Sector Analysis
Telecommunications
Overview of the Sector & Data Collectors Evaluated
The telecommunications sector across Nigeria, Ghana, Botswana, Rwanda, Tanzania, Mauritius, Zimbabwe, Kenya, and Uganda continues to anchor national digital transformation efforts, providing essential infrastructure for mobile connectivity, internet access, and digital financial services. The assessment covered major operators across these countries, including Nigeria's MTN Nigeria, Airtel Nigeria, Globacom Limited, and 9Mobile; Ghana's MTN Ghana, AT Ghana, Telecel Ghana, and Glomobile Ghana; and Botswana's Mascom Wireless, BTC, Orange Botswana, and BoFiNet.
Across the region, telecom operators serve as primary custodians of large volumes of personal data due to their role in mobile communications, mobile money ecosystems, and increasingly digital service portfolios. Markets such as Kenya and Ghana demonstrate strong innovation and rapid uptake of mobile services, with Safaricom, MTN Ghana, and Telecel driving expansion of 4G/5G networks and integrated digital platforms. Nigeria, the continent's largest telecom market, continues to formalize its privacy and regulatory landscape, with its major operators handling complex, high-volume data environments.
Countries like Rwanda and Mauritius show steady advancement driven by national digital strategies and strong regulatory oversight, while Tanzania and Uganda maintain highly competitive markets characterised by widespread mobile money use and expanding broadband coverage.
Meanwhile, Botswana and Zimbabwe, though operating in more constrained economic contexts, continue to rely on telecom operators such as Mascom, Orange Botswana, Econet, and NetOne to sustain digital connectivity and essential communication services.
Overall, the sector is marked by growth, increasing data intensity, and expanding service diversification. Yet this rapid evolution places significant responsibility on telecom companies to strengthen privacy governance, enhance transparency, and align more closely with emerging data protection frameworks. As digital infrastructure deepens and user reliance on telecommunications increases, the privacy practices of these operators remain central to consumer trust and regulatory compliance across the region.
Analysis of Compliance With Each Criterion
In the telecommunications sector, the assessment covered 35 data collectors across the nine participating countries. These included four operators each from Nigeria (MTN Nigeria, Airtel Nigeria, Globacom Limited, 9Mobile), Ghana (MTN Ghana, AT Ghana, Telecel Ghana, Glomobile Ghana), Tanzania (Vodacom, Tigo, TTCL, Airtel Tanzania), Mauritius (Emtel, Liquid Telecom, my.t, Atcomm), Zimbabwe (Econet, TelOne, NetOne, Liquid Telecom Zimbabwe), Kenya (Zuku, Safaricom, Jamii Telecommunications Limited, Airtel Kenya), Uganda (MTN Uganda, Lycamobile, Airtel Uganda, Roke Telkom), and Botswana (Mascom Wireless, BTC, Orange Botswana, BoFiNet). In Rwanda, three companies were assessed (MTN Rwanda, Airtel Rwanda, Liquid Telecom Rwanda) due to market size and operator availability.
Findings - Telecommunications Sector
Telecommunications Sector - Nigeria
The data shows that while all four Nigerian telecom operators scored 100% on registration with the national regulator, their broader privacy practices differ sharply, revealing uneven compliance and consumer protection.
MTN Nigeria is the only operator with a 100% score for a transparency report and also leads alongside 9Mobile with 42% on third-party data transfer disclosures, though MTN performs poorly on security with 45%. Airtel Nigeria, Globacom Limited, and 9Mobile each scored 0% on transparency reports, and Airtel's third-party transfer score is low at 16% while Globacom scores 0%. On accessible privacy policies, Airtel Nigeria and 9Mobile lead with 88%, followed by MTN Nigeria and Globacom at 75% each. For pre-collection transparency and data subject rights, 9Mobile scored 73%, MTN 72%, Airtel 64%, and Globacom the lowest. In security practices, Globacom leads with 67%, followed by Airtel and 9Mobile at 61%, while MTN trails with 45%. For internal resolution mechanisms, MTN, Airtel, and 9Mobile share the highest score of 42%, with Globacom again scoring the least. Overall, the scores indicate that while basic regulatory registration is universal, critical areas like transparency reporting, data-sharing clarity, security robustness, and user-rights protections remain inconsistent and expose customers to varying levels of privacy risk.
