This is the third annual Privacy Scorecard Report produced by Unwanted Witness. The report in 2023 took stock of compliance with data protection and privacy laws and regulations in four countries: Mauritius, Zimbabwe, Kenya and Uganda. The report is cognisant of the implementation of data protection laws alongside growing digital economies and the utilisation of an in-depth methodology, which informed the evaluation in Primaline with specific objectives and functions of the Unwanted Witness.
The report is divided into seven sections: background; methodology and criteria for the assessment; insights into the four countries highlighting the context, analysis of the data protection and privacy landscape, the legal and institutional framework, and findings at country sector level as well as overall deductions for impact on personal data protection and privacy rights; challenges; lessons learned and best practices; conclusions; and finally, recommendations to different actors – both state and non-state actors.
The study highlights the data protection performance of a total of 48 selected companies/entities across six sectors: telecommunication, e-commerce, financial services, e-government, digital loan services and online betting. Over the past decade, each of the countries has experienced rapid growth in digital services, with extensive adoption of mobile money, e-commerce, ride-hailing applications and digital lending platforms. However, this digital transformation has also increased risks of personal data misuse, data protection breaches, and unauthorised surveillance given the collection of sensitive information like financial transactions, location data and communications by both private sector applications and government systems. The existing legislation set good foundations with the newest in Zimbabwe that was passed in 2021, but turning principles into practice remains challenging. The practical implementation and enforcement of data protection laws and regulations are in their nascent stages. Further concerns surround insufficient regulatory capacities and resources responsible for overseeing compliance; limited understanding of data protection laws and privacy rights, along with low public awareness; and an absence of effective redress mechanisms for addressing data breaches, to name but a few.
The study also highlights experiences and emerging practices that countries under review and the wider region can draw key practical lessons from, while stressing that effective data protection that upholds user rights will necessitate action across diverse sectors/industries and stakeholders.
The third annual Privacy Scorecard Report was produced with the support of an APC subgrant, made possible by funding from the Swedish International Development Cooperation Agency (Sida).