Chronology of events leading to NITA investigating Safe Boda shoddy transparency privacy policy and practices risking its customers’ data

 
Chronology of events leading to NITA Uganda investigating SafeBoda shoddy transparency privacy policy and practices risking its customers’ data.

By Obedgiu Samuel
 
This was based on the unwanted witnesses report titled, “Trading Privacy for a cheap transport system.” On 15th July 2020, unwanted witness, a Non- Governmental organization, released their maiden tech investigative report on the transparency of Safeboda’s data processing mechanisms.
Based on my petition to Parliament, on 24th August 2020, the speaker of Parliament Rebecca Kadaga gave MoICT_Ug an ultimatum of three (3) weeks to study and further investigate data flaw concerns raised by unwanted witness report and present a report before Parliament.
On 10th September 2020, I had a meeting with NITAUganda presented my concerns. By 10th November 2020, SafeBoda had improved parts of its Privacy Policy and included a new feature in its app that prompts users to read their new privacy policy before using their services.

 
Background
Unwated witness carried out research about SafeBoda’s privacy policy and its practice. When reviewing their privacy policy and comparing it to how the app actually operates, a number of discrepancies were identified.
They discovered that the SafeBoda app was sharing data with Facebook without the consent of the users. The app used a Facebook business tool known as a Software Development Kit (SDK). Through this SDK, Facebook routinely collected information on SafeBoda’s users via the SafeBoda app.
The SDK collected information on SafeBoda users and sent it to Facebook servers, regardless of whether they were Facebook users or not; this meant that even if the user didn’t have the Facebook app installed on their phone or a Facebook account, the SafeBoda app would still send data to Facebook.
Following their communication with SafeBoda asking for clarification, they removed Facebook trackers from the application.
Safeboda then proceeded to install a new tracker CleverTap. This Appprovides mobile app analytics – this means that every time a user uses the SafeBoda app, it still sends users’ data to CleverTap, a third-party, without their consent.
It is not the first time CleverTap has been involved in cases of sharing users’ data without their consent. Privacy International, a charity based in London that works at the intersection of modern technologies and rights, discovered this tracker in menstruation applications. The users’ data that’s shared include: the user’s phone type, phone contact number, email address, location, time-zone, user-names, and their carrier (Internet Service Provider).
 
Unwanted witness therefore implore SafeBoda and other data collectors to make adjustments to meet the required data protection standards and principles: 
1.       Safeboda should offer users a genuine choice to consent to the processing of their data for marketing and analytics purposes, including via third parties like Clevertap that may act as processors. Bundling consent negates users choice
2.       Safeboda should have clear comprehensive privacy policies and these should be strictly enforced.
3.       The company should exhaustively specify the third-parties and the exact personal data it shares with them in its privacy policy.
4.       It is recommended that efforts be taken to establish “pathways” that can be followed by data subjects to allow them, if interested, to understand how their personal data may be being processed by the company and any third parties.
  
B) National Information Technology Authority Uganda (NITA-U) has completed its investigations into allegations of unlawful sharing of SafeBoda users’ personal data without their consent by Guinness Transporters Limited Trading as SafeBoda, and issued a report on the same.
The investigations were commenced following a complaint made by me, Obedgiu Sammy, and it was carried out pursuant to the powers upon NITA in section 32 of the Data Protection & Privacy Act of 2019, to investigate complaining alleging either non-compliance with the provisions of the Act or breaches
This investigation, arguably the first investigation under the provisions of the Data Protection and Privacy Act, 2019 concluded that:
1.     The SafeBoda’s Privacy Policing & Data Protection Policy version of 2017 and 2019 respectively did not provide information on recipients with whom its users personal data will be shared;
 

1. SafeBoda’s disclosure of its users’ personal data to CleverTap (a data processor that offered Software as a Service for customer lifestyle management and mobile marketing) contravened the Data Protection and Privacy Act, since the consents’ relied upon for the disclosure were not specific neither were they informed, given that a) The users were not informed of a) the extent of the personal data collected and b) the potential disclosure of their personal data with Clever Tap.
   SafeBoda has been directed to address all the areas of non-compliance identified within four months.
   The conclusions of the report are provided in the form of recommendations. Given that the Act is still new and it’s the regulations have not yet been issued, the report was an opportunity to build best practices for Ugandan companies.
   NITA-U recommended that SafeBoda Data Privacy Policy be made more readily available to customers. “We are working on this to make sure that the customers can find our policies more easily on both the website and our app,” says SafeBoda. They have since then updated their privacy policies to make it more explicit and detailed to their customers to build strong standards and best practices in the ecosystem.
   “This is something we strive to do to improve in service to customers. Ensuring our staff and the wider team understands the importance of data protection is also paramount,” says SafeBoda.
   SafeBoda hails NITA-U and Unwanted Witness for the recommendations to improve its privacy policies to protect users’ rights, as well as thanked NITA-U for the support to ensure compliance with the Data Protection and Privacy Act 2019.
   
   However, the report did not go further enough. It didn’t investigate throughly the commercial transactions of Safeboda’s holding company structure, based in mauritius. Uganda has a double taxation treaty will mauritius. Most transactions are off shore, therefore, I doubt the regulator dug far enough. Therfore, Parliament should urge NITA to dig into that off shore holding company structure transactions further.
   Further more, on May 07, 2019 – Allianz X, the digital investment unit of the Allianz Group, announced an investment in SafeBoda, based in Kampala, Uganda. SafeBoda is a major African ride hailing platform that also offers various on-demand consumer and payment services.
   Safeboda, as of today, is a Series B venture Capital funded company.

Strike Machine