Telecommunications Sector - Ghana
The assessment of Ghana’s telecommunications sector reveals a landscape of uneven privacy maturity, with operators showing wide variations in regulatory compliance, transparency, and data protection performance.
Registration with the national regulator sharply differentiates the companies: AT Ghana scores 100% and maintains an active registration, Glomobile Ghana scores 50% with an expired certification, while MTN Ghana and Telecel Ghana score 0%, signaling significant compliance gaps.
Transparency reporting is similarly inconsistent. MTN Ghana leads with 100%, Telecel follows with 36%, while AT Ghana and Glomobile score 0%, limiting visibility into government and law enforcement data requests. Third-party data transfer practices also vary: Glomobile Ghana scores 80%, MTN Ghana 6%, and AT Ghana and Telecel 0%, raising concerns about unclear or undisclosed data-sharing arrangements. Although AT Ghana provides the only fully accessible privacy policy (100%), the rest of the operators score 0%, and their policies rely heavily on technical language that reduces user comprehension.
Pre-collection transparency is strongest for Telecel Ghana (65%) and MTN Ghana (64%), while AT Ghana and Glomobile provide minimal detail on data categories, purposes, retention, or user rights. In terms of security, MTN and Telecel lead with 72%, but offer limited policy descriptions of safeguards; AT Ghana performs poorly despite acceptable SSL scores, and Glomobile trails with weak security practices. Internal resolution mechanisms remain underdeveloped across all operators, with Telecel scoring 25%, MTN 17%, and AT Ghana and Glomobile 0%, indicating weak channels for addressing user concerns. Overall, the sector exhibits fragmented and inconsistent privacy governance. Despite isolated areas of strength, the combination of regulatory lapses, weak transparency, insufficient security detail, and inadequate user-protection mechanisms highlights a pressing need for stronger regulatory enforcement, clearer communication, and more robust privacy frameworks.
Telecommunications Sector - Botswana
The performance of Botswana's telecommunications operators, namely Mascom Wireless, BTC, Orange Botswana, and BoFiNet, reveals a sector with moderate but uneven privacy maturity, characterised by partial strengths alongside substantive gaps in transparency, user rights, security, and accountability.
None of the four operators had publicly available information on which to evaluate registration with the national data protection regulator, but all maintained publicly accessible privacy policies. Indicator-level results highlight deeper weaknesses: no operator has published a transparency report (0%), third-party data-sharing disclosures remain limited (Mascom 38%, BTC and BoFiNet 34%, Orange 20%), and internal resolution mechanisms are severely underdeveloped, with Mascom scoring only 17% and all others 0%. Pre-collection transparency varies widely, with BTC leading at 80%, followed by Mascom (73%), Orange (67%), and BoFiNet (48%), while security practices range from Orange's strong 78% to BoFiNet's modest 39%, exposing inconsistent implementation of technical and organisational safeguards. Privacy policy accessibility is strongest at BoFiNet (100%) and Mascom (88%), though accessibility often masks gaps in clarity, depth, and operational detail.
These quantitative findings align with the qualitative assessment of each operator's privacy posture. Mascom Wireless is among the stronger performers, offering a structured policy and restrictions on law enforcement access, but its breach-handling procedures are vague and it lacks transparency reporting, weakening overall accountability. Orange Botswana provides one of the most comprehensive and user-friendly notices in the market, clearly articulating data categories, lawful bases, and user rights; however, insufficient detail on third-party recipients and silence on user breach notification create critical transparency gaps. BTC performs well on user-rights disclosures and offers strong DPO accessibility, yet its third-party sharing descriptions are incomplete and breach resolution mechanisms remain unclear. BoFiNet lags behind its peers: despite having a highly accessible policy, it offers minimal detail on user rights, security measures, or breach processes, resulting in the weakest overall privacy governance framework.
