Technological advancement in areas such as artificial intelligence, robotics and quantum computing have made the possibility of living in a digitally interconnected world a plausible aspiration in the past decade. One of, if not the most important factor driving today’s interconnected digital world, is data. Every website or application that we visit today collects different pieces of information about us, and that information is stored on a server somewhere.

Such information may be: the type of Instagram posts you like, your search history, map trip data etc. This information may be sold to potential advertisers that will deliver customised targeted ads to you, it may be used for analytics purposes, market research, product development among other use cases.

As companies collect more and more data, chances of this data being misused or falling into the wrong hands increase. It is now prudent to protect data from compromise and guarantee data privacy. The protection from compromise and ensuring privacy are other key components in data protection, and must be guaranteed by remote data protection strategies.

In Uganda, the principal legislation governing data protection and privacy is the Data Protection and Privacy Act 2019, which is for the most part a mirror of the EU General Data Protection Regulation. (The GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states). The Data Protection and Privacy Act 2019 establishes the personal data protection office, provides for data protection principles, rights of data subjects, and offences relating to data breach, and remedies.

The objective of the Act is to protect the privacy of individuals by regulating the collection and processing of personal information by state or non-state actors within and outside Uganda if the information relates to Ugandan citizens. Enforcement of the rights under the Act via the prescribed mechanisms is yet to be tested. Below are some key issues in data protection litigation under the Act.

Do You Have the Standing to Sue?

Also known as locus standi, the standing to sue allows an intending plaintiff to show the court that they had a right, that right was violated, and the intending defendant is the one liable for the wrong suffered by the intending plaintiff. Under the Data Protection and Privacy Act 2019, data subjects (persons whose personal information is collected) have a different set of rights laid out between sections 24-28 of the Act. Some of these rights include the right to access personal information and the right to prevent processing of personal data. An intending plaintiff will therefore have to establish whether any of their rights under the Act were violated and identify the responsible person or organisation responsible for the violation of their different rights.

Who Is Responsible?

Often the last limb in proving locus standi, it is prudent for an intending plaintiff to know who the responsible person for the violation they have suffered is. A litigant should consider whether the person or company they intend to sue is responsible by way of contract, common law, or statute. Under the Data Protection And Privacy Act 2019, collection and processing of data mainly falls in the hands of the “data collector”, “data processor” and “data controller”. A litigant should be cognizant of the fact that whereas one entity may be the data collector, a separate entity may be the data processor or data controller, and some of the work may have been subcontracted to a third party, which may necessitate adding the third party to their intended suit. Due diligence should always be done to ascertain the party that caused the actual violation. Often, data collecting entities include in their Ts and Cs that they may assign collected data to their partners, affiliates within or outside the country ‘without seeking further consent from the data subject!’

What Types of Claims Can Be Raised?

Different types of claims may be brought in an action for data protection. An intending plaintiff may bring an action for violation of statutory provisions of the Data Protection and Privacy Act 2019, actions in tort (such as negligence) and actions in contract (such as breach of contract). The boundaries of these doctrines will be tested even further, as companies that already have access to some personal data start to expand into different industries (for instance, technology companies entering the healthcare industry).

What Are the Possible Reliefs?

The misuse of a data subject’s data usually results in the data subject, whether individual or corporate, suffering some type of injury. Injuries envisaged in context include loss of reputation, mental anguish, loss of finances in situations where credit and debit card information is exposed, and sometimes endangering the safety of the data subject by disclosing their geo-location data without their consent. An intending plaintiff can seek compensatory damages, liquidated damages, interest, injunctive reliefs and costs.

What Are the Alternative Dispute Resolution Mechanisms?

A data subject may first seek alternative remedies before resorting to courts of law. The Data Protection and Privacy Act 2019 established the Data Protection Office under The National Information Technology Authority Uganda (NITA-U), whose mandate is ensuring the protection of personal data. The office has powers to receive and investigate complaints relating to infringement of the rights of a data subject. A data subject can therefore first make a complaint to NITA-U, which will investigate the complaint and make recommendations to the data controller, collector or processor if an infringement has been found. A case in example is the SafeBoda Uganda and CleverTap scandal. In 2020, Unwanted Witness, a Non Governmental Organisation, published an investigative report that revealed SafeBoda Uganda was sharing customer’s information without their consent to CleverTap, a foreign data analysis company. NITA-U also commenced its own investigation and found SafeBoda guilty of breaching The Data Protection and Privacy Act 2019. Whereas NITA-U did not mete out any punishment against SafeBoda, it made several recommendations, which included SafeBoda revising its privacy policy. The Safeboda case demonstrates how an aggrieved person can pursue alternative remedies under the Act without resorting to courts of law.

What Possible Challenges Can Arise During the Litigation Process?

The litigation process can be unwieldy, even for simple matters. This is only going to be exacerbated by the increasing complexity in the relevant technologies and subject matter. Some of the factual and legal challenges will include proving or disproving harm, explaining technical aspects, and establishing the meaning of “reasonable security measures” given constant developments in available technology. Preparedness for these challenges and the use of experts may help mitigate the risks.

Conclusion

With the increasing amount of data being collected by different entities today, regulators have come out to establish laws and regulations that ensure protection of personal data. Uganda has enacted the Data Protection and Privacy Act 2019 and established the Data Protection Office. These safeguards may not always be adequate, and some data subjects may have their rights violated and desire to go to courts of law. Data protection and privacy litigation is complex and intending litigants will need to take into consideration several issues before they institute claims in court.