This week, the Ugandan president signed an anti-LGBTQ+ law that has been condemned as a ‘permission slip for hate and dehumanization’. The law imposes the death penalty or life imprisonment for ‘certain same-sex acts’, up to 20 years in prison for ‘recruitment, promotion and funding’ of same-sex ‘activities’ and a 14 year sentence for anyone convicted of ‘attempted aggravated homosexuality’ (Guardian 2023). This law criminalizes people who have been identified as LGBTQ+, and such measures have serious implications for organizations involved in the development and use of platforms and databases for collecting, storing, and sharing identity data.
The criminalisation of LGBTQ+ identities is not unique to Uganda, or unique to the 2023 Act. The criminalization of these communities takes place in many countries around the world. In Africa alone, only 22 of its 54 nations allow homosexuality (Reuters, 2023) and there are many cases from the 64 countries that criminalize homosexuality (BBC 2023) where LGBTQ+ people have been convicted for their mere existence. In 2010, a Malawian gay couple was sentenced to 14 years in prison (UN 2010) and the following year, a gay man in Cameroon was arrested in connection with a text message he sent to another man where he said ‘I’m very much in love with you’ (Guardian 2014). In 2023, a gay Chinese blogger was arrested in Russia for publishing a blog post that was deemed to violate the so-called same-sex ‘propaganda’ law simply for suggesting that a gay sexual orientation is normal (CNN 2023).
The criminalisation of LGBTQ+ identities creates a core tension for database owners who collect and store personally identifiable data who operate in these countries. Typically, the security measures around data handling exist to ensure that personal data does not fall into the wrong hands, where it can be used unlawfully. However, in the context of Uganda in the wake of the anti-homosexuality Act, it is the legislation itself that dictates that LGBTQ+ people must be identified and criminal proceedings be brought against them. Enforcing such a law requires evidence to prove that an individual is engaged in same-sex acts, or has been conducting activities that could be viewed as being the ‘recruitment, promotion and funding’ of LGBTQ+ identities (Guardian 2023). Such evidence needs identity data, which makes databases with identity data a potential source where such evidence could be drawn from or inferred.
Data that can be used to provide insight into a person’s behaviour or practices can potentially be used to infer their sexuality or their gender identity. Such data can come from healthcare, from population census data, and from public health surveillance. It can come from the connections and interactions people have on social media. It can even come from GPS trackers used to determine whether a person has attended an LGBTQ+ centre or correlated with other data to infer who the individual has met.
Since identity data can be used to identify LGBTQ+ identities, database owners are faced with a challenging dilemma. They need to conduct their work and safeguard the identities of the persons whose data they store, whilst also complying with national legislation and with the demands of the government. Any database owner or platform owner whose tools collect and store such personal identifiable data must consider the implications of their work within this new legal landscape. In the current climate, if the Ugandan government calls on a database owner to share such identifiable data, the government could potentially use the legislation to make this demand. Sharing such data could expose LGBTQ+ people to risk of conviction under the Act.
Database owners have a responsibility to safeguard the personal data within their database that can be used to identify individuals. However, when a database owner operates within a country where an LGBTQ+ person’s identity is criminalized, they must consider the ethical implications of their work and plan for how this safeguarding can be ensured.
