Researcher NGO Accuses Safe Boda of Personal Data Breaches, Fails to Provide Evidence.


An NGO in Uganda, the Unwanted Witness has published “evidence – based” findings from their research under the title “Trading Privacy for a Cheap Transport System” where they report that Safe Boda (Company) has violated and continues to violate the Data Protection and Privacy Act, 2019 (DPPA) by failing to be compliant with the said Act, and by sharing users’ personal data with third parties, however they fail to provide empirical evidence of the breaches of personal data by the Company.

The report also makes references to the European Union (EU) General Data Protection Regulations of 2018 a.k.a the GDPR. The GDPR is the EU version of the Ugandan DPPA, and most of the provisions (if not all) in the Ugandan Act are inspired by the GDPR.

The Organization claims to base their findings in their own examinations of the app, and in the review of the privacy policy of Safe Boda (older and the updated versions), which they compared with the way the application operated on the market. They state to have identified a number of discrepancies some of which will be summarised here.

Safe Boda is accused of sharing information like location data, phone numbers, emails and names, among other personal information that can be used to identify a user.

The Act (the DPPA) that they quote defines personal information (read data) to include information about a person “from which the person can be identified” (emphasis in the quoted texts) and includes nationality, age, marital status, educational level, occupation among others, and the information from their own findings fall short of identifiable personal data. Section 7 of the DPPA on which the entirety of the report lies, provides for the protection of persona data and privacy, however, that evidence of personal data breaches are yet to be identified from the organization’s report.

It should be noted that the Organization’s actual evidence of personal data breaches is not presented. The findings refer to attached screenshots shared in the report of the alleged data breaches. The Organization accuses Safe Boda of sharing personal information with Facebook, however, from their own study in the published screenshots, the only information that they reveal to be shared with Facebook is general information such as the phone type, operating system, the country, screen size and the location details but nothing to indicate the name of the user, phone number or email or other user identifiable information that is actually captured and shared with Facebook.

The report states that the Organization raised the issue of sharing data with Facebook and states that Safe Boda later stopped sharing the data with the social media company, but instead adopted other third party apps like Clevertap to continue the data mining. Their evidence of personal data breaches using Clevertap arise from their reliance on the publications of Privacy International which state that the app (Clevertap) stores the phone type, contact, email address, location, time zone, user-names, email address and their carrier (ISP). However, when you consider their own published findings as revealed in the screenshots, the only information shared and captured by Clevertap is the phone build, operator, phone make, model, operating system SDK version etc, none of which includes the name, email, phone number to be able identify the user behind the device. All this information is generic data that would enable the proper functionalities of an application.

Regarding the privacy policy and whether or not it was in tandem with the DPPA, they reveal that “our findings showed that the Safe Boda privacy policy was not clear and (that) some of its provisions did not seem to be entirely in line with the Data Protection Act 2019 and internationally recognized data protection standards” especially because the requirement to inform the user what their data is being used for, and that consent was not sought before information is used or shared.

The Organization also quotes clause 12.1.2 of the Privacy Policy of Safe Boda but fails to provide the full context for which the provision is stated under the Safe Boda website to be able to give an informed analysis, just like the convenient reading of scripture. Whereas the excerpt in the report refers to Safe Boda sharing information with third parties, the full text on the website refers to the information that Safe Boda gets from third parties and what the company does with that Safe Boda. Failure to give full context has been known to give the Bible or the Quran distorted interpretation.

The report faults Safe Boda for failing to include retention periods in their policy to enable the data subjects to ascertain how long their data will be stored by the Company as is required under section 18 (1) of the DPPA. However, to note, section 18 (1) does not speak to retention periods of data and not the section quoted. The section above provides that personal data is not to be kept for a a period longer than is necessary, but not a requirement for a retention period for non identifiable personal data.

A possibility of a biased research may be implied from the research because the report is targeted towards one ride hailing app, however, the organization has clarified in their findings that they chose Safe Boda because it was “Uganda’s leading transport application”. Maybe it is not enough to dispel bias in their findings, as inconsistencies in previous and current privacy policies and non personal data are not evidence of data breaches under the DPPA.