on July 18, 2025, Uganda’s Personal Data Protection Office (PDPO) found Google LLC in breach of the country’s Data Protection and Privacy Act and ordered the global tech company to register with the local data protection authority within 30 days. The ruling marks a significant step toward asserting digital sovereignty, but also highlights serious gaps in enforcement capacity under current Ugandan law.
The case stemmed from a complaint filed in November 2024 by four Ugandan citizens who accused Google of collecting and processing their personal data without registering with the PDPO, as required by section 29 of the Act. They further alleged that Google unlawfully transferred their personal data across borders without their consent or the safeguards mandated under section 19.
In its ruling, the PDPO agreed with the complainants, finding that Google had failed to register as a data controller and had carried out cross-border data transfers without demonstrating compliance with Uganda’s data protection requirements. According to the law, companies collecting or storing data outside Uganda must ensure the destination country offers data protection standards equivalent to Uganda’s. Moreover, such transfers must be backed by the consent of the data subject.
Google had argued that since it does not have a physical presence in Uganda, it was not subject to local registration requirements. However, the PDPO rejected this line of reasoning, citing the Act’s extraterritorial scope under section 1, which extends its application to any entity, domestic or foreign, that handles personal data of Ugandan citizens. As the regulator noted, this means global tech companies collecting data from Uganda are legally bound to comply with local data protection rules.
The ruling effectively places Google under the jurisdiction of Uganda’s data protection law, and by extension, sets a precedent for other tech giants such as Meta, TikTok, and X. It aligns with wider continental efforts to hold Big Tech accountable under the African Union’s Malabo Convention and the AU Data Policy Framework, which encourage countries to safeguard personal data and enhance cyber security.
However, the case also exposes deep challenges. While the PDPO has the mandate to investigate and issue declaratory rulings, it lacks the authority to impose administrative fines or grant compensation to complainants. This regulatory gap severely limits its enforcement capacity. Under the current legal framework, affected individuals must pursue compensation through court, as guided by section 33(1) of the Act.
This stands in contrast to data regulators in Kenya’s Office of the Data Protection Commissioner and Tanzania’s Personal Data Protection Commissioners have clear powers to issue administrative fines provisions found under section 9(1)(f) of Kenya’s Data Protection Act, 2019, and section 47 of Tanzania’s Protection of Personal Information Act, 2022, respectively.
In its July 2025 decision, the PDPO also noted that it would not, for now, issue a binding order for data localisation but reminded Google that all cross-border data transfers must fully comply with Ugandan law. This caveat, while diplomatically worded, leaves a vacuum on the enforceability of data rights in Uganda, especially when powerful foreign entities are involved.
In its analysis of the ruling, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) noted that this case reinforces the need for Uganda to strengthen its data governance regime. Specifically, the Data Protection and Privacy Act requires urgent amendments to grant the PDPO authority to impose administrative penalties and enforce its decisions more effectively.
While the decision to hold Google accountable marks progress in asserting digital rights and sovereignty, it also underscores the urgent need to empower African data regulators. Without proper enforcement tools, declarations alone cannot ensure compliance, especially in a global digital economy dominated by powerful tech corporations.