
Ruling against US tech giant hailed as a significant win for Uganda’s data sovereignty
ANALYSIS | IAN KATUSIIME | Google LLC, the tech giant that looms over the world gobbling tonnes of personal data and making billions in profit, has received a warning shot from Uganda: there are rules to be followed.
A ruling by Uganda’s Personal Data Protection Office (PDPO) found the U.S. company in violation of several provisions of Uganda’s Data Protection and Privacy Act in a move that has been hailed as a significant victory for the country’s data sovereignty.
Uganda, a country whose GDP is just a fraction of Google’s valuation, has just set a precedent for data protection and many are taking notice. The ruling was the result of a complaint filed in November 2024 by four Ugandans, Frank Ssekamwa, Pamela Sharon Leni, Raymond Amumpaire and Mercy Awino, over extensive breaches of their personal data by Google.
The quartet complained that Google collected and processed their personal data without first registering with the PDPO as a data collector, controller or processor in Uganda.
In their filings, the digital activists accused Google of transferring their personal data outside Uganda without adhering to the legal safeguards stipulated in Uganda’s data regulations. The breached data was in the form of names, nationality, emails, location data and browser history.
The ruling delivered by the data ombudsman on July 18 ordered Google to register with the PDPO within thirty days of the decision as a data collector, data controller, and data processor as required under the Data Act.
Baker Birikujja, the Acting Director of the PDPO, also ruled, “As part of its registration, Google LLC shall provide PDPO with the contact details of its designated Data Protection Officer, in accordance with the law.”
Birikujja also ordered Google to submit documentary evidence of its compliance to the cross-border transfer of personal data of Ugandan citizens, including the legal basis and accountability measures in place, as required by Section 19 of the Act and Regulation 30 of the Regulations.
The body did not make an order for “data localisation” but it told Google that henceforth all cross-border transfer of personal data must comply with Ugandan law. PDPO did not offer compensation to the complainants because it does not have the authority.
The ruling has been welcomed by privacy advocates and it has also sparked cheers in the Ugandan tech community, where building a data pipeline remains a pipe dream owing to low-grade infrastructure, a gaping skills gap and a perennial lack of capital, not to mention weak data protection mechanisms.
Google’s dilly-dallying in filing a response to Ugandan complainants is part of a familiar playbook by the internet behemoth in dealing with data activists the world over. The complainants emailed the Google Chief Compliance Officer in October 2024 about their concerns but their pleas went unanswered. They also stated that Google’s actions caused them distress for which they sought compensation.
PDPO wrote to Google on March 12 asking the US-based company to file a response within a fortnight but Google only answered back on July 3 and requested a two-week extension.
Google’s defence
In response, Google acknowledged processing personal data of Ugandan users but maintained that its various corporate entities are separate and also disputed registration obligations. The company also asserted that its global Privacy Policy adequately safeguards personal data and meets accountability requirements under Uganda’s law.
Google also contended that Section 19 of the Data Act and Regulation 30 apply only to controllers or processors domiciled in Uganda, and that Google LLC has no such domicile; and sought dismissal of the complaint as “devoid of merit, observing that any relief in the form of damages or data localisation orders lies beyond PDPO’s statutory authority and must be pursued through the courts.”
However, the PDPO dismissed the latter part of the defence out of hand because Google is a registered taxpayer with Uganda Revenue Authority and is listed among digital companies remitting Value Added Tax and digital services tax in Uganda.
The PDPO also reasoned that by collecting revenue from Ugandan users through its digital platforms like Android, Google Search, Gmail, YouTube, Chrome and Google Maps, the company is effectively within Uganda’s regulatory ambit including tax laws.
After months of back and forth, the Ugandan regulator read Google the Riot Act in a decision that has far-reaching implications for data privacy. The PDPO in a trio of declarations stated that Google qualifies as a data controller and collector within the meaning of the Data Protection and Privacy Act, Cap. 97.
Secondly, that Google’s failure to register with PDPO is a violation of Section 29 of the Act and Regulation 15 of the Regulations. Thirdly, that Google’s transfer of personal data of Ugandan citizens to jurisdictions outside Uganda, without demonstrating adequate safeguards or accountability, is in breach of Section 19 of the Act and Regulation 30.
But in the intervening period, the activists were dissatisfied with the Data Protection Office for dragging its feet on the matter and, in effect, undermining the digital rights of Ugandan citizens, a signal of Uganda’s burgeoning data privacy movement.
The group also petitioned Attorney General Kiryowa Kiwanuka for intervention. The letter to the AG was copied to the National Information Technology Authority and Ministry of ICT.
In their petition, they bemoaned the prolonged inaction of the PDPO and asserted that the delays were “eroding trust in regulatory institutions and compromising digital sovereignty.” Fast forward and there is a different hymn.
The ruling is not just a shot in the arm for data privacy but it sets a bold path forward for Uganda’s data governance framework.
Territorial data protection
“The PDPO’s determination underscores the principle of territoriality in data protection. It signifies that entities processing the personal data of citizens within a jurisdiction are subject to its data protection laws, irrespective of their physical establishment or domicile,” wrote Sam Higenyi, a tech lawyer in a commentary where he said the case has ramifications for the entire African continent.
Higenyi added that the ruling underscored the growing scrutiny of international data transfers. “Data protection authorities are increasingly demanding demonstrable evidence of adequate safeguards and compliance mechanisms to protect the personal data of their citizens when it is transferred outside national borders.”
Higenyi argued that the orders issued by the PDPO may spur a fundamental shift in Google LLC’s approach to data protection concerning Ugandan users although enforcement against the company may remain a tall order. “This case will likely serve as a precedent for future data protection matters in Uganda and potentially influence the approach taken by other data protection authorities in the region when dealing with multinational technology companies.”
The decision puts on notice the rest of Big Tech like Apple, Meta, Amazon, and Microsoft who have operations in Uganda. The companies are notorious for their gigantic data mining and some have had a fair share of hefty fines in other continental jurisdictions.
Joel Basoga, the head of Technology Practice at H & G Advocates, commenting on the decision said global companies should tailor their global privacy policies to Uganda’s data protection laws. He also said Ugandans have a right to inquire whether the persons collecting their personal data are registered with the PDPO.
“Failure to comply with the data privacy laws is an offence which creates personal liability for the responsible officer and may attract a fine not exceeding 2% of the entity’s annual gross turnover.”
In a related development, PDPO secured its first ever criminal conviction under the Data Protection and Privacy Act, Cap 97 on July 23. The case was pursued with the Criminal Investigations Directorate and Office of the Director of Public Prosecutions.
The conviction was entered against Ronald Mugulusi, Director of Nano Loans Microfinance and operator of the Quickloans app. This followed prosecution of Mugulusi on two counts of failure to register with PDPO and violation of individual privacy rights—the same charges Google is on the spot for.
There is a sustained urge to develop effective national data sovereignty frameworks. African countries are adopting localised data governance policies to ensure data remains within their borders for national security and economic growth. The ruling adds a chapter to Uganda’s data regulation rulebook.
With the rapid development of Artificial Intelligence, there is now greater urgency around data ownership.