The Personal Data Protection Office (PDPO) has achieved a major milestone in enforcing Uganda’s data protection framework, with the country securing its first-ever criminal conviction under the Data Protection and Privacy Act, Cap. 97.
This landmark development signals a stronger enforcement of personal data rights in Uganda and highlights the government’s resolve to hold data controllers and processors accountable.
The conviction, made possible through coordinated efforts between PDPO, the Criminal Investigations Directorate (CID), and the Office of the Director of Public Prosecutions (ODPP), was entered against Ronald Mugulusi, Director of Nano Loans Microfinance Ltd and operator of the Quickloan mobile lending application.
He was prosecuted for operating without registration with the PDPO and for processing personal data without the consent of users or any legal justification, as required under the Act.
The offences took place in Kampala between 2023 and 2025, during which Mugulusi’s firm collected and misused personal data in the course of offering digital loan services.
The PDPO revealed that it had engaged with Mugulusi multiple times, offering guidance on how to comply with the Act and relevant regulations, but he failed to take the necessary corrective actions. As a result, the matter was escalated for criminal investigation and prosecution.
Mugulusi was first arraigned in court on April 25, 2025, He later pleaded guilty on July 10, 2025, before the Makindye Standards, Wildlife and Utilities Court on the first count of failure to register with the PDPO.
Through a plea bargain, Mugulusi accepted full responsibility for the offence and waived his right to a full trial. He was convicted and fined UGX 300,000 by the presiding magistrate.
The second count related to a complaint from Wonambwa Michael, whose personal data specifically his name, phone number, and photograph was used in a video circulated via WhatsApp and accompanied by a threat to publish it on TikTok, due to an unpaid loan.
Though the data had initially been shared for legitimate loan processing purposes, its reuse to shame the borrower violated the data protection principle of purpose limitation and was found to have no legal basis.
The case was later resolved through a court-sanctioned reconciliation between Mugulusi and the complainant under Section 160 of the Magistrates Courts Act, Cap. 19 and the Judicature (Reconciliation) Rules of 2011.
Mugulusi offered compensation to Mr. Wonambwa, which led to a stay of further proceedings on the second count.
PDPO emphasized that this case sets a strong precedent, underscoring that breaches of data protection laws carry criminal consequences. The office called on all entities collecting or processing personal data in Uganda to ensure they are registered with PDPO and that their data handling practices align with legal standards of lawfulness, fairness, and transparency.
The PDPO also commended Wonambwa for his courage in seeing the case through to its conclusion an uncommon outcome in many data protection breaches, where victims are often unwilling or afraid to pursue justice.
This conviction represents a turning point in the enforcement of Uganda’s data privacy regime and a stern warning to other entities operating outside the law.
