Entities, whether domiciled in Uganda or not, that process personal data of Ugandans are bound by Uganda’s Data Protection and Privacy Act, Cap. 97. Registration with the PDPO, designation of a Data Protection Officer (DPO), and compliance with cross-border data transfer requirements are mandatory statutory obligations. The absence of a gazetted exemption or internal compliance framework does not excuse non-compliance.

Legal brief on the case of Ssekamwa Frank and others versus Google LLC, Complaint No.08/11/24/6683.

Duration

The decision was made on 18th July 2025.

Area of Law

Data Protection Laws

Before

AG. Baker Birikijja

Introduction

A person, organization, or Public body that handles personal data for Ugandans, whether domiciled in Uganda or not, must, as a statutory obligation, locally register with PDPO, appoint a data protection officer, and comply with the cross-border transfer rules. A mere claim for compliance doesn't count, but documentary evidence for compliance must be adduced. The absence of a discretionary administrative obligation does not render a mandatory statutory obligation inoperative. The Act and Regulations must be read hand in hand, not in isolation from each other.

Background

A complaint was made to PDPO on 8th November 2024 that Google LCC collected and processed the complainants' personal data without registering as a data collector, controller, or processor in Uganda. It also unlawfully transfers personal data outside Uganda without complying with the safeguards stipulated in Uganda's data protection Laws, leading to data protection infringement. Google acknowledged processing the personal data of Ugandan users, that it complies with the global privacy policy, and claimed that since it is not domiciled in Uganda, it's not liable to register in Uganda.

Issues Raised

1)    Whether Google LLC qualifies as a data controller, collector, or processor within the meaning of the Data Protection and Privacy Act, Cap 97.

2)    Whether Google LLC is registered with PDPO and if not, whether such non-registration constitutes a non-violation of the Data Protection and Privacy Act, Cap 97.

3)    Whether the Respondent’s transfer of the Complainant’s personal data to Jurisdictions outside Uganda without obtaining prior approval from PDPO amounts to a violation of the Act, Cap 97.

4)    Whether the Respondent’s violation and infringement of the Act and its Regulations have caused and are likely to cause damage and distress to the Complainants and other Ugandans who use Google services.

5)    Whether the Complainants are entitled to the orders sought and other remedies arising from the Respondent’s alleged violations of the Act, Cap. 97 and its Regulations.

Resolution of Legal Issues

1)    Whether Google LLC qualifies as a data controller, collector, or processor within the meaning of the Data Protection and Privacy Act, Cap 97.

Submission of the Complainants

Complainants claimed that Google LCC collects data through its services, which include names, nationality, email address, age, age of birth, unique online identifier, browsing history, and location data, and Google determines the purpose and means of processing.

Submission of the Respondent

Google acknowledged the provision of its services to users, the complainants included, but claimed its privacy policy is explicit on the types of data it collects and the purpose, which is analytics, personalization, security, communication, and provision of services.

Determination by PDPO

Relied on Section 2 of the Data Protection & Privacy Act, Cap. 97 to define data controller, collector, and processor. A data controller is a person who alone, jointly with other persons or in common with other persons or as a statutory duty determines purpose and manner in which personal data is processed or is to be processed and a data processor is a person, other than an employee of the data controller, who processes the data on behalf of the data controller.

Hence, Google LLC is a data controller and collector but not a processor because no evidence that it solely processes data on behalf of another party.

The issue was partially resolved in the affirmative and negative aspects.

2)    Whether Google LLC is registered with PDPO and if not, whether such non-registration constitutes a non-violation of the Data Protection and Privacy Act, Cap 97.

Submission of the Complainants

That Google LLC is not registered with the PDPO as required by Section 29 & Regulation 15

Submission of the Respondent

The Respondent affirmed not being registered with PDPO, and the laws require registration, but claimed to fall under the exception in Regulation 15(2) exempt categories, which the Register had to pin but has not yet pinned. The absence of the gazetted exemption notice made the mandatory requirement in Reg 15(1) inoperative.

