The media is awash with the Crane Bank saga and there are a lot of theories on what could have or could not have happened, who to point fingers at and what might have gone wrong. This series of discussions however, drive me to a topic that is seldom discussed but a very glaring issue in today's corporate world known as corporate governance. Many people relate this term to big multinational corporations and already established companies. Be that s it may, it affects our day to day living and business life around the world.

With the integration of the world economies and businesses cutting across borders, there is need to adhere to world acceptable principles and business guidelines. Many international investors and private equity firms are looking out for companies that have structures. They need companies where their interests are secured at all levels of the company. This therefore drives the idea of Corporate Governance.

Perhaps what accelerated the need for robust corporate governance were the new century’s financial scandals affecting major American firms, such as Enron, WorldCom and Arthur Andersen, and the resulting loss of confidence of the investing public in the stock market that caused substantial financial losses to millions of individual investors.

The United Kingdom’s 1992 Cadbury Report’s often quoted definition is: “Corporate governance is the system by which businesses are directed and controlled. In simpler terms however, corporate governance is simply about the interaction and relationship among the various stakeholders, in determining the direction and performance of a company.

It should be noted that the foundation of modern company law emanates from the famous “SALOMON’S CASE”. From this case, the veil of incorporation effectively segregates the owners from the management of the company. Therefore the company may be viewed as a conduit with two masters, namely, “the board of directors” deciding as a collective unit and “the members/Shareholders” deciding at a general meeting. The Directors are the directing mind and will of the Company and carry on day to day business of the company whereas the Shareholders own the company. In Uganda the roles of Director and Shareholder are usually married and enriched in one person.

In this view, the primary function of corporate governance law is to devise strategies and mechanisms to ensure that those in control of shareholders’ property apply it strictly for the benefit of shareholders. The separation of ownership and control together with the increasing involvement of other stakeholders who have an interest in the business of the company such as financiers, regulators, surrounding communities and employees has accordingly given rise to the need for a uniform and comprehensive system of control based on the predominant principles of transparency, fairness, responsibility and accountability.

The OECD principles of corporate governance, 2006 cover five areas: The rights of shareholders, the equitable treatment of shareholders, the role of stakeholders, disclosure and transparency, the responsibility of the board.

In Uganda, the 2012 Companies Act provides the primary framework for governance of companies and introduced a code of corporate governance that is voluntary for private companies and mandatory for new public companies. This code of Corporate Governance is enshrined under Table F of the Companies Act.

Corporate governance in Uganda is approached in two forms. The mandatory form, also called ‘comply or else’, and the voluntary one also known as ‘comply or explain’. “The former is where corporate governance standards are enshrined in legal enforceable instruments, with legal penalties for non-compliance, while the latter includes guidelines that contain best practices on particular governance issues such as treatment of shareholders, transparency and accountability among others. In Uganda industries such as Capital markets, Banking and Insurance have compulsory corporate governance requirements.

Corporate governance may sound a preserve for the big corporations in the private sector, but that is a misnomer because the principles also apply to non-governmental organisations, family-owned enterprises and public sector bodies among others.

A good corporate governance image enhances the reputation of the organization and makes it more attractive to customers, suppliers and investors.

It is often said that a good corporate governance is good business. Deciding to ignore the best practice is at your peril and more to both shareholders and stakeholders. 


Ian Mutibwa


Signum Advocates

Implications of granting telecommunication companies access to the National Identity card Database

I have learned with surprise-and a hint of dismay, that the Government, through the

Uganda Communications Commission (UCC), has agreed to give telecommunications operators in Uganda, access to the National Identity Card Database for verification of subscribers before confirmation of SIM card registration.

Although this may deter false registrations, the decision to grant access of personal information to profit making entities may have dire legal and data security implications. Without a clear data security policy and data protection laws, I can only speculate about the implications of a data breach or what would happen if these companies used the data for purposes other than confirmation of identity. 

