What does Airtel Uganda’s transfer of Mobile Money data to Airtel Mobile Commerce mean for users and data protection?
On 29th July, 2020 the President of Uganda having assented to the National Payment Systems Act, 2020, it meant that the revolutionary mobile money services and other FinTech services at large would now be regulated. This was followed by regulations operationalizing the National Payment Systems Act.
As a compliance requirement, the big players i.e., MTN Mobile Money Uganda Ltd and Airtel Mobile Commerce Uganda Ltd in the mobile money sector went forward to apply to Bank of Uganda for licenses to offer services as a Payment Service Provider and a payment System operator (Electronic Money Systems) and the same were granted.
In respect of the compliance requirements under the National Payment Systems Act, a payment service provider other than an entity solely established to issue electronic money, a financial institution or microfinance deposit taking institution that intends to issue electronic money is required to establish a subsidiary legal entity for issuing electronic money.
This explains why Airtel Uganda Ltd which is majorly a telecommunications company incorporated and secured a license for its subsidiary Airtel Mobile Commerce Uganda Ltd for purposes of carrying on its Airtel money business that has been previously under Airtel Uganda Ltd.
Airtel Uganda Ltd has since issued a public notice to its clients and the general public of the intended transfer of Airtel Money to their sister company. In addition to that, Airtel Uganda Ltd has also sent messages to airtel money users informing them that their Airtel money Account and related data is being transferred to Airtel Mobile Commerce (U) Ltd and continued use of the service will be deemed as acceptance of the transfer.
In the wake of these notifications about data transfers, the public has taken to social media platforms to express their discontent with transferring their data and the manner in which their consent is being obtained, notably without explanation for the data transfer.
Following these events, the users are asking why their data is being transferred and whether principles of data protection are being adhered to. Airtel Mobile Commerce Uganda Ltd as a holder of a license of a payment system is under an obligation to comply with the requirements of consumer protection which among others include data protection.
Therefore, Airtel Mobile Commerce Uganda Ltd as an entity required to comply with principles of data protection, cannot collect data from Airtel Uganda Ltd without complying with the Data Protection and Privacy Act 2019.
And on the other end Airtel Uganda Ltd cannot transfer user’s data to a third party in disregard of the obligations and data subject rights provided under the Data Protection and Privacy Act, 2019. These entities are therefore under the obligation to ensure transparency and participation of the data subject in the collection, processing, use and holding of the personal data.
At the registration for mobile money services, the user is required to give personal data which includes Airtel Mobile Phone Number, full name, photograph, NIN, ID Number, physical residential address, physical business address, date of birth, nationality, gender and other Know Your Customer (KYC) information as may be required. Important to note is that Airtel Uganda Ltd in its messages to Airtel Money users indicates that it will also transfer related data which obviously includes financial information of its users.
At the center of any dealing with users’ data is their consent, consent must be; specific, informed, unambiguous and freely given by a data subject through a statement or by a clear affirmative action, signifying agreement to the collection or processing of his or her personal data.
By this standard, the messages sent by Airtel Uganda to data subjects fall short of the threshold established by the definition of what amounts to consent.
The reasons for such “inconveniencing” but worth painstaking process is to protect data subjects from data breaches that may have far reaching impacts on individual data subjects and on data subjects as a whole.