MAKERERE UNIVERSITY

SCHOOL OF LAW

COURSE UNIT: COMPUTER AND THE LAW

COURSE CODE: L4219
REG NUMBER: 18/U/13849/EVE
STUDENT NO: 1800713849
YEAR OF STUDY: YEAR 4, SEMESTER 2
DATE: 15TH JULY, 2022
In Uganda, the right to privacy is enshrined in Article 27 of the constitution which provides that

a person shall not be subjected to interference with the privacy of that person’s home,

correspondence, communication or other property. And was further buttressed with the

enactment of the Data Protection and Privacy Act, 2019 that provides for the protection of the

privacy of the individual and of personal data by regulating the collection and processing of

personal information. It marked a milestone as Uganda became the first country in East Africa to

pass a data protection law.

The law provides for the legal rights of persons whose data is collected and the obligations of

data collectors, data processers and data controllers, as well as regulating the use or disclosure of

personal information.

Prior to the enactment of the Data Protection and Privacy Act, Uganda did not have

comprehensive data protection legislation. What was relied on was mere piece-meal legislation

touching on privacy and generally interpreted to even cover cases of data protection since the

main aim of data protection is to ensure the protection of privacy of the individual. Article 27 of

the Constitution has been used to protect privacy (including data) in Uganda albeit with some

major challenges as can be seen in the case of Human Rights Network for Journalists Uganda

Limited & Legal Brains Trust (LBT) v. Uganda Communications Commission (UCC) &

Attorney General1, the High Court missed out on the opportunity to clarify on Uganda’s law in

respect of rights of the data subject, data processor, data controller and data collector.

The government had passed several other laws and policies that contained several provisions that

permitted the collection and processing of personal data, including biometrics, without proper

safeguards.

1
Misc. App. No. 81 of 2013 Arising out of Misc. Cause No. 219 of 2013
These included the Regulations of Interception of Communications Act, 2010 that requires,

under section 9(2), telecommunication service providers to ensure that existing subscribers

register their SIM cards within the period of six months from the date of commencement of the

act.

The other is the Registration of Persons Act, 2015 that sought to harmonise and consolidate the

law on registration of persons; to provide for registration of individuals; to establish a national

identification register; to establish a national registration and identification authority; to provide

for the issue of national identification cards and aliens’ identification cards and for related

matters.

Unfortunately, it was not until August 2020 that the government issued the first draft of the Data

Protection and Privacy Regulations that specify and give effect to the application of the Act.

But even without the enabling law and regulations, there was some successful litigation against

the infringements on the right to privacy and data protection.

In May 2020, the High Court at Kampala ordered The Pepper Publications Ltd, the publishers of

tabloid newspapers Red Pepper and Kamunye to pay to former Oyam South MP and Former

LRA Commander Dominic Ongwen’s lawyer Krispus Ayena Odongo UGX 75 million (USD

20,000) as compensation for violating his privacy and dignity when they published in 2016

leaked photos of him having sex with an unnamed woman.

Uganda issued the Data Protection and Privacy Regulations, 2021 on the 12th of March 2021

which were intended to implement the Act and provide for a number of forms to bree used to

take certain types of actions.

Uganda is a signatory to several international and regional instruments that provide for the

protection and promotion of the right to privacy and data protection. These include the Universal
Declaration of Human Rights (UDHR) under article 12, International Covenant on Civil and

Political Rights (ICCPR) under article 17, United Nations Convention on the Rights of the Child

(UNCRC) under Article 16, among others. And therefore the influence on the development of

data privacy protection law in Uganda can be said to come from mainly the influences of

international covenants, African Union, the OECD guidelines, the EU General Data Protection

Regulations, and the EAC.

Other Countries in Africa that have enacted comprehensive personal data protection legislation

include, Angola, Benin, Burkina Faso, Cape Verde, Gabon, Ghana, Ivory Coast, Lesotho,

Madagascar, Mali, Mauritius, Morocco, Senegal, Seychelles, South Africa, Tunisia etc.

It has been stated in the question that Uganda has one of the best laws on data privacy in Africa,

but to assess the goodness of the Data Protection and Privacy Regulations of Uganda, we have to

measure how the regulations have protected the rights enshrined in the 1995 Constitution, how it

realizes the aspirations of the people, and to what extent it conforms to the international set

standards. And this is discussed below;

The Data Protection and Privacy Regulations of Uganda elaborate on the Rights and duties of

Data Subjects, Data Controller, Data Processor and Data Regulator provided in the Act.

Data Subjects have their rights and obligations elaborated under part vii of the regulations which

include regulations 34 to 39, these include; a right to know about what information is held about

them, right to correction or eraser in respect of inaccurate data, prevent use of their data for

purposes of direct marketing, prevent processing of personal data, access their personal data, and

they have a duty to inform data collector in case data is needed, keep data accurate, notification

of the data collector in case change of information.

Data collection and processing is provided for under part iii of the regulations including

regulations 10 to 12. Also part V provides for registration of data collectors, data processors and

data controllers under regulations 15 to 28.

Part II of the Regulations under regulations 3 to 9 elaborate on the aspects concerning the data

regulator who is the personal data protection office established under regulation 3.

The Regulations also provide for complaints resolving mechanisms under part IX which

elaborates on complaints and investigations in regulations 40 to 46. This helps in the upholding

of the rights of the data subjects and keeping the data handlers in check.