Data is the oil of the information age, and whoever has access to the National Identity Card Database, has in essence, a wealth of information that may be used for other purposes like customer profiling for target advertising. 

So, while the Telecom companies themselves through due diligence might take steps to control and secure this data, without a national data security and retention policy, the storage and usage of the data would merely be governed by the entities privacy policies, if any. In the age of cloud computing, it would also be difficult to hold Telecoms accountable in the event of a data breach without clearly defined security guidelines.

This is what happened in the UK in November 2007, when Her Majesty’s Revenue and Customs (HMRC), lost two CD-ROMs containing 25 million records of child benefit recipients, including names, addresses and bank details. 

In December 2007, sensitive data, including religious beliefs and sexual orientation, relating to junior doctors were accessible to anyone accessing a website of the UK Department of Health. 

In the same month, the UK Driving Agency’s US contractor lost a computer hard drive containing contact details of three million candidates for the driving theory test. 

In January 2008, the UK Ministry of Defense lost a computer containing 600,000 staff records. 

In all those cases, even with data protection laws, it was difficult for the regulators to asses the extent of liability without clearly elucidated data security guidelines. 

It may be wise in this case, for UCC, to issue appropriate technical data security guidelines that the Telecom companies would be contractually obligated to follow, before giving them access to the database. UCC, may also designate the Telecoms as Data controllers and require them to offer guarantees about the security of the data and put mechanisms in check to ensure compliance with defined security measures.

UCC may also provide clear guidelines on the use of the data and put in place sanctions in the event that the Data is used for reasons other than those authorized. 

Data protection is globally recognized as a distinct human or fundamental right. Some countries have recognized data protection as a constitutional right, thereby highlighting its importance as an element of democratic societies. The detailed article 35 of the 1976 Constitution of Portugal can be seen as an example of best practice here.  

Uganda, has taken steps to regulate data through the Data Protection and Privacy Bill. The law, once in force, will regulate the collection and retention of personal data; and will provide for obligations of data collectors and processors.

The Bill comprehensively provides for rights of persons whose data is collected, obligations of data collectors and data processors, governance measures and procedures to administer, receive complaints and settle disputes. 

It also mandates data controllers and processors with the responsibility to protect data subjects and provides for an enforcement mechanism that will allow individuals to enforce their rights and remedies in cases of infringement. 

The draft Bill further requires that data subjects should be informed of who the data controller is; the purpose of collecting the data; how long the data will be kept and any third parties to whom the data will be disclosed.

It is unclear in these circumstances, why the Government of Uganda would consider releasing such sensitive information about its citizens to third parties without first passing the Data Protection and Privacy bill into law. This oversight if unchecked, may in the end, open the Telecoms and the regulators, to law suits over the breach of the right to privacy as enshrined under Article 27 of the Constitution of the Republic of Uganda. 

Kenneth Muhangi

Managing Partner 

Signum Advocates

Intellectual property, ICT Law & international commercial Law practitioner 


Trademark registration in Uganda, is governed by the Trademarks Act 2010 and accompanying regulations. The Act, does not expressly provide for registration of a Trademark for a domain name.

Under Section 4 of the act, only a graphically represented sign or combination of signs, capable of distinguishing goods or services of one undertaking from those of other undertakings, can be registered as a trademark.

In countries like the USA and the UK, domain names can be registered as Trademarks. In order to acquire a Trademark, an applicant would have to prove that the domain is being used for some some other purpose than for people to find and contact the applicant.

For example, the law firm of Signum advocates, would have a hard time registering as a trademark. It would have to prove that the domain is being used for provision of online legal services rather than as a point of reference for the services the firm offers and how to access the firm.

An applicant would also have a problem registering a generic name like as a trademark. eCommerce websites, like or would generally be able to acquire Trademarks owing to the distinctive nature of their domain names that become synonymous to the services they offer.

