Information Is The New Oil

While privacy/data protection is not always directly mentioned as a separate right in constitutions, nearly all States recognize its value as a matter of constitutional significance. Although this right is enshrined in Article 27 of the constitution, the applicability and enforceability of the right is a laughable notion in Uganda.

Data is defined as information which is being processed by means of equipment operating automatically in response to instructions given for that purpose.

Because Uganda lacks express legislation for Data protection, the terms of data protection are dependent on the contract that the parties have entered into. The disclosure and non-disclosure of data would thus depend on that contractual relationship or the existence of a privacy policy.

The Government of Uganda, through the Ministry of Justice and Constitutional Affairs with support from the National Information Technology Authority Uganda (NITA-U), has tried to bridge this gap by preparing a law meant to protect the privacy of Ugandans in cyberspace. The “Draft Data Protection and Privacy Bill” is aimed at protecting the privacy of the individual and of personal data by regulating the collection and processing of personal information, and at providing for the rights of the persons whose data is being collected and the obligations of the data collectors and processors.

It also aims to regulate the use or disclosure of personal information and for related matters. Generally, this draft law is aimed at empowering Ugandans to have control over their personal information such as texts, images, sounds, and software.

The Bill comprehensively provides for: the rights of persons whose data is collected and the obligations of data collectors and data processors; and governance measures and procedures to administer, receive complaints and settle disputes.

It also provides for: guidance for data controllers and processors to protect data subjects; an enforcement mechanism that will allow individuals to enforce their rights; and remedies for infringement of the rights of individuals.

The draft Bill further requires that data subjects should be informed of: who the data controller is; the purpose of collecting the data; how long the data will be kept; and any third parties to whom the data will be disclosed.

The draft Bill recognizes the ownership rights of a data controller, data processor and data collector.

Generally, the existing law does not provide for a reasonable balance between ownership rights which prevent third parties from using data on the one hand, and access rights which grant access to data on the other hand.

There is also a dire need to bring the data protection law into force. This is aggravated by the proliferation of e-commerce websites, which pose a big risk to data and computer security. Legislators must consider this threat if we are to get a comprehensive law that covers computer and data security.

Defining “computer security” or data security is not as trivial as it makes itself out to be. The difficulty lies in developing a broad definition that encompasses all the areas of data security, which cuts across what data is and whether it can actually be secured in either a physical way or a “technological” way.

In a generic sense, security is “freedom from risk or danger.” In the context of computer science, security is the prevention of, or protection against,

  • access to information by unauthorized recipients, and
  • intentional but unauthorized destruction or alteration of that information

Hence, data security involves various measures to ensure data is stored in a safe, non-evasive way. The nature of online retail businesses requires them to collect and keep customer data. So, while companies themselves might, through due diligence, take steps to control and secure this data, it is important to enact legislation that provides a standardized way of handling data properly.

In Europe, the first steps towards regulating data protection were taken through the Council of Europe Convention 1981. This opened the floodgates for countries, specifically within the European Union, to enact specific laws to address the issues of data security.

In 1995, the UK thus eventually adopted Directive 95/46/EEC. This directive required, through article three, all member states to protect the fundamental rights and freedoms of natural persons, and in particular the right to privacy with respect to the processing of personal data.

The gist of this article was to compel member states to enact legislation, or to supplement already existing legislation, recognizing the right to privacy in regard to personal data. In the UK, for example, although the Data Protection Act 1984 was in existence, it had failed to address new issues that had evolved and as such needed to be strengthened. It had been designed to control the storage and use of data in a computer. The road leading to the 1984 Act was paved with Parliamentary Bills, Reports and White Papers concerning privacy and data protection.[5] It finally came into force on 11 November 1987.[6]

Uganda’s data protection law will most likely mirror the UK Data Protection Act 1998[7], which implements Directive 95/46/EC[8]. However, legislators must be wary of the ambiguities which have placed the Act under scrutiny.

One such ambiguity is in the definition of the term “personal data”. The Act defines it as data:

“which relate to a living individual who can be identified–

(a) from those data, or

(b) from those data and other information which is in the possession of, or likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.”

Firstly, the effect of this seems to be that data security/protection only deals with the “living”. Also, it seems to indicate that as long as data relates to a person, then that data is subject to the law. So, even if a database contains only a number identifying someone (like a national insurance number), then that is classified as personal data.

