In a decision issued on 18 July 2025 against Google LLC, the Personal Data Protection Office (PDPO) has affirmed that the data protection compliance obligations under Ugandan law apply to all entities that handle the personal data of Ugandan citizens, regardless of where they are based. 

The office has also clarified that a data controller or processor is not required to seek advance permission before each cross-border transfer or storage of personal data. However, it must maintain proper records of the legal basis, safeguards and justification for such transfers, which records must be available for inspection during audits, compliance checks or investigations. [Ssekamwa Frank & 3 others v. Google LLC., Complaint No. 08/11/24/6683]

Factual context

In November 2024, four Ugandan citizens filed a complaint against Google for alleged breaches of Uganda’s data protection law. Specifically, the complainants argued that:

Regulator’s findings

• Qualification as a data collector, processor or controller under the Act:

The PDPO found that by collecting personal data from users in Uganda and determining the purposes for which and means by which that data is processed, Google qualifies as both a data collector and data controller under Ugandan law.

The Data Protection and Privacy Act, Cap. 97 provides the following classifications with regard to either (i) personal data in Uganda; or (ii) the personal data of Ugandan citizens:

• Data collector – a person who collects personal data.
• Data processor – a person who processes data on behalf of a data controller.
• Data controller – a person who, jointly or with others, determines the purposes for which and the manner in which personal data is processed.

These qualifications apply equally to domestic and foreign entities. In its findings, the PDPO confirmed that the obligations under Uganda’s data protection law “attach not only to entities physically present in Uganda but to any entity handling personal data of Ugandan citizens, including those established abroad, provided they collect or process such data”.

• Mandatory registration requirement:

Every data collector, processor or controller is legally required to register with the PDPO and renew its registration every year.

The PDPO confirmed that this requirement applies to every qualifying entity until a specific exemption is gazetted by the office. This means that every entity that deals with personal data either; (i) in Uganda; or (ii) outside Uganda but in relation to Ugandan citizens, must register with the PDPO.

Data protection registration is a non-contentious process completed online through the PDPO’s portal at https://pdpo.go.ug/register. The registration requirements are summarized below:

• Cross-border data transfer requirements:

On a positive note, the PDPO confirmed that the law does not require a data controller or processor to seek approval before each cross-border transfer or storage of personal data. Uganda’s data protection law permits the transfer and storage of personal data outside Uganda in two circumstances:

• Where the data subject has consented to such transfer; or
• Where the recipient jurisdiction has adequate protection measures in place for the protection of personal data that are at least equivalent to the protection under the Act.

Presently, an applicant for data protection registration is simply required to file an undertaking not to process or store personal data in a country outside Uganda unless that country has equivalent protection for personal data. The PDPO has not yet published the list of countries designated as having equivalent protection, but has previously intimated that such country must, at a minimum, have data protection legislation and a data protection regulator in place.

The office has now provided additional guidance for compliance in this regard: it expects every entity to maintain proper records of the legal basis, safeguards and justification for cross-border data transfers, which records must be available for inspection during audits, compliance checks, or investigations. Google was held to be in violation of the law for failing to provide evidence of a lawful basis or compliance framework for the transfer of personal data outside Uganda.

• Actionable infringement:

A common objection to data protection infringement claims is the absence of, or failure to prove, actionable harm. While a finding of non-compliance may be made, it is always argued that the claimants are unable to demonstrate any resulting damage, loss or distress to sustain an action for relief.

The PDPO in this case ruled that Google’s non-registration left the complainants without a point of contact for any concerns regarding their personal data.

The complainants’ showed that their communications to the Google Chief Compliance Officer about their data protection and privacy concerns remained unanswered, which the PDPO found to have caused them “genuine distress”. The office emphasized that this distress was not speculative, but flowed directly from the complainants’ actual experience of being left without recourse, guidance or assurance regarding their personal data.

Orders against Google

Google was ordered to within 30 days: (i) register with the PDPO; (ii) provide the PDPO with the contact details of its designated data protection officer; and (iii) submit documentary evidence of its compliance framework for cross-border data transfers, including the legal basis for such transfers and the accountability measures in place to ensure the security of personal data transferred outside Uganda.

Notably, the PDPO acknowledged that it has no authority to award monetary relief in the form of compensation or interest. Uganda’s data protection law reserves the jurisdiction of the courts on this issue, requiring that any claims for compensation for damage or distress be pursued in a court of law. However, the office may issue administrative fines for non-compliance with the Act or with its orders.

Compliance checkpoints

In light of this decision, all businesses that interact with the personal data of Ugandan citizens are reminded to:

• Confirm whether they qualify as data collectors, processors or controllers under Ugandan law.
• Appoint or designate a data protection officer within the business to monitor data protection compliance and serve as the point of contact for any client or consumer queries.
• Register with the PDPO and ensure that this registration is renewed every year.
• Establish a compliance framework for cross-border data transfers. From a practical standpoint, the best approach is to secure express consent for the transfer or storage of personal data outside Uganda by making specific provision for this within the business’ privacy notice and consent form.
• Maintain accurate, comprehensive and updated records of the legal basis for the collection and transfer of personal data, the justification for such transfer, and the security measures in place to safeguard personal data both within and outside Uganda.