Overall, Botswana's telecom sector demonstrates basic regulatory compliance but lacks the depth, operationalisation, and consistency expected of a mature data-protection environment. The absence of clear breach-response procedures, user-notification obligations, comprehensive third-party disclosures, and updated transparency reporting (none published since 2023) leaves both consumers and operators exposed to significant risk. As Botswana strengthens its data-protection ecosystem, all four providers will face increasing pressure to elevate their privacy practices, moving beyond procedural compliance toward robust, user-centred, and accountable data-protection frameworks aligned with global standards and essential for sustaining public trust in a rapidly digitising economy.
Telecommunications Sector - Rwanda
All three operators maintained publicly accessible privacy policies, with Airtel Rwanda leading at 100% availability, up from 75% in the previous assessment. Both MTN Rwanda and Liquid Telecom Rwanda also provided accessible policies, each at 88%, consistent with last year's results. In terms of pre-collection data transparency and data subject rights, MTN Rwanda scored highest at 71%, followed by Liquid Telecom Rwanda at 63%, indicating some progress in informing users about data practices before collection.
However, across all three operators there were notable gaps in compliance relating to third-party data transfers, data security measures, and internal breach resolution mechanisms, each of which registered low levels of adherence to expected standards. Additionally, apart from MTN Rwanda, none of the operators published transparency reports, a deficiency that persisted from last year and highlights ongoing limitations in organisational accountability and public reporting. The figure presents further details on the performance, with an in-depth discussion of the three companies provided below.
All three operators, MTN Rwanda, Airtel Rwanda, and Liquid Home Rwanda, continue to publish publicly accessible privacy policies that exceed minimum length requirements, ensuring baseline transparency for users. This year, Airtel Rwanda's privacy policy stood out for clarity and readability, achieving a Hemingway grade of 6 and a word count of 1,251, which contributed to its highest overall score of 100% among the three. MTN Rwanda's policy was the longest at 2,913 words but was less accessible in language, reflected in a Hemingway grade of 13 and an 88% score, while Liquid Home Rwanda's policy, at 1,591 words with a grade of 12, also scored 88%. Despite all meeting publication and accessibility benchmarks, differences in readability significantly affected their overall performance, with Airtel leading in clarity and user-friendliness.
Compared with last year, where all three companies similarly had privacy policies exceeding 200 words, MTN's at 2,878 words, Airtel's at 1,235 words, and Liquid Telecom's at 1,666 words, the readability landscape has shifted. Last year, MTN and Liquid Telecom's policies were deemed relatively readable, while Airtel's was more challenging for users to understand. This year's assessment shows improvements in Airtel's accessibility alongside continued readability challenges for MTN and Liquid Home, underscoring the importance of clear language in enhancing user comprehension.
A comparative review of last year's detailed analysis also highlighted specific strengths and weaknesses in the content of these policies. Liquid Telecom last year provided comprehensive coverage of data collection, retention, and user rights (including access, correction, objection, restriction, and deletion), and prohibited sharing data with advertisers, though it lacked specifics on data types collected, company contact information, and third-party recipients. MTN outlined data types collected and user rights, allowed permanent deletion, and required opt-in for advertising, but offered limited contact information and permitted broad third-party sharing without clear recipient lists. Airtel specified company contact details and data types collected but lacked defined retention periods and clear provisions on key user rights. Across all three, there was inconsistent handling of breach resolution and law enforcement access, revealing persistent gaps in data protection practice.
In security assessments conducted last year, SSL server scores varied (MTN: B; Airtel: A; Liquid Telecom: B), while security header scores were weaker overall (MTN: F; Airtel: D; Liquid Telecom: D). Only MTN's policy mentioned data security measures, albeit without specific detail, while Airtel and Liquid Telecom did not address data security explicitly in their policies.
