Is Foreign Malign Influence Inspiring Digital Authoritarianism in Uganda?

By CIPESA Writer |

A new policy brief by the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) on the deteriorating state of digital rights in Uganda examines whether the east African country is drawing inspiration from China for its brand of digital authoritarianism.

Uganda is ranked as “Partly Free” by Freedom House’s annual Freedom on the Net report, with the biggest contributing factor being the repressive laws governing the digital civic space and surveillance, particularly those that enable internet censorship, network disruptions, and deployment of surveillance technologies such as spyware and video surveillance.

China has been a notable source of support in developing Uganda’s digital communication and other infrastructure. For example, Chinese telecom firm Huawei helped set up a video surveillance system for the Uganda Police, and reportedly aided security agencies to spy on political opponents in the country. China has also organised numerous study tours for Ugandan officials and journalists that are centred on popularising its economic and governance systems.

The brief illuminates how China and its model of governance and state surveillance may be influencing or inspiring retrogressive laws and undermining digital rights in Uganda. It explores the legal reforms necessary to advance digital rights in Uganda and the role that legislators, civil society organisations, human rights defenders (HRDs), and journalists should play.

Uganda has mirrored some practices from China, a country which various global indices consider a leading player in digital authoritarianism. While it is not patently clear whether China has directly influenced legislation in Uganda, the brief notes that “it has arguably inspired some of the legal frameworks and practices that fuel digital authoritarianism in the east African country.”

There is ample evidence indicating that African autocracies are exploiting the adoption of Chinese technology and model of internet controls to roll back democratic gains through surveillance and censorship.

China invested more than USD 110 million in Uganda’s National Backbone Data Transmission Project and also supported the National Fibre-Optic Project. There are suggestions that the national backbone and fibre-optic projects are part of a digital infrastructure that has enhanced the Uganda government’s surveillance capabilities that violate the right to privacy and freedom of expression.

China has continually buttressed its influence over Uganda’s social-economic development through the seemingly no-strings-attached loan schemes that have often been acknowledged and praised by President Museveni. This non-interference policy in the internal affairs of other countries allows their governments greater leeway to suppress dissent and democratic processes without facing criticism or repercussions from China.

By contrast, the Uganda government or senior public officials have during 2023 and 2024 attracted sanctions by the United States of America, the United Kingdom, and the World Bank over governance and human rights concerns. As such, the Chinese no-governance-strings-attached model is criticised for emboldening authoritarian tendencies in the countries it partners with.

However, the brief states that claims of China actively seeking to export its governance model and influencing local laws and practices in Africa are often anecdotal and inconclusive. Moreover, such claims and, often, the evidence they advance, assume that African governments are incapable of developing home-grown systems of governance and thoughtlessly rely on models from other continents.

Recommendations

Uganda should resist all foreign influence and models that promote digital authoritarianism and undermine democracy. The country’s laws must respect internationally recognised human rights standards and promote the use of a free, open, and safe internet.

The brief makes several recommendations, such as:

  • Parliament should strengthen legal and regulatory frameworks by amending or repealing regressive and oppressive frameworks to ensure responsible and ethical use of surveillance technology.
  • Parliament should enact laws that specifically protect journalists, whistle-blowers, human rights defenders, and activists from wanton threats, arrests, and prosecutions over legitimate online communications and activism that advances social accountability, respect for human rights, and good governance.
  • Civil society should conduct evidence-based research into the actions of foreign actors and how they adversely impact local laws, policies, and democratic governance.
  • Various stakeholders, including academia, the media, and lawyers, should engage in public interest litigation to challenge provisions in legislation that limit the exercise of digital rights.

See the full policy brief here.

South Africa’s Elections: A Call for Vigilance Amidst the Rising Tide of Disinformation

By Victor Kapiyo |

South Africa is holding its seventh general election today, May 29, 2024. Over 14,000 candidates are vying for seats as part of the 400 members of the National Assembly and at least 445 members of Provincial Legislatures in the nine provinces.