Another aspect is the term “data controller”. The Act states:

“‘Data controller’ means . . . a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.”

In the case of Durant v Financial Services Authority EWCA Civ 1746, a Court of Appeal (Civil Division) decision of Lord Justices Auld, Mummery and Buxton dated 8th December 2003, the Court of Appeal discussed “personal data” and who a “data controller” was. It was concluded that data will relate to an individual if it is information that affects a person’s privacy, whether in his personal or family life, business or professional capacity.


The Data Protection Act 1998 revolves around eight principles concerning data protection, and these are the gist of the Act. They propose that data should be collected in a lawful and fair manner; that it should be adequate and not excessive; that it should be accurate; that it shouldn’t be kept longer than necessary; that it should be secure; and that it shouldn’t be transferred outside the EU.

A number of cases have come up concerning the principles, such as Rhondda BC v Data Protection Registrar, where the Tribunal upheld the Registrar’s interpretation of the fourth Principle (third Principle under the 1998 Act) and confirmed the enforcement notice issued against the officers in charge of collecting information.

However, when it comes to data security, the seventh principle will be our main area of interest. It states that all personal data shall have appropriate security measures in place. However, the DPA 1998 falls short in defining what “appropriate” measures are.

It is not disputed that a data controller should always be vigilant and ensure that data is secure to the best of his ability. Also, it seems that the DPA 1998 places a lot of obligation on the data controller. In fact, in 1998, the European Commission forwarded a paper on the implementation of the Platform for Privacy Preferences (P3P) that tried to reduce this liability by proposing that data protection be between the internet user whose data is being collected and the data controller.

If this were implemented it would reduce the influx of cases involving security breaches reported daily. In November 2007 for example, two CD-ROMs containing 25 million records of child benefit recipients, including names, addresses and bank details, were lost by Her Majesty’s Revenue and Customs (HMRC) when sent by courier.

In December 2007, sensitive data, including religious beliefs and sexual orientation, relating to junior doctors were accessible to anyone accessing a website of the Department of Health.

In the same month, the Driving Agency’s US contractor lost a computer hard drive containing contact details of three million candidates for the driving theory test.

In January 2008, the Ministry of Defense lost a computer containing 600,000 staff records. The Information Commissioner’s Office, which has the mandate to handle data security claims in the UK, has fined companies in the hundreds. In March 2007 alone, 11 banks were fined for security breaches. Data controllers have had sleepless nights over the seventh principle and how to come up with appropriate security systems.

Over the years, more and more ways have been introduced to handle data security. And because change is inevitable, as a business grows, the risks also grow. The law has, since time immemorial, held the employer vicariously liable for the acts of his employees. And, more often than not, it is the employees or contractors of a company that lose data, even when state-of-the-art security systems are in place.

The interpretative provisions set out in the Data Protection Act 1998, Schedule 1, Pt II specify that where processing of personal data is carried out by a data processor on behalf of a data controller, compliance with the Seventh Principle requires the data controller to:

  • choose an organization that offers guarantees about the security of the processing it is undertaking on the organization’s behalf;
  • put in place a written contract setting out the requirement for appropriate technical and organizational security measures and restricting processing to carrying out the data controller’s instructions; and
  • take reasonable steps to ensure compliance with the security measures.

Hence, the data controller must take reasonable steps to ensure the reliability of any employees with access to personal data.


Cloud computing is another area of e-commerce that is affecting the application of principle 7. It has no specific definition but it can be defined as the process of storing, accessing and sharing company data and processes remotely on the Internet.

Most cloud services are offered on a shared server basis, that is, the IT resources on a given server are shared between multiple organizations. Some companies are going down the route of signing up for non-shared cloud services that are offered on a secure basis by the likes of IBM and Unisys.

The promise of cloud computing, even with its shortcomings, is slowly being embraced not only in Uganda and the United Kingdom but worldwide. For example, the United States of America Air Force has adopted a new project to design and demonstrate a mission-oriented private cloud environment.

Cloud computing is also being used to combat malaria in Tanzania, whereby a cloud collaboration service is used to apply smart technologies including mobile phones and text messaging. In Canada, the McGill University Health Centre is implementing a private storage cloud to securely house patient data. Over 800,000 patient cases at multiple sites are then provided to clinics around the clock, providing a strategic and single view of data, including clinical images.

