Google declared in breach of Uganda’s data protection laws

________________

The Personal Data Protection Office (PDPO) in Uganda has found Google in breach of the country’s data protection laws.

In a ruling dated July 18, 2025, Baker Birikujja, the acting national PDPO director, found Google in breach for operating without PDPO registration and for transferring Ugandans’ data abroad without demonstrating adequate safeguards.

Google LLC is an American multinational corporation and technology company focused on online advertising, search engine technology, cloud computing, computer software, quantum computing, e-commerce, consumer electronics, and artificial intelligence.

The ruling followed a complaint filed on November 8, 2024, by Frank Ssekamwa, Pamela Sharon Leni, Raymond Amumpaire and Mercy Awino. 

They sought a declaration that Google had unlawfully transferred their personal data outside Uganda without meeting the legal requirements, thereby infringing their data protection and privacy rights.

Following the ruling, Birikujja has given Google thirty days to register as a data collector, controller, and processor, in line with the Data Protection and Privacy Act Cap 97 and its regulations.

“Google LLC shall register with PDPO within thirty (30) days of this decision, in the appropriate capacity as a data collector, data controller, and/or data processor as required under the Act and Regulations. As part of its registration, Google LLC shall provide PDPO with the contact details of its designated Data Protection Officer, in accordance with the law,” Birikujja ruled.

Google has also been directed to submit, within thirty days, documentary evidence of its compliance framework for cross-border transfer of personal data belonging to Ugandan citizens, including the legal basis and accountability measures required by Section 19 of the Data Protection and Privacy Act and Regulation 30 of the Regulations.

While no order was made for data localisation, as requested by the complainants, Birikujja reminded Google that all cross-border transfers of personal data must fully comply with Ugandan law.

Birikujja declined to award compensation to the complainants, stating that PDPO does not have the authority to do so.

He noted that claims for damage or distress must be pursued through a court of competent jurisdiction in accordance with Section 33(1) of the Data Protection and Privacy Act.

He warned Google that failure to comply with the ruling, in the absence of an appeal within thirty days, constitutes an offence under Regulation 48. This may attract a fine not exceeding three currency points (about Uganda shillings 60,000) for each day of non-compliance or imprisonment not exceeding six months, or both.

According to Regulation 46, an aggrieved party has thirty days to lodge an appeal to the Minister for ICT and National Guidance.

Birikujja emphasised that Uganda’s Data Protection and Privacy law applies extraterritorially to any entity monetising Ugandan users, citing Google’s local tax presence as evidence of regulatory reach.

The director added that Google’s failure to register with the PDPO is a violation of Section 29 of the Data Protection and Privacy Act and Regulation 15 of the Data Protection Regulations.

On March 12, 2025, PDPO directed Google to submit a written response within fourteen days.

In its response dated July 10, 2025, Google acknowledged processing the personal data of Ugandan users but argued that its various corporate entities are separate and that, in the absence of a gazetted exemption notice as provided under Regulation 15(2), no registration obligation currently arises.

Google stated that its global privacy policy adequately safeguards personal data and satisfies accountability requirements under Ugandan law.

The company also contended that Section 19 of the Act and Regulation 30 apply only to controllers or processors domiciled in Uganda and that Google LLC is not domiciled in the country.

The PDPO was established as an independent office under the National Information Technology Authority (NITA-U), tasked with enforcing data protection and privacy laws.

It has since taken proactive steps to ensure compliance, particularly following a major data breach at the Uganda Securities Exchange (USE) in 2022. The breach exposed weaknesses in the stock market’s data storage systems, prompting PDPO to issue a three-month remedial order to USE.

The PDPO has also signed memoranda of understanding (MoUs) with the Uganda Communications Commission and the NGO registration board to strengthen enforcement efforts.

Despite these measures, several challenges persist. Public awareness and understanding of data protection rights remain limited, and organisational understanding of compliance obligations varies significantly.

The actual costs of implementing data protection compliance tools are often unclear, especially in environments with weak regulatory frameworks, hindering effective enforcement.

Data protection and privacy are essential for safeguarding individual identity and financial security. However, loopholes in enforcement have exposed many Ugandans to digital fraud in recent years.