The latest decision by the data privacy regulator in Uganda[1] (NITA-U) is instructive for technology companies in Nigeria, for the NITDA[2] and for data privacy regulators across Africa. The decision is based on a report issued by a civil society organisation, Unwanted Witness, indicting Safeboda, a tech-enabled motorcycle transport company with operations in Nigeria and Uganda for certain data privacy breaches. Amongst others, the report alleges that Safeboda was illegally sharing the personal data of its users with Facebook. The NITA-U conducted an investigation into the affairs of Safeboda ( the “Investigation”) and reached a Decision.

Here are a few learning points from the Decision:

(1) Despite the fact that the NITA-U reached a number of conclusions that Safeboda contravened provisions of the extant Data Protection & Privacy Act, (the “Ugandan DP Act”) the NITA-U did not take an immediate decision to impose a fine on Safeboda[3] or to prosecute Safeboda.

(2) Instead, the NITA-U directed Safeboda to address all areas of non-compliance within a 4-month cure period and to submit an action plan within a 2-week period from the date of the Decision or risk prosecution. This is, in our view, an instructive point of reference for data privacy regulators in Africa.

(3) The approach of NITA-U is commendable because NITA-U decided to provide Safeboda the opportunity to cure the identified breaches. This is good regulation and what we consider to be the better approach to enforcing data privacy regulation giving the emergent state of infrastructure in Nigeria as well as evolving nature of data privacy regulation in Africa. We think that, at the minimum, offending persons should be made to pay a percentage of the costs incurred by the regulator in empanelling an investigation However, it is also important for regulators to take into consideration the overall circumstances of a matter in coming to a decision on whether or not to impose a fine or to prosecute a breach. In our view, the imposition of fines or prosecution should not always be the primary occupation of regulators or civil society.

(4) This approach appears to be in consonance with the approach under Nigerian data privacy laws, which allows Nigeria’s data privacy regulator to generally impose fines for data privacy breaches. However, the quantum of fines that can be imposed is, by law, based on the:

      • nature, gravity and severity of the breach;
      • the number of data subjects affected;
      • damage suffered by data subjects;
      • opportunity for curtailment left unexplored;
      • whether the breach is the first by the offending entity; and
      • national security, cohesion and sovereignty

(5) In its decision, the NITA-U took specific notice of the following facts and it appears that these facts operated in the mind of the NITA-U in providing Safeboda with an opportunity to first self-remediate.

(a)The fact that Safeboda was cooperative during the Investigation;

(b) The fact that Safeboda had developed an improved data protection and privacy   policy at the time of the Investigation;

(c) The fact that Safeboda had made an effort to adhere to best practices in terms of its data protection policies; and

(d) The fact that Safeboda had made efforts to create awareness to its staff on the provisions of the Ugandan DP Act.

(6) The approach of the Unwanted Witness in providing a comprehensive investigative report to support its allegations is commended to civil society. We believe it meets with good industry practice for civil society organisations to provide rational bases for data breach allegations and to afford local data privacy regulator the opportunity of a technical review before filing an action in court. Our view is that this approach will significantly elevate the discourse and intellectual bearing of the practice of data privacy.

(7) Whilst the Ugandan DP Act specifically prohibits  the sale or offer for sale of personal data[4], there is no such express provision in the Nigeria’s data privacy laws.

(8) Under Nigerian law, it would possible for a civil society organisation to seek an order of mandatory injunction from the courts, mandating a regulator, in the shoes of the NITA-U to prosecute Safeboda based on the finding of the NITA-U in the Decision, that Safeboda contravened the provisions of section 35 of the Ugandan DP Act, in failing to obtain specific consent for sharing the personal data of its users with data analytics firm, Clevertap.

(9) The Decision highlights the requirement under Nigerian data privacy laws for companies to conduct annual data privacy audits and to file the reports of such audits with the NITDA and the need for Nigerian companies  to comply with the obligation to file an audit report before the deadline, that is March 15, 2021.

 

 

Balogun Harold is a licensed Data Protection Compliance Organisation. Balogun Harold conducts data privacy audits and provides protective litigation support to corporate entities before administrative tribunals and courts dealing with data privacy breach allegations. For enquiries, please reach out to support@baloguhnarold.com

[1] National Information Technology Authority, Uganda, popularly referred to as “NITA-U”

[2] NITDA is the local data privacy regulator in Nigeria

[3] Section 35 of the Data Protection & Privacy Act, 2019 in Uganda imposes an imprisonment term of up to 10 years ( or an option of a fine of not less than 240 currency points) or both for unlawful disclosure of personal data. One currency point is equal to 20,000 shillings

[4] Section 37