Determination by PDPO

Relied on Section 29 & Regulation 15(1) that which imposes a general obligation to be registered with PDPO, which is mandatory unless an exemption is granted via an operationalized gazette notice. The mere existence of an exemption does not, by itself, displace the general requirement relying on the principle in Total Uganda Limited v URA, the Court held that the statute sets out a general rule and also provides for exemptions, the general rule remains fully operative until the exemption is expressly invoked in accordance with statutory procedure.

The general statutory obligation is binding on all parties regardless of the absence of the statutory precondition.

The issue was answered in the affirmative.

3)    Whether the Respondent’s transfer of the Complainant’s personal data to Jurisdictions outside Uganda without obtaining prior approval from PDPO amounts to a violation of the Act, Cap 97.

Submission of the Complainants

Google LCC collects and transfers personal data outside Uganda without the required approval of the PDPO, which contravenes Sections 19, 29, and Regulations 15 & 30 of data protection laws, hence exposing data to risks. The law doesn't require seeking the PDPO’s approval before commencing cross-border personal data transfers; rather, PDPO aspects include proper records and accountability of the legal basis, safeguards, and justification of the transfers. The records must be available for audit, inspection, compliance checks, or investigations, though it did not provide any records or evidence for compliance.

Submission of the Respondent

Google argued that it's not domiciled in Uganda for all these sections and regulations to apply.

PDPO relied on Section 1  to state that the Act applies to persons, entities, or public bodies within or outside Uganda, establishing an extra-territorial obligation. The Act and Regulations must be read as a whole, not in isolation from each other. The fact that Google LLC is a registered taxpayer in Uganda on the grounds of regulatory obligation, it's the same basis it has to register with PDPO. PDPO stated that Google LCC has not demonstrated compliance with the laws by failing to provide evidence of a lawful basis or a compliance framework.

The issue was answered in the affirmative.

4)    Whether the Respondent’s violation and infringement of the Act and its Regulations have caused and are likely to cause damage and distress to the Complainants and other Ugandans who use Google services.

Submission of the Complainants

Claimed exposure to the risk of unauthorised access and misuse of their data and absence of registered data protection officer left their concerns unaddressed.

Submission of the Respondent

Denied that its actions have caused or are likely to cause actual damage or distress to the complainants or other Ugandan users. It argued that compliance with global privacy controls and no-harm evidence were provided.

PDPO’s determination

Relied on Section 29 to state that requirement is not merely procedural but rather designed to ensure the data collectors & processors remain accountable and accessible to data subjects, providing a clear and direct channel through which individuals may raise and resolve their concerns regarding the processing of personal data. Hence, Google LLC's failure to register made it impossible to identify or contact a responsible person at Google LLC, making it unlikely to address genuine distress to the complainants.

The issue was answered in the affirmative.

5)    Whether the Complainants are entitled to the orders sought and other remedies arising from the Respondent’s alleged violations of the Act, Cap. 97 and its Regulations.

PDPO grants the following reliefs:

That Google LCC qualifies as a data controller and collector as per the data protection laws and provides PDPO with its DPO contact details.

That Google LCC’s failure to register with PDPO is a violation of Section 29 and Regulation 15.

That Google LCC’s transfer of personal data of Ugandan citizens to a jurisdiction outside Uganda, without demonstrating adequate safeguards or accountability, is a breach of Section 19

PDPO Orders:

Google LCC registers with PDPO within 30 days in the appropriate capacity and submits within 30 days compliance documentary evidence for cross-border transfers.

Key Takeaway

Foreign entities like Google LLC that collect or process the personal data of Ugandan citizens are legally required to comply with Uganda’s Data Protection and Privacy Act, Cap. 97, regardless of their domicile. This includes:

1. Mandatory registration with the PDPO,

2. Appointment of a Data Protection Officer (DPO), and

3. Adherence to cross-border data transfer safeguards.

Mere reliance on a global privacy policy or claims of compliance is insufficient—documented evidence of compliance is required. The ruling affirms that statutory obligations under Ugandan law have extraterritorial effect and are enforceable even against global technology companies operating digitally within Uganda.

Read the full case below