In a notable decision with potential regional implications, Uganda’s Personal Data Protection Office (PDPO) on July 18 ruled that Google had violated Uganda’s Data Protection and Privacy Act. In November last year, four Ugandan citizens filed a formal complaint with the PDPO against Google LLC, alleging non-compliance with Uganda’s Data Protection and Privacy Act. PDPO is an independent body under the National Information Technology Authority, established to regulate the collection and processing of personal data. Its primary mandate is to ensure compliance with the Data Protection and Privacy Act of 2019. The petitioners were ‘descendants’ of Max Schrems, an Austrian national who successfully sued Facebook several years ago. In a landmark ruling, the European Union Court of Justice agreed with him, saying European data protection authorities must stop transfers of personal data made under the standard contractual clauses by companies, like Facebook, subject to overbroad surveillance. The complainants told the PDPO that Google had failed to register as a data collector, processor, or controller, as required under the Act, and that it had engaged in the cross-border transfer of personal data without prior authorisation from the PDPO. They further claimed that these actions violated their data protection rights and caused emotional distress, warranting compensation. Echoing the extraterritorial reach from the European Union’s GDPR, at the heart of the decision is the concept of “commercial nexus” – the idea that a company which derives value from users in a particular jurisdiction, regardless of where it is physically located, must comply with that jurisdiction’s data protection laws. The PDPO determined that Google collects, processes, and monetizes data from Ugandan users, thereby establishing a substantial and ongoing economic presence in the country. In effect, economic not physical footprint, defines regulatory responsibility in the digital age.
This is an example of how global data governance is evolving. In the past, global platforms have argued that they are not subject to local laws because they have no local servers or registered legal entities. The decision rejects this logic, essentially asserting local presence is defined by more than just office space.
By holding Google accountable for non-compliance with user consent requirements and insufficient transparency under Ugandan law, the PDPO is asserting Uganda’s digital sovereignty.
Crucially, while this is a single-country decision, it reflects a broader regulatory assertiveness taking root across the continent. Specific Orders against Google include, registering as a controller, collector with the PDPO within 30 days, provide the PDPO with the contact details of its designated data protection officer; and submit documentary evidence of its compliance framework for cross-border data transfers, including the legal basis for such transfers and the accountability measures in place to ensure the security of personal data transferred outside Uganda. Crucially, the PDPO’s interpretation of ‘commercial nexus’ could be adopted by peer authorities, resulting in a significant increase in risk exposure and compliance expectations for global platforms. If replicated across other jurisdictions, the decision could reshape how global platforms approach compliance, risk, policy, and regulatory engagement in the Global South. Importantly, Uganda’s position reflects a maturing approach to digital governance, based on regulatory parity, and respect for user rights, extending the compliance and accountability expectations of smaller local entities to large multinational platforms to restore balance and trust in the global digital ecosystem.