Overall, while policy availability and publication have improved, significant differences remain in readability, transparency, and substantive content. Airtel Rwanda's gains in readability contrast with ongoing challenges for MTN and Liquid Home in making their policies fully accessible to users. Persistent gaps in clarity around data security, breach resolution, and third-party sharing highlight the need for continued enhancement of privacy communications to better inform and protect users.
Telecommunications Sector - Tanzania
As in the previous year, Vodacom and TTCL achieved perfect scores (100%) for the indicator measuring the accessibility of privacy policies, with Airtel Tanzania and Tigo Tanzania close behind at 75% each. Vodacom also remained the only operator to comply with the indicator for an available transparency report, consistent with last year's finding.
Performance on indicators relating to data subject rights and data security was relatively strong across the operators. Vodacom led in data subject rights compliance at 91%, followed by Tigo Tanzania at 66% and Airtel Tanzania at 63%. For data security, Tigo Tanzania was in the lead with 72%, with Vodacom at 67% and Airtel Tanzania at 61%.
In contrast, all operators performed poorly on the third-party data transfer indicator, with scores below 50%, indicating widespread gaps in transparency and controls over data shared with external entities. Similarly, compliance with internal data breach resolution mechanisms was generally low; Airtel Tanzania led this area at 67%, while the remaining companies scored below 50%.
Overall, Vodacom stood out for its consistent performance across multiple indicators, including privacy policy accessibility, transparency reporting, and data subject rights, while other operators demonstrated mixed performance with clear opportunities for improvement. The figure provides additional insights into these results, with a more detailed discussion presented below.
Vodacom and TTCL have the most accessible privacy policies, each scoring a full 100%. Vodacom's high score is supported by strong compliance in pre-data collection practices, particularly around transparency before data is gathered, with Tigo Tanzania trailing closely behind in this area. Despite this relative strength, all companies performed poorly on third-party data transfer indicators. Scores were low across multiple metrics, including whether personal data is shared with third parties and advertisers, whether those third parties are listed, whether the specific types of data shared are specified, whether data is shared only under lawful requirements such as court orders, and whether multiple reporting channels such as dedicated hotlines, online forms, or email addresses are outlined for breach notifications. This suggests that effective checks and compliance mechanisms for data transfers to third parties are largely absent.
In terms of data security practices, Vodacom, Tigo Tanzania, and Airtel Tanzania show reasonable compliance, with policies that include relevant commitments and controls. In contrast, TTCL scores poorly; its policy mentions data privacy in general terms but lacks specific details on actionable security measures.
Vodacom also achieves a perfect score (100%) for transparency report availability, being the only operator that publishes a transparency report on its corporate website. All other companies score zero on this indicator due to the absence of any publicly accessible transparency reporting.
For internal data breach resolution, Airtel Tanzania performs best among the group. It scores fairly across most of the metrics but falls short in explaining how users can report a data breach. The other operators register lower performance in this area, indicating a broader need for clearer breach reporting and resolution mechanisms.
Telecommunications Sector - Mauritius
Of the four operators assessed, Emtel, Liquid Telecom, and MyT (my.t) each maintained accessible privacy policies, with all three scoring 88% on this indicator. Compared to last year, MyT declined from its previous perfect score of 100%, while Emtel and Liquid Telecom maintained their 88% standing from the prior assessment.
In the area of data subject rights, Liquid Telecom led with 67% compliance, followed by Emtel at 64% and MyT at 50%. This reflects varying levels of commitment to informing users about their rights to access, correct, restrict, or delete personal data, rights confirmed in part by MyT's articulated data subject rights framework in its published privacy policy. Consistent with last year, all operators demonstrated low compliance on third-party data transfer, with scores below 50%, indicating that none sufficiently disclose whether personal data is shared with third parties or detail the recipients and terms of such transfers.
For data security, Emtel led with 67%, followed by MyT at 56%, while Liquid Telecom and Atcomm scored below 50%. This suggests varied maturity in articulating and implementing security measures in policy provisions, with some operators lacking clear commitments to protect data against unauthorized access and breaches.
