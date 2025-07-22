Imagine you download an app in Kampala, search for a nearby hospital, or watch a YouTube video that recommends a new shoe brand.

In a flash, bits of your personal data shoot across the globe - encrypted, analyzed, and stored in servers you will never see.

This is how tech giants like Google, Meta, TikTok, and Amazon built empires - by turning clicks, searches, and habits into fuel.

For them, data isn’t just information; it’s infrastructure. It powers algorithms, drives advertising, and shapes the next product.

But now, that model is crashing. Countries are waking up to the fact that their citizens' data is being mined offshore - with little say, little visibility, and almost no recourse.

Data is modern capital. It runs AI, steers financial behaviour, moves markets, and even nudges politics.

Losing control over it goes beyond losing privacy to power, value, and a stake in the digital future. Uganda, in fact, offers a very real and timely example of this shift.

The Google case

On November 8, 2024, four Ugandans - Frank Ssekamwa, Leni Sharon Pamela, Raymond Amumpaire, and Mercy Awino - filed a complaint against Google over accusations that it violated Uganda’s Data Protection and Privacy Act. Specifically, they cited Section 19 (on consent) and 29 (access and correction) as having been breached by Google, which was harvesting data from Ugandans without following the law.

The Personal Data Protection Office (PDPO) took up the matter and on March 12, 2025, it issued Google a formal notice to respond within 14 days. Google remained silent for nearly four months until July 3, 2025, when it requested an extension, to which PDPO granted just one week.

Google finally responded on July 10, 2025, but while it admitted to processing personal data of Ugandan users, its response mostly deflected responsibility.

Google’s defence

Google carefully leaned on deflections, arguing that since it's not physically registered in Uganda, it isn’t obligated to register as a data controller or processor under local law. This tactic could have been an excuse that sought to disconnect legal responsibility from countries where users live.

Google also pointed to its global privacy policy as a one-size-fits-all solution and further claimed that Section 19 - which governs cross-border data transfers - only applies to companies based in Uganda.

It also stressed that even if violations occurred, PDPO had no power to award damages. Taken together, Google’s defence mirrors a pattern, in which tech giants have resisted many countries’ oversight over their operations.

PDPO’s reasoning

Thus, in a July 18, 2025, ruling, PDPO, represented by the acting National Personal Data Protection Director Baker Birikujja, cited Section 1 of Uganda’s Data Protection and Privacy Act, which explicitly applies to any entity - local or foreign - that processes data on Ugandans.

The clause directly undercut Google’s attempt to dodge jurisdiction, but PDPO also addressed the registration argument, saying that while the law allows exemptions, no exemption had been given to Google.

It went further, linking economic presence to legal responsibility by presenting evidence that Google was registered with Uganda Revenue Authority and pays value added and digital services tax.

In PDPO’s view, this proves that Google is not just a passive platform, but an active player in Uganda’s economy. But perhaps the most compelling argument highlighted the real harm suffered by the complainants.

PDPO argued that unanswered emails, no access to a data protection officer, and unclear data practices weren’t just a matter of legal compliance, but of human dignity, noting that by failing to provide basic mechanisms for redress, Google undermined human dignity.

Moving data beyond borders

PDPO’s ruling targets cross-border data transfers and affirms that Uganda’s data laws apply even to foreign companies operating without a physical presence.

In the ruling, PDPO ordered Google to register in Uganda, appoint and disclose a Data Protection Officer, and submit documentary proof of its compliance framework for international data transfers. The directives apply not only to Google, but to its affiliates, branches, subsidiaries, and holding companies.

PDPO found that Google qualifies as both a data controller and collector under the Data Protection and Privacy Act; thereby, its failure to register with PDPO violated Ugandan laws.

Additionally, by transferring Ugandans’ personal data abroad without demonstrating safeguards that match Uganda’s standards, Google breached the law.

“… the general rule is that registration is mandatory, unless and until a specific exemption is operationalised by way of gazette notice, the mere existence of an enabling provision for exemption does not, by itself, displace the general requirement,” PDPO ruled.

The ruling builds on a growing body of data privacy enforcement in Uganda.

Previous investigations

Before PDPO was formally operationalised, National Information Technology Authority (NITA) investigated SafeBoda in 2021 over data-sharing practices.

NITA found that SafeBoda had "bundled" user consent, failing to give users a choice when sharing personal data with third parties.

NITA noted then that data collectors must clearly name any third parties with access to personal data and keep privacy policies updated and transparent.

In 2023, the PDPO investigated Uganda Securities Exchange following complaints from Unwanted Witness, in which it found that USE and its processor, Soft Edge, had failed to protect personal data after third parties unlawfully accessed users’ personal details, including bank accounts, for more than a week.

Together, investigations on SafeBoda, USE, and now Google form a shift that demonstrates that Uganda is asserting its digital sovereignty and building a clear record of holding both local and global actors accountable.

Implications

Senior lawyers at H&G Advocates argue that the PDPO ruling reinforces the need for ‘any entity that collects or processes personal data of Ugandans - whether or not it is incorporated in Uganda - must register with PDPO.’

In the ruling, PDPO noted that Sections 1 and 19, when read together, make clear any entity handling personal data of Ugandan citizens is governed by Ugandan laws.

Thus, in short, handling Ugandan data creates obligations - regardless of location and data collectors must at all times obtain consent, prove that the receiving country has adequate safeguards, justify the legal basis for the transfer, and show accountability measures are in place, when the need to share data arises.

However, because PDPO has no legal mandate, it did not award damages.

But the complaints can pursue damages in court, a principle that has already been tested in a case in which Nalubega Shadia was awarded Shs5m by the High Court after Stabex published her photos without her consent.

Tactical omission

Interestingly, the PDPO did not directly address Google’s claim that its global privacy policy offers adequate coverage, nor did it comment on the argument that no “actual harm” occurred.

This omission leaves an important legal question unresolved: What exactly constitutes a privacy harm in Uganda?

H&G Advocates lawyers - Dennis L. Wamala, Joel Basoga, and Christopher Musoke - point out that privacy harm is interpreted differently across jurisdictions.

“The inability to identify or contact a responsible person at Google, combined with the absence of any response... caused and is likely to continue causing genuine distress.”