Ahead of the election, misinformation, disinformation and threats to privacy rights have been noted. These capitalise on the issues at stake in the election, such as poverty and economic inequality, unemployment, violent crime, corruption, service delivery failures, difficult race relations, and xenophobia to polarise and shape public opinion. There has been a proliferation of propaganda and doctored news stories, deployment of coordinated trolls, troops and bots of online influencers as part of smear campaigns, and weaponisation of disinformation campaigns for political purposes, which many warn could undermine the integrity of the elections.

A new Policy Brief by the Collaboration on International ICT Policy (CIPESA) reviews how different actors, including political parties, the Independent Electoral Commission (IEC), and social media platforms have leveraged technology to promote a peaceful and credible election. However, the brief also notes that as the internet, social media and technology adoption increase, attacks on information and election integrity could intensify if multi-actor action does not continue to be taken.

The election pits the ruling African National Congress (ANC) against its main rivals, the Democratic Alliance (DA) and the Economic Freedom Fighters (EFF), even as newer parties such as uMkhonto weSizwe join the fray. The country of 60.7 million people has 27.6 million registered voters, of whom 44.7% are men and 55.2% are women.

South Africa has been renowned for its strong and independent judiciary, free press, vibrant democracy, and generally free and fair elections over the years. However, rankings in press freedom have declined due to increased attacks against journalists, especially by politicians, ahead of the elections.

As of 2024, the country had 45.3 million internet users, representing an internet penetration rate of 74%, and 118.6 million mobile connections, equivalent to a mobile penetration rate of 195%. Also, most people in the country are digitally literate, with the average internet user spending over nine hours a day online. Political parties have leveraged online platforms for political advertising and have since January 2024 spent ZAR 4.94 million (USD 269,961) on Google Ads, with the DA and Freedom Front Plus spending 79.8% of this amount. These developments mean that technology and the internet will play an important role in the election period.

Yet disinformation has taken centre-stage in the election. Some of the misleading information has targeted prominent personalities such as politicians and musicians, highlighted racial and xenophobic undertones or misled the public about the elections. For example, a ‘deepfake’ video published on TikTok and X in March 2024, depicted former United States (US) president Donald Trump endorsing the new uMkhonto weSizwe (MK) party. It was debunked by AFP, which found that the clip was an altered 2017 NBC interview with Trump.

On January 19, a viral video from Brazil of two men assaulting another man was disseminated on social media with the claim that the victim was a white farmer and his assailants were linked to the EFF. Another video that went viral on Facebook and WhatsApp in April made a false claim that Mozambican migrants were being issued with ID cards by state agents to vote in Gauteng province. Another post on May 25 on Facebook, claimed that voters must bring their black ballpoint pens to voting stations as they will only be given pencils to vote, and their marks would be erased upon voting. The IEC rejected this claim as untrue.

In addition, there have been attempts to impersonate key election officials on social media, and concerns around voters’’ privacy and data breaches. For example, in January, it was reported that the IEC Chairperson, Mosotho Moepya had been a victim of an imposter on WhatsApp. The imposter had on two separate incidents conversed with unsuspecting officials of political parties purporting to arrange to influence the election.

Ahead of the elections, various stakeholders and groups have been taking action to address the potential threats to election and information integrity. There are commendable efforts such as the adoption of the Principles and Guidelines for the Use of Digital and Social Media in Elections in Africa; the signing of the election code of conduct by political parties and candidates; and the use of digital platforms by the IEC to share information on election results, political party statistics, voter registration, voter information, voter education, and e-learning. South Africa’s Information Regulator also published a guidance note on how political parties and candidates could use the personal information of voters ahead of the elections.

There are also laudable efforts such as the Real411 portal to track misinformation and disinformation; enhanced efforts to act-check by Africa Check and AFP; and measures by platforms such as Google, Meta, and TikTok to promote election integrity, including working with fact-checkers, conducting content moderation and labelling, media information literacy, transparency on political advertising and directing users to reliable and trustworthy information.

