Uganda orders Google to register as data processor in landmark privacy ruling

Uganda's Personal Data Protection Office has issued a landmark ruling ordering Google LLC to register as a data controller and collector within 30 days, marking the first major enforcement action under the country's data protection framework. The decision, announced on July 18, 2025, establishes significant precedent for how global technology companies must comply with local data protection laws in African markets.

According to the Personal Data Protection Office decision, four Ugandan citizens filed complaint number 08/11/24/6683 on November 8, 2024, alleging Google violated Uganda's Data Protection and Privacy Act by operating without proper registration and transferring personal data outside Uganda without adequate safeguards. The complainants - Ssekamwa Frank, Leni Sharon Pamela, Amumpaire Raymond, and Awino Mercy - sought declarations, orders for compliance, and compensation for distress caused by Google's alleged violations.

The regulatory authority determined that Google qualifies as both a data controller and collector under Ugandan law. According to the ruling, Google collects various categories of personal data from Ugandan users, including "names, nationality, email addresses, age, date of birth, unique online identifiers, browsing history, and location data." The office found that Google "determines the purposes and means for which this personal data is processed," thereby meeting statutory definitions under the Data Protection and Privacy Act.

Registration requirement enforced despite Google's defense

Google argued that registration requirements were inoperative without a specific exemption notice from the data protection office. According to the decision, Google contended that Regulation 15(2) allows the PDPO to exempt certain categories from registration through gazette notices, and since no such notice existed, the mandatory registration requirement was suspended.

The Personal Data Protection Office rejected this interpretation. According to the ruling, the office found "the legal structure is clear: the general rule is that registration is mandatory, unless and until a specific exemption is operationalized by way of gazette notice." The decision cited Total Uganda Limited v. Uganda Revenue Authority, where courts held that general statutory rules remain operative until exemptions are expressly invoked through proper procedures.

The ruling establishes that Google's non-registration constitutes a violation of Section 29 of the Data Protection and Privacy Act and Regulation 15 of the accompanying regulations. According to the decision, this finding applies regardless of Google's argument about exemption procedures.

Cross-border data transfers deemed non-compliant

The Personal Data Protection Office also ruled against Google's cross-border data transfer practices. According to the decision, Google "failed to provide evidence of a lawful basis or compliance framework for transferring the Complainants' personal data outside Uganda." The office found this constituted violations of Section 19 of the Act and Regulation 30 of the regulations.

Google defended its data transfer practices by arguing that relevant provisions apply only to controllers and processors "domiciled in Uganda." According to the ruling, Google maintained it has no physical presence in Uganda and therefore these provisions don't apply.

The data protection office rejected this narrow interpretation. According to the decision, Section 1 of the Act "expressly provides that the Act applies to 'a person, institution or public body outside Uganda who collects, processes, holds or uses personal data relating to Ugandan citizens.'" The ruling emphasized this establishes extra-territorial application of Ugandan data protection law.

The decision noted significant evidence of Google's commercial presence in Uganda. According to the ruling, the Domestic Revenue Mobilisation Strategy Annual Budget Monitoring Report for FY 2023/24 shows "Google LLC is a registered taxpayer with the Uganda Revenue Authority, is formally onboarded for tax purposes, and is listed among active digital businesses remitting Value Added Tax (VAT) and digital services tax in Uganda."

Marketing industry implications

The Uganda decision carries significant implications for digital marketing operations across emerging markets. Data protection enforcement has intensified globally, with recent rulings affecting major technology platforms' advertising practices. The Uganda ruling establishes that commercial presence through tax obligations creates regulatory nexus for data protection compliance.

For digital advertising professionals, the decision highlights evolving compliance requirements in African markets. Google has faced increasing scrutiny over data practices, with regulators examining real-time bidding systems and cross-border data transfers. The Uganda ruling demonstrates how local data protection authorities are asserting jurisdiction over global platforms serving local users.

Marketing campaigns targeting Ugandan users now operate under clearer regulatory framework requirements. The decision requires Google to "submit documentary evidence of its compliance framework for cross-border transfer of personal data of Ugandan citizens, including the legal basis and accountability measures in place." This establishes precedent for data localization discussions across sub-Saharan Africa.