This elaboration by the Regulations on the aspects of data subjects, data controller, data

processor, and data controller is a promotion of the right to privacy (including data protection)

enshrined in the 1995 Constitution, and international conventions for example, under Article 9 of

the African Union Convention on Cyber Security and Personal Data Protection (also referred to

as the Malabo Convention), state parties are required to provide for the establishment of a

national data protection authority/office, which is independent and is responsible for ensuring

that the processing of personal data is done in accordance with the provisions of the convention.

The Data Protection and Privacy Regulations 2021 are a reflection of both the OECD principles

and the EU General Data Protection Regulations which are the recognized standard principles of

data protection.

The OECD guidelines are classified as the eight (8) basic principles of data protection, which are

worth noting and which almost every data protection law must have as core minimum standards

to abide by. Uganda Data Protection and Privacy Regulations follow the standard of the OECD

and it’s based on this standard. These principles are the same as those embedded in the EU

General Data Protection Regulations, and these include; Collection Limitation Principle, Data
Quality Principle, Purpose Specification Principle, Use Limitation Principle, Security Safeguards

Principle, Openness Principle, Individual Participation Principle, and Accountability Principle.

Although non-binding, the OECD Guidelines have had a tremendous impact on the development

and enactment of data protection laws not only among members of the OECD but the world

over. Indeed, the Guidelines have been a trailblazer for not only the OECD members but also

non-members, Uganda inclusive. These principles are embedded in section 3 of the Data

Protection and Privacy Act 2019, and articulated in the Regulations for example regulation 34(1)

articulates collection limitation principle, regulations 31, 32, 33 articulate security safe guards

principle, regulations 29(1)(a), 39 articulating data quality principle, accountability principle

under part ii of the regulations, among others. This reflection of the principles indicates

fulfilment of protection of data privacy of the people enshrined in the various Ugandan statutes

in particular the 1995 Constitutrion.

The Data Protection and Privacy Regulations 2021 elaborate on international transfer of data.

One of the key highlights of the data protection regulations is that it guarantees international

transfer of personal data. Such transfer is not only regional, but can be continental or even

intercontinental. This is elaborated under regulation 30 which is to the effect that where a data

processor or data controller processes personal data outside Uganda, the data processor or data

controller shall ensure that the country in which the data is processed has adequate measures in

place for the protection of the personal data, which are at least equivalent to the protection

provided by this Act.

The United Nations set the standard, as recent as 2011, in which it calls upon all its members to

protect personal data as a form of respect for the right to privacy including developing

comprehensive guidelines and rules on not only automated data files but also cross border and
international transfer of personal data. Therefore, regulation 30 fulfils Uganda’s obligation to the

international covenants and to the citizens’ protection of their right to privacy including data

privacy.

As discussed, the Regulations are progressive and comes at a time when government and other

private entities are engaged in massive collection and processing of personal data. The law also

ticks most of the boxes of international human rights instruments on privacy and data protection,

such as the UDHR and ICCPR.

The law does not only reflect the generally accepted international standards, but also takes care

of the Ugandan and African values to Data Protection and privacy.

However, the Regulations fall short of the human rights-based approach, specifically on

participation as there was limited participation in terms of wider consultations. The regulations

are also yet to be translated and widely disseminated.

There are also some concerns on the independence of the personal data protection office as

evidenced by regulation 6. The data protection and privacy regulations do not provide for

independent financing of the office.

Also factors outside the legislations affect the application and implementation of the

Regulations.

Nonetheless, the Data Protection and Privacy Regulations is one of the best laws on privacy in

Africa as illustrated above as what’s written in the regulations, with good implementation yields

the best protection envisaged by both the Act and the Regulations.
BIBILIOGRAPHY.

1. Data Protection and Privacy Act, 2019

2. Data Protection and Privacy Regulations, 2021

3. Internet Society & Commission of the African Union. (2018). Personal Data Protection

Guidelines for Africa.

https://www.internetsociety.org/wp-content/uploads/2018/05/AUCPrivacyGuidelines_20

18508_EN.pdf

4. Kimumwe, P. (2020). Media Regulation and Practice in Uganda: A Journalists

Handbook, 2nd ed. https://www.scribd.com/document/226805466/Media-Regulation-

and-Practice-in-Uganda-A-Journalists-Handbook

5. Kakungulu-Mayambala R, Data Protection and National Security: analyzing the Right to

Privacy in Correspondence and Communication in Uganda, HURIPEC Working Paper

No. 25, 2009.

6. Kakungulu-Mayambala R, Examining the Nexus Between ICTs and Human Rights in

Uganda: A Survey of Key Issues, East African Journal of Peace & Human Rights, Vol.

16, Issue 1, 2010

7. Parliament of Uganda. (2018). Report of the Sectoral Committee on Information,

Communication Technology and National Guidance on the Data Protection and Privacy

Bill, 2015. https://parliamentwatch.ug/wp-content/uploads/2019/11/ICT3-18-Report-

onthe-Data-Protection-and-Privacy-Bill-2015-1.pdf

8. Sendi, B. K. (2019, June). Uganda: Overview of the Data Protection and Privacy Act,

2019. Data Guidance. https://www.dataguidance.com/opinion/uganda-overview-data-

protection-and-privacy-act-2019