Uganda’s Personal Data Protection Office (PDPO) has issued a landmark ruling against Google LLC, marking the first criminal conviction under the country’s Data Protection and Privacy Act, Cap. 97.
The ruling, dated July 18, 2025, finds the global tech giant in violation of Uganda’s data privacy laws and orders it to register with the PDPO and provide proof of compliance with cross-border data transfer requirements within 30 days.
The case was triggered by a complaint lodged on November 8, 2024, by four Ugandan citizens, Frank Ssekamwa, Sharon Pamela Leni, Raymond Amumpaire, and Mercy Awino who accused Google of unlawfully collecting and processing their personal data without registration and of transferring it outside the country without adequate safeguards.
The complainants argued that Google LLC’s operations in Uganda qualified it as a data collector and controller, making it subject to Uganda’s data protection regime.
They claimed that Google’s failure to comply with local legal requirements violated their privacy rights, caused distress, and left them without proper redress mechanisms.
In its defense, Google acknowledged collecting and processing personal data from Ugandan users but argued that it was not obligated to register under Ugandan law because it lacks a physical presence in the country.
The company also claimed that its global privacy policy provided sufficient protections and that the legal requirements for registration and data transfer only applied to entities domiciled in Uganda.
However, PDPO rejected these arguments, stating that Google, by collecting and determining the use of Ugandans’ personal data, qualifies as both a data controller and a data collector under the Act.
The Office emphasized that the definitions in Uganda’s law do not require physical presence for an entity to be considered a data controller or processor, particularly when that entity actively offers digital services to Ugandan citizens.
PDPO also ruled that Google’s failure to register with the Office constitutes a direct violation of Section 29 of the Act and Regulation 15 of its accompanying regulations.
While Google cited the existence of a clause that allows for exemptions through Gazette notices, the Office clarified that this clause does not negate the general rule mandating registration.
The PDPO drew upon local legal precedent to reinforce that statutory obligations remain binding until exemptions are formally issued. As such, Google’s non-registration was determined to be unlawful.
Regarding the transfer of personal data outside Uganda, the PDPO noted that Section 1 of the Act provides for its extra-territorial application, meaning the law applies to any entity whether within or outside Uganda that processes the personal data of Ugandan citizens.
The Office highlighted that Google is not a distant player in Uganda’s economy, pointing to its registration as a taxpayer with the Uganda Revenue Authority (URA), its remittance of VAT and digital services tax, and its established digital footprint in the country.
Based on this nexus, the PDPO found that Google cannot claim to operate beyond the reach of Uganda’s regulatory framework.
Furthermore, while the law does not require data controllers to seek prior approval for every international data transfer, it mandates that they maintain clear records of the legal basis, safeguards, and justifications for such transfers.
Google failed to submit any evidence or documentation to demonstrate such compliance, further solidifying the PDPO’s finding that the company violated Section 19 of the Act and Regulation 30.
The PDPO also addressed the emotional and practical harm suffered by the complainants. The four Ugandans described experiencing anxiety and uncertainty stemming from Google’s lack of transparency, the absence of a locally designated Data Protection Officer, and the company’s failure to respond to their October 2024 inquiry about their data concerns.
The PDPO found these claims credible and emphasized that the distress was not theoretical, but a direct result of Google’s non-compliance with registration and communication obligations.
The ruling reaffirmed that the Act’s registration requirement is not a bureaucratic formality but a core pillar of accountability, ensuring that data subjects have a clear point of contact and recourse when their privacy rights are affected.
In response to the violations, the PDPO ordered Google LLC to register with the Office within thirty days and to provide the contact details of its designated Data Protection Officer in Uganda.
Additionally, the company must submit evidence of its legal and technical framework governing the transfer of Ugandans’ personal data to foreign jurisdictions.
The PDPO, however, stopped short of ordering data localization, noting that such a step may be considered if further violations arise.
The Office also clarified that it lacks authority to award financial compensation, and that any such claims must be pursued through the courts, in accordance with Section 33(1) of the Act.
It reserved the right to issue further directives depending on Google’s level of compliance and any new evidence that may emerge.
Google’s failure to comply with the issued orders may attract criminal penalties, including daily fines and imprisonment of up to six months under Regulation 48.
The company has the right to appeal the decision to the Minister of ICT and National Guidance within 30 days, as provided under Regulation 46.