Historic win: Uganda court establishes privacy violation penalty
Uganda Secures First Data Privacy Conviction and Orders Google to Register
Uganda's data protection enforcement has taken a significant step forward with the first historic data privacy conviction and a landmark ruling against global tech giant Google.
In a groundbreaking move, Ronald Mugulusi, director of digital lending company Nano Loans Microfinance, became the first person in Uganda to be criminally convicted under the Data Protection and Privacy Act. This conviction, handed down by the Makindye Standards, Wildlife and Utilities Court on July 10, 2025, serves as a stark reminder that breaches of data protection laws can lead to criminal penalties.
Meanwhile, the Personal Data Protection Office (PDPO) issued a ruling on July 18, 2025, against Google LLC for violating several provisions of the Data Protection and Privacy Act. The PDPO found Google in violation of the Act for operating without proper registration and for transferring personal data of Ugandan citizens outside Uganda without adequate safeguards. The office ordered Google to register as a data controller and collector within 30 days.
However, the PDPO's enforcement capacity has limitations. It only issues declaratory orders and lacks direct power to impose administrative fines or compensation. This means, although it can mandate registration and compliance, its rulings are not binding in the same way as regulatory bodies in neighbouring countries like Kenya or Tanzania, which have powers to impose fines and administrative sanctions. The PDPO recommended that complainants seek remedies through the courts, indicating a reliance on judicial processes for enforcement beyond declaratory rulings.
The conviction against Mugulusi was sparked by a complaint submitted by Wonambwa Michael, who alerted to the misuse of his name, phone number, and photograph, which had been video recorded and used as a threat to induce loan repayment. Mugulusi pleaded guilty and was fined UGX 300,000 (USD 83.61). The PDPO clarified that Mugulusi had violated the purpose limitation principle of the Act by reusing the information to shame the borrower.
On the other hand, the Google conviction was a reflection of the Ugandan government's "firm commitment" to holding data controllers and processors to account, according to Acting national personal protection director of the PDPO, Baker Birikujja. The PDPO has also ordered Google to submit within 30 days evidence of its compliance procedures for the cross-border transfer of Ugandan citizens' personal data.
In summary:
- Uganda has secured its first historic data privacy conviction, demonstrating that breaches of data protection laws can lead to criminal penalties.
- The PDPO has ordered Google to register with the regulator within 30 days and provide contact details of its designated Data Protection Officer.
- The PDPO's enforcement capacity has limitations, as it only issues declaratory orders and lacks direct power to impose administrative fines or compensation.
- The conviction against Mugulusi was sparked by a complaint submitted by Wonambwa Michael, who alerted to the misuse of his personal data.
- The PDPO has clarified that Mugulusi had violated the purpose limitation principle of the Act by reusing the information to shame the borrower.
- The conviction involved the processing of personal data without consent or a legally backed justification.
- The Data Protection and Privacy Act of 2019 was the legislation under which the conviction was made.
- The complainant and director reached a court-sanctioned reconciliation under section 160 of the Magistrates Courts Act and the Judicature (Reconciliation) Rules of 2011.
- Birikujja stressed that the conviction should send "a strong and clear message that non-compliance with data protection and privacy obligations is a criminal offence and will be prosecuted".
This situation highlights the progress Uganda has made in data protection enforcement, while also exposing the need to strengthen PDPO's powers through amendments to the law to enhance the effectiveness of data privacy enforcement.
- The ruling against Google by the Personal Data Protection Office (PDPO) underscores the importance of complying with data protection regulations, as Google was found in violation of the Data Protection and Privacy Act for operating without proper registration and failing to provide adequate safeguards for transferring personal data of Ugandan citizens outside Uganda.
- In this digital age, adherence to technology regulations, such as the Data Protection and Privacy Act, is crucial for global tech giants operating in countries like Uganda, as non-compliance can lead to penalties and a tarnished reputation.