But cloud computing raises various concerns, like where the data collected is stored and who can access that data. Directive 95/46/EEC, in article 18 (1)[17], talks about cloud computing and states that if data is to be transmitted over a network,

“The controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access.”

But it would be rather difficult to control data that is in a network like the ones above, especially if it goes to a “third country” as provided for in Article 25 of the Directive. However, it is imperative to note that, although this area is relatively new, the current law needs to be reviewed to specifically define what cloud computing is and how it can be managed.

Ownership rights under Copyright

Copyright in Uganda is currently governed by The Copyright and Neighboring Rights Act (CNRA) 2010. Ironically, although copyright’s core attribute is originality, for historical reasons, Uganda modeled its copyright laws around the British copyright system. The act provides protection for almost all physical forms of creative work such as songs, drawings, designs, plans, sculptural works among others.

Copyright protection works in three simple steps: have an idea or concept; express that idea or concept in material form; and get automatic protection.

Copyright protection is granted to the expression of the idea, not to the idea itself. Usually this protection lasts for 50 years, but the right to be associated with your work lasts even beyond an author’s lifetime.

Section 4 of the Act recognizes an author as an owner of a copyright. The Act also recognizes ownership rights for collecting societies (under Section 57), a license holder (Section 17), an assignee (Section 14) and, in relation to neighboring rights, a performer (Section 22), director (Section 27) and producer (Section 28).

Sadly, the notion of copyright protection is yet to take root in Uganda. In the more developed jurisdictions, where copyright protection is more strictly enforced, we have seen a number of famous cases that have made the headlines.

For speeches, the issue of whether ownership rights exist in spontaneous speeches delivered orally was until recently a grey area in Ugandan copyright law. The Copyright and Neighbouring Rights Act, 2006 only provides for copyright in speeches that have previously been reduced into material form and then delivered in public.

In Al Hajji Nasser Ntege Ssebagala v MTN Uganda & SMS Media, CS 283 of 2012, the Plaintiff sued the Defendants for using a speech he had delivered to journalists as a ringtone. Court held that the Plaintiff did not acquire any copyright in the speech, as he had only spontaneously answered questions in his interaction with journalists and was well aware that his rib-cracking comments could find their way into the public domain.

Unfair competition law (business secrets) and access rights that exist with respect to data

In Uganda, someone may have a case against an unfair competitor under common law or anti-competition laws like the Communications (Fair Competition) Regulations 2005 and the Communications Act 2013. Under those laws, if a telecommunications company like UTL for example, offering mobile money services, diverted traffic from XYZ’s competitors site, by registering the domain, then XYZ would have a cause of action against UTL.

That is what happened in Ezee Money v MTN Uganda, Civil Suit No. 330 of 2013, where the High Court of Uganda ruled in favor of the Plaintiff. In that suit the Defendant held a dominant position in the mobile telecommunications market in Uganda, and in particular in the provision of mobile money platforms, which enable individuals to transfer money and carry out similar transactions using mobile telephony networks, the internet and other electronic mediums; as of 18th April, 2013 it had an estimated 3.5 million registered subscribers and over 15,000 active agents. The Defendant breached the duties imposed on it by Sections 53 (1) and 56 of the Communications Act. The Act barred the Defendant from engaging in activities which restricted or distorted competition in regard to communications services.

Court held that the Defendant unfairly denied the Plaintiff the ability to connect an aggregator called Yo! Uganda Limited (YUL) to its network on top of withdrawing its E1 line and over 300 pre-paid data lines with the result that not only YUL completely severed its ties with the Plaintiff (an act which deprived the Plaintiff of the services of other telecommunications operators).

Rights in rem

In Uganda, rights in rem usually exist under securities and chattel law.

In intellectual property, most rights are rights in personam. However, owing to their nature, owners can impose restrictions on the whole world, and these rights can thus be seen as rights in rem. The introduction of new distribution technologies like live streaming, music downloads and ebooks gives owners the ability to prevent any unlicensed access.


Overall, although laws like the Electronic Transactions Act, 2011 have made major strides in taking Uganda through the information age, there is a need to enact more legislation if Uganda is to move comfortably with the information age.

Kenneth Muhangi

Partner - KTA Advocates
LLB Hons (UCU) LLM (Wales) Dip Lp. LDC
Technology, Media, Telecommunications & Intellectual Property Law Practitioner