From the foregoing, it is clear that the fault lines that have fragmented the unity of the Rainbow Nation are being manipulated in ways that threaten its democracy. Various stakeholders must continue to make concerted efforts to promote a healthy information ecosystem and to defend electoral integrity. Therefore, we make the following recommendations:

We call upon all stakeholders including civil society, the IEC, social media platforms, media, fact-checking organisations, political actors, election observers, and law enforcement to be vigilant before, during and after the elections.

We call upon stakeholders to collaborate in monitoring digital threats to election and information integrity and implement robust responses to combat them whilst protecting digital rights.

We call upon civil society and election observers to document the actions of and hold the government, IEC, social media platforms and other actors accountable for their responses.

We call upon the IEC, political parties, candidates and social media platforms to adhere to the Principles and Guidelines for the Use of Digital and Social Media in Elections in Africa.

Read the full Brief here.

Does Kenya’s Digital Health Act Mark A New Era for Data Governance and Regulation?

By Edrine Wanyama |

In October 2023, Kenya enacted the Digital Health Act which seeks to promote the safe, efficient and effective use of technology for healthcare and to enhance privacy, confidentiality and security of health data. It also provides for the safe transfer of personal, identifiable health data and medical records to and from health facilities within and outside Kenya, and the development of standards for provision of m-Health, telemedicine, and e-learning.

While Kenya enacted the Data Protection Act earlier in 2019, the dedicated digital health law is a positive step towards addressing the potential data privacy challenges related to health data. The law could deliver dividends for the e-health sector by leveraging data and technology to devise interventions and solutions that improve health services delivery.

In a recent brief, CIPESA analyses the Digital Health Act and what it portends for health data governance in Kenya. As the brief notes, if rightly implemented, the law will offer lessons in proper health data governance, while ensuring the rights of data subjects and the principles of data protection are respected and promoted.

The new law is the latest addition to Kenya’s policy and legal initiatives that aim to buttress the health care system including through technology and improved data governance. Others include the National eHealth Policy 2016-2030 and the Guidance Note on the Processing of Health Data developed by the data protection authority.

The Digital Health Act presents an opportunity for strengthening patient data protection while making strides in addressing privacy challenges by emphasising the need to comply with the Data Protection Act, 2019. The law has set the pace for health data governance in Africa as it deals with data related to medical insurance, physician notes and diagnosis, medical records on current and past health history, and health data governance. Appropriate data governance will provide safeguards against breaches and misuse such as in disease surveillance, research and innovation.

Section 4 of the Act emphasises the data principles to be applied to health data: treating health data as a strategic national asset; safeguarding privacy, confidentiality and security of health data for information sharing and use; facilitating data sharing and use for informed decision-making at all levels; and using the digital health eco-system to serve the health sector and to facilitate, in a progressive and equitable manner, the highest attainable standard of health.

Data, including health data, requires specialised agencies to guarantee its protection. The Digital Health Act establishes a Digital Health Agency which is charged with establishing and managing an integrated health information system. The system will ensure quality assurance in the health sector, since it will be guided by data protection principles, scalability and interoperability, efficiency and effectiveness, simplicity and accessibility, and consistency. The Digital Health Agency will potentially promote accountability and transparency in the health sector.

While integrated data and information management systems offer numerous benefits, they also pose risks of abuse and privacy violations, especially during pandemics such as Covid-19, when there was surveillance on individuals based on health data. During the surge of Covid-19, several countries such as Kenya and Uganda adopted measures to contain the virus but with adverse impacts on data protection and privacy. It is imperative therefore that the Digital Health Agency takes all necessary measures to ensure that the Integrated Health Information System robustly guards against unauthorised access, processing, use and transfer of individuals’ private health information within the country as well as across its borders. 

Section 45 on e-Waste Management offers indications in the right direction for the management of e-waste in the health sector. It also provides pointers to promoting the use of sustainable models for e-waste management through public-private partnerships. Nevertheless, in promoting reuse and lifetime extension of e-waste in health data, the law potentially creates opportunities where e-health data may be used unfairly by unscrupulous individuals.

