top of page
Search

Amazon Slapped With A Hefty Fine of $886m For Alleged Data Law Breach. What Does It Mean To Ugandans



Two days ago BBC reported that the Luxembourg's National Commission for Data Protection fined Amazon with a fine tuning to $886.6m (£636m) fine for allegedly breaking European Union data protection laws, the commission claimed that the tech giant's processing of personal data did not comply with EU law.


The EU's General Data Protection Regulation (GDPR) rules requires companies to seek people's consent before using their personal data or face steep fines. Luxembourg's data protection authority, also known as Commission Nationale pour la Protection des Données (CNPD), issued the fine to Amazon on 16 July, according to a US Securities and Exchange Commission (SEC) filing by the company on Friday.


In response, Amazon said; "We believe the CNPD's decision to be without merit and intend to defend ourselves vigorously in this matter."


The fine comes following rising regulatory scrutiny of large tech companies due to concerns over privacy and misinformation, as well as complaints from some businesses that the tech giants have abused their market power.


The Wall Street Journal reported in June that Amazon could be fined more than $425m under the European Union's privacy law.


What Does The Law Say About Data Protection?

Different countries have different regulatory frameworks that monitor and ensure that Big Tech Companies and growing techs that require their consumers to share their personal data with them comply with the law and most of all ensure data safety of their consumers.


The European Union, which is regarded as the region with the toughest regulation on data protection for her member states, closely referring to the General Data Protection Regulation (GDPR)[1]The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world.


Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.


Closely referring to 2 articles that concretize this law,


article 99 which states that

When drawing up a code of conduct, or when amending or extending such a code, associations and other bodies representing categories of controllers or processors should consult relevant stakeholders, including data subjects where feasible, and have regard to submissions received and views expressed in response to such consultations.

Whereas article 173 provides that,

This Regulation should apply to all matters concerning the protection of fundamental rights and freedoms vis-àvis the processing of personal data which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC of the European Parliament and of the Council ( 2 ), including the obligations on the controller and the rights of natural persons. In order to clarify the relationship between this Regulation and Directive 2002/58/EC, that Directive should be amended accordingly. Once this Regulation is adopted, Directive 2002/58/EC should be reviewed in particular in order to ensure consistency with this Regulation.

This means that this is the biggest slap since the formation of the 3 year old regulation. It is claimed that they possessed personal information about people illegally.


Article 99 talks about the date of start of enforcing the regulation which was twentieth day after it's publication and that was - 25th May 2018. And that it will be binding on its entirety to all member states


Whereas Article 173 concerns with protection of personal liberties in particular personal data, and obligations of the controller if one who has such information and the owner.

The privacy probe also adds to intense antitrust scrutiny of Amazon’s business in Europe. Amazon is being probed by the EU over its use of data from sellers on its platform and whether it unfairly favors its own products. Germany has multiple probes into Amazon’s sales. The U.K. is also examining similar issues to the EU.


The European Commission last month also said it sees potential antitrust problems with voice assistants and the data they allow Amazon and others to collect on user behavior.

The company says it collects data to improve the customer experience, and sets guidelines governing what employees can do with it. Some lawmakers and regulators have raised concerns that the company has used what it knows to give itself an unfair advantage in the marketplace.


What does this mean in Uganda.

In Uganda, in 2019 parliament passed the Data Protection and Privacy Act, 2019 which aims to protect individuals and their personal data by regulating processing of personal information by state and non-state actors, within and outside Uganda.[2]


Subsequently in May 2021 a Data Protection and Privacy Regulations, 2021 was passed, it is anticipated that the Regulations will implement the Act which is not yet in effect.[3]


The Act and Regulations are intended to support privacy protections, which are already guaranteed to Ugandans under the Constitution and complement sectoral laws for regulated activities that had previously incorporated data protection provisions.


The law expands the rights of individuals to control how their personal data is collected and processed, placing a range of obligations on those processing, which includes both public bodies and companies, personal data to be more accountable for data protection. It further regulates and limits the processing of special categories of personal data, including tribe, religion and health, amongst others. [4]


Section 10 of the Data Protection and Privacy Act, 2019 prohibits the collection and processing of personal data in manner that infringes on the privacy of a data subject. It is therefore essential to review the deployment of such a data center which will include amongst other changes limiting the purpose for which a database is built and used.

Similarly, the trend of collecting personal data has increased among companies particularly telecommunication service providers countrywide.


First, the Data Protection and Privacy Act, 2019 makes it clear that every person, institution or public body collecting or processing personal data is mandated to register with NITA-U(The National Information Technology Authority-Uganda which is an autonomous statutory body established under the NITA-U Act 2009[5], which is mandated to coordinate and regulate Information Technology services in Uganda. NITA-U is under the general supervision of the Ministry of ICT and National Guidance.

In addition, the Register can be accessed by the public for purposes of inspection for inclusion on the Register.


The Act places an obligation on data processors to ensure that (Section 3 of the Act)[6]:

They hold and process personal data in a manner that which does not infringe on the privacy of the data subject;
data is complete, accurate and up to date;
they only process relevant data; and
they maintain security measures for the protection of data.

Whereas Sections 24 to 28 of the Act. Give Data subjects (that’s me and you) rights which include

· The right to access personal information;
· The right to know the purpose for which the information is collected;
· The right to prevent processing of personal data;
· The right to prevent processing of personal data for direct marketing purposes; and
· The right not to be subjected to a decision affecting the data subject which is solely based on processing by automatic means

The data subject has the right to know the purpose for which the information is collected. A data collector, processor or controller who collects or processes personal data without the prior consent of the data subject contravenes Section 7 of the Act and is liable, on conviction to a fine not exceeding three currency points for each day the contravention continues.


Even though our Data and Privacy Act has some missing links as observed by Ritah Nakalema[7]she expresses that among other cons in the Act is that the Act does not bar the processing or storage of personal data outside Uganda, as long as the jurisdiction receiving the data has adequate protection measures at least equivalent to the protection under the Act or the data subject has consented to such transfer (Section 19 of the Act).

Consequently, once a data subject consents to processing or storage of their personal data outside Uganda, this negates the need to ensure the existence of adequate protection measures.


Lastly, the Act does not provide for an obligation to maintain data processing records.[8]


In conclusion,

The Amazon court decision is a yardstick for all bodies, techs and institutions that manage or take in people's' data for whatever use


First, they must comply with what the law says

Second Data subjects can sue you for mishandling their personal data and the consequence can be very heavy.


See also Amazon Stock Loses $130 Billion In Market Value After $885 Million Fine And Disappointing Earnings Report[9]


By

Waboga David

And contributions from

Kabuubi Sulaiman(Salman)





Comments

WhatsApp Image 2024-12-03 at 18.32.53_b97c34af.jpg

LEAVE A REPLY

Thanks for submitting!

Writing in Notepad

Write for Us

Appointing New Writers

We're actively seeking passionate researchers and writers to join our team. If you're enthusiastic about sharing knowledge and contributing to our platform, we'd love to hear from you. Don't hesitate to apply – your expertise could make a significant impact on our community's learning experience.

Green Modern Real Estate Agent Linkedin Banner (1).jpg

SUBSCRIBE TO OUR NEWSLETTER

Be the first to know about our events, conferences, workshops, live training and consultations.

SUCCESSFULLY SUBSCRIBED!

Green Modern Real Estate Agent Linkedin Banner.jpg
bottom of page