A win for Unwanted Witness: Uganda’s data protection authority finds ride sharing app unlawfully disclosed personal data to third parties

Unwanted Witness’ research into motorcycle ride sharing app Safeboda, highlighting their failures to comply with data protection law, leads data protection regulator to take enforcement action.

Achieved Result

As a result of Unwanted Witness’ complaint, NITA-U (the Ugandan data protection authority) has taken enforcement action against Safeboda. It concluded that the company unlawfully disclosed data to third parties and is requesting that they make fundamental changes to how they handle people's personal data, in particular on their information notices and data sharing practices.

Key points
  • The Ugandan data protection authority, NITA-U, takes enforcement action against Safeboda
  • Unwanted Witness had filed a petition to the Speaker of the Parliament against Safeboda’s data processing activities in 2020
  • Investigation by NITA-U found Safeboda unlawfully disclosed data to third parties
News & Analysis

Unwanted Witness’ research into Safeboda highlighted the company’s failure to comply with some of the law's core data protection principles, with a number of implications for the exercise of data subject rights. The enforcement action against Safeboda by National Information Technology Authority, Uganda (NITA-U) requires the company to make fundamental changes to how they handle people's personal data in order to comply with the Data Protection and Privacy Act, 2019.

This first landmark investigative report of NITA-U sets an important precedent to holding data controllers, both private and public entities, to account for their legal obligations under the Data Protection and Privacy Act, 2019.

Importantly, this development is also a true testament to the essential work being undertaken by civil society organisations to protect people and their data, utilising regulatory mechanisms to ensure existing safeguards are enforced.

Below is Unwanted Witness' statement welcoming the outcome of this investigative process and the decision of NITA-U. This statement was originally published on their website on 11 February 2021.

Unwanted Witness Uganda welcomes the first-ever data protection investigation report by the Ugandan data regulator, National Information Technology Authority, Uganda (NITA-U) into the operations of Guinness Transporters Limited, trading as SafeBoda. NITA-U has ordered SafeBoda to make fundamental reforms regarding sharing of people’s personal data with third parties.

SafeBoda has until the end of May 2021 to amend its privacy notices so that people can be provided with specific and informed consent, in particular, to clearly inform its customers of the third parties it may disclose their personal data to, in accordance with the principle of fairness under section 3(1)(b) of the Data Protection and Privacy Act, 2019. NITA-U further requires SafeBoda to specify safeguards in place for cross-border transfer of personal data.

The regulator’s report is a result of our early 2020 investigation into SafeBoda’s non-compliance with the Data Protection and Privacy Act, 2019. Our report revealed how the transportation app was sharing people’s personal data with third parties without the knowledge and consent of consumers, falling short of fundamental data protection principles. 

NITA-U investigation found that SafeBoda’s Data Privacy Policy and Data Protection Policy versions of 2017 and 2019 respectively, were not transparent and failed to provide information on third-party recipients of users’ personal data. The investigation report concluded that this showed that SafeBoda did not address the non-compliance pointed out by Unwanted Witness in their report, and in order to be in compliance with the Data Protection and Privacy Act, 2019, their policy and practices needed to be amended.

The NITA-U report notes that “it was established that SafeBoda shared its users’ personal data with CleverTap – a data processor that offered Software as a Service for customer lifecycle management and mobile marketing” and “since ‘consents’ relied upon for the disclosure were not specific neither were they informed” as users were not informed about the extent of personal data collected nor the potential disclosure to third parties, NITA-U concluded that this amounted to personal data unlawfully being disclosed to a third party.  The disclosure of its users’ personal data to CleverTap contravened Section 35 of the Data Protection and Privacy Act, 2019 – likely to affect millions of users.

Furthermore, in order to effectively apply its own policy and demonstrate compliance with its obligations and protections of the rights of individuals, in particular the rights to access and to an effective remedy, the report noted the need for SafeBoda to improve its process for access to information requests as well as its incident response and breach management.

Applications like SafeBoda heavily rely on collecting personal data for their operations, meaning that they must have clear policies and practices that meet required data protection standards and principles. The app must provide sufficient information to users to meet the principle of transparency, and provide the user with a choice to opt-out from their data being shared for marketing and analytics purposes.

NITA-U’s maiden data protection investigation report has thus made it clear that the consent relied on by SafeBoda to share customers’ data with third parties was invalid. SafeBoda and other data controllers shouldn’t bundle consent altogether for all purposes but ask users to provide consent in a granular and specific way. This helps users to know what they are consenting to and they are equally offered a choice to object to any processing operations that are not strictly necessary for the provision of the services.
The regulator’s report is a significant step towards restraining data exploitation and protecting personal data in Uganda. We will closely monitor SafeBoda’s implementation of all recommendations made by NITA-U. 

Background.

  • In February 2019, Uganda passed the Data Protection and Privacy Act, regulating the processing of personal data. 
  • Between June 2019 and 2020 Unwanted Witness conducted research assessing the compliance by SafeBoda to the data protection law, international standards, and principles of data protection.
  • In July 2020, UW released the report revealing concerns of personal data exploitation by SafeBoda, whose operations fail to comply with the Data Protection principles of transparency, lawfulness, fairness, purpose limitation, and data minimization.
  • Mid-July 2020, a petition was filed to the Speaker of Parliament against SafeBoda.
  • In August 2020, the Speaker ordered NITA-U through the ministry of ICT to conduct further investigations into concerns of unlawful data sharing.