The Digital Health Act is a progressive move towards appropriate regulation of digital health services in Kenya. It points to the relevance of technology in enhancing health care amidst the growing significance of personal data, its protection, management and governance. Other countries in the region could borrow from Kenya’s example to enact similar legislation on digital health and health data governance.

Read the full brief here.

Advancing Sustainable Cross-border Data Transfer Policies and Practices in Africa

By Paul Kimumwe |

Over the years, several African governments have enacted laws and policies that limit cross-border data flows, citing the need to protect national security, promote the local digital economy, and safeguard users’ privacy. The limitations range from complete bans on cross-border transfers of all data to conditional cross-border transfer of specific data, with authorization sought from relevant government bodies.

The legal provisions prohibiting cross-border data transfers are scattered in different legal frameworks in countries such as Ethiopia, Nigeria, Rwanda, and Uganda, whose limitations are contained in their financial services and cybersecurity laws. In Rwanda, for example, Article 3 of Regulation No. 02/2018 of 24/01/2018 on cyber security provides that any bank licensed by the Central Bank must maintain its primary data within the territory of Rwanda. In Uganda, Article 68 of Uganda’s National Payment Systems Act 2020 requires all electronic money issuers to establish and maintain their primary data centre in relation to payment system services in Uganda.

For other countries such as Kenya, Nigeria, South Africa, Tunisia, and Uganda, the limitations are contained within their data protection laws. For example, sections 48 and 49 of Kenya’s Data Protection Act 2019 prohibit cross-border transfer of personal data to a country

lacking appropriate data security safeguards. South Africa’s 2013 Protection of Personal Information Act prohibits cross-border data transfers without the data subject’s consent or unless the foreign country is believed to have adequate safeguards. In Nigeria, sections 41-43 of the 2023 Data Protection Act sets conditions under which cross-border data transfers may occur, such as the requirement for the destination country to have data protection safeguards and consent from the data subject, among other conditions.

Critics of these data localization provisions and practices have often argued that the current data localisation policies and practices are not pro-people as they do not mitigate any genuine cybersecurity or online targeting but instead serve to undermine personal data privacy by facilitating government agencies’ unrestricted access to citizens’ personal data, including for purposes of conducting state surveillance.

These practices do not also conform to the key provisions of the 2019 African Commission on Human and Peoples’ Rights (ACHPR) Declaration of Principles on Freedom of Expression and Access to Information in Africa, which prohibits countries from adopting laws and other measures that criminalize and encryption practices, including backdoors, key escrows, and data localisation requirements unless such measures are justifiable and compatible with international human rights law.

The legal data localization requirements have been identified as the most restrictive and disruptive barriers to international trade, pushing foreign registered businesses to incur extra and unnecessary costs of establishing multiple infrastructures such as local data centres and in each of their countries of operation as opposed to having one center in their country of choice. In addition, the “limited policy and regulatory reforms to facilitate the interconnection of networks across borders, including national and commercial backbones, or supervisory frameworks for data protection, data storage/processing/handling” were identified as additional weaknesses in achieving Africa’s economic potential.

The success of several initiatives, such as the African Continental Free Trade Area (ACFTA) whose mandate is to create “a single continental market with a population of about 1.3 billion people and a combined GDP of approximately US$ 3.4 trillion,” hinges on eliminating trade barriers and the harmonization of cross-border transfers through the amendment of restrictive data localisation policies and practices.

In addition, under the African Union’s Digital Transformation Strategy for Africa (2020-2030), countries are called upon to “promote open data policies that can ensure the mandate and sustainability of data exchange platforms or initiatives to enable new local business models, while ensuring data protection and cyber resilience to protect citizens from misuse of data and businesses from cybercrime.”

