Recent Developments in Telecoms Regulation Threaten Online Rights in Uganda

By Edrine Wanyama
In April 2017, the parliament of Uganda gave the minister in charge of Information and Communication Technologies (ICT) powers to single-handedly make regulations that govern the telecommunications sector. Hitherto, regulations proposed by the minister had to receive parliamentary approval.
The Uganda Communications (Amendment) Bill (2016), which parliament passed on April 6, 2017, means that making regulations for the telecommunications sector is the sole preserve of the minister. Among others, such regulations relate to licensing and fees, operator obligations, competition, consumer rights and protection. It is for this reason that the newly passed law, which was gazetted back in February 2016 when still a bill, faced criticism from civil society.

  “The Minister may, after consultation with the Commission and with the approval of Parliament, by statutory instrument, make regulations for better carrying into effect the provisions of this Act.” Section 93(1) of the Uganda Communications Act 2013

  “The Minister may, after consultation with the Commission, by statutory instrument, make regulations for better carrying into effect the provisions of this Act.” Section 93(1) of the Uganda Communications (Amendment) Bill (2016)

The authority, Uganda Communications Commission (UCC), was set up in 1997 by the now repealed Communications Act, Cap. 106 (section 3) and is now established by the Uganda Communications Act, 2013 (section 4) (the Act) as the regulator of the communications sector, but has since inception faced criticism over lack of independence from the government. The Act gives extensive powers to the minister of ICT, including to appoint the commission’s executive director and board members and to approve its budgets.

Meanwhile, there are growing concerns about mass surveillance, particularly in the absence of a data protection and privacy law to safeguard citizen data collected by the state and private parties. These are further aggravated by the haphazard implementation of laws which have an impact on citizens’ communications.
On April 12, 2017, the telecom industry regulator Uganda Communications Commission (UCC) announced a seven-day deadline for subscribers to update their registration details using national identity (ID) cards in a move reportedly to address cybercrime. Mandatory SIM card registration has been in force since March 2012. At the time of the original deadline for conclusion of the exercise in August 2013, the commission reported that 92% of SIM cards were registered. However, investigations into past and recent crimes have revealed the continued existence and use of unregistered SIM cards.
The April 12 directive raised concerns about the conflicting requirements for the validation of SIM cards, with subscribers pointing out that various other forms of identification other than a national ID should be recognised. Pursuant to the Regulation of Interception of Communications Act 2010, Section 9(1), SIM card registration requires the subscriber’s full name, residential address, business address, postal address and identity number as contained in an identity document. Other forms of identification that have previously been used by subscribers have included employer identity cards, driving licenses, students’ identity cards and passports.
However, following an interim order as well as public statements by the Uganda Law Society and other stakeholders, the Prime Minister issued a directive extending the SIM card verification and validation deadline for a month to May 19, 2017.
The SIM card registration exercise has attracted criticisms from human rights defenders who claim it violates freedom of expression and goes against Article 27 of the Constitution, which guarantees the right to privacy, by possibly enabling mass surveillance of communications. Further, the absence of a data protection and privacy law continues to expose citizens’ data which is increasingly and now repeatedly being collected by the state. There is accordingly no guarantee that personal data will not be unlawfully processed and used.
Over the past year, national security has been cited as the basis for directives by the UCC including instructions given to telecommunications service providers to enforce two social media shutdowns during 2016.
Although Uganda has signed and ratified the African Charter on Human and Peoples Rights and also fully subscribes to the international bill of rights, specifically the Universal Declaration for Human Rights and the International Covenant on Civil and Political Rights, there are repeated affronts to the rights enshrined in these instruments.
It is for this reason that the Collaboration on International Policy for East and Southern Africa (CIPESA) calls for the following actions to be taken:

  1. The Government should adopt a multistakeholder approach in decisions affecting the ICT industry in Uganda. Decisions that affect the rights of citizens should be evidence-based and reached in consultation with other stakeholders including academia, civil society, media and the private sector.
  2. The Parliament should immediately pass the Data Protection and Privacy Bill, 2015 subject to the proposed amendments from the citizenry.
  3. Government should harmonise the implementation of laws pertaining to registration of data of citizens, refugees and non-citizens in Uganda, including the Regulation of Interception of Communications Act (2010) and the Registration of Persons Act (2015).
  4. There is a need to reinstate the oversight role of the Parliament over the Minister for ICT in making regulations for the ICT sector. Failure to do so will leave excessive powers within the ambit of the minister and resultantly, lead to abuse.

