data controllers; to regulate the use or disclosure of personal information; and for related matters.

Mandatory consent from the data subject

The backbone of the Bill is the requirement for mandatory consent from the individual prior to the collection of personal data by all persons and organizations collecting or intending to collect personal data.

This consent once given does not last a lifetime as the data collector will be required to retain such data for only the period within which the data is required. For the individual (“data subject”), this is the time to embrace a law that gives force to the constitutional right to privacy hence safeguarding their securities and welfare.

Worldwide reach of the legislation

Every law maker knows that there are three ingredients to a good law; obligations, sanctions and enforceability. Sometimes even these maybe lacking. The geographical applicability of the law plays a major role in its effectiveness. The Data Privacy and Protection Bill will regulate all data collectors collecting personal data from Ugandans irrespective of the fact that the data collector is not physically or geographically present in Uganda. The prediction is that this will foster the use of the global digital market by several Ugandans.

Processing and retention of personal data

With the new Law, data collectors must have a specific purpose for collecting personal data. Data collection is only permitted in instances where the collection is statutorily authorized, proper performance of a public duty, national security and for performance of a contract among other set parameters.

In addition to that, all data collectors will be required to maintain accurate and updated personal data should they opt to retain it. On the positive side, this will create a systematic updated network of personal data among data collector’s especially public bodies. The days of having to submit the same information at every public institution you walk to will be long gone. It is therefore important that all data collectors prepare to keep abreast with this compliance requirement before the new Law commences.

Data relating to children

A child in Uganda is a person under the age of eighteen years. The new Law seeks to regulate the collection of personal data relating to children.

The only parameters set by law as to when such information may be collected is if parental consent is obtained; or if required by law and for research or statistical purposes. This will demand a high level of regulatory and internal administration measures from the data collectors considering the fact that a vast number of data collectors do not request for submission of proof of authenticity of information provided during online market transactions.

Data subjects’ rights and obligations

The ordinary Ugandan, who is the data subject will have an obligation to avail the data collector with information that is complete, accurate and up to date.

The subject nonetheless shall retain  rights to request the data collector to stop processing their personal data in circumstances where the continued retention of such data is likely to cause unwarranted substantial damage to the data subject, access their personal information that is in the hands of the collector, prevent processing of personal data for direct marketing, among others.

Data collectors’ obligations

In addition to obtaining consent prior to collection of data and maintenance of accurate and up to date information, the data collectors will be required to verify the information they obtain from the data subject.

Sanctions of the law

The law comes with pretty hefty sanctions. This therefore imposes an obligation on all collectors of data whether individuals or corporations to take all reasonable steps within their means to comply with the new Law as it is in their best interests that they do so. Non-compliance with this law will attract fines up to UGX 4.8m and or imprisonment of up to 10 years. Corporations that dishonor the law and are found liable may have to forfeit 2% of their annual gross turnover as a fine.           

Suffice it to note that in addition to these sanctions, an aggrieved data subject shall retain the right to bring an action against the infringing data collector, controller or processor for compensation. The enforceability of this law will also require that Uganda as a country invests in new technologies to safe guard data collected.

However given the fact that the new Law is yet to take effect, the success or failure of the same cannot be predetermined. What is certain is that Uganda as a country is committed to the protection of the constitutional right to privacy.