On the other hand, the AU Data Policy Framework requires countries to create an enabling legal environment that would achieve and maximize the benefits of a data-driven economy by encouraging private and public investments necessary to support data-driven value creation and innovation. The framework offers guidance on policy interventions to optimise cross-border data flows and harmonise data governance frameworks. In terms of cross-border data governance and transfers, Principle 14(6)(a) of the African Union Convention on Cyber Security and Personal Data Protection prohibits data controllers from transferring “personal data to a non-Member State of the AU unless such a State ensures an adequate level of protection of the privacy, freedoms, and fundamental rights of persons whose data are being or are likely to be processed.”

A critical challenge for the continent is how to translate and localise these initiatives into workable solutions. Most autocratic governments are reluctant to amend their laws to be more open to cross-border data transfers. The reluctance is based on unfounded fears that sending their citizens’ data abroad could increase citizens’ vulnerability to serious security and privacy threats from foreign actors. On the other hand, civil society actors lack the requisite skills and knowledge to proactively engage in strategic advocacy both at national and regional levels. In addition, there is a paucity of evidence-based research on the key issues around data localization, particularly how various countries are implementing their data localisation policies as guided by the AU Data Policy Framework and Digital Transformation Strategy.

Lessons from previous policy advocacy engagements show that national governments are open to progressive policy reforms, as evidenced by the rapid adoption of data protection laws, particularly if they trust that such measures will not injure their national interests.

Key Interventions

Even with this promise and the abundance of international and regional frameworks to guide the adoption and implementation of progressive national data governance frameworks, interventions would require the adoption and implementation of multiple and mutually reinforcing strategies such as (a) building research and advocacy capacity of digital rights and data rights actors; (b) undertaking research and policy analysis; and (c) engaging in national and regional policy processes on data governance regulation, particularly that related to cross-border data flows and harmonisation of data governance frameworks.

Building on the success of her previous work on data governance and engagement with the AU Union Data Policy Framework, under the current project, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) is continuing with regional engagements as well as working in our countries – Cameroon, Ghana, South Africa, and Uganda, to build the capacity of country-based research partners as well as generate evidence that addresses fears that informs states’ restrictive regulatory stances, shows benefits of free data flows and policy harmonisation.

1. Capacity Building in Research and Advocacy

Central to CIPESA’s interventions is the need to generate a critical mass of engaged actors that understand the cross-play of national and regional policy frameworks on data regulation and their implication for data policy harmonisation and national policy and practice. Further, these actors will need the skills to research and produce evidence to inform engagements with actors such as policymakers and to conduct effective, collaborative advocacy to inform policymaking.

2. Research and Policy Analysis

CIPESA also supports country-based research partners to produce and communicate research-based commentaries, briefs, policy analyses, and think pieces on data localisation regulation and cross-border data policies and advocate for flexible cross-border data flows and respect for data privacy. These outputs will inform engagements with policymakers at national and regional levels and with multilateral treaty bodies that mandate data protection and monitor privacy and data rights.

3. National and Regional Advocacy and Engagement

The third strand involves strategic deployment of the published commentaries, analyses, and think pieces to attract the attention of state and non-state actors and form the basis of deliberations on how to improve the policy and practice around data governance in the region, notably on cross-border data flows, data harmonisation, and the need to embrace the AU Data Policy Framework. The advocacy will target national actors, such as data regulators, telecom regulators, and policymakers, as well as regional entities, such as the African Union, the African Commission on Human and People’s Rights, and regional regulators’ and telecom operators’ associations such as Compassionate Rural Association for Social Action (CRASA) and East African Communication Organisations (EACO).

By building on pivotal and live continental initiatives such as the AU Data Policy Framework, the Digital Transformation Strategy for Africa, and the African Continental Free Trade Area (ACFTA), and working at regional and four-country levels through a multi-sector network of actors, CIPESA hopes to generate evidence that demystifies the unfounded fears used by states to engage in restrictive cross-border data regulatory policies and practices while demonstrating the benefits of free data flows and proposing harmonisation measures.

The article was first published by CIPESA’s partner NIYEL on April 22, 2024.

