SafeBoda illegally shared users’ data with US company - NITA-U

SafeBoda unlawfully shared clients’ data with a US company, according to an investigation by National Information Technology Authority – Uganda (NITA-U).

The boda boda ride app, according to NITA-U, withheld information from customers that it was sharing their data with CleverTap, a US-based data processor. 

This, NITA-U said in an investigation, contravenes data protection law and the laws of Uganda. 

The investigation report, authored by NITA-U into allegations of unlawful sharing of SafeBoda customer personal data by Guinness Transporters, which trades as SafeBoda, found that the transport company failed to disclose third party recipients of customer information. 

“The SafeBoda privacy policy and data protection policy versions of 2017 and 2019 respectively did not provide information on recipients with whom its users’ personal data will be shared,” the report reads in part.

The Data Protection and Privacy Act 2019 stipulates that information shall be provided where personal data is transferred to one or more third parties. 

The report further notes that while the SafeBoda app seeks consent to access users’ personal data, it failed to inform and specify the extent of data that was to be collected and with whom it would be shared.

Disclosed users’ details 
The NITA-U investigation also found that Safeboda was disclosing users’ email addresses, telephone numbers, first and last names, mobile device operating system, application version and type as well as user log in status to CleverTap, a third part company domiciled in the US. 

According to SafeBoda, it holds a contract with CleverTap for purposes of understanding users’ activities on the app for behavioral analysis. 
NITA-U also noted in the report that while CleverTap committed to keep users’ data confidential, there were no security measures to ensure integrity of the data as prescribed by the data protection law. 

NITA-U opened an investigation into SafeBoda’s data privacy policy after a plea from a petitioner to the Office of the Speaker of Parliament in 2020 alleging that the app had been implicated in an investigation report, which accused it of sharing users’ personal data with third parties without clients’ approval. 

The report, however, noted that there was no evidence to prove that SafeBoda was selling users’ data. 

Therefore, NITA-U recommended that SafeBoda within the next four months must rectify all gaps highlighted in the report, among which included disclosing recipient of users’ personal data and streamlining the reporting process of data security breaches in its 2020 privacy policy, among others. 

At the weekend, Mr Ricky Rapa Thompson, the SafeBoda co-founder, said the interpretation was largely around the concept of consent, which was still debated in data protection best practices. 

However, he said, regardless of the interpretation, SafeBoda had since updated some of its policies to make it more explicit and detailed to customers to build strong standards and best practices in the ecosystem. 
The company also noted that there was an ongoing process to address other concerns highlighted by NITA-U. 

“We are working on this to make sure that customers can find our policies more easily on both the website and our app. This is something we strive to do to improve service to customers,” he said. 

Failure to address and comply with NITA-U directives could attract prosecution under section 35 of the Data Privacy and Protection Act 2019.

SafeBoda last week published new and adjusted policies and guidelines, attracting a lot of debate among users and the general public. 

Uganda passed the Data Protection and Privacy Act in 2019 to protect Ugandans from companies that harvest data, which is later sold or used to blackmail owners. 

The law also regulates collection and processing of personal information in and outside Uganda.

About CleverTap  
Founded in 2014 and headquartered in California, US, with regional offices in Amsterdam, Singapore, Dubai, and Mumbai, CleverTap is a customer engagement and retention platform that helps brands maximise user lifetime value and that of their mobile apps. 

The company personalises customer experiences using real-time behavioral data and individual or personal predictive modeling.

SafeBoda has a contract with CleverTap for purposes of understanding users’ activities on the app for behavioral analysis. 

NITA-U opened an investigation into SafeBoda’s data privacy policy after a plea from a petitioner to the Office of the Speaker of Parliament in 2020, which had alleged that the app had been implicated in an investigation, which had accused it of sharing users’ personal data with third parties without their approval. 

[email protected]