As a lawyer deeply committed to data protection, I have taken a close look at the recently signed Memorandum of Understanding (MoU) between Uganda and the United States on bilateral health cooperation. The MoU is a non-binding framework that outlines the parties’ intentions and collaborative goals in strengthening Uganda’s health sector.

Signed on December 10, 2025, this agreement establishes a five-year partnership backed by a substantial financial commitment of $2.3 billion, $1.7 billion from the United States government, and more than $500 million in increased domestic spending from Uganda. This investment has the potential to catalyze transformative change in a health system that has long faced severe gaps in infrastructure, funding, and service delivery.

For decades, the United States has supported Uganda’s efforts to improve health outcomes. The new MoU continues and expands this partnership, targeting priority areas such as HIV/AIDS, tuberculosis (TB), malaria, maternal and child health, and global health security. These focus areas reflect an understanding that health challenges are interconnected and require coordinated, multifaceted interventions.

At first glance, the MoU appears overwhelmingly positive. Increased funding could strengthen health infrastructure, expand access to essential services, and improve health outcomes nationwide. The partnership also promises knowledge transfer, capacity building, and the adoption of global best practices.

However, major investments, especially those tied to digital health, must come with strong safeguards. As a lawyer focused on data protection, I am particularly concerned about how this agreement handles the privacy, security, and sovereignty of Ugandans’ health data. Modern health systems increasingly rely on digital technologies, raising serious questions about data governance, accountability, and compliance with Uganda’s Data Protection and Privacy Act (DPPA).

In principle, the MoU marks an important step toward strengthening Uganda’s health system. But to ensure that its implementation respects the rights and dignity of individuals, all stakeholders must remain vigilant, insisting on transparency, integrity, and ethical stewardship of public resources and personal information.

As with most international agreements, the details matter. Beneath the sweeping promises of funding and technical support lies a legal dilemma of concerns about data protection, data sovereignty (a nation’s ability to control how its citizens’ data is collected, stored, and used), and long-term dependency.

This blog examines the MoU’s key clauses, highlighting potential risks to Ugandans’ privacy and national autonomy. It argues that while the MoU offers clear benefits, Uganda must insist on stronger safeguards to avoid entering a Faustian bargain, trading sensitive data for aid.

The MoU, part of the US “America First Global Health Strategy,” aims to build Uganda’s capacity and gradually increase domestic financial responsibility. Its key benefits include:

1. Financial and Commodity Support

The US will initially cover 100% of essential commodities, including antiretroviral drugs (ARVs), TB medications, malaria treatments, and laboratory supplies, while Uganda steadily increases its share by 2030. This could stabilize supply chains, safeguard treatment continuity, and save lives.

2. Workforce and Infrastructure Enhancements

The MoU funds the training and equipping of 14,000 Community Health Extension Workers (CHEWs), with Uganda eventually taking over their stipends. It also supports frontline staff salaries and laboratory upgrades toward international ISO 15189 accreditation.

3. Data and Surveillance Improvements

Significant US funding will digitize Uganda’s health records through electronic medical record (EMR) systems and integrated disease surveillance. This could improve outbreak detection within seven days and enhance efficiency, supporting the constitutional right to health under Article 8A.

These initiatives build on more than 60 years of US–Uganda health cooperation. For millions of Ugandans who remain one medical bill away from financial ruin, such support could offer life-changing access to essential services.

Data Access, Privacy Risks, and Sovereignty Trade-Offs

Despite these benefits, the MoU’s data provisions raise serious concerns. A separate 25-year Data Sharing Agreement, five times longer than the MoU itself, grants the United States “secure, uninterrupted access” to Uganda’s health information systems, including login credentials and real-time availability. This data includes highly sensitive information such as HIV status, pregnancy records, TB results, and maternal health data.

Key problematic issues include:

1. Long-Term US Access to Ugandan Health Data

The 25-year data arrangement gives the US sweeping access for audits and performance monitoring, governed by US federal laws rather than Uganda’s DPPA. The Personal Data Protection Office (PDPO) is not explicitly assigned an oversight role, an omission that contradicts national law and risks leaving Ugandans without recourse if their data is mishandled. Although the US pledges to use aggregated data where possible, critics warn that such assurances do not adequately protect sovereignty or prevent misuse, including the use of data for artificial intelligence training.

