By Nabakooza Faith Kakooza
Through the minister for security, the Republic of Uganda declared the use of digitalized number plates. The minister also revealed that the project will commence its rollout on 31st October 2023. While appearing before the committee on 8th August 2023, the minister stated that the government will not be putting or investing any money in the project, though the investor, in this case will invest in the project but has to recover the input.
However, the new vehicle and motorcycle owners will be required to pay Shs. 714000 for the digital number plates that will be installed. The already registered vehicle and motorcycle owners will be required to pay Shs. 150,000 and Shs. 50,000, respectively.
Government will install the intelligent Transporting System (ITMS) in phases; however, the system will be managed by Joint Stock Company Global Security for 10 years before the system is fully handled to the government. The government’s rationale is to protect its citizens as mandated by the Anti-terrorism Act. However, this also poses a high risk on the right to privacy, particularly a right to data privacy.
Article 27 of the Constitution envisages the right to privacy of home, communication and correspondence. The same provision is recognized under international instruments. For example, Article 17 of the International Covenant on Civil and Political Rights (ICCPR) states that no one shall be subjected to unlawful or arbitrary privacy interference. However, it is quite evident that human rights are not absolute. Nonetheless, the limitations should be justifiable under a free and democratic society, as enunciated in Andrew Mujuni Mwenda V AG.
In 2019, the president signed the Data Protection and Privacy Act (DPPA), a substantive legal framework on data rights. However, other laws like the Data Protection and Privacy Regulations and Regulation of Interception of Communications Act exist.
In its interpretation section, the DPPA defines data collection, data controller and data processor and how data should be collected without interfering with the subject. S2 of the Act defines a data collector as person who collects personal data. A data controller is a person who, alone, jointly with other persons or in common with other persons or as a statutory duty, determines the purposes for and the manner in which personal data is processed or is to be processed. It further provides that a data subject is an individual from whom or in respect of whom personal information has been requested, collected, collated, processed or stored. In this case, Joint Stock Company Global Security will be the data collector, the government of Uganda will be the controller, and the data subject will be the citizens whose vehicles and motorcycles the system will be installed.
In order to protect the data privacy of the data subject, S3 of the DPPA, provides for data protection principles which include;
- Accountability to the data subject for data collected, processed held or used.
- Collect and process data fairly and lawfully
- Collect, process, use or hold adequate, relevant and not excessive or unnecessary personal data.
- Retain personal data for the period authorized by law or for which the data subject required.
- Ensure transparency and participation of the data subject in the collection, processing, use and holding of the personal data.
- Observe security safeguards in respect of the data.
In the bid to protect the data privacy of the citizens, S7 of the DPPA, requires that there is consent before data is collected. However, the consent can be dispensed with in matters of state security. This is because S18 of the Anti-terrorism Act gives unfettered discretion to the government to do anything reasonable to protect its citizens.
This is not in contention; the issue is how the state can have its surveillance in place without infringing on citizen’s rights to privacy. The government will install the digital number plates, which will be controlled by the system that the Joint Stock Company Global Security will manage. The system can access citizens’ information or data in their vehicles and motorcycles.
We concede that the right to privacy is not absolute; however, the limitation ought to be justifiable. Article 35 of the General Data Protection Regulations (GDPR) of the EU, requires, if the collection of data poses a high risk on the infringement of the right to privacy, the data controller, processor, should carry out a due diligence by carrying out a data impact assessment on the data and the data collector its self.
The same provision is reiterated in Regulation 12 of the DPPA regulations. The regulation requires that where personal data collection or processing poses a high risk to the freedoms of natural persons, the data collector/processor shall, prior to the collection or processing, carry out a data impact assessment of the impact of the envisaged collection or processing.
The data impact assessment shall include;
- A systematic description of the envisaged processing and the purposes of the processing.
- An assessment of the risks to personal data and measures to address the risks.
- And other that the Data protection office shall require.
The installation of digital number plates poses a high risk on the right to privacy. This is because the system can monitor the vehicles and motorcycles everywhere without forgetting the people in them and whatever they do. This infringes not only on a right to privacy but also on freedom of expression.
Before infringing on the right to data privacy, the government of Uganda ought to have carried out due diligence by carrying out a data impact assessment on Joint Stock Company Global Security. Technically, the government had to ascertain the envisaged risks in the installation of the digital number plates and how the risks are to be remedied.
According to the General Comment of the United Nations, the state is obliged to regulate the confidentiality of the data collector. In this case, how will the Joint Stock Company Global Security keep the data collected from the individuals through the number plates confidential without reaching third parties who may, in return, endanger the data subject?
Consequently, S21 of the DPPA provides that there should be security measures relating to data processed by the data processor. The contract between the data controller and data processor relating to personal data processing shall require the data processor to establish and maintain the confidentiality and security measures necessary to protect the integrity of the personal data. Essentially, the government of Uganda should guarantee its citizens that the information obtained will be confidential.
In addition to that, S10 of the DPPA prohibits data collection by a data collector or processor in a manner that infringes on the data subject. Technically, the government has to take precautions so that as it installs the digital number plates it doesn’t infringe on the data subject (its citizens). That is to say the data collected should don’t be related to personal data.
The government should also be clear on how and who will manage the data collected. The Ministry of Works should also exercise its due diligence in monitoring the system that will be installed. It follows, therefore, that before the digital number plates are installed, the government of Uganda has to make the limitations justifiable by carrying out due diligence by having a data impact assessment on Joint Stock Company Global Security and other prerequisites demanded by the law in order to balance the national security with the right to data privacy because both are paramount.
 Article 27,1995 Constitution of Uganda as amended
 Articlen17,International Covenant on Civil and Political rights
 Andrew Mujuni Mwenda V AG CP No.12 of 2005
 S7,Data Protection and Privacy Act
 S18 ,Anti-terrorism Act
 Article 35, General Data Protection Regulations
 Regulation 12 ,Data Protection and Privacy Act regulations
 S21, Data Protection and Privacy Act
 I B I D