
Data Privacy Alert: Uganda’s Data Protection Authority condemns Google



On 18th July 2025, Uganda’s Personal Data Protection Office (PDPO) under the National Information and Technology Authority (NITA-U) issued a decision against Google LLC (‘Google’) for violation of provisions of Uganda’s Data Protection and Privacy Act Cap 97 and Regulations. This decision reflects growth in the enforcement of data privacy laws in Uganda and sends a strong message to multinational companies operating in the country.

A. Background

Four Ugandan citizens filed a complaint against Google at PDPO, accusing the tech giant of:
i. Failing to register as a data controller, processor, and collector with PDPO.
ii. Transferring personal data outside Uganda unlawfully, without meeting legal conditions.
iii. Infringing their privacy rights, causing them distress and prompting demands for compensation.

B. Issues for determination

PDPO examined five questions:
i. Does Google qualify as a data controller, processor and collector under Ugandan law?
ii. Is Google registered with PDPO? If not, does this failure violate the law?
iii. Did Google’s cross-border personal data transfers without prior approval from PDPO breach Uganda’s data protection laws?
iv. Did Google’s violation and infringement of the law cause or risk causing damage and distress to the Complainants and other Ugandan users?
v. Are the Complainants entitled to the remedies sought, including compensation?

C. PDPO’s Decision

PDPO held as follows:
i. Google’s Legal Status under Ugandan Data Protection laws. Google qualifies as a data controller and collector since it collects personal data from users in Uganda and determines the purposes and means of such processing. However, there was no evidence that Google processes data on behalf of another entity, so it was not classified as a data processor.
ii. Registration violations. Under Sect. 29 of the Act and Reg. 15(1) of the Regulations, all data controllers, collectors and processors must register with PDPO. While Reg. 15(2) allows exemptions by gazette notice, no such exemption exists for Google. Additionally, the absence of a gazetted exemption under Reg. 15(2) does not render the general registration requirement under Reg. 15(1) inoperative. As such, as a data controller and collector subject to the provisions of the Act and Regulations, Google remains bound to comply with the registration requirement and its non-registration constitutes a violation.
Google has been ordered to register with PDPO within 30 days of the decision.
iii. Unlawful cross-border data transfers. Sect. 19 of the Act applies to any entity processing personal data of Ugandan citizens, regardless of the location. The law does not require prior approval for each cross-border transfer or storage of personal data but mandates proper record-keeping, accountability of the legal basis, safeguards, and justification for such transfers. These records must be available for inspection during audits, compliance checks, or investigations.
Google failed to demonstrate compliance, making its data transfers unlawful.
Google has been ordered to submit documentary evidence of its compliance framework for cross-border transfers within 30 days.
iv. Harm and Distress to users. The complainants’ inability to identify or contact a responsible person at Google, combined with the absence of any response to the complainants’ communication, caused and is likely to continue causing genuine distress to the complainants and to other Ugandan users.
v. Compensation. PDPO has no authority to award compensation or interest; rather, such power lies with the courts of law.

D. Implications of this decision.

This decision has far-reaching implications on data privacy in Uganda:
i. Ugandan data protection laws apply to any entity processing citizens’ personal data, even if based abroad. Physical presence is not required for accountability.
ii. Companies don’t need prior cross-border data transfer approval from PDPO; however, they must maintain proper records and accountability of the legal basis, safeguards, and justification for such transfers.
iii. PDPO has no authority to issue compensatory orders. Rather, this power is vested in the courts of law, which have already exercised this jurisdiction in Shadia Nalubega vs Stabex International H.C.C.S No. 665/2021, where the High Court awarded damages to Shadia, a former employee of Stabex, on finding that Stabex had processed her personal data without her consent in violation of provisions of the Act.
iv. Data Protection Officers (DPOs) must be accessible and responsive to concerns or requests made by data subjects.

Conclusion

This decision follows earlier decided complaints against SafeBoda and the Uganda Security Exchange (USE), signaling PDPO’s commitment to enforcement. However, Uganda’s data protection landscape remains nascent, with gaps in awareness and compliance.

While PDPO is asserting its authority, stronger public sensitization and stricter enforcement are needed to boost compliance. For now, this decision serves as a warning to corporations: Uganda’s data privacy laws are in force, and violations will not go unchecked.


 
 

DISCLAIMER: The contents of this article are intended solely for general informational purposes and should not be construed as legal advice or opinions. If you have any questions about the information set out above, or need assistance with a legal matter with connection to the above or any other for which we have the experience and expertise to assist with, please do not hesitate to contact us at info@onyangoadvocates.com