2. Specimen and Pathogen Sharing

Uganda must sign a separate agreement granting the US access to biological specimens and pathogen genetic sequences within five days of detection, for 25 years. This raises biosecurity concerns, as Uganda risks providing raw material for foreign-developed vaccines or treatments without guaranteed benefits such as technology transfer or equitable pricing.

3. Audit and Compliance Powers

The US can audit commodity use, facility performance, and compliance with US laws such as the Helms Amendment (which restricts funding for abortion-related activities). Failure to comply could result in funding cuts, pressuring Uganda to align with US policy priorities over domestic needs.

These issues mirror similar concerns raised in Kenya and Rwanda. Health data is deeply sensitive, akin to a digital diary of the most personal aspects of one’s life. Even anonymized data can be re-identified through cross-referencing. As one post on X (formerly Twitter) put it, “Jokes on Uganda if you think we’re sovereign.” While Uganda formally retains data ownership, granting broad access effectively cedes control.

Uganda’s MoU has not yet faced legal scrutiny, but Kenya offers a timely warning. On December 10, 2025 (unironically, the same day Uganda was signing its MoU with the US), Kenya’s High Court issued a conservatory order suspending implementation of its similar $1.6 billion health cooperation pact with the US. In COFEK v. Ministry of Health (HCCHRPET/E809/2025), Justice Bahati Mwamuye halted any data transfer or sharing, citing violations of Kenya’s Data Protection Act, Digital Health Act, and Health Act. Civil society figures, including Senator Okiya Omtatah, raised concerns about sovereignty and privacy.

This ruling demonstrates that when public participation is sidelined and data rights are threatened, courts can intervene decisively. Uganda should learn from Kenya’s experience before concerns escalate into litigation.

Why This Matters

Health data is not an abstract policy issue; it affects everyday people. Russia's President, Vladimir Putin, reportedly travels with his own waste to protect his biometric privacy. Some US establishments require consent for biological sample analysis. In Uganda, where paper health booklets are rapidly being replaced with digital records, the stakes are high.

Imagine explaining to your jaj guy (boda boda rider): “Your wife’s pregnancy records used to stay in a clinic booklet. Now they will be digitized and accessible to a foreign government for 25 years. Are you comfortable with your HIV test results being stored abroad, even if ‘aggregated’?”

Politically, both the government and opposition have remained largely silent. The government cannot risk jeopardizing aid, while the opposition fears appearing anti-healthcare. This silence sidelines public debate and widens inequality. Uganda must ensure the MoU strengthens, not undermines, public trust.

What Uganda Should Do Next

The MoU is signed, but implementation plans and annexes, including the Data Sharing Agreement, offer opportunities for amendment. Uganda can still embed stronger protections.

Recommended steps include:

1. Embed Sovereignty Clauses

Require compliance with Uganda’s DPPA, formalize PDPO oversight, and ensure disputes are resolved under Ugandan law.

2. Limit Access and Purpose

Restrict US access to aggregated data, prohibit unnecessary personally identifiable information (PII), and impose penalties for breaches.

3. Strengthen Local Control and Benefits

Mandate data storage within Uganda and require benefit-sharing for products developed from shared pathogens.

4. Increase Public Engagement

Break down the issues in accessible language, e.g., “Your health data is your dignity.” Public participation and legal petitions, like Kenya’s, can provide democratic oversight.

Conclusion

The US–Uganda MoU could significantly improve Uganda’s health care (especially in a country where a single medical bill can push a family into poverty). But that promise will only be realized if its implementation is paired with tight safeguards for privacy, data protection, and national sovereignty. Aid should empower nations, not dilute their autonomy.

Kenya’s High Court has already set a regional precedent by insisting on strong data governance. Uganda now has a clear and timely roadmap, protect data rights today, or risk legal, political, and societal consequences tomorrow.

As we embrace global partnerships, let us ensure that Ugandans are not left holding the short end of the stick.