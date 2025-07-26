On Friday July 18, the Personal Data Protection Office (PDPO) of Uganda issued a decision against technology giant Google LLC, with ramifications for cross border data transfers. The decision addresses the application of the Uganda data privacy laws to entities that are not registered in Uganda and affects several multinational entities processing or holding data of Ugandans.

While the decision follows the text of the Data Protection and Privacy Act (DPPA) Cap. 97 and asserts Uganda’s sovereignty in relation to the personal data of its citizens, it left some questions unanswered. The decision arose out of a complaint by four Ugandans submitted to the PDPO concerning the conduct and omissions of Google. They averred that Google was collecting personal data without registering as a data collector and processor in Uganda.

Further, that Google unlawfully transferred their personal data without complying with the legal requirements under Uganda’s data privacy laws. The decision of PDPO found that Google is a data controller and collector, as such, Google’s failure to register with the Uganda PDPO violated Uganda’s data privacy laws.

Further, that Google’s transfer of personal data of Ugandan citizens to jurisdictions outside Uganda, without demonstrating adequate safeguards breached the law. This decision must be understood in the context of similar decisions. Before the PDPO was established, the National Information Technology Authority (Nita) investigated Guinness Transporters Limited T/a Safeboda and made a report about Safeboda’s sharing of data with third parties without the consent of the data subjects in January 2021.

Nita found that Safeboda had “bundled” its consent and never given their customers the opportunity to consent meaningfully to the sharing of their personal data with third parties, and that data collectors and processors should specify which third parties may access or receive the personal data of the data subjects, among others. In 2023, the PDPO investigated the Uganda Securities Exchange (USE) concerning unauthorised access to their information by third parties.

The complaints arose from the privacy watch group, Unwanted Witness and an individual. The PDPO found that the USE and its processor, Soft Edge, were negligent for failing to comply with the requirements of the data privacy laws. Some of the key implications for Google PDPO decision are: First, entities which collect or process personal data relating to Ugandans, whether registered or (not) incorporated in Uganda must register with the Uganda PDPO. This affirms the extra territorial application of Uganda’s data privacy laws.

Second, There is no legal requirement to obtain approval from the PDPO before transfers of data outside Uganda. However, entities engaged in transfering personal data outside Uganda must, obtain consent of the data subject and demonstrate that the countries where they are transferring data have adequate protections and safeguards of equivalent protection.

Some concerns raised by Google remained unanswered. For instance, the PDPO did not respond to Google’s defense about its maintance of a global privacy policy and the absence of “harm” in the specific complaint. What amounts to a privacy harm is a matter of contention in major jurisdictions. As a key take away, global companies should tailor their global privacy policies to Uganda’s data protection laws.

Ugandans have a right to inquire whether the persons collecting their personal data are registered with the PDPO. It is important to note that failure to comply with the data privacy laws is an offence which creates personal liability for the responsible officers and may attract a fine not exceeding two percent of the entity’s annual gross turnover.

The writer, Joel Basoga, is the head of the technology practice at H&G Advocates. [email protected]