On transparency reporting, Emtel and MyT both achieved full compliance, being the only operators to publish transparency reports, whereas Liquid Telecom and Atcomm scored 0% for lacking any such reports. This mirrors last year's broader trend of limited transparency reporting across the sector.
Finally, all operators registered poor performance on internal data breach resolution, with Liquid Telecom, MyT, and Atcomm showing the weakest compliance. This indicates ongoing gaps in how companies describe breach detection, reporting channels, resolution procedures, and timelines, an area that also featured prominently as a weakness in the previous year's assessment.
Overall, while basic privacy policy publication remains consistent, notable declines such as MyT's drop in privacy policy accessibility, and persistent weaknesses in third-party transfer, breach resolution, and transparency reporting highlight the need for enhanced privacy governance and accountability across the telecom operators.
Telecommunications Sector - Zimbabwe
TelOne and NetOne continued to lead in accessible privacy policy compliance, each scoring 88%, with Liquid Home Zimbabwe trailing at 63%. Compared to last year, this represents a shift in leadership: Econet and Liquid Telecom Zimbabwe previously led with 63% on this indicator, while Liquid Home maintained a similar position. This change suggests that TelOne and NetOne have strengthened the visibility and accessibility of their privacy disclosures, an important baseline for user awareness and accountability.
On data subject rights, NetOne (81%) and Liquid Home (67%) recorded the highest compliance among the operators, indicating relatively stronger acknowledgement of users' rights to access, correct, object to, or delete their personal data. By contrast, other operators scored below 50%, showing persistent gaps in how clearly user rights are articulated and operationalised in published policies. This variation reflects uneven alignment with core data protection principles that emphasise transparency and user control.
Across all operators, third-party data transfer compliance remained very low (below 50%), highlighting a systemic weakness in disclosing whether and how personal data is shared with external entities. This includes inadequate visibility on the categories of third parties, purposes of sharing, and safeguards to ensure lawful and secure transfers. Weaknesses in this area expose users to potential risks of unauthorized disclosure and reduce accountability for downstream data use.
In data security practices, NetOne and Econet led with moderate scores (56% and 50% respectively), but overall compliance among operators was low. This outcome suggests that while some policies mention data protection measures, few provide sufficiently detailed commitments or mechanisms to safeguard personal data against unauthorized access or breaches. Effective security practices are fundamental to building trust and demonstrating compliance with data protection requirements; low scores in this area may signal weak institutional controls or communication gaps in policy disclosures.
Only Econet published a transparency report, achieving a perfect score (100%) on this indicator, while TelOne, NetOne, and Liquid Home scored 0% due to the absence of such reports. Last year, Econet similarly stood alone in publishing a transparency report, reinforcing a persistent gap in corporate reporting and accountability across most operators. Transparency reports are critical for informing the public about data practices, governance, and accountability measures, and their absence undermines trust and inhibits external oversight.
All operators registered very low compliance on internal data breach resolution, indicating that few policies clearly outline how breaches are detected, reported, remediated, or how users are informed. This weak performance is consistent with last year's findings, where internal redress mechanisms were similarly absent or poorly articulated. Lack of robust breach resolution mechanisms not only impedes operational readiness but also increases regulatory risk and diminishes user confidence in the operator's ability to protect personal data.
TelOne and NetOne, as noted above, perform above average on accessible privacy policies, each presenting reasonably detailed and fairly readable policies that help users understand how their data is handled. In contrast, Econet performs poorly in this category, largely because it lacks a published privacy policy, while Liquid Home Zimbabwe records an average score, indicating room for improvement in clarity and accessibility.
Under the pre-data collection transparency indicator, NetOne stands out, providing a comprehensive list of the types of data it collects, the purposes for collection, and clear provisions on targeted marketing with an opt-out option. NetOne's approach aligns more closely with accepted data protection principles. Liquid Home Zimbabwe and TelOne follow, demonstrating some commitment to pre-collection transparency, while Econet again scores zero, reflecting an absence of clear disclosure practices.
