An NGO in Uganda, the Unwanted Witness, has published “evidence-based” findings from its research under the title “Trading Privacy for a Cheap Transport System”. The report states that Safe Boda (the Company) has violated and continues to violate the Data Protection and Privacy Act, 2019 (DPPA) by failing to comply with the Act and by sharing users’ personal data with third parties. However, it fails to provide empirical evidence of breaches of personal data by the Company.
The report also makes references to the European Union (EU) General Data Protection Regulations of 2018, also known as the GDPR. The GDPR is the EU version of the Ugandan DPPA, and most of the provisions (if not all) in the Ugandan Act are inspired by the GDPR.
Safe Boda is accused of sharing information like location data, phone numbers, emails and names, among other personal information that can be used to identify a user.
The Act (the DPPA) that they quote defines personal information (read: data) to include information about a person “from which the person can be identified” (emphasis in the quoted texts), and includes nationality, age, marital status, educational level and occupation, among others. The information from their own findings falls short of identifiable personal data. Section 7 of the DPPA, on which the entirety of the report rests, provides for the protection of personal data and privacy; however, evidence of personal data breaches is yet to be identified in the Organization’s report.
It should be noted that the Organization’s actual evidence of personal data breaches is not presented. The findings refer to attached screenshots, shared in the report, of the alleged data breaches. The Organization accuses Safe Boda of sharing personal information with Facebook. However, from their own study, as shown in the published screenshots, the only information revealed to be shared with Facebook is general information such as the phone type, operating system, the country, screen size and the location details. Nothing indicates that the name of the user, phone number, email or other user-identifiable information is actually captured and shared with Facebook.
The report states that the Organization raised the issue of sharing data with Facebook, and that Safe Boda later stopped sharing the data with the social media company but instead adopted other third-party apps like Clevertap to continue the data mining. Their evidence of personal data breaches using Clevertap arises from their reliance on the publications of Privacy International, which state that the app (Clevertap) stores the phone type, contact, email address, location, time zone, user-names and their carrier (ISP). However, when you consider their own published findings as revealed in the screenshots, the only information shared and captured by Clevertap is the phone build, operator, phone make, model, operating system SDK version, etc., none of which includes the name, email or phone number needed to identify the user behind the device. All this information is generic data that enables the proper functioning of an application.
The report faults Safe Boda for failing to include retention periods in their policy to enable data subjects to ascertain how long their data will be stored by the Company, as is said to be required under section 18 (1) of the DPPA. However, section 18 (1), the section quoted, does not speak to retention periods of data. That section provides that personal data is not to be kept for a period longer than is necessary, but it does not impose a requirement for a retention period for non-identifiable personal data.
The possibility of biased research may be implied because the report is targeted towards one ride-hailing app; however, the Organization has clarified in their findings that they chose Safe Boda because it was “Uganda’s leading transport application”. That may not be enough to dispel bias in their findings, as inconsistencies in previous and current privacy policies and non-personal data are not evidence of data breaches under the DPPA.