The ruling comes amid broader shifts in digital advertising regulation. Privacy-enhancing technologies have gained prominence as platforms adapt to regulatory requirements. Google has implemented various data retention policies across its advertising products, while tightening rules for sensitive categories.

Technical compliance requirements detailed

The Personal Data Protection Office specified technical compliance requirements in its orders. According to the decision, Google must "register with PDPO, within thirty (30) days of this decision, in the appropriate capacity as a data collector, data controller, and/or data processor as required under the Act and Regulations." The registration must include contact details for Google's designated Data Protection Officer for Uganda.

The ruling requires Google to submit documentation within 30 days demonstrating its "compliance framework for cross-border transfer of personal data of Ugandan citizens." According to the decision, this must include "the legal basis and accountability measures in place, as required by Section 19 of the Act and Regulation 30 of the Regulations."

The data protection office declined to order data localization at this stage. According to the ruling, "no order is made for data localisation at this stage; however, Google LLC is reminded that all cross-border transfers of personal data must comply fully with Ugandan law."

The decision establishes enforcement mechanisms for non-compliance. According to the ruling, "failure to comply with the above orders is an offence under Regulation 48 and may attract a fine not exceeding three currency points for each day in default of the notice or to imprisonment not exceeding six months or both."

Limited remedies for complainants

While the Personal Data Protection Office granted declaratory relief, it declined to award compensation to the complainants. According to the decision, "PDPO does not have authority to award compensation or interest. Any claims for compensation for damage or distress must be pursued by the Complainants before a court of competent jurisdiction."

The office did find that Google's failures caused distress to complainants. According to the ruling, complainants "sought to have their concerns addressed" but were "left without any official point of contact" due to Google's non-registration. The decision noted that complainants' October 9, 2024 email to Google's Chief Compliance Officer "went unanswered."

The ruling establishes that distress flows from procedural violations even without demonstrated data misuse. According to the decision, "the statutory registration requirement exists precisely to prevent such situations by guaranteeing accountability and providing a clear channel for redress."

The Personal Data Protection Office reserved rights for additional enforcement actions. According to the decision, the office "reserves the right to make further orders or directions as may be necessary based on compliance monitoring and any additional evidence that may arise."

Appeal rights and enforcement timeline

The decision provides Google with appeal options. According to the ruling, "any party aggrieved by this decision may appeal to the Minister of ICT and National Guidance within thirty (30) days from the date of the notice of this decision." This follows procedures established in Regulation 46 of the Data Protection and Privacy Regulations.

The enforcement timeline creates immediate compliance pressure. Google received the initial complaint direction on March 12, 2025, with the data protection office granting a one-week extension after Google's delayed response request. According to the decision, Google filed its response on July 10, 2025, after initially missing the fourteen-day deadline.

The ruling establishes Baker Birikujja as Acting National Personal Data Protection Director, signing the decision on July 18, 2025. This provides clear authority structure for ongoing enforcement actions and compliance monitoring.

For international technology companies, the decision demonstrates expanding regulatory reach of national data protection authorities. The ruling's emphasis on commercial nexus through tax obligations suggests similar enforcement patterns may emerge across other African jurisdictions implementing comprehensive data protection frameworks.

Timeline

• November 8, 2024: Four Ugandan citizens file complaint 08/11/24/6683 against Google LLC with Personal Data Protection Office
• March 12, 2025: PDPO directs Google to file written response within 14 days
• July 3, 2025: Google requests two-week extension after missing initial deadline
• July 10, 2025: Google files response after receiving one-week extension from PDPO
• July 18, 2025: Personal Data Protection Office issues ruling ordering Google to register within 30 days
• October 2024: Google updates privacy policies for US state laws
• April 2025: Google unveils privacy-enhancing technologies at Data Protection Forum
• January 2025: Google consolidates advertising policies for minor protection

Summary

Who: Uganda's Personal Data Protection Office ruled against Google LLC following a complaint by four Ugandan citizens (Ssekamwa Frank, Leni Sharon Pamela, Amumpaire Raymond, and Awino Mercy).

