NITA (U) Finds Safe Boda in Breach of Data Protection Law, Let off with Impunity


In 2020, a watchdog, the Unwanted Witness, released a report alleging that Safe Boda, a ride-hailing app, was engaging in practices that breached Uganda’s data protection laws, principally the “Data Protection and Privacy Act 2019 (DPPA)”.

Following the release of the report, a concerned citizen, Obedgiu Sammy, petitioned the Speaker of Parliament, Rebecca Kadaga, asking that the Company be investigated and penalised for sharing users’ personal data without their consent. The Speaker then directed Uganda’s National Information Technology Authority (NITA) Uganda to conduct the investigation and report back in due time for action.

A report from that investigation was released at the end of last month, January, and the findings have been made available online. While the Authority did not find evidence to fault the company for selling any user data, it found that Safe Boda specifically breached section 35 of the DPPA when it:

“…unlawfully obtain(ed), disclose(d) or procure(d) the disclosure to another person of personal data held and processed by a data collector, data controller or data processor”.

The finding of guilt was premised on the conclusion that the consents the Company claimed to have acquired when users registered for the Safe Boda application were not sufficient to enable the end user to give informed consent, as “the ‘consents’ relied upon for the disclosure were not specific because they did not disclose the parties with whom the information was going to be shared with”.

One of the third parties with which the information was shared was CleverTap, with which the company claims it shared data for “behavioural analysis” purposes.

“NITA’s finding is that Safe Boda’s disclosure of its users’ personal data to CleverTap contravened the Data Protection and Privacy Act”, reads part of the findings. The report, however, goes on to note that there was no evidence to support allegations that the company sells its users’ personal data.

While the Company was found to be in breach, NITA (U) did not recommend any prosecution or penal action, contrary to the spirit of the DPPA, under which the company would have been found liable and penalised.

Under the above section, any person who breaches the provision “commits an offence” and, when convicted, is liable to a fine not exceeding two hundred and forty currency points, imprisonment for 10 years, or both the fine and imprisonment.

The breach has been found, but the company has been let off.

Following recommendations in the report, Safe Boda has released an updated set of terms and conditions that have since gone viral on social media, as the company excludes itself from any form of liability arising from the use of its platform. It has also highlighted the names of third parties with whom user personal data is shared.

The actions to be taken by Parliament are yet to be ascertained given that the speaker requested that the findings be furnished to her.