Predominant Data Protection and Privacy Concerns ahead of the 2021 General Elections in Uganda
On Thursday, 7th January 2021, images containing the personal data of Ugandan presidential candidate Robert Kyagulanyi’s children were shared across various social media platforms. This violated the children’s and privacy rights as their personal data was shared without the consent of their parents. It also amounted to a violation of several provisions of the Data Protection and Privacy Act 2019 by the Immigration Department/officers at Entebbe International Airport who in this case were data collectors and/or data processors. These actions raise key concerns about the citizenry’s privacy rights and expectations, especially as the electoral process approaches its climax. This article thus offers insight into the privacy and data protection issues that ought to be considered during the electoral process.
Privacy and data protection violations have featured in Uganda’s past elections. In the run-up to the 2016 election, Unwanted Witness, a non-profit focused on privacy rights, documented how the telecom company MTN had sent its 10 million subscribers an unsolicited pre-recorded voice note of the President without their consent. A biometric voter verification system was also deployed within the election. Apart from the constitutional guarantee of the right to privacy under Article 27, there was no other legal provision to support the use of such a system within the election and, most importantly, to govern the user information and data collected during the process. Judging from both current state and individual actions, the 2021 general elections promise to be no different if the governing laws are not applied.
First, it is important to understand how we got here. After the 2016 elections, the Supreme Court recommended that a law be enacted to regulate the use of technology in the conduct and management of elections. As such, parliament amended the Electoral Commission Act in 2020. Under Section 12 of the amendment, the commission was granted exclusive powers to adopt technology to manage elections. Additionally, the parliament enacted and passed the Data Protection and Privacy Act of 2019 to ensure user privacy and data protection. As a result, the conduct of 2021 has been the most technology-reliant election, in part due to these enabling laws.
However, it is important to understand that using technology in the context of an election involves collecting, storing, and processing sensitive user information such as voters’ names, age, National Identification Numbers (NINs), and addresses. This sensitive personal information is defined as “personal data” under Section 2 of the Data Protection and Privacy Act. Data subjects are the individuals from whom this personal data is requested, collected, collated, processed, or stored under this Act. Most importantly, the act grants these data subjects the right to exercise control over their data, including consent to its collection and processing or requesting the correction and deletion of personal data. Therefore, citizens are entitled to know what personal data is being collected and how it is being used, especially at every electoral process stage.
Indeed, the Electoral Commission has adopted and used technology for voter registration, verification and will employ it to transmit results. Political parties have also used social media platforms and tailored campaign applications. However, there is still a lot to be desired regarding the compliance and enforcement of the data and privacy laws based on the lack of a strong institutional, infrastructural and implementation framework. For example, the negligent handling of personal data has already been reported in the distribution of voter location slips, containing information about a voter’s name, NIN, voter number, date of birth, and photo. Whereas each voter is personally supposed to collect his slip, in many areas, politicians and their agents have been picking the slips allegedly on their supporters’ behalf — even without their consent. This raises legitimate fears that voters’ data may be misused by those who fraudulently collect it. The negligent distribution also threatens to disenfranchise voters if they fail to obtain their voter location slips or are easily impersonated on polling day. Additionally, there has been a drastic increase in calls to install and use applications within or outside the main application stores purportedly for independent vote tallying purposes.
To preserve the election’s credibility and protect themselves from liability arising from the infringement of the right to privacy and breaches relating to personal data, the Electoral Commission and the political parties, as data controllers and/or collectors, must ensure personal data integrity in their possession by adopting appropriate measures to prevent the loss, damage, or unauthorized destruction and unlawful access to the personal data. However, the absence of clear guidelines on how each of the aforementioned entities safeguards the data collected and ensures that the data is used for the intended purposes presents a huge likelihood of potential misuse of the citizenry’s information as we approach the polling days.
As evidenced by the episode of presidential candidates Kyagulanyi’s children’s privacy violation, we all are susceptible to privacy breaches despite the enacted laws in place. However, persons seeking to enforce their right to privacy or who suffer damage or distress due to the misuse of their personal data can seek remedy or redress, including compensation through a court of competent jurisdiction. The Data Protection and Privacy Act prescribe three offenses that carry fairly heavy punishments, including conviction to a fine of up to two hundred and forty-five currency points (UGX 4,800,000) or imprisonment not exceeding ten years or both. These offenses are: unlawfully obtaining, disclosing, or procuring the disclosure to another person of personal data held by a data collector, data controller, or data processor; unlawfully destroying, deleting, misleading, concealing, or altering personal data; and selling or offering for sale any personal data.
As the electoral process heats up, we hope the citizens and electoral stakeholders comprehend and comply with the Data Protection and Privacy Act.
Many thanks to Moses Namara with whom this article was jointly written.