Read more on the State of Internet Freedom Uganda 2016.
 

CIPESA Convenes Journalists to Discuss Uganda’s Data Protection Bill

By Esther Nakkazi
Ugandan citizens’ personal data may be at risk of misuse if the Uganda Data Protection and Privacy Bill (2014) to be tabled before parliament is passed in its current form. Currently, large entities like telecommunications service providers, insurers, hospitals and even schools retain the information of millions of citizens who remain unaware of how secure their information is, especially as more of it becomes digitised.
While Uganda called for comments to the Bill in late 2014, little progress was made on it over the course of 2015. According to Gloria Katuuku from the Ministry of ICT, the comments received have been incorporated into a revision of the bill. “We brought this Bill before the public so that we get conclusive remarks. The bill has been gazetted and will be tabled in parliament, meaning at this time we shall just compile the concerns,” said Katuuku. She was speaking at a workshop convened by the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) where Ugandan parliamentary journalists discussed data protection and privacy with reference to the bill.

CIPESA Policy Officer being interviewed by journalists

The workshop was organised in conjunction with the Uganda Parliamentary Press Association (UPPA) and aimed to create awareness among parliament journalists about clauses in the proposed law that contravene citizens’ rights, including to privacy. Few journalists were aware that government had drafted the law and called for robust media engagement with Members of Parliament so as to generate debate on data protection and privacy issues.
The former Chairman of parliament’s ICT Committee, Edward Baliddawa, said the data protection law should have been the basis for other cyber laws in Uganda. He added that as the country edges towards e-commerce, such as business process outsourcing, there is a need to regulate data controllers.
“This Bill is good for our safety and privacy as individuals and to become an e-commerce country,” he said. However, he also called for continuous engagement with all stakeholders across the lifespan of the bill – drafting, tabling to parliament and any eventual amendments.
Although existing laws such as the Electronic Signatures Act, 2011, the Computer Misuse Act, 2011, the Regulation of Interception of Communications Act 2010 and the Communications Commission Act 2013 cover aspects of data protection and privacy, they contain contradictions and potentially expose users’ information to unwarranted access and misuse by authorities. Lillian Nalwoga, CIPESA’s Policy Officer, said of the laws: “These laws have broad terminologies that should be amended to repeal contradictory provisions and this can be done within the Data protection and Privacy Bill, 2014 in the contexts of data users and collectors, and to prevent abuse.”

See this Overview of How ICT Policies Infringe on Online Privacy and Data Protection in Uganda

But the proposed data protection and privacy law that is meant to address privacy of citizens’ communications and data still has ambiguous terminologies, unclear definitions and arbitration issues that will negate its purpose.
According to CIPESA officials, the drafting phase should further engage with and seek consultations with different stakeholders including civil society, private sector, the media and academia for an extended period prior to tabling it before parliament. This would ensure that the law passed “is inclusive, accommodative and addresses the concerns raised by all the stockholders,” said Wakabi Wairagala, the head of CIPESA.
At the workshop, CIPESA officials referred journalists to various areas of concern in the draft bill including some of its ambiguous terminologies, such as Section 4 (2) which states that personal data may be collected or processed where necessary for ‘national security’ or for the ‘proper performance of a public duty’ by a public body. However, these words can be misinterpreted and leave room for the access to and abuse of citizens’ information.
Meanwhile, Section 7 (2) says data can be collected from another person, source or public body in certain circumstances without the consent of the owner. The length of time that the collected personal data can be retained is also not indicated. Section 14 (1) states that the data cannot be held for a period longer than is necessary and says it will be retained for national security purposes.
Overall, the bill does not explicitly state what constitutes a ‘privacy infringement’, thereby leaving users’ data open to abuse by data collectors and processors. It also does not state the procedures for citizens to access their data.

See CIPESA’s review of the Bill: Reflections on the Draft Data Protection and Privacy Bill