Allowing eCommerce sites to be able to register their domains, is imperative as it improves the businesses brand and provides comfort against Cybersquatting and typosquatting. Cybersquatting is the practice of registering a domain name similar or deceptively similar to an existing name. Usually, the name is registered with the aim of selling the domain name to that company or to post paid advertising links on a website at the domain name in order to profit from visitors looking for the Trademark owner or its business. Or maybe the registrant is a competitor seeking to divert customers to a business competing with the trade mark owner.

Typosquatting is a variation of cybersquatting where someone registers a domain name designed to benefit from typing mistakes made by internet users. This can involve registering / using a common misspelling of the target name / trade mark. Or a typical typing error.

In the USA, cybersquatting is illegal under the Anti-Cybersquatting Consumer Protection Act which defines cybersquatting as registering, trafficking in, or using a domain name with bad faith intent to profit from the goodwill of a trade mark belonging to someone else.

In Uganda, someone may have a case against a cybersquatter under common law or anti-competition laws like the Communications (Fair Competition) Regulations 2005 and the Communications Act 2013. Under those laws, if a telecommunications company like UTL for example, offering mobile money services, diverted traffic from XYZ’s competitors site, by registering the domain, then XYZ would have a cause of action against UTL.

Under e-commerce, a business in Uganda whose site has been cybersquatted, may have a claim against the Cybersquatter if the Cybersquatter while registering the domain, agreed to be bound by a dispute resolution policy such as the ICANN Uniform Dispute Resolution Policy, also known as the UDRP. The policy, recognizes Cybersquatting and an affected party may be able to get redress by conducting arbitration outside Uganda.

A claimant may also have a cause of action in Fraud and passing off, as seen in the One in a Million Case, British Telecommunications plc and others -v- One in a Million Ltd [1999] 1 WLR 903, where the UK Court of Appeal held that registration of a domain name inherently like someone else's name could amount to an "instrument of fraud", a kind of passing off. The facts of the case were that one in a Million (the appellants), were dealers in Internet domain names, specializing in registering names identical or similar to the names of well-known companies without their consent. Domain names including Marks & Spencer, Sainsbury’s, Virgin, British Telecommunications and Ladbroke Group were registered by the appellants who wrote to the various companies whose name or mark featured in particular domain names, offering them for sale.

The UK Court of Appeal opined that, "the domain names were registered to take advantage of the distinctive character and reputation of the marks. That is unfair and detrimental".

As an example of passing off, the judge considered the Marks & Spencer name. Anybody seeing or hearing the name connects it with the business of Marks & Spencer plc. So, if a person taps on his keyboard the domain name, and sees the name One in a Million Ltd, it could clearly create a false representation constituting the common law tort passing of off.

Nevertheless, the appellants argued that mere registration did not amount to passing off and that M & S had not established any damage or likelihood of damage. The judges refuted such arguments by explaining that the registration of the domain name including the words "Marks & Spencer" was an "erosion" of the exclusive goodwill in the name which damages or is likely to damage M & S.

The judges came to a similar conclusion, for slightly different reasons, in respect of all the other companies involved (Virgin, BT, Sainsbury’s and Ladbrokes) and

further held that the mere sale of a domain name, which is confusingly similar to a registered trademark, represents an infringement.

This case has been cited and used in various subsequent claims and has evolved to infer liability on a cybersquatter at the time of registration and before actual use of a domain name as was seen in another UK case, limited and Royal Bank of Scotland Group Plc and Others [2015] EWHC 3509 (Ch). Consequently,a claimant may under common law, bring a successful domain name infringement claim in Uganda.

Giving express Intellectual property protection/recognition to domain names especially in the realm of eCommerce, is necessary if Uganda is to move with the digital age. Recognition of domain names as a form of intellectual property, may be crucial to curbing cybersquatting and will likely to be a pre-requisite to undertaking domain dispute proceedings in Uganda.

In the meantime, it wouldn’t be wise to register another company’s business name as a domain name as this may open you up to civil liability.


Kenneth Muhangi

LLB (Hons) LLM (Wales) Dip Lp LDC Managing Partner

Signum Advocates

Intellectual property, ICT Law & international commercial Law practitioner