The Pursuit for Digital Security among Women Journalists in Uganda

By Juliet Nanfuka |

The media sector in Uganda has grown exponentially since its liberalisation in the 1990s, which saw a shift away from state-owned media to the pluralism of print media, radio and television stations and the eventual entry of digital media at the turn of the century. Yet despite this, women journalists appear to have remained on the periphery of the media industry and, in more recent times, are bearing the brunt of a society that continues to make attempts at muting them, particularly through online spaces.  

The Human Rights Network for Journalists (HRNJ) in Uganda has documented a concerning rise in violations and abuses against female journalists between 2017 and 2022. Although there was a slight decrease in incidents in 2020 and 2021, there was a resurgence thereafter, with reported cases increasing to 17% in 2022 compared to 12% in 2017. These abuses have included  instances of sexual and gender-based harassment of female journalists while at work and in the field, as well as  attacks in online spaces.

Indeed, research shows that the attacks experienced by women journalists in online spaces include sexist comments, age, and body shaming, as well as character assassination. Further, stories related to politics triggered more attacks than other beats as perpetrators accuse journalists of being politically biased. More recent developments have seen these attacks further exacerbated by the increasing use of artificial intelligence and the ease of access to bots.

Yet, women journalists who experience abuse online rarely seek justice and often struggle to have their complaints taken seriously and properly investigated. Thus, according to a study by UNESCO and the Collaboration on International ICT Policy for East and Southern Africa (CIPESA), the full extent of online violence against female journalists remains unknown However, there are numerous illustrative cases that indicate that Technology Facilitated Gender Based Violence (TFGBV) against women journalists is a growing problem not only in Uganda, but across the continent.

At a workshop hosted in March 2024, by UNESCO and CIPESA to further insights and awareness on the  State of Media Freedom and Safety of Journalists in Africa participants narrated their online experiences on trolling, attacks, threats and concerns about surveillance and limited practical skills or legal recourse in how to navigate incidents. Some participants noted that they had withdrawn from social media spaces, and limited their interactions only to closed platforms such as Whatsapp, while others indicated high levels of self-censorship in the nature of the content they posted.

Additionally, there was a common concern regarding the uncertainties surrounding various aspects of the Internet. This included discussions about the protective measures implemented by platforms, such as the prompt takedown of malicious or harmful content once reported.

Present at the workshop were 40 participants representing a mix of radio and television stations, print media and online content creators based in Kampala. Speakers at the workshop included Jan Ajwang, Projects Manager at Media Focus on Africa, Isabella Akitung, a Human Rights Policy Consultant, Jimmy Haguma, the Head of Electronic Counter Measures at Uganda Police, and Rehema Baguma, an Associate Professor of Information Systems, Makerere University and Sylvia Musalagani, Head of Safety Policy  Africa, Middle East and Turkey at Meta.

Each speaker made distinct contributions to the workshop, including a call for the plight of rural-based journalists in Uganda to be recognised when it comes to TFGBV, the recognition of the impact that online attacks have not only on victims but on the broader community of existing and aspiring women journalists, and the continuing efforts of the Uganda Police in addressing technology-related affronts to women and girls in the country.

Similarly, it was noted that Meta is working on its proactive detection and removal of harmful content in a bid to improve the experiences of more women across its different platforms. However, the growing pervasive use and presence of AI amongst more users remains a concern that more users should be aware of and pursue more proactive measures to better detect its presence in misinformation and disinformation narratives.

Meanwhile, running concurrently with the discussion was a Digital Security Cafe which entailed tailored practical responses to the digital security concerns that the participants had about their phones and laptops.

This practical support served as an extension of CIPESA’s digital resilience work in Africa, which includes the provision of the Digital Security Hub at the annual Forum on Internet Freedom in Africa (FIFAfrica),  the Road to FIFAfrica annual digital security campaign and an ongoing digital security assessment for human rights defenders in Uganda.

The workshop was hosted in partnership with the Media Challenge Initiative and the Uganda Radio Network. Similar workshops and Digital Security Cafe’s are planned for women journalists, media practitioners, and content producers in Ethiopia and Tanzania as part of efforts aimed at bridging this work between Women’s Day and World Press Freedom Day.