All telecommunication companies perform poorly on third-party data transfer transparency, with Econet scoring zero. This suggests that most operators do not adequately disclose whether personal data is shared with external parties, the categories of third parties involved, or the safeguards in place, an important gap in compliance with global data protection expectations.
In the area of data security practices, TelOne leads with the best performance, achieving a moderately fair score of 56% by detailing specific security measures in its policy. Liquid Home Zimbabwe scores the lowest (28%), indicating that its policy lacks substantive information on how data is protected against unauthorized access or compromise.
Econet redeems itself under the transparency report indicator, earning a perfect score for making its transparency report publicly available. None of the other companies publish a transparency report, highlighting a broader shortfall in meeting international best practices for data protection accountability and openness.
While some operators show improvements in privacy policy accessibility and recognition of data subject rights, the overall picture reveals significant structural weaknesses in their privacy practices. Across the board, there is low disclosure of third-party data sharing, minimal transparency reporting, inconsistent commitments to data security, and poor breach management practices, suggesting that many companies are not fully meeting expectations under contemporary data protection frameworks.
Such deficiencies not only undermine user trust but also expose companies to increased regulatory scrutiny and potential non-compliance with national and international data protection standards that require clear articulation of user rights, documented security controls, and transparent data governance practices.
In particular, performance on internal data breach resolution is very weak among all operators. The highest score recorded is 8% by NetOne, but this reflects only an indirect reference to breach-related details rather than a clearly articulated data breach process. Most companies do not meaningfully address how breaches are detected, reported, managed, or communicated to affected users, highlighting a widespread gap in institutional readiness and policy clarity.
Telecommunications Sector - Kenya
All operators demonstrated full compliance with registration with the national regulator, with each scoring 100%, indicating that they are all formally recognised and subject to regulatory oversight. In terms of accessible privacy policies, JTL led with a perfect score (100%), followed by Zuku, Safaricom, and Airtel Kenya each scoring 88%, showing broad progress in making privacy statements publicly available and visible to users.
For the data subject rights indicator, Airtel Kenya took the lead at 68%, followed by Safaricom at 63% and Zuku at 56%, reflecting varying degrees of commitment to informing users about their rights and how to exercise them. These outcomes suggest a general trend toward enhancing user empowerment compared to last year, when detailed articulation of pre-collection transparency and rights was uneven across operators. In last year's analysis, Safaricom, JTL, and Airtel Kenya each scored 100% for accessible privacy policies, while third-party data transfer and internal breach resolution were areas of very low compliance across the sector.
Despite this progress, all operators continue to score poorly on compliance with third-party data transfer indicators, with results below 50%. This persistent gap indicates that, while privacy policies are being published, there is still limited transparency around how and with whom personal data is shared outside the operator, undermining full compliance with data protection expectations and reducing users' ability to understand the flow of their information.
Under data security, Airtel Kenya leads with a strong score of 89%, followed by Safaricom and JTL each at 78%, indicating that these operators are comparatively better at articulating security commitments and measures to protect personal data. However, lower scores among others show that many operators still need to strengthen their security disclosures and practices in policy documentation.
On the transparency reporting indicator, Zuku and Airtel Kenya both achieved perfect scores (100%) by publishing transparency reports, while the remaining operators did not, reflecting uneven implementation of this accountability mechanism. The availability of transparency reports represents an important step toward openness and accountability, but the continued absence of such reports for some operators suggests that compliance with internationally recognised data protection practices remains inconsistent.
Finally, all operators scored low on internal data breach resolution, with Airtel Kenya leading at only 58%, while others scored below 50%. This indicates that few operators clearly outline in their policies how data breaches are detected, reported, and resolved, representing a continued weakness compared to last year, when internal breach resolution was one of the lowest-scoring indicators across the sector.