What: The regulatory authority ordered Google to register as a data controller and collector within 30 days and submit documentation of its cross-border data transfer compliance framework, finding violations of Uganda's Data Protection and Privacy Act.

When: The decision was announced on July 18, 2025, following a complaint filed on November 8, 2024, and Google's response submitted on July 10, 2025.

Where: The ruling applies to Google's operations in Uganda, with particular focus on data processing of Ugandan citizens and cross-border transfers to jurisdictions outside Uganda.

Why: The Personal Data Protection Office found Google violated local law by operating without registration as required and failing to demonstrate adequate safeguards for international data transfers, despite Google's established commercial presence through tax obligations in Uganda.

Key terms explained

Data controller: A fundamental concept in data protection law referring to entities that determine the purposes and means of personal data processing. In this case, Uganda's data protection office classified Google as a data controller because it decides how and why user information is collected and processed. For marketing professionals, understanding data controller status is crucial as it determines primary responsibility for compliance with privacy regulations and user consent requirements.

Cross-border data transfers: The practice of moving personal data from one jurisdiction to another, which has become central to global digital marketing operations. The Uganda ruling highlights how data transfers require specific legal safeguards and documentation. Marketing teams must implement adequate protection measures when customer data moves between countries, particularly when targeting users in jurisdictions with strict data protection laws.

Personal data: Information that can identify individuals, including names, email addresses, browsing history, and location data mentioned in the Uganda case. For digital marketers, personal data forms the foundation of targeted advertising campaigns and customer analytics. The broad definition encompasses traditional identifiers plus digital footprints, requiring careful consideration of what information campaigns collect and how it's processed.

Data protection compliance: The process of adhering to privacy laws and regulations governing personal data handling. The Uganda decision demonstrates how compliance extends beyond technical measures to include registration requirements and documentation standards. Marketing departments must establish comprehensive compliance frameworks covering data collection, processing, storage, and transfer practices across all jurisdictions where they operate.

Registration requirements: Legal obligations for data controllers and processors to formally register with regulatory authorities. Uganda's ruling against Google emphasizes that commercial presence creates registration duties regardless of physical location. Marketing organizations processing personal data must identify and comply with registration requirements in each market they serve, often requiring designated data protection officers and local compliance infrastructure.

Commercial nexus: The connection between business operations and regulatory jurisdiction, established in this case through Google's tax obligations in Uganda. For international marketing campaigns, commercial nexus determines which countries' privacy laws apply. Companies generating revenue from users in specific jurisdictions typically face compliance obligations even without physical presence, affecting how global marketing strategies must account for local regulatory requirements.

Data localization: Requirements for personal data to be stored or processed within specific geographic boundaries. While Uganda's data protection office didn't order immediate localization, the ruling reinforced that cross-border transfers must comply with local law. Marketing teams must consider data residency requirements when selecting advertising platforms and analytics providers, as some jurisdictions mandate local data storage for citizen information.

Privacy-enhancing technologies: Technical solutions designed to protect personal data while maintaining marketing effectiveness. These include confidential computing, differential privacy, and secure multi-party computation methods that enable targeted advertising without exposing individual user information. As privacy regulations tighten globally, marketing departments increasingly rely on these technologies to balance personalization with compliance requirements.

Regulatory enforcement: Government action to ensure compliance with data protection laws, ranging from warnings to financial penalties and operational restrictions. The Uganda case demonstrates how enforcement extends beyond European markets to emerging economies implementing comprehensive privacy frameworks. Marketing professionals must monitor enforcement trends across all operational jurisdictions to anticipate compliance requirements and potential penalties.

Digital advertising ecosystem: The complex network of platforms, data brokers, advertisers, and publishers that enable online marketing campaigns. Uganda's ruling against Google highlights how data protection regulations affect entire advertising ecosystems, not just individual companies. Understanding ecosystem relationships becomes crucial as regulatory authorities examine data flows between advertising partners and hold multiple parties accountable for privacy violations.