In sum, while there have been improvements in privacy policy accessibility and articulation of data subject rights, significant structural gaps remain, especially in third-party data transfer transparency, uniform security disclosures, and breach management practices. These weaknesses highlight that many operators are not yet fully aligned with contemporary data protection standards, potentially undermining user trust and exposing them to regulatory scrutiny as data protection laws increasingly emphasise transparency, accountability, and robust user safeguards. The figure below provides additional details on the performance, followed by a further discussion.
The telecommunications sector exhibits a wide range of privacy compliance, from Safaricom Kenya's industry-leading performance to Jamii Telecommunications' concerning low score. This variation reflects notable differences in how operators prioritise data protection, invest in governance frameworks, and respond to regulatory expectations.
Safaricom Kenya achieved a perfect compliance score (100%), demonstrating comprehensive implementation of privacy practices. The company's robust framework includes internationally recognised certifications such as ISO 27701 for Privacy Information Management Systems, which validates its commitment to structured privacy governance across services including customer support, billing, and mobile money operations. Safaricom also publishes detailed retention schedules and maintains dedicated privacy resources, contributing to its exemplary score.
Airtel Kenya demonstrated strong compliance, showing that international operators often benefit from global privacy governance models applied across multiple jurisdictions. Airtel's privacy policy includes extensive categorisation of personal data covering identity, contact, financial, location, device, and usage information, along with clear consent mechanisms and disclosures about third-party sharing. However, gaps remain, such as the lack of explicit reference to Kenya's Data Protection Act 2019 and the absence of complaint procedures through the Office of the Data Protection Commissioner.
In contrast, Zuku Kenya scored poorly, underscoring ongoing compliance challenges. The company's weak score reflects deficiencies in its privacy policy, including the absence of specific data retention periods, incomplete data subject rights information, and limited transparency around third-party data sharing. Zuku has also faced regulatory enforcement actions, including a KES 500,000 fine by the Office of the Data Protection Commissioner (ODPC) for violations of data retention and unauthorized marketing practices, demonstrating the risks of inadequate compliance.
Jamii Telecommunications' extremely low score is the most concerning finding across the sector, indicating a near-absence of formal privacy protection measures despite serving a substantial customer base. The company lacks any publicly accessible privacy policy, violating basic transparency requirements under Kenya's Data Protection Act and warranting urgent regulatory investigation and enforcement.
Comparison with last year shows a significant shift in the compliance landscape. Previously, both Safaricom and JTL maintained comprehensive and accessible privacy policies, with Safaricom's policy closely aligned to the Data Protection Act and including detailed user rights, lawful bases for processing, and engagement mechanisms, while JTL's policy similarly framed robust processing principles and safeguards. Last year, transparency reporting and enforcement readiness were largely absent across the sector.
The current assessment suggests that Safaricom has further strengthened its privacy practices, while other operators show mixed progress. Airtel's improved score reflects stronger policy articulation, but areas such as regulatory references and complaint channels still need enhancement. Meanwhile, Zuku's regulatory penalty highlights the concrete consequences of privacy non-compliance, and Jamii's lack of policy underscores persistent accountability gaps.
Overall, these findings highlight the critical importance of robust privacy governance, transparent data handling, and regulatory alignment within the telecommunications sector. Operators demonstrating strong frameworks, such as Safaricom and Airtel Kenya, are better positioned to build user trust and mitigate regulatory risks, whereas those with limited compliance face increased scrutiny, potential penalties, and reputational harm.
Telecommunications Sector - Uganda
MTN Uganda, Airtel Uganda, Lycamobile, and Roke Telkom remain the leading telecommunications operators in Uganda. MTN Uganda continues to dominate the market with approximately 22–22.8 million subscribers, representing nearly half of the national market, followed by Airtel Uganda with about 17.9 million subscribers. Consistent with last year's findings, MTN Uganda demonstrates relatively higher compliance across the seven assessed indicators, while systemic weaknesses persist across the sector. The figure offers additional insights into the performance, with a further discussion provided below.
All operators achieved full compliance (100%) with registration requirements under the national regulator, reflecting continued adherence to baseline licensing obligations. This marks an improvement from the previous year, when Lycamobile's status as a Mobile Virtual Network Operator (MVNO) limited regulatory oversight and contributed to compliance gaps.
While all operators have publicly accessible privacy policies, their quality and effectiveness vary significantly. Roke Telkom continues to lead on accessibility and clarity of privacy policies, scoring 100%. Its policy is prominently published, concise (449 words), and written in clear language that is easy for the average user to understand.
Lycamobile and Airtel Uganda followed with scores of 88%, while MTN Uganda scored 75%, reflecting ongoing concerns also noted last year regarding the complexity and length of MTN's policy, despite its substantive strengths.
MTN Uganda remains the strongest performer on data collection transparency and user rights. As observed last year, MTN's policy clearly outlines the types of personal data collected and explicitly grants users the rights to access, correct, and delete their data, and to lodge complaints. This continues to align well with DPPA requirements on lawful processing and data subject rights.
Roke Telkom and MTN Uganda recorded the highest scores on data subject rights this year (63% and 60%, respectively), with Lycamobile and Airtel Uganda also scoring above 50%. However, persistent gaps remain. Airtel and Lycamobile, as noted in last year's analysis, still fail to clearly articulate the purposes for data collection or comprehensively list third parties with access to user data. Roke Telkom continues to allow behavioural marketing without providing users with clear opt-in or opt-out mechanisms, a practice that raises consent and fairness concerns under data protection law.
All operators engage in third-party data sharing, yet compliance in this area remains weak, with all scores below 50%. While MTN Uganda, Lycamobile, and Airtel Uganda demonstrated incremental improvements compared to last year, Roke Telkom experienced a sharp regression, falling from 60% to 0%. Last year, Roke Telkom's policy was noted for prohibiting third-party access to personal data; however, this position remains inadequately supported by clear breach reporting or accountability mechanisms. MTN, Airtel, and Lycamobile permit third-party access, but only MTN explicitly lists the categories of third parties involved, including enforcement and regulatory bodies, insurers, auditors, and advertisers. As in the previous year, none of the operators clearly specify the types of personal data shared, creating ongoing risks for users and undermining the principles of transparency and purpose limitation.
Lycamobile continues to exhibit serious deficiencies in this area, including lack of clarity on data retention periods, third-party data sharing, and law enforcement access. The previously identified unlawful practice of charging users UGX 43,000 to access their personal data, contrary to the DPPA, remains a stark example of non-compliance and weak enforcement.
Lycamobile again recorded the highest score on data security (94%), consistent with last year's findings, followed by MTN Uganda and Roke Telkom (67% each), while Airtel Uganda continues to lag behind (61%).
Despite these scores, all operators performed poorly on internal data breach resolution mechanisms. As in the previous year, none of the companies provide robust processes for reporting, investigating, and remedying data breaches. The highest score in this category was only 42%, indicating systemic weaknesses in accountability and risk management.
MTN Uganda remains the only telecommunications operator to have published a transparency report, a practice it has maintained since 2023. This positions MTN as the sector leader in accountability and disclosure of government and third-party data requests. Airtel Uganda, Lycamobile, and Roke Telkom continue to offer no comparable insight, perpetuating opacity around state and commercial access to user data. While MTN also stands out for appointing a Data Protection Officer and establishing multiple channels for data subject complaints and whistleblowing, its overall performance is still constrained by policy complexity and limited specificity regarding the types of data shared with third parties.
Taken together, the findings reveal a pattern of incremental improvement without structural reform. MTN Uganda continues to set the benchmark for transparency, user rights, and governance, though it must improve policy clarity and data-sharing specificity. Roke Telkom excels in policy accessibility but lacks substantive safeguards around consent, third-party sharing, and breach accountability. Airtel Uganda's comparatively weaker security protections and limited transparency expose users to elevated risks, while Lycamobile's repeated non-compliance underscores significant enforcement gaps within Uganda's data protection regime. Without stronger regulatory enforcement and meaningful accountability measures, current practices risk entrenching a culture of formal compliance without effective